Blockchain needs standards

Without security audit standards, apps built on blockchain will continue to fall prey to hacks and exploits

OPINION
by Hind Kurhan /
article-image

Frame Fusion Art/Shutterstock modified by Blockworks

share

The 2023 crypto winter has been challenging for many, not least the thieves who target crypto wallets, platforms and token protocols. So far this year, they’ve only managed to steal $1 billion in crypto assets — a steep fall from 2022’s record $3.8 billion

Unfortunately, the decline appears to have more to do with a reduction in available capital than with stronger defenses. And while the scale of attacks has fallen, their frequency has in fact risen sharply: from 60 hacks in 2022 to 75 as of the end of October. And the year isn’t over.

If decentralized finance is ever to be widely accepted by retail and institutional investors, then it needs to achieve its goal of democratizing global finance. 

We must collectively do better at closing the loopholes that malicious actors are forever looking to slip through. 

The key to locking the door against bad actors? We need to vastly improve security auditing, which, at present, is inconsistent at best and a rubber-stamp exercise at worst. 

Specifically, our industry as a whole needs to adopt a consistent auditing methodology for decentralized technology that is rigorous, standardized and repeatable — as robust as what protects traditional finance.

Such an auditing standard, coupled with a public commitment by auditing firms to the principle of responsible disclosure — the willingness to call out projects that refuse to listen to or act on recommendations — will encourage projects themselves to raise their security standards.

Atomic Wallet’s refusal to heed a February 2022 public disclosure of serious security vulnerabilities by auditor Least Authority resulted in the loss of more than $100 million to hackers in June 2023. 

Newsletter

Subscribe to The Breakdown

At its best, a third-party security audit is a thorough investigation by a skilled team that analyzes every aspect of a system’s design and implementation, seeking out weaknesses and flaws that could affect operations or users — or offer bad actors access to sensitive data or assets. 

A good audit also carefully assesses whether developers and designers have adhered to best practices in a system’s creation and roll-out.

Vulnerabilities come in many forms; incorrect or insufficiently secure cryptography, sensitive information leaks, unprotected system parts, inconsistencies between system design documentation and the code used in implementation.

Weaknesses like these can result in anything from the exposure of sensitive and secret user data to the loss of user and system assets.

That audits are as detailed — and consistent — as possible is therefore essential to both a project and its users’ safety.

There are dozens of firms out there offering audit services, but with no industry standard, quality can and does indeed vary drastically. Even within reputable firms, there is neither consensus on what should be audited nor a consistent set of yardsticks.

There is, of course, no guarantee that even the most experienced auditors will either sniff out every weakness in a system or protect every user from loss. But if they are thoroughly and regularly carried out, security audits have been proven to sharply reduce the risk of a serious vulnerability going undetected.

Read more from our opinion section: It’s time for blockchain security firms to join forces

However, audits can’t stop social engineering attacks — those that involve the manipulation of human beings — such as when North Korean group Lazarus convinced engineers at an unidentified crypto exchange earlier this year to download malware disguised as an arbitrage bot. Preventing that type of attack only comes from vigilance and team training. 

It is true that every audit will be different, just as every project is different. 

But my long experience in the security auditing space has taught me there are specific steps an auditor must take to maximize the effectiveness of the security audit for the benefit of clients, users and the ecosystem.  

What are these requirements? An auditing standard that aims to make decentralized systems more resilient and protect their users from potential losses must include an exhaustive assessment of the following: 

  • The project’s threat model 
  • The security by design 
  • The security of implementation
  • The use of dependencies
  • Testing 
  • Project documentation
  • The scope of the audit, and whether or not it is sufficient.

To ensure that any improvement in standards benefits blockchain as a whole, we also advocate knowledge-sharing and the creation of public goods such as research, tooling and training.

By working together to improve the standards of the security auditing industry as a whole — and thus the decentralized technology sphere — we can go a long way toward stopping the blockchain black hat hackers from breaking 2022’s record for crypto assets stolen.

And that’s one record we don’t want to see broken again.

Hind Kurhan is a Co-Founder of Thesis Defense, a decentralized technology security auditing company whose mission is the facilitation of broad adoption of decentralized technology by improving security and audit consistency throughout the blockchain sphere.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research Report Templates (20).png

Research

DeFi's Trifecta: Ethena, Pendle, & Aave

The dynamic between Ethena, Pendle and Aave exhibits a mutually-beneficial relationship, where the offerings of each business grows the top lines of every party in this exchange. Pendle sits at the intersection of YBA issuers (Ethena) and money markets (Aave), demonstrating heightened utilization rates of YBAs, where the PTs then exhibit profound utilization as collateral. YBA issuers see Pendle as a premier go-to-market venue, often underwriting incentives for liquidity on the market and solving for Pendle’s supply side, while money markets view PTs as attractive collateral types to lend against, solving for Pendle’s demand side. PTs represent a highly profitable collateral listing for Aave, with depositors maxing out the available borrow capacity. Pendle’s recent launch of Boros may now present the most material growth vector beyond what is currently exhibited on V2 markets, offering the ability to price yield, spreads, and duration risk across various points in time out into the future.

by Luke Leasure

/

news

article-image

DeFiLightspeed Newsletter

Corporations don’t care about your blockchain

Stripe and Circle launch L1 chains

by Donovan Choy /
article-image

Business

DAT-a crunch: Momentum builds around ETH treasury companies

Ether-focused BitMine Immersion saw its daily trading volumes surge this week

by Ben Strack /
article-image

DeFi

Ronin rejoins Ethereum as rollup strategies diverge

From Ronin’s classic L2 pivot to Taiko’s based rollup and Puffer’s ultra-low-latency appchain testnet, Ethereum-aligned architectures are multiplying

by Macauley Peterson /
article-image

The DropWeb3

Winklevoss twins’ crypto exchange launches Gemini Wallet

The Gemini Wallet and Onchain hub are great for total beginners, but have a lot of room to grow

by Kate Irwin /
article-image

The Breakdown

Thursday links: Points, pancakes, DATs and merger arb

Airlines defend their rewards moat, Binance courts favor over breakfast, DAT fees pile up and systematic thinking

by Byron Gilliam /
article-image

DeFiLightspeed Newsletter

The state of Solana in 6 charts

ETF flows slow, REV stagnates, Pump strikes back and Drift punches up

by Donovan Choy /