Photo,Illustration,Of,Digital,Road,Sign,With,Text,Not,Your; Illustration: Urban Images; Source: Copyright (c) 2022 Urban Images/Shutterstock. No use without permission

Crypto’s biggest selling point is responsible for $8.5bn in losses. But it can be made safe

2026/04/23 01:07

Self-custody, the ability to personally control your own cryptocurrency without the need for governments or banks, is arguably the most valuable innovation of blockchain technology.

Yet it is also the biggest single cause of the thefts that increasingly plague the industry.

Compromises of the password-like private keys that control access to crypto wallets account for an eye-watering $8.5 billion in stolen onchain assets. That’s almost half of all hacks that have taken place over the past 10 years, according to DefiLlama data.

It’s a sobering statistic, and one that throws into question not just the idea of self-custody, but the $2.7 trillion industry built around it.

Yet despite its pitfalls, self-custody can be done safely, David Schwed, chief operating officer at SVRN and a cybersecurity expert who led development for BNY Mellon’s digital asset offerings, told DL News.

The problem, Schwed said, is that most crypto projects operate on shoestring budgets, are incentivised to build quickly, and don’t want to get slowed down by what they see as excessive security measures.

Projects need to hire seasoned chief information security officers and empower them to bring in teams of experts to build out proper security systems.

“If you do that, absolutely you can build self-custody,” Schwed said.

Crisis of confidence

The crypto industry has been shaken to its core in recent weeks after North Korean hackers stole a combined $579 million from two major decentralised finance projects, Drift and Kelp DAO.

The hacks triggered a crisis of confidence in DeFi. Industry insiders have started to question if the trade-offs inherent in decentralised technology are worth the trouble.

Yet the two attacks weren’t ultimately down to novel bugs or vulnerabilities in underlying code, as many before them were. Instead, the hackers exploited weak points in the security of the projects or other systems they relied on.

For Drift, hackers broke into the project’s internal systems by getting contributors to download malware following a months-long social engineering campaign.

At Kelp DAO, attackers compromised infrastructure providers in LayerZero’s decentralised verifier network, which the project relied on to know who to release funds to.

Competitive business

There are several reasons why security isn’t at the front of such developers’ minds, Schwed said. Investors in early-stage crypto projects often pressure developers to build out their product, get it to market, and work to gain traction as fast as possible, he said.

Crypto is a competitive business. Projects that make it to market first are often able to solidify their positions and bat away competition. Aave, the biggest DeFi lending protocol, was originally founded in 2017 as ETHLend. Uniswap, the biggest decentralised exchange, was among the first to launch back in 2018.

Then there are the costs. Bringing in a proper security team involves hiring a chief information security officer and at least three to five people, and that’s going to eat into the budgets of even the most well-funded projects, Schwed said.

The culture within scrappy crypto startups is also an issue.

A competent chief information security officer will want to put in so many controls and roadblocks that developers will feel like they’re not going to be able to build quickly enough, Schwed said. Often, the choice is made to simply not hire one, or bring in someone who is less experienced or takes a more lax approach to security.

“I look at their LinkedIn profile, and right before this they were an individual contributor engineer at a company, and now they’re head of security?” Schwed said, describing people he has seen leading security at some crypto projects.

“You don't have that experience to be that leader, to really force certain procedural safeguards,” he said.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
