Polygon security chief Mudit Gupta has urged Web 3.0 companies to hire traditional security experts to stamp out easily avoidable hacks, arguing that perfect code and cryptography are not enough.
Speaking to Cointelegraph, Gupta noted that several of the recent hacks in the cryptocurrency space were ultimately the result of Web 2.0 security failures, such as poor private key management and phishing attacks that harvested login credentials, rather than of poorly designed blockchain technology.
Gupta also stressed that a certified security audit of a smart contract, without standard Web 2.0 cybersecurity practices alongside it, is not enough to protect a protocol and its users' wallets from attack:
“I’ve been pushing at least every big company to get a dedicated security person who really knows that key management is important.”
“You have API keys that are used for decades and decades. So you have to follow the best practices and proper procedures to keep these keys safe. There should be a proper audit trail and proper risk management around these things. But, as we have seen, these cryptocurrency companies ignore all of this,” he added.
Although blockchains are typically decentralized on the backend, “users interact with [the applications] through a centralized website”, so you always have to “take into account” traditional cybersecurity measures around factors such as the domain name system (DNS), web hosting and email security, Gupta said.
Gupta also emphasized the importance of private key management, citing the $600 million Ronin Bridge hack and the $100 million Horizon Bridge hack as classic examples of the need to tighten private key security procedures:
“Those hacks had nothing to do with the security of the blockchain; the code was fine. The cryptography was fine, everything was fine. Except the key management, which was not. The private keys […] weren’t stored securely, and the way the architecture worked was that if the keys were compromised, the entire protocol was compromised.”
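The architectural point in that quote, and the audit-trail point from the API-key quote above, can be made concrete with a small model. The following is an added example written for this page, not Polygon's code nor that of any bridge: a withdrawal authorizer that requires a threshold of distinct validator approvals and records every key use. The "signatures" are HMACs keyed with each validator's secret, a stand-in for real ECDSA/Ed25519 signatures so the script runs on the standard library alone; the validator names, the withdrawal message and the log schema are constructed for the example.

```python
"""Toy bridge authorizer: blast radius of a key compromise under a single hot key
versus a threshold of independent signers, with an audit trail of every key use.
Added example, not code from Polygon or any real bridge."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def sign(secret: bytes, message: bytes) -> bytes:
    """Validator side: approve a withdrawal message.
    HMAC-SHA256 stands in for a real signature scheme (assumption for portability)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


@dataclass
class BridgeVerifier:
    """Releases a withdrawal only with `threshold` distinct valid validator approvals."""
    validator_secrets: dict[str, bytes]          # constructed: name -> verification secret
    threshold: int
    audit_log: list[dict] = field(default_factory=list)

    def _record(self, event: str, **details) -> None:
        # Append-only trail of every key use and every decision (hypothetical schema).
        self.audit_log.append({"ts": time.time(), "event": event, **details})

    def authorize(self, message: bytes, approvals: dict[str, bytes]) -> bool:
        digest = hashlib.sha256(message).hexdigest()
        valid: set[str] = set()
        for name, sig in approvals.items():
            secret = self.validator_secrets.get(name)
            # Each approval must verify under the key of the validator it claims to be from.
            ok = secret is not None and hmac.compare_digest(sign(secret, message), sig)
            self._record("approval_checked", validator=name, msg=digest, valid=ok)
            if ok:
                valid.add(name)  # a set, so one key replayed under several names counts once
        approved = len(valid) >= self.threshold
        self._record("withdrawal_decision", msg=digest,
                     valid_signers=sorted(valid), approved=approved)
        return approved


def attacker_succeeds(n_validators: int, threshold: int, n_compromised: int) -> bool:
    """Simulate an attacker who has stolen `n_compromised` validator secrets and
    tries to push a withdrawal through a threshold-of-n_validators bridge."""
    by_name = {f"validator-{i}": secrets.token_bytes(32) for i in range(n_validators)}
    verifier = BridgeVerifier(by_name, threshold)
    stolen = dict(list(by_name.items())[:n_compromised])
    if not stolen:
        return False
    withdrawal = b"withdraw 173600 ETH to attacker"  # constructed message
    # Real approvals from stolen keys, plus the first stolen key replayed under every other name.
    replay_secret = next(iter(stolen.values()))
    forged = {name: sign(stolen.get(name, replay_secret), withdrawal) for name in by_name}
    return verifier.authorize(withdrawal, forged)


if __name__ == "__main__":
    print("1-of-1 hot key, 1 stolen:", attacker_succeeds(1, 1, 1))   # True: total compromise
    print("5-of-9, 4 stolen:       ", attacker_succeeds(9, 5, 4))   # False
    print("5-of-9, 5 stolen:       ", attacker_succeeds(9, 5, 5))   # True
```

The threshold only shrinks the blast radius if the keys are actually independent: five keys that sit on one host, in one secrets store, or under one operator's control are a single key in all but name, and the audit log is what lets a team notice an approval pattern that no honest operation would produce.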
Gupta suggested that the current sentiment from blockchain and Web 3.0 companies is that if “you fall for a phishing attack, it’s your problem,” but he argued that “if we want mass adoption,” Web 3.0 companies have to take more responsibility rather than do the bare minimum.
“For us […] we do not want only the minimum security that distances responsibility. We want our product to be really safe for users to use. […] so we think about what traps they can fall into and try to protect users against them.”
Polygon is an interoperability and scaling framework for building Ethereum-compatible blockchains, allowing developers to build easy-to-use and scalable decentralized applications.
With a team of 10 security experts currently employed at Polygon, Gupta wants all Web 3.0 companies to take the same approach.
After the $190 million Nomad Bridge hack in August, cryptocurrency hacks have surpassed the $2 billion mark, according to blockchain analytics firm Chainalysis.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.