Call it Hacktober.
The crypto market suffered a record $760M in exploits in October, according to PeckShield, a blockchain security company which lists MakerDAO, DeFi’s largest protocol, as a customer.
Despite an exploiter’s move to return $50M to users last month, the total value of stolen funds in 2022 surged to almost $3B. That’s nearly double the $1.5B hackers took in 2021 and nearly 12 times the 2020 total.
“I think that October was a very bad month [for] DeFi security,” Stephen Tong, the co-founder of Zellic, a crypto security firm which lists the likes of Solana and Yuga Labs as clients, told The Defiant. “At the same time, it’s part of a growing trend of reality catching up to DeFi.”
Indeed, crypto has always had a freewheeling culture, which may clash with the deliberation required to write secure code. One of DeFi’s pioneers, Andre Cronje, became known for the phrase “test in prod,” which essentially meant that he would test applications after they went live on a blockchain’s mainnet.
And crypto is a colorful place full of pseudonymous founders and anime-picture-touting influencers. Yet it’s also a serious market that stores hundreds of millions of dollars in digital assets on blockchains. And that money is only as secure as the code it runs on.
“All smart contract code should be considered as mission critical, but oftentimes we don’t see it that way,” Tong said. “We should be seeing smart contracts the same way that we see code that goes onto planes, cars and space shuttles.”
The Zellic co-founder thinks that more seasoned developers tend to treat smart contract development with appropriate seriousness, but that the same mindset should be taught to new programmers, too.
Tong does think that security practices in crypto have improved recently, but that the growth in the number of would-be exploiters has far outpaced any improvement in safety.
In terms of what developers can do to step up their security practices, Tong said people need to code “defensively” to minimize smart contracts’ attack surface.
“Don’t just think ‘what should this code do,’” he said. “Think about what this code should not do.”
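What that advice looks like in code: the Solidity contract below is an added example written for this page, not code from Zellic, MakerDAO or any protocol mentioned here. The contract name, its functions and the invariant it enforces are illustrative assumptions. Each check answers the question “what must this function never do?”: pay out more than a caller deposited, be re-entered in the middle of a balance update, accept ETH it cannot account for, or let its own bookkeeping drift from the ETH it actually holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative vault (constructed for this example, not a real protocol).
/// Every revert below encodes something this code must NOT do.
contract DefensiveVault {
    address public immutable owner;
    mapping(address => uint256) public balances;
    uint256 public totalDeposits; // sum of all balances, tracked explicitly
    bool private locked;          // reentrancy guard
    bool public paused;

    error NotOwner();
    error Reentrancy();
    error Paused();
    error ZeroAmount();
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();
    error DirectTransfer();

    // Must not: let anyone but the deployer flip the pause switch
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Must not: allow a second entry while a balance update is in flight
    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    modifier whenNotPaused() {
        if (paused) revert Paused();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Must not: record a deposit of zero, or record one while paused
    function deposit() external payable whenNotPaused {
        if (msg.value == 0) revert ZeroAmount();
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
        _checkInvariant();
    }

    // Must not: pay out more than the caller holds, or make the external
    // call before its own state is updated (checks-effects-interactions)
    function withdraw(uint256 amount) external nonReentrant whenNotPaused {
        if (amount == 0) revert ZeroAmount();
        uint256 bal = balances[msg.sender];
        if (amount > bal) revert InsufficientBalance(amount, bal);

        // Effects first: the caller's balance is reduced before any ETH moves
        balances[msg.sender] = bal - amount;
        totalDeposits -= amount;

        // Interaction last; a reverting recipient reverts the whole call
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
        _checkInvariant();
    }

    function setPaused(bool p) external onlyOwner {
        paused = p;
    }

    // Must not: accept ETH outside deposit(), which would leave funds
    // nobody can withdraw and obscure the accounting
    receive() external payable {
        revert DirectTransfer();
    }

    // Must never hold less ETH than it has promised to depositors.
    // (Force-sent ETH via selfdestruct only pushes the real balance
    // above totalDeposits, so the inequality still holds.)
    function _checkInvariant() internal view {
        assert(totalDeposits <= address(this).balance);
    }
}
```

The point of the pattern is that the negative requirements are written down as code, not left implicit: an auditor or a fuzzer can read `_checkInvariant` and the custom errors as a specification of the contract’s attack surface and try to violate each one directly.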