The following insightful piece comes to you as a guest post from Michael Egorov, the innovative Founder of Curve Finance.

The recent security breach experienced by Bybit, detailed in their hack announcement, resulted in a staggering $1.5 billion loss in crypto assets. This incident now holds the unenviable title of the largest hack in the crypto industry’s history. What’s particularly alarming about this event is that the hackers specifically targeted Bybit’s cold storage – traditionally considered the most fortified area of an exchange’s infrastructure. 

While Bybit acted swiftly to replenish their reserves with the help of their partners, this whole episode has understandably left many in the crypto community deeply concerned. It once again throws a spotlight on critical security questions: Just how vulnerable are crypto exchanges, and what crucial lessons should the industry be extracting from this significant breach?

The Growing Risk to CEX Platforms

From my perspective, this isn’t just another cyberattack; it’s more like a loud alarm bell highlighting the inherent security weaknesses within centralized exchanges (CEXs). Despite the implementation of rigorous security protocols, CEX platforms remain highly desirable targets for hackers. Why is this the case? It boils down to their very nature: centralization.

Unlike Decentralized Finance (DeFi), where user funds are spread out across individual self-custodial wallets, centralized exchanges consolidate assets within a controlled infrastructure. This creates a potential single point of failure. If a hacker manages to penetrate just one layer of security, they can gain access to substantial amounts of cryptocurrency. Once that happens, the situation is often dire. Recovering any lost funds then depends heavily on centralized intervention, cooperation from external parties, and a good measure of luck.

A report from Chainalysis clearly indicates that in 2024, centralized services were the primary target for cyberattacks. This marks a noticeable shift, with CeFi experiencing more attacks than DeFi. This trend is supported by data from Hacken’s report which reveals that security breaches in CeFi more than doubled in the previous year, resulting in losses approaching $700 million. Notably, vulnerabilities in access control were identified as a major contributing factor to these breaches.

This data reinforces the idea that exchanges need a serious rethink of their current security strategies.

DeFi’s Alternative Take on Asset Safety

On a brighter note, the very architecture of DeFi platforms inherently mitigates many of the risks we’ve just discussed. Instead of relying on a centralized infrastructure, DeFi protocols utilize smart contracts and robust cryptographic security mechanisms to safeguard assets. This fundamentally eliminates the single point of failure issue – there isn’t a single entity that can be targeted to drain user funds en masse.

However, it’s important to recognize that DeFi isn’t immune to risks. Operating in a permissionless environment means hackers are a constant presence. And because transactions on the blockchain are irreversible, the ultimate safeguard is truly impeccable code. Flawed code creates vulnerabilities, but error-free code effectively prevents hackers from successfully breaching the system.

Hacken’s 2024 security report highlights that smart contract exploits only accounted for around 14% of total crypto losses in 2024. This statistic underscores why I strongly advocate for comprehensive smart contract audits to ensure the highest possible security benchmarks.

AI in Cybersecurity: A Double-Edged Sword

Artificial intelligence is rapidly gaining prominence, and many in the crypto space are curious about its potential role in cybersecurity. Let me share my perspective on this evolving topic.

Firstly, it’s worth noting that AI tools aren’t quite at the sophistication level needed to be consistently effective in complex security tasks just yet. But, as AI technology progresses, it’s highly probable that it will become a powerful force in this domain.

Well-developed AI tools have the potential to be exceptionally valuable in simulating and rigorously analyzing smart contract executions. Essentially, they could become adept at identifying vulnerabilities within smart contracts, enabling developers to proactively patch security loopholes well before malicious actors can exploit them.

Automated testing and AI-driven audits could significantly elevate security standards across both DeFi and CeFi ecosystems, making them more resilient overall. However, it would be imprudent to place complete and unwavering trust in AI for security – even advanced technologies can have blind spots.

Conversely, the same AI tools could also be leveraged by hackers to scan systems and pinpoint exploitable weaknesses at an unprecedented speed. This sets the stage for an ongoing “arms race” between security teams and cybercriminals, forcing platforms into a perpetual state of needing to stay ahead of the curve.

One thing I would strongly caution against is relying on AI to actually write smart contracts—at least for now. Given the current stage of AI development, AI-generated code simply can’t match the quality and security offered by seasoned human developers.

What Should Crypto Exchanges Do Next?

It’s now standard practice for centralized exchanges to implement industry-leading security measures, such as multisignature wallets and other established protocols. However, as the Bybit hack painfully demonstrates, these measures alone are seemingly insufficient.

CEXs, by their very design, create inherent centralized points of vulnerability. While they should absolutely be heavily fortified, their centralized nature still makes them attractive, single-point-of-attack targets for hackers. One possible solution is to explore user-controlled wallets, perhaps with additional oversight mechanisms managed by the exchanges. However, it’s widely recognized that self-custody and managing private keys can be overly complex and inconvenient for the average user, making this approach less universally safe or user-friendly.

So, what alternative steps can exchanges take on their end to enhance security?

Firstly, it’s crucial to recognize that many current security mechanisms employed by these platforms, including multisignature wallets, are built upon Web 2.0 foundations. This means their security isn’t solely reliant on the robustness of smart contracts but is also contingent on the security of web-based frontends – the very user interfaces (UIs) through which users interact and access these smart contracts.

Weaknesses in frontend security can compromise the entire security framework, if hackers manage to exploit them. And ensuring robust security at the frontend is a significant challenge. Web applications often depend on a vast number of dependencies (for instance, Uniswap’s UI has over 4,500 dependencies), each representing a potential entry point for attacks. If even one of these dependencies is compromised, hackers could inject malicious code into the interface, without needing to directly attack the core system at all.

Therefore, developers must prioritize not only the security of their own code but also the security of every piece of software their platform relies upon.

A beneficial step for large exchanges would be to adopt self-hosted Web UIs. These are available, including options like Safe wallet’s UI. An even more effective solution would be to utilize specialized software that entirely bypasses conventional web technologies when interacting with smart contracts. For example, Safe wallets offer an official CLI (command-line interface) tool. This significantly reduces the number of dependencies (by approximately 100 times), markedly decreasing the risk of supply chain attacks.

Furthermore, any signing operations for high-value transactions should be performed on dedicated, isolated machines reserved exclusively for this purpose. This minimizes the risk of human error introducing malware into the signing infrastructure. Another interesting approach might involve utilizing containerized operating systems like QubesOS – while currently less common, they offer enhanced security as a core part of their design.

And of course, while hardware wallets are standard practice, it’s crucial for exchanges to implement mechanisms to thoroughly verify the details of what these wallets are actually signing, especially for high-value transactions. Current hardware wallets don’t make this inherently easy, but there are tools available that can aid in verifying transaction data before it’s executed.

Ultimately, implementing any of these security enhancements is a complex undertaking – a reality we must acknowledge. Perhaps the industry needs to collectively establish formalized security guidelines or even develop specialized operating systems explicitly designed for secure crypto interactions out of the box.

However, one thing is clear: without substantial upgrades to security infrastructure, the risks to CEXs will only continue to escalate.

Mentioned in this article