The Security Insights Behind the $1.4 Billion Heist

8 days ago

The Golden Age of the Web3.0 World Should Not Be a Carnival for Hackers

Written by: Certik

CertiK's Chief Business Officer Jason Jiang recently appeared on Cointelegraph's podcast "The Agenda" to discuss Web3.0 security in depth following the Bybit incident. When $1.4 billion in assets evaporated overnight, it shocked not only the industry but also every user concerned about the security of digital wealth. This was not only the largest theft in crypto history but also exposed the hidden risks lurking in the rapid development of the industry.

As a leader in blockchain security, CertiK has never stopped analyzing such threats. After the Bybit incident, CertiK quickly conducted a technical analysis and pointed out the existence of the "blind signing" issue. In the conversation, Jason explained the reasons behind blind signing and suggested that users verify the transaction address at least three times.

When THORChain's validator nodes refused to roll back transactions, Jason bluntly stated, "It is like being in the Wild West," but also emphasized that only by embracing regulation can the Web3.0 industry mature. In the face of billion-dollar hacker attacks, a mere $4,000 bug bounty seems insignificant, and the industry urgently needs to address the lack of security investment. After all, the golden age of the Web3.0 world should not be a carnival for hackers.

After $1.4 billion was stolen from Bybit, CertiK executives interpret how to enhance the security of crypto assets

In February of this year, Bybit faced a hacking attack that sent shockwaves through the industry. Reports indicated that the North Korean hacker group Lazarus stole $1.4 billion worth of Ethereum-related tokens from this centralized exchange, making it the most significant cryptocurrency theft in history.

The aftermath of this hacking incident raised many questions: Where did the problem lie? Is my money safe? What measures should be taken to prevent such incidents from happening again?

According to data from blockchain security company CertiK, this massive theft accounted for about 92% of all losses in February. The incident caused the total cryptocurrency losses in February to surge nearly 1500% compared to January.

In the 57th episode of Cointelegraph's "The Agenda" podcast, hosts Jonathan DeYoung and Ray Salmond engaged in a conversation with CertiK's Chief Business Officer Jason Jiang, detailing the process of the Bybit hacking attack, the consequences of the exploit, and what measures users and exchanges can take to ensure the security of cryptocurrencies.

Are crypto wallets still safe after the Bybit theft?

In short, Jason believes that the Lazarus group was able to carry out such a large-scale attack on Bybit because it managed to compromise the devices of all three signers who controlled the multi-signature SafeWallet that Bybit was using. The group then tricked them into signing malicious transactions that they believed to be legitimate.

Does this mean that SafeWallet is no longer trustworthy? Jason stated that the situation is not that simple. "When the Safe developers' computers are hacked, more information may leak from that computer. But I think the likelihood of this happening to individual users is quite low."

He mentioned that ordinary users can significantly enhance the security of their cryptocurrencies in several ways, including storing assets in cold wallets and being vigilant against potential phishing attacks on social media.

When asked whether Ledger or Trezor hardware wallets could be exploited in a similar manner, Jason reiterated that the risk is low for ordinary users, as long as they conduct due diligence and trade cautiously.

"One of the reasons this incident occurred is that the signers blindly signed the transaction instructions without seeing the full address," he added. "You must ensure that the address you are sending to is the one you truly intend to send to, especially for large transactions, and confirm it repeatedly."

"I believe that after this incident, the entire industry will attempt to self-correct and improve, promoting transparency and recognizability in the signing process. Of course, there are many other lessons to be learned, but this is undoubtedly one of them."

How to Prevent the Next Billion-Dollar Exchange Hacking Attack?

Jason pointed out that the lack of comprehensive regulation and security measures may be one of the factors that allowed this hacking incident to escalate. Previously, some validator nodes of the cross-chain bridge protocol THORChain refused to roll back or stop the Lazarus group from using the protocol to convert the stolen funds into Bitcoin, further sparking discussions about the boundaries of decentralization in the industry.

"Welcome to the Wild West," Jason said, "this is the reality we are currently in."

"In our view, if cryptocurrencies want to thrive, they need to embrace regulation," he believes. "To be more acceptable to the public, we need to proactively approach regulation and find ways to enhance the security of the industry."

Jason praised Bybit CEO Ben Zhou's response measures after the incident but also pointed out that the bug bounty program launched by Bybit before the hacking incident only offered $4,000. He stated that while most cybersecurity professionals are not solely driven by money, increasing the amount of bug bounties would still help exchanges maintain higher security.

When asked how exchanges and protocols can incentivize and retain top talent to ensure the security of their systems, Jason noted that security engineers do not always receive the recognition they deserve.

"Many people believe that top talent flows into development positions because those roles offer the most rewards," he said. "But this also relates to whether we give enough importance to security engineers. They bear significant responsibilities."

"Properly alleviating their pressure and providing more recognition and incentives, whether through monetary rewards or honors, is essential to give reasonable compensation within our capabilities."

Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice of any kind to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
