Cybersecurity

Lightning Network releases emergency update after critical bug on LND nodes

The bug caused LND nodes to fall out of sync with the chain, the second critical bug to hit the software in less than a month.

An emergency update was released to all of Lightning Network’s LND node operators on Nov. 1, after a critical bug caused LND nodes to fall out of sync with the chain. It was the second critical bug the software had suffered in less than a month.

According to Lightning Labs, the developer of LND, some LND nodes stopped syncing because of a bug in the btcd wire parsing library. The hot fix (v0.15.4) was released roughly three hours after nodes began failing. The release stated:

“This is an emergency hot fix release to fix a bug that can cause lnd nodes to be unable to parse certain transactions that have a very large number of witness inputs.”

As per the issue on GitHub, nodes that do not update stop seeing new blocks and therefore cannot react to a malicious channel closing by a counterparty, an exposure that becomes exploitable once channel timelocks expire, roughly two weeks out. The bug affected only LND nodes: their view of the chain went stale, although payments continued to work. Some versions of electrs were also affected, according to another issue on GitHub.

The transaction that triggered the bug was crafted by a developer known on Twitter as Burak, and carried the message: “you’ll run cln. and you’ll be happy.”

Burak had also triggered a similar bug on Oct. 9 by creating a 998-of-999 multisig transaction that btcd and LND nodes could not parse; they rejected the block containing it and every block after it. Lightning Labs released a patch the same day.
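Both incidents share one failure pattern: a wire-level parser in consensus-critical software enforced a limit that Bitcoin’s consensus rules do not, so a transaction every Bitcoin Core node accepted looked malformed to btcd, and every block from that point on was rejected. The Go program below is an added illustration of that pattern and of the fix, not btcd’s or LND’s code; the witness format mirrors Bitcoin’s (count, then length-prefixed items) but uses Go varints, and the limits, the block layout and the 998-signature witness are constructed for the example. The only difference between the failing node and the healthy one is whether the item-count bound is an arbitrary number or one derived from the consensus block size.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed limits for this toy; they are not btcd's real constants.
const (
	maxBlockBytes     = 4_000_000         // stand-in for the consensus cap on a serialized block
	policyMaxItems    = 500               // an arbitrary parser-only limit: the bug pattern
	consensusMaxItems = maxBlockBytes / 2 // every item costs at least two bytes, so this is the true bound
)

// ErrTooManyItems is returned when the declared item count exceeds the parser limit.
var ErrTooManyItems = errors.New("witness: item count exceeds parser limit")

// encodeWitness serializes a witness stack as count (uvarint), then each item
// as length (uvarint) followed by its bytes: the same shape as Bitcoin's
// witness encoding, with Go varints standing in for CompactSize.
func encodeWitness(items [][]byte) []byte {
	var buf bytes.Buffer
	tmp := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(tmp, uint64(len(items)))
	buf.Write(tmp[:n])
	for _, it := range items {
		n = binary.PutUvarint(tmp, uint64(len(it)))
		buf.Write(tmp[:n])
		buf.Write(it)
	}
	return buf.Bytes()
}

// parseWitness decodes the format above. maxItems is the only policy knob;
// allocation is otherwise bounded by the bytes actually present, never by
// the declared counts alone, so a hostile prefix cannot force a huge alloc.
func parseWitness(data []byte, maxItems uint64) ([][]byte, error) {
	r := bytes.NewReader(data)
	count, err := binary.ReadUvarint(r)
	if err != nil {
		return nil, err
	}
	if count > maxItems {
		return nil, ErrTooManyItems
	}
	if count > uint64(r.Len()) { // every item needs at least its length byte
		return nil, io.ErrUnexpectedEOF
	}
	items := make([][]byte, 0, count)
	for i := uint64(0); i < count; i++ {
		l, err := binary.ReadUvarint(r)
		if err != nil {
			return nil, err
		}
		if l > uint64(r.Len()) {
			return nil, io.ErrUnexpectedEOF
		}
		it := make([]byte, l)
		if _, err := io.ReadFull(r, it); err != nil {
			return nil, err
		}
		items = append(items, it)
	}
	return items, nil
}

// syncChain feeds every witness of every block, in order, through parseWitness
// and returns how many blocks were accepted. A parse failure stops the node at
// that height: it treats the block as invalid and never gets past it.
func syncChain(blocks [][][]byte, maxItems uint64) (int, error) {
	for h, blk := range blocks {
		for _, w := range blk {
			if _, err := parseWitness(w, maxItems); err != nil {
				return h, fmt.Errorf("block %d: %w", h, err)
			}
		}
	}
	return len(blocks), nil
}

// bigMultisigWitness is a constructed stand-in for a k-of-n tapscript spend:
// k signatures, the script, and a control block.
func bigMultisigWitness(k int) [][]byte {
	items := make([][]byte, 0, k+2)
	for i := 0; i < k; i++ {
		items = append(items, bytes.Repeat([]byte{byte(i)}, 64)) // 64-byte Schnorr signature
	}
	items = append(items, bytes.Repeat([]byte{0xac}, 1000)) // script placeholder
	items = append(items, bytes.Repeat([]byte{0xc0}, 33))   // control-block placeholder
	return items
}

// demoChain is three constructed blocks; the middle one carries a 998-signature
// spend that is fine under consensus but over the 500-item policy limit.
func demoChain() [][][]byte {
	ordinary := encodeWitness([][]byte{bytes.Repeat([]byte{1}, 64), bytes.Repeat([]byte{2}, 33)})
	huge := encodeWitness(bigMultisigWitness(998))
	return [][][]byte{{ordinary}, {ordinary, huge}, {ordinary}}
}

func main() {
	chain := demoChain()
	h, err := syncChain(chain, policyMaxItems)
	fmt.Printf("policy limit %d: accepted %d/%d blocks, err=%v\n", policyMaxItems, h, len(chain), err)
	h, err = syncChain(chain, consensusMaxItems)
	fmt.Printf("consensus-derived limit %d: accepted %d/%d blocks, err=%v\n", consensusMaxItems, h, len(chain), err)
}
```

The check worth taking away is the second one in parseWitness: rejecting a declared count larger than the remaining bytes keeps the parser safe against memory exhaustion without inventing a consensus rule, which is exactly the line the arbitrary 500-item limit crossed. Any bound a consensus client enforces at the wire layer has to be provably implied by the consensus rules themselves.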

On Twitter, users suggested that it was time for an LND bug bounty program.

Bitcoin Core developer Anthony Towns also said he had disclosed the vulnerability to LND developers two weeks earlier, noting, “The btcd repo doesn’t seem to have a reporting policy for security bugs, so not sure if anyone else working on btcd found out about it.”

The Lightning Network is a second layer built on Bitcoin’s (BTC) blockchain that allows off-chain transactions, i.e. payments exchanged between parties without each one being recorded on the blockchain.

Crypto hacks are set to hit all-time highs in 2022, analyst explains

Kim Grauer, Director of Research at Chainalysis, explains why the amount of crypto stolen in hacks is surging and what could be done to reverse this dangerous trend.

Reducing the amount of hacking by improving cybersecurity should be considered a top priority for the crypto industry, said Kim Grauer, director of research at blockchain intelligence firm Chainalysis.

As the firm has pointed out, this year could outpace 2021 in terms of crypto stolen through hacks. The vast majority of these exploits have targeted decentralized finance (DeFi) protocols.

“This can’t go on in the industry because people are going to lose faith in investing in DeFi platforms,” Grauer said in an interview with Cointelegraph.

Unlike centralized exchanges, which have improved their resilience to hacks, decentralized protocols have repeatedly been exploited, which Grauer attributes largely to the open source code they are built on.

“Anyone can parse over this open source code and look for code vulnerabilities that they can exploit,” Grauer explained.

Still, the researcher does not see vulnerability to hacks as an intrinsic problem of decentralized finance, but rather as a consequence of too little investment in security at the code level.

“There are contracts that have proven that they can remain secure,” she pointed out.

Grauer believes that once enough resources are invested in making the code “perfect,” decentralized protocols could become more secure than their centralized equivalents.

From neglecting security to bad tokenomics, DeFi has played a hand in its own decline

Tokenomics aimed at financing worthless models, rampant hacks, and a lack of real-world utility have played a role in the beleaguered crypto market’s decline.

Decentralized finance (DeFi) led cryptocurrency’s rapid growth in early 2021, but the crypto market has since plummeted in value. Global markets have played a role, but so has recklessness among developers when it comes to both cybersecurity and (often self-serving) inflationary token models.

Too much of DeFi has been built on tokens minted from nothing, or on tokens that finance other tokens at high interest rates, with no real underlying economic activity anywhere in the loop to back the yields offered.

Second, security issues, hacks and exploits of DeFi contracts and bridges have been widespread, and most notable DeFi platforms have suffered some form of exploit.

Lastly, the lack of a uniform standard for defining DeFi contracts has limited DeFi to native smart contract platforms and tools, which also limits potential for growth, universal clients and, ultimately, adoption.

Despite these failures, DeFi is likely here to stay. But it will need to see changes and improvements to have true utility.

Too many unsustainable yields and too much ‘minting’

The DeFi summer of 2021 gave rise to several projects that promised yields that were not undergirded by any real economic activity. Some of the yields were at rates as high as 200%, and many were paid for by minting more of the same arbitrarily created tokens.

DeFi sometimes promises very high yields. Source: Trader Joe’s

This arrangement essentially created a system that required an ever-increasing number of new users to create demand. The promised yields could only be sustained as long as new users kept arriving. Eventually, several high-yield operations, both DeFi protocols and the centralized lenders and funds built around them, suffered catastrophic failures (Terra, Voyager, Celsius and 3AC, to list a few). The future of DeFi will likely not lie in tokens that promise yields that are not sustained by true economic activity outside of minting tokens.

Cybersecurity has not been a priority

Another feature of the DeFi summer was the large number of projects that suffered from external and internal hacks of their reserves or users. Examples include the Ronin network, Polygon, Blizzard, Wormhole, Meter Bridge and, most recently, Binance Smart Chain (BSC). Some of the hacks illustrated weak security practices, to put it mildly.

Some projects lost a good portion of their reserves, and it took days or weeks before anyone noticed or disclosed a breach. And there were examples of protocols that were coded to move value without checking account balances. There were also examples of protocols undermined by developers that the operators apparently hired without fully validating their identities. These unfortunate incidents could prove to be learning experiences for the community.

Adopting fundamental security practices such as independent system monitoring and alerting, together with more rigorous and careful vetting and development, would help. The DeFi projects that succeed in the future will be those that approach security in a more fundamental and principled way while learning from the issues and events of DeFi’s early days.
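Two of the failures named above, value moved without a balance check and reserves drained for days before anyone noticed, are concrete enough to show in code. The Go program below is an added example, not code from any of the protocols mentioned: a constructed toy ledger with the unchecked transfer beside its hardened form, and an independent drawdown monitor run over a constructed reserve history. The monitor deliberately does not trust the protocol’s own accounting; it reads the reserve balance as an outside observer would and alerts when the balance falls by more than a set fraction inside a time window, which is what “independent monitoring” buys you when the protocol’s own checks have been bypassed.

```go
package main

import (
	"errors"
	"fmt"
)

// Ledger is a constructed toy token ledger; balances are whole token units.
type Ledger struct {
	Balances map[string]int64
}

var ErrInsufficient = errors.New("transfer: insufficient balance")

// transferUnchecked reproduces the bug pattern: it debits the sender without
// confirming the funds exist, so a reserve can be driven negative.
func (l *Ledger) transferUnchecked(from, to string, amt int64) {
	l.Balances[from] -= amt
	l.Balances[to] += amt
}

// Transfer is the hardened form: validate the amount and the balance before
// touching any state, so a failed check leaves the ledger untouched.
func (l *Ledger) Transfer(from, to string, amt int64) error {
	if amt <= 0 {
		return errors.New("transfer: amount must be positive")
	}
	if l.Balances[from] < amt {
		return ErrInsufficient
	}
	l.Balances[from] -= amt
	l.Balances[to] += amt
	return nil
}

// ReserveEvent is one observation of the protocol reserve, as an independent
// monitor would read it from the chain. T is seconds since some epoch.
type ReserveEvent struct {
	T       int64
	Balance int64
}

// Alert describes the first window in which the reserve fell by more than
// the allowed fraction of the window's opening balance.
type Alert struct {
	From, To ReserveEvent
	Drawdown float64
}

// monitorDrawdown walks the events in order and, for each one, looks back at
// every earlier event within windowSecs; it returns the first pair whose
// drawdown exceeds maxDrawdown, or nil if the history never breaches it.
func monitorDrawdown(events []ReserveEvent, windowSecs int64, maxDrawdown float64) *Alert {
	for i, cur := range events {
		for j := i - 1; j >= 0; j-- {
			start := events[j]
			if cur.T-start.T > windowSecs {
				break // everything earlier is outside the window too
			}
			if start.Balance <= 0 {
				continue
			}
			dd := float64(start.Balance-cur.Balance) / float64(start.Balance)
			if dd > maxDrawdown {
				return &Alert{From: start, To: cur, Drawdown: dd}
			}
		}
	}
	return nil
}

// sampleEvents is a constructed reserve history: steady, then a fast drain.
func sampleEvents() []ReserveEvent {
	return []ReserveEvent{
		{T: 0, Balance: 1_000_000},
		{T: 600, Balance: 995_000},
		{T: 1200, Balance: 990_000},
		{T: 1800, Balance: 400_000}, // about 60% gone in ten minutes
		{T: 2400, Balance: 100_000},
	}
}

func main() {
	l := &Ledger{Balances: map[string]int64{"reserve": 1000, "attacker": 0}}
	l.transferUnchecked("reserve", "attacker", 5000)
	fmt.Println("unchecked transfer leaves reserve at:", l.Balances["reserve"])

	l = &Ledger{Balances: map[string]int64{"reserve": 1000, "attacker": 0}}
	fmt.Println("checked transfer:", l.Transfer("reserve", "attacker", 5000))

	if a := monitorDrawdown(sampleEvents(), 3600, 0.25); a != nil {
		fmt.Printf("ALERT: reserve fell %.0f%% between t=%d and t=%d\n", a.Drawdown*100, a.From.T, a.To.T)
	}
}
```

The threshold is a fraction of the window’s opening balance rather than an absolute amount, so the same rule works as the reserve grows or shrinks, and the look-back compares against every in-window observation rather than only the previous one, so a drain spread across several small steps still trips it.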

Redefine DeFi to finance real economic activity

One of the touted and expected benefits of blockchain technology is its potential to bring more of the unbanked and underbanked into the financial system. This represents a huge potential for the growth and upliftment of communities.

However, it has been a missed opportunity thus far. Much of DeFi has simply focused on financial products for those already in the crypto community by building those products around the borrowing, lending and shuffling of crypto tokens. DeFi’s maturation would be bolstered by addressing the aspirations of the underbanked in the real world.

Taking advantage of the ability to tokenize real-world items using standards similar to ERC-721 for nonfungible tokens (NFTs), “buy now, pay later” (BNPL) DeFi products are beginning to emerge. Some of these products are based on lending to finance tokenized real-world items such as smartphones as a work tool, and recently even mortgage financing.

The DeFi products are secured by those real-world items, able to accommodate a decentralized set of agents and customers, and are based on the actual yields achievable for such financial transactions. More products designed to underwrite real-world financial aspirations and address underbanked communities are likely to continue to emerge.

Develop a standard for representing DeFi contracts

Standards can be a significant catalyst for growth. The ERC-20 standard, for instance, helped the development of fungible tokens by making them easier to interpret across different applications and platforms: an ERC-20 token can be defined on Ethereum, BSC or Avalanche, and a user can manage it with clients developed by teams independent of those projects.

Examples of such clients include MetaMask, Brave or, indeed, any client implementing the ERC-20 standard. There are many developments that this has enabled, including the bridging of tokens across platforms. Similarly, the ERC-721 standard has been a catalyst for the growth of nonfungible tokens, allowing users to utilize different platforms and clients for managing NFTs.

A standard for representing decentralized financing for end users will likely have similar effects. For one thing, it will allow various development teams and projects to represent DeFi products in a consistent manner, which would reduce a lot of ad hoc interpretations and coding of DeFi contracts. It will allow users to manage their DeFi products on different clients and browsers that support the standard. This would include automatic payment for DeFi loans or lines of credit, as well as potentially providing portability for DeFi products across platforms.

Define a standard for DeFi contracts

A DeFi standard would necessarily need to be encompassing enough to be able to define various types of DeFi products. This would include secured and unsecured DeFi loans, lines of credit, BNPL contracts, DeFi mortgages, and even crypto yield products currently prevalent in the crypto community.

Illustration of the components for a potential DeFi standard. Source: Ken Alabi

Such a standard would be defined so that it could be used for any DeFi contract, based on a generalized form consisting of a lender or asset provider, a borrower, and a repayment structure. For instance, a BNPL contract would be similar to a secured loan, having a principal amount, collateral, duration and terms, but where the interest rate would typically be 0%. Overall, the standard would define such broad and general ways to describe DeFi contracts. It would improve on existing DeFi and traditional finance contracts by allowing them to be more portable, potentially transferable, and more easily tradable as collateral, by having a consistent form used by everyone adopting the standard.

The future of DeFi

Assets need to have utility. They also need to provide rewards for those who deploy them. When these constructs work correctly in identifying and pairing those with funding with those in need of funding (who are also able to deploy resources efficiently and repay resource providers), they have been an important driver of growth and development in human societies.

These constructs drive enterprise and small businesses; fund commerce, mortgages and provisions of shelter; and touch every part of any economy. Societies that have developed more successful ways of identifying borrowers with lower default rates, utilizing credit scoring and other algorithmic means, including even AI, have tended to be more successful at lifting more members out of poverty than those that have not.

Decentralized finance has the promise and ability to reach millions not served by the traditional banking and finance system. This potential has a greater chance of being realized if DeFi shakes off its initial incarnations that focused more on products with bogus yields that were not underpinned by any real value creation by borrowers and relied more on simply printing unbacked tokens.

Developing and utilizing standards in the creation of DeFi contracts would be a catalyst for leading the growth of DeFi when applied to responsible and well-grounded contracts and products.

Ken Alabi has a doctorate in engineering from Stony Brook University, a master’s in computer-aided engineering from University of Strathclyde, and is an IT professional, programmer and published researcher with several peer-reviewed publications in various fields of technology. The author has also published articles related to blockchains, decentralization of business processes similar to blockchain technology, and the interoperability of blockchains.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Web3 is the solution to Uber’s problem with hackers

Centralized databases on Web2 are a honeypot for hackers. Decentralizing data on Web3 eliminates a major vulnerability for companies like Uber.

Uber is a staple of the gig economy, for better or worse, and a disruptor that once sent shockwaves throughout the mobility space. Now, however, Uber is being taken for a ride. The company is handling a reportedly far-reaching cybersecurity breach. According to the ride-hailing giant, the attacker has not been able to access sensitive user data — or at least, there is no evidence to suggest otherwise. Whether or not sensitive user data was exposed, this case points to a persistent issue with today’s apps. Can we continue to sacrifice our data — and thereby our privacy and security — for convenience?

Web2, the land of hackable honeypots

Uber’s track record for data breaches is not exactly spotless. Just in July, the ride-hailing giant acknowledged hushing up a massive breach in 2016 that leaked the personal data of 57 million customers. In this sense, the timing of the new incident could not have been worse, and given how long it takes to establish the damage done in such breaches, the full scale of the event has yet to reveal itself.

Uber’s data breach is not anything out of the ordinary — Web2 apps are ubiquitous, ever reaching further into our lives, and many of them, from Facebook to DoorDash, have suffered breaches as well. The more Web2 apps proliferate across the consumer space and beyond, the more often we will get such incidents in the long run.

The issue comes down to the very architecture of apps built on Web2. Through their centralized tech stacks, they naturally create honeypots containing users’ sensitive data from payment details to consumer behavior. As users funnel more and more data through various consumer apps, hackers have more and more honeypots to pursue.

The only true solution to the problem is also the most radical one — consumer apps should embrace Web3, restructure their data and payment architectures to grant users more security and privacy, and welcome this new era of the internet.

What would a Web3 Uber look like?

Web3 does not necessarily mean a change in the app interfaces we interact with. In fact, one could argue that continuity and similarity are key to adoption. A Web3 Uber would look and feel pretty much the same on the surface. It would have the same overall purpose and function as existing Web2 ride-hailing apps. Below the deck, however, it would be a very different beast. All the benefits of Web3 such as decentralized governance, data sovereignty and inclusive monetization models — systems that distribute earnings democratically — are engineered below the surface.

Web3 is all about verifiable ownership. It is the first time that people can verifiably own assets, be it digital or physical, through the Web. This pertains to ownership of value in the form of cryptocurrencies, but in the case of Web3 ride-hailing, it also pertains to retaining ownership of your data and ownership of the apps, underlying networks and the vehicles themselves.

In practical terms, a Web3 Uber will allow users to control how much data they give, to whom and when. Web3 Uber would ditch centralized databases in favor of peer-to-peer networks. Self-Sovereign Identities — decentralized digital IDs that you own and control — would allow people and machines alike to have decentralized digital passports which are not dependent on any one central authority for their proper function.

Drivers and passengers would be able to verify themselves on the Web3 ride-hailing app with their SSI in a fully peer-to-peer manner. They would also be able to choose what data they’d like to share or sell and to whom, exercising full ownership over their personal information and digital footprint.

Decentralized governance will make for another monumental shift. It will mean that all stakeholders, be it drivers, passengers, app developers and investors alike, will have the ability to co-own, co-govern and co-earn on all levels — from the infrastructure powering the decentralized application to the intricacies of the DApp itself. It would be a ride-hailing app by users, for users.

Imagine for a moment that the fees charged by Uber were voted on by drivers and passengers, not dictated by a boardroom in Silicon Valley. Ask the next Uber driver what they think of that. Users, for their part, will be able to vote things like disaster-time price surges into the bin. For drivers all over the world, Web3 ride-hailing will mean being paid fairly without a third-party corporate intermediary taking a cut.

Web3 also enables a new kind of sharing economy, one where anyone, anywhere is able to own the vehicles being used by ride-hailing apps or any other kind of vehicle-focused app via machine nonfungible tokens (NFTs) — tokens that represent ownership over pools of real-world vehicles. It will be possible for the communities in which these vehicles operate to have ownership rights over those same vehicles, granting the ability to vote on how they’re used and giving them an income stream. The more these increasingly intelligent machines provide goods and services to the community, the more the community earns. Web3 is turning the status quo on its head.

A shift to Web3 in consumer apps will address the root cause of the persistent breaches, removing the very need for centralized data honeypots without necessarily making things more complicated for users. Despite that being an enormous paradigm shift in and of itself, data sovereignty is just one of the advantages a Web3 Uber would have over Web2 Uber.

In the future, blockchain will become something as unseen as the inner workings of Google Pay — just fully accessible to those who wish to view it. It will be something users unknowingly interact with when ordering a pizza or hailing a ride — yet absolutely fundamental to a fairer, more democratic society in the digital age.

Max Thake is the co-founder of Peaq, a blockchain network powering the Economy of Things on Polkadot.

This article is for general informational purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

US lawmakers propose amending cybersecurity bill to include crypto firms reporting potential threats

Under the proposed amendment, the 2015 legislation would be renamed the Cryptocurrency Cybersecurity Information Sharing Act.

United States Senators Marsha Blackburn and Cynthia Lummis have introduced proposed changes to a 2015 bill that would allow “voluntary information sharing of cyber threat indicators among cryptocurrency companies.”

According to a draft bill on amending the Cybersecurity Information Sharing Act of 2015, Blackburn and Lummis suggested U.S. lawmakers allow companies involved with distributed ledger technology or digital assets to report network damage, data breaches, ransomware attacks and related cybersecurity threats to government officials for possible assistance. Should the bill be signed into law, agencies including the Financial Crimes Enforcement Network and the Cybersecurity and Infrastructure Security Agency would issue policies and procedures for crypto firms facing potential cybersecurity risks.

The original bill, which passed in the Senate in October 2015, essentially set up a framework for the U.S. government to coordinate cybersecurity reports from “private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threats” and recommend possible methods to prevent and protect against attacks. Under the proposed amendment, the legislation would be renamed the Cryptocurrency Cybersecurity Information Sharing Act.

Blackburn reportedly told TechCrunch that the amendments to the cybersecurity bill would provide a means for crypto firms to “report bad actors and protect cryptocurrency from dangerous practices,” given potential illegal uses. Lummis has also co-sponsored bills in the Senate aimed at providing regulatory clarity to the space by addressing the respective roles of the Securities and Exchange Commission and Commodity Futures Trading Commission over digital assets.

The original cybersecurity bill provided that its provisions would remain in effect for 10 years from the date of enactment. The standalone Senate bill, S. 754, was held at the desk in the House of Representatives after passing the Senate in October 2015; its text was then enacted in December 2015 as part of the Consolidated Appropriations Act, 2016.

Entrepreneurs must learn to tackle business risks in the Metaverse

The Metaverse is fraught with risks. Implementing effective safeguards — both physical and virtual — will be critical to entrepreneurs seeking to do business there.

Hyped as it is, the Metaverse remains largely undefined. It’s a challenge to answer the question “What is the Metaverse?” in part because its definition depends on whom you ask. As it stands today, the “Metaverse” includes virtual reality and what we might previously have called “cyberspace” — including digital assets like non-fungible tokens (NFTs), cryptocurrencies and more.

In the rush to become the first to innovate in metaverse technology, companies are deprioritizing risk management. But risk management is as critical in the Metaverse as in our physical world — all risk is linked and must be managed in a connected way. If new entrants to the Metaverse are meant to protect against the overwhelming scale and cost of cyber risks, they must learn to identify these risks, continuously monitor for threats, and make informed decisions for a strong future based on information gained from past threats and attacks.

Here are three types of metaverse risks expanding the attack surfaces for businesses.

Physical hardware risks

From headsets to chips with highly efficient computing power, virtual worlds need hardware to operate. The physical hardware used to run the Metaverse can create a cyber risk of its own.

As people create, expand and join metaverse worlds, the huge and powerful potential of this virtual space creates new attack surfaces for bad actors to test and breach. The assemblage of hardware from multiple sources required to successfully enable entry into this digital reality invites increased threats like the man-in-the-middle (MITM) attacks we’ve seen (in real life) at ATMs and on mobile applications.

To ensure safety, companies entering or experimenting in the Metaverse will have more places to monitor as part of their risk management strategy. Companies will need to create more advanced and comprehensive security controls for physical hardware as well as digital gateways while continuously managing their compliance.

Risk in cryptocurrency assets

In the Metaverse, crypto trades have been huge sources of risk. While cryptocurrencies started as a controlled niche industry driven by experts who were very concerned with security and privacy, growth in the crypto space has brought with it more opportunity for risk.

Growing numbers of consumer traders, new companies and hackers all increase the risk factors in crypto transactions. Crypto has also become the de facto currency for ransomware payments, and cyberattacks against crypto accounts themselves are on the rise. The growing number of metaverse technologies will continue to endanger crypto security until companies catch up and begin dedicating resources toward addressing this type of risk.

Tracking fraudulent activity and implementing secure authentication can make a significant difference against cybersecurity threats, particularly in crypto. Threats happen faster than ever before, so continuous monitoring of risks is a necessity.

Organizations can only do so much, as individual users — the holders of crypto wallets — are a large part of the risk. Scams, hacks and password threats target vulnerabilities at the individual level. Individuals share an important responsibility in conducting due diligence against crypto threats in the Metaverse.

Identity risk

By design, the Metaverse is based on anonymity and fluidity. A digital reality, unlike the offline world, allows users to cloak their identities and reinvent their characters. Digital avatars assume characteristics chosen by their owner, and these identities are not carefully regulated — as on the internet, aliases are changeable.

This opens individuals, as well as the companies that operate metaverse territories, up to even greater potential risk. With innovation rapidly expanding and security a lower priority, it is difficult for users and metaverse technologists to tell the “good guys” and the “bad guys” apart. Increasing calls for controls around identity risk in the Metaverse stem from incidents relating not just to unintentional data-sharing between human players and automated “mimic” avatars (bots), but also alleged episodes of player-to-player verbal abuse and even sexual harassment.

Implementation of safeguards against these breaches in privacy will only increase in difficulty if the future metaverse ideal — one large, interconnected web of metaverse territories where identities and assets are entirely portable — comes to fruition.

Right now, that technology isn’t yet available — and maybe it won’t ever be. But there’s no question that the Metaverse is emerging as a real business and consumer technology — and a real risk factor. And like every space, it requires real, proactive risk management.

Gaurav Kapoor is the co-CEO and co-founder of MetricStream Solutions & Services, where he is responsible for strategy, marketing, solutions, and customer engagement. He also served as MetricStream’s CFO until 2010. He previously held executive positions at OpenGrowth and ArcadiaOne, and spent several years in business, marketing and operations roles at Citibank in Asia and in the U.S.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

CBDCs require governments to put a special focus on security

Any nation implementing a CBDC in the near future must make sure it’s ready to defend its digital assets and, most importantly, its private keys.

Today’s financial world is becoming increasingly digitized, and naturally, central banks want to adapt to the changing environment. The use of cash is rapidly declining. Globally, the rise of digital payment apps and COVID-19 have only accelerated the decline in cash usage, fueling interest in digital currencies and demand for easier payment solutions.

As crypto adoption continues to expand, the idea of central bank digital currencies (CBDCs) has also gained momentum. Governments across the world have been flirting with, and examining, the idea of issuing their own CBDCs, with a handful already launching.

It isn’t clear when CBDCs will become normalized. Don’t expect CBDCs to resemble Bitcoin’s (BTC) decentralized characteristics because, by definition, a central bank is a centralized entity. That being said, they can provide some of the same benefits, such as reducing payment verification times and providing proof of transaction. There are, however, still quite a few challenges to overcome.

Among these challenges are the operational risks of the “cyber sphere.” While banks are accustomed to investing resources in safeguarding their “fiat” reserves, safeguarding digital currencies requires a different mindset. Blockchain-based systems have properties, pseudonymity and irreversibility among them, that scammers readily exploit. It is not yet clear, though, whether CBDCs will use blockchain technology at all.

Could CBDCs potentially expose central banks to new types of cyber threats? And how would these potential threats or vulnerabilities manifest themselves?

Cybersecurity isn’t easy

Hackers have become increasingly sophisticated and brazen in their attacks over the last few years. Both traditional finance and blockchain protocols find themselves victims of malicious intent. In fact, Denmark’s central bank was hacked as part of the SolarWinds operation in late 2020. This should sound alarm bells for governments everywhere.

Imagine a group of dedicated attackers finds a way in, through a backdoor or otherwise, and gains control of the central bank’s private key. Private keys are the most important element of a blockchain system: any transaction signed with the key is accepted by the system as valid. At that point, the bulk, or a significant chunk, of the country’s treasury could effectively be held hostage by a criminal organization, which could mint or burn digital currency at will.

An influx or reduction in a digital currency could affect the value of the genuine currency, have an impact on consumers through inflation, and lead to monetary losses for companies. A breach to this extent could be catastrophic and potentially lead to the devastation of the nation’s entire economy. Of course, an attack of this scale would be far too advanced for even some of the most talented criminal masterminds, but the threat cannot be dismissed. Such an attack would be unprecedented, so predicting the aftermath is anyone’s guess. But it wouldn’t be pretty: The world’s economic and political order and stability would, undoubtedly, be tested.

Clearly, any government would spend top dollar on cyber defenses to protect its newly established digital infrastructure. But simply investing an abundance of resources isn’t a guarantee against hacks. Naturally, any central bank launching a digital currency would be an attractive target.

So how can a country that is determined to launch its own CBDC protect its treasury from criminals trying to steal it?

Securing the national treasury

Disincentivizing malicious cyber attackers is no easy task — they are always on the lookout for new and rewarding targets while exploiting the slightest vulnerabilities. Crypto hackers are adept at identifying attack surfaces, exploiting them, injecting malicious code, and taking control of individuals’ and organizations’ private keys.

Banks invest millions, if not billions, each year to defend their databases and IT infrastructure. Various security layers are employed to protect against hackers, inside jobs or unintentional leakage of sensitive information. While banks are familiar with information security, safeguarding digital assets requires a vastly different approach than safeguarding traditional assets.

If they decide to leverage blockchain, central banks must consider how existing banking frameworks can be adapted to blockchain’s distributed architecture, with extra attention paid to the system architecture, governance and consensus mechanisms.

When it comes to safeguarding a nation’s treasury, there is no such thing as “too secure.” In the case of CBDCs, banks must take great measures to protect and defend their private keys. Today’s custody solutions have come a long way, and yet, almost all of them suffer from the same deficiency. Due to the anatomy of a blockchain transaction, all transactions must be conducted while connected to the internet at some point.

Related: US central bank digital currency commenters divided on benefits, unified in confusion

This connectivity is their single point of failure and the reason they cannot be 100% secure. Governments are therefore advised to find a “never internet-connected” solution to store and manage the private keys while issuing the CBDCs, providing custody and conducting on-chain settlements.

Most central banks are rightfully taking their time and conducting all the necessary due diligence to weigh the risks and rewards of CBDCs properly. Some may actually decide to push off their involvement, especially given the crypto market’s volatility. But any nation implementing a CBDC in the near future must make sure it’s ready to defend its digital assets and, most importantly, its private keys.

When it comes to blockchain, central banks should completely rethink everything they know about IT security needs. Only then can they launch their digital currencies with enough peace of mind.

Lior Lamesh is the co-founder and CEO of GK8, a blockchain cybersecurity company that offers a custodial solution for financial institutions. Having honed his skills in Israel’s elite cyber team reporting directly to the prime minister’s office, Lior led the company from its inception to a successful acquisition for $115 million in November 2021. In 2022, Forbes put Lior and his business partner Shahar Shamai on its 30 Under 30 List.

Crypto security experts raking in $430K salaries amid spike in hacks

The demand for blockchain security experts comes amid a rise in crypto hackings in 2022.

The rise of crypto hacks over 2022 has skyrocketed demand for blockchain security experts, with some auditors making upwards of $430,000 per year.

Speaking with Cointelegraph, blockchain recruitment firm CryptoRecruit founder Neil Dundon said that while security audit services have long been in demand, the rise of decentralized finance (DeFi) protocols has opened up opportunities for auditors to review potentially vulnerable smart contracts:

“There’s always been a demand for security auditors […] But since DeFi apps have been out there, there has been quite a big increase in demand for security audits across the space because one small vulnerability in the protocol can potentially lead to the loss of hundreds of millions of dollars.”

A report from Chainalysis earlier this month revealed that hackers extracted more than $2 billion from cross-chain bridge protocols alone this year.

In a Bloomberg report on Monday, CEO of decentralized lending service Morpho Labs Paul Frambot said that crypto security audits have moved from a “nice to have” business expense to a “must have” one.

“Security is, in my opinion, not taken sufficiently seriously in DeFi,” he said.

The rise in demand for crypto security auditors has seen a plethora of “for hire” ads across the industry.

According to job advertisements posted on Cryptocurrency Jobs, blockchain audit companies mostly look for experienced programmers with an understanding of blockchain technology, cybersecurity and cryptography.

While most security audit salaries fall within the $100,000-$250,000 range, some companies are willing to pay upward of $430,000 per year, according to Web3.career’s job board.

Zeth Couceiro of crypto recruitment firm Plexus Resource Solutions made a similar comment to Bloomberg, noting that in some cases, blockchain security auditors have been raking in up to $400,000 annually.

Couceiro added that these auditors tend to make about 20% more than developers focused on Solidity, the most popular programming language used to deploy smart contracts on Ethereum and other Ethereum Virtual Machine (EVM)-compatible blockchains.

Related: What is a smart contract security audit? A beginner’s guide

Among the top vulnerabilities that security auditors look for in smart contracts are timestamp dependency, reentrancy attacks, random number vulnerabilities and spelling mistakes.

The Bloomberg report noted that venture capital firms have already poured $257 million into crypto security audit companies this year, up 38.9% from all of 2021, according to CB Insights.

Curve Finance resolves site exploit, directs users to revoke any recent contracts

An exploit of the site’s front end appears to have resulted in the theft of over $573,000 USD, according to users.

On Tuesday, automated market maker Curve Finance took to Twitter to warn users of an exploit on its site. The team behind the protocol noted that the issue, which appeared to be an attack from a malicious actor, was affecting the service’s nameserver and frontend.

Curve stated via Twitter that its exchange — which is a separate product — appeared to be unaffected by the attack, as it uses a different domain name system (DNS) provider. 

However, the issue was quickly addressed by the team. An hour after the initial warning, Curve said it had both found and reverted the issue, directing users who have approved any contracts on Curve in the last few hours to revoke them “immediately.” 

Curve noted that, most likely, the DNS server provider Iwantmyname was hacked, adding that it has subsequently changed its nameserver. 

A nameserver works like a directory that translates domain names into IP addresses. 

While the exploit was ongoing, Twitter user LefterisJP speculated that the alleged attacker had likely utilized DNS spoofing to execute the exploit on the service.

Other participants in the DeFi space quickly took to Twitter to spread the warning to their own followers, with some noting that the alleged thief appears to have stolen more than $573,000 USD.

Back in July, analysts suggested that they were favorably eyeing Curve Finance, despite the market downturn which continues to affect the larger DeFi space. Among the reasons cited by researchers at Delphi Digital for their bullishness, they specifically called out the platform’s yield opportunities, the demand for Curve DAO Token (CRV) deposits, and the protocol’s revenue generation from stablecoin liquidity.

This followed the platform’s release of a new “algorithm for exchanging volatile assets” in June, which promised to allow low-slippage swaps between “volatile” assets. These pools use a combination of internal oracles relying on Exponential Moving Averages (EMAs) and a bonding curve model, previously deployed by popular automated market makers such as Uniswap.

Update: Added announcement from Curve Finance that the issue has been resolved, pointing to its nameserver as the likely culprit for the exploit. 

VC Roundup: Lightning Network payment rail, DeFi trading platform and blockchain security firm raise millions

ZEBEDEE, Halborn, Hashflow, Socios and EtherMail headline the latest funding deals from the world of blockchain and cryptocurrency.

Even with the onset of crypto winter, 2022 has been a watershed year for venture capital funding. Crypto and blockchain companies collectively raised $30.3 billion in venture capital in the first half of 2022, exceeding all of last year’s totals. While the number of deals has declined in recent months, startups at the intersection of blockchain payments, decentralized finance (DeFi) and cybersecurity are still attracting sizable interest from the VC community. The latest edition of VC Roundup highlights some of the most intriguing funding deals of the past month.

Related: The risks and benefits of VCs for crypto communities

ZEBEDEE closes $35M Series B

ZEBEDEE, a Bitcoin (BTC)-powered payment processor for the gaming industry, has raised $35 million from several investors including Kingsway Capital, The Raine Group and Square Enix. ZEBEDEE is essentially a platform that allows game developers to incorporate programmable money, including BTC, into their games. The payment platform is powered by Lightning Network, making ZEBEDEE a “Bitcoin enabler of choice” for its partners, according to Kingsway Capital managing partner Afonso Campos.

Blockchain security company raises $90M Series A

Blockchain security firm Halborn closed a $90 million funding round in July that was led by Summit Partners with additional participation from Castle Island Ventures, Digital Currency Group and Brevan Howard, among others. Halborn was founded in 2019 by ethical hackers offering blockchain security services. The company recently warned MetaMask users to be wary of a phishing campaign targeting their browser wallets.

DeFi platform Hashflow raises $25M in Series A funding

Hashflow, a decentralized finance trading platform headquartered in San Francisco, has closed a $25 million funding round backed by some of crypto’s most prominent venture funds. The investment round, which had participation from Jump Crypto, Electric Capital, Dragonfly Capital Partners and GSR, will aid Hashflow in expanding its product offerings for market makers and institutional traders.

Socios acquires 24.5% stake in Barca Studios

Fan engagement token platform Socios announced in early August that it would invest $100 million in Barca Studios, the digital content arm of the FC Barcelona football club. Socios, which is owned by blockchain technology provider Chiliz, will help FC Barcelona accelerate its Web3 and nonfungible token (NFT) engagement strategy. Specifically, Barca Studios is pursuing NFT and metaverse projects that will help the football club engage with its vast global fanbase, and will rely on Socios’ blockchain to deliver on the strategy.

Related: Crypto Biz: Gucci ‘apes’ into crypto

EtherMail secures seed funding for wallet-to-wallet communications

Web3 email solution EtherMail has raised $3 million ahead of the planned launch of its encrypted wallet-to-wallet communication service. Scheduled for release in the third quarter, EtherMail enables Web3 companies to send “rich, relevant content directly to their asset holders,” thereby reducing the risk of communication fraud. The service also streamlines community newsletter distribution by enabling autonomous, self-updating mailing lists. The seed round was led by Fabric Ventures and Greenfield One.