The following is a guest post by Michael Egorov, Founder of Curve Finance.
The recent Bybit hack resulted in a total of $1.5 billion in crypto assets lost and has become the largest hack in the history of this industry. What makes this breach notable is that the attackers targeted Bybit's cold storage, usually the most secure part of an exchange's infrastructure.
While Bybit moved quickly to replenish its reserves with the help of partners, the event still left many people shaken. The situation once again raises concerns about security: how vulnerable are crypto exchanges, and what lessons should the industry take from this breach?
The growing risk for CEX platforms
As I see it, this incident is more than just another attack; it is a wake-up call that exposes the systemic security weaknesses of centralized exchanges. Despite implementing strict security measures, CEX platforms remain prime targets for hackers. Why? Precisely because of their centralized nature.
Unlike DeFi, where user funds are spread across self-custodied wallets, centralized platforms store assets in infrastructure they control. This creates a single point of failure: an attacker who breaches a single security layer can gain access to enormous amounts of funds. After that, it is almost over. Any recovery of funds must rely on centralized oversight, help from external parties and plain luck.
Chainalysis's report makes clear that centralized services were the most targeted services in 2024, marking a notable shift from DeFi hacks to CeFi. This is further confirmed by Hacken's figures, which show that CeFi losses more than doubled compared with the previous year, reaching almost $700 million. Access control vulnerabilities were highlighted among the primary causes of breaches.
This confirms that exchanges must reconsider their approach to security.
DeFi's alternative view of asset security
The advantage of DeFi platforms is that their nature minimizes the risks discussed above. Instead of trusting a centralized infrastructure, DeFi protocols use smart contracts and cryptographic security mechanisms to protect assets. This eliminates centralized points of failure: there is no single entity that can be compromised to drain user funds.
However, DeFi is not without risks of its own. Because it operates in a permissionless environment, hackers are always present. And because transactions are irreversible, the only real protection is flawless code. Poorly written code leads to vulnerabilities, but if there are no mistakes, hackers have nothing to exploit.
Hacken's 2024 security report indicates that smart contract exploits accounted for only 14% of crypto losses in 2024.
AI in cybersecurity: a double-edged sword
Since artificial intelligence becomes a hotter topic every day, many in the crypto market wonder what role it will play in security. So I will offer my two cents on the subject.
First of all, AI tools have not yet developed to the point where they are effective at such tasks. But once they reach that level, it is very likely that they will be.
Well-developed AI tools could be very useful for simulating and analyzing the execution of smart contracts. In other words, they could help detect vulnerabilities in smart contracts, allowing developers to patch security holes well before hackers get to them.
Automated testing and AI-assisted audits can also significantly raise security standards, making both DeFi and CeFi systems more robust. But it would be wise not to rely fully on artificial intelligence for such things; even this technology can miss things.
At the same time, AI tools can also be weaponized by hackers to scan systems and identify flaws to exploit faster than ever before. This will inevitably mean an arms race between security teams and hackers, in which platforms must constantly stay one step ahead.
And the one thing I would absolutely advise against is using AI to write the actual smart contracts. Given the current state of this technology, AI-written code cannot yet match the quality or security of code written by human developers.
What should crypto exchanges do, then?
In the meantime, all centralized exchanges implement industry best practices such as multisignature wallets and other security protocols. However, as the Bybit hack has shown, these measures do not seem to be enough on their own.
CEXs create inherently centralized points of failure. However well protected they are, they remain a small number of attack points, which makes them attractive targets for hackers. One potential solution would be to introduce user-controlled wallets with additional layers of oversight managed by the exchange. However, it is also well known that self-custody and key management are extremely awkward for most users, so that is not a particularly safe approach either.
What, then, can exchanges do differently on their side?
First of all, we must acknowledge that many of the security mechanisms these platforms use today, including multisignature wallets, depend on Web 2.0 technologies. This means their security depends not only on how robust the smart contracts are, but also on the security of the web-based frontends: the interface users interact with and through which those smart contracts are accessed.
Weaknesses in frontend security can undermine the entire system if hackers find a way to compromise it. But ensuring security here is a serious challenge. Web applications often depend on thousands of dependencies (the Uniswap user interface, for example, has more than 4,500), each of which represents a potential attack vector. If even one of these dependencies is compromised, hackers can inject malicious code into the interface without ever attacking the core system.
As such, developers must ensure that not only their own code is secure, but also every piece of software their platform depends on.
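As an added example (not code from the original post or from any of the projects it mentions), here is a small script that measures this dependency surface where it is actually recorded, the frontend's npm lockfile, and flags the entries that deserve review first: packages that run install-time scripts, packages resolved from somewhere other than the public registry, and packages with no integrity hash pinning their contents. The lockfile below is constructed for the example with made-up package names; the lockfileVersion 2/3 packages map, the resolved and integrity fields and the hasInstallScript flag are npm's real lockfile layout.

```python
"""Measure a web frontend's npm dependency surface from its lockfile.

Every entry in the lockfile's package map is code that ends up in the bundle
or runs on a developer's machine at install time, so the count itself is the
attack surface. The audit then flags the entries that deserve review first.
"""
import json

# Constructed lockfile in npm's lockfileVersion 3 layout; package names are made up.
SAMPLE_LOCK = json.dumps({
    "name": "example-dapp-ui",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp-ui", "dependencies": {"ui-kit": "^1.3.0"}},
        "node_modules/ui-kit": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/ui-kit/-/ui-kit-1.3.0.tgz",
            "integrity": "sha512-AAAAexampleAAAA=="},
        "node_modules/ui-kit/node_modules/native-helper": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/native-helper/-/native-helper-0.0.1.tgz",
            "integrity": "sha512-BBBBexampleBBBB==",
            "hasInstallScript": True},          # runs preinstall/postinstall hooks
        "node_modules/sidecar": {
            "version": "2.0.0",
            "resolved": "git+ssh://git@example.invalid/org/sidecar.git#deadbeef"},
    },
})

REGISTRY = "https://registry.npmjs.org/"


def audit_lockfile(text, trusted_prefix=REGISTRY):
    """Return the transitive package count and the names that need a closer look."""
    lock = json.loads(text)
    if lock.get("lockfileVersion") not in (2, 3):
        raise ValueError("expected lockfileVersion 2 or 3 (the 'packages' map is needed)")
    report = {"total": 0, "install_scripts": [], "untrusted_source": [], "no_integrity": []}
    for path, meta in lock["packages"].items():
        if path == "":
            continue                       # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        report["total"] += 1
        if meta.get("hasInstallScript"):
            report["install_scripts"].append(name)
        if not str(meta.get("resolved", "")).startswith(trusted_prefix):
            report["untrusted_source"].append(name)
        if not meta.get("integrity"):
            report["no_integrity"].append(name)
    return report


if __name__ == "__main__":
    r = audit_lockfile(SAMPLE_LOCK)
    print("%d transitive packages" % r["total"])
    for key in ("install_scripts", "untrusted_source", "no_integrity"):
        print("%-16s %s" % (key + ":", ", ".join(r[key]) or "-"))
```

Run it against a real package-lock.json in place of the constructed one and the total is the number of third-party packages a signer implicitly trusts when the UI loads; the three lists are the packages a compromised maintainer account or a swapped git ref could turn into an injection point without touching the exchange's own code.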
A good solution would be for large exchanges to use self-hosted web UIs. These do exist, in particular for the Safe wallet. An even better option would be to use purpose-built software that bypasses traditional web technologies entirely when interacting with smart contracts. For example, there is an official CLI tool for Safe wallets that considerably reduces the number of dependencies (by a factor of about 100), which in turn reduces the risk of supply chain attacks.
In addition, all signing of high-value transactions must be carried out on isolated machines used exclusively for this purpose and nothing else. This minimizes the risk of the human factor compromising the signing infrastructure with malware. Another approach could be compartmentalized systems such as Qubes OS; they are still quite exotic, but offer improved security as part of their design philosophy.
And of course, although hardware wallets are the standard practice everyone uses, when high-value transactions are involved it is crucial that exchanges implement mechanisms to verify exactly what these wallets are signing. Currently, hardware wallets do not make this task easy, but there are tools on the market that can help verify transaction data before execution.
All in all, implementing any of these measures is no simple feat; that is a truth that must be acknowledged. Perhaps the industry as a whole needs to establish formalized security recommendations, or even develop specialized operating systems tailored for secure interaction with crypto out of the box.
But it is also true that without significant upgrades to security infrastructure, the risks for CEXs will only continue to grow.
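To make "verify exactly what the wallet is signing" concrete, here is an added example (not code from the author, Curve Finance or the Safe project) of an independent pre-signing check for a Safe multisig transaction. It decodes the execTransaction calldata the frontend hands to the signer, flags a delegatecall or any field that differs from the transfer the operator intended, and recomputes the EIP-712 hash that the hardware wallet shows on its screen, so the two can be compared without trusting the web UI that produced the payload. Assumptions: the execTransaction selector 0x6a761202 and the SafeTx and EIP712Domain type strings are taken from my reading of the Safe v1.3.0 contracts; the Safe address, chain id, nonce, recipient addresses and the tampered payload are all constructed for the example. A real signer reads the Safe address and nonce from the chain, never from the frontend.

```python
"""Independent pre-signing check for a Safe execTransaction payload.

Decodes the calldata a frontend hands to a signer, flags fields that do not
match the intended transfer, and recomputes the EIP-712 hash the hardware
wallet displays, so the two can be compared without trusting the web UI.
Pure Python, no third-party packages (useful on an isolated signing machine).
"""

# --- Keccak-256 (Ethereum flavour: 0x01 padding, not SHA3's 0x06) ------------
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]           # rotation offsets, lane index x + 5y
_M = (1 << 64) - 1


def _keccak_f(a):
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[x - 1] ^ (((c[(x + 1) % 5] << 1) | (c[(x + 1) % 5] >> 63)) & _M) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                                    # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                r, v = _ROT[x + 5 * y], a[x + 5 * y]
                b[y + 5 * ((2 * x + 3 * y) % 5)] = ((v << r) | (v >> (64 - r))) & _M  # rho, pi
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & _M & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                                      # chi
        a[0] ^= rc                                                                    # iota
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136                                   # 1600 - 2*256 bits, in bytes
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))


# --- Minimal ABI encoding/decoding for execTransaction -----------------------
EXEC_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(...) selector, assumed from the Safe ABI
ZERO = "0x" + "00" * 20
_word = lambda n: n.to_bytes(32, "big")
_addr = lambda h: bytes.fromhex(h[2:]).rjust(32, b"\x00")
_dyn = lambda b: _word(len(b)) + b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(tx, signatures=b""):
    """Build the calldata a frontend would ask the signer to approve (10 head words, then tails)."""
    data_off = 32 * 10
    head = (_addr(tx["to"]) + _word(tx["value"]) + _word(data_off) + _word(tx["operation"])
            + _word(tx["safeTxGas"]) + _word(tx["baseGas"]) + _word(tx["gasPrice"])
            + _addr(tx["gasToken"]) + _addr(tx["refundReceiver"]) + _word(data_off + len(_dyn(tx["data"]))))
    return EXEC_SELECTOR + head + _dyn(tx["data"]) + _dyn(signatures)


def decode_exec_transaction(calldata):
    """Parse the payload exactly as the chain will, ignoring whatever the UI claimed it was."""
    if calldata[:4] != EXEC_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    addr = lambda i: "0x" + body[32 * i + 12:32 * i + 32].hex()
    def dyn(off):
        n = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + n]
    return {"to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
            "safeTxGas": word(4), "baseGas": word(5), "gasPrice": word(6),
            "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(word(9))}


# --- EIP-712 hash as the Safe contract (v1.3.0 layout, assumed) computes it -----
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")


def safe_tx_hash(tx, chain_id, safe_address, nonce):
    """safe_address and nonce come from the chain, never from the frontend."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _addr(safe_address))
    struct = keccak256(SAFE_TX_TYPEHASH + _addr(tx["to"]) + _word(tx["value"]) + keccak256(tx["data"])
                       + _word(tx["operation"]) + _word(tx["safeTxGas"]) + _word(tx["baseGas"])
                       + _word(tx["gasPrice"]) + _addr(tx["gasToken"]) + _addr(tx["refundReceiver"])
                       + _word(nonce))
    return keccak256(b"\x19\x01" + domain + struct)


def review(calldata, intended):
    """Findings that must be empty before anyone touches the hardware wallet."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != 0:
        findings.append("operation=%d: delegatecall runs foreign code with the Safe's own storage" % tx["operation"])
    for f in ("to", "value", "data"):
        if tx[f] != intended[f]:
            findings.append("%s differs from the intended transaction" % f)
    if tx["gasPrice"] or tx["gasToken"] != ZERO or tx["refundReceiver"] != ZERO:
        findings.append("gas refund fields set: %s would be paid in %s" % (tx["refundReceiver"], tx["gasToken"]))
    return findings


# Constructed sample: a plain 1 ETH transfer as the operator intends it ...
INTENDED = {"to": "0x" + "11" * 20, "value": 10**18, "data": b"", "operation": 0,
            "safeTxGas": 0, "baseGas": 0, "gasPrice": 0, "gasToken": ZERO, "refundReceiver": ZERO}
# ... and what a tampered frontend might actually submit: a delegatecall into another
# contract with a payload, while the UI still renders the transfer above.
TAMPERED = dict(INTENDED, to="0x" + "22" * 20, operation=1, data=bytes.fromhex("deadbeef"))

if __name__ == "__main__":
    safe, chain, nonce = "0x" + "33" * 20, 1, 7      # constructed; read these from the chain in practice
    for label, tx in (("honest", INTENDED), ("tampered", TAMPERED)):
        calldata = encode_exec_transaction(tx)
        print(label, "hash to compare with the wallet screen:",
              safe_tx_hash(decode_exec_transaction(calldata), chain, safe, nonce).hex())
        print(label, "findings:", review(calldata, INTENDED))
```

The signer runs this on the isolated machine, compares the printed hash with the one the hardware wallet displays, and stops if the hashes differ or review() returns anything. The most important check is the operation field: a delegatecall (operation 1) executes the target contract's code with the Safe's own storage, which is never what a routine transfer needs. Keccak-256 is implemented inline so the script has no dependencies, which is the point of the exercise.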