Self-custody, a core tenet of cryptocurrency, has led to massive losses due to private key compromises, accounting for $8.5 billion in stolen assets over a decade. A cybersecurity expert argues these losses are preventable, stating projects must prioritize experienced security leadership and proper systems to manage risks effectively. Recent high-profile attacks on Drift and Kelp DAO have intensified scrutiny on the security practices within the decentralized finance sector.
Compromises of the private keys controlling crypto wallets account for nearly half of all onchain hacks over the past 10 years, according to DefiLlama data. This equates to $8.5 billion in stolen assets, challenging the security underpinning the $2.7 trillion industry.
Cybersecurity expert David Schwed, COO at SVRN, stated that self-custody can be built safely with the right precautions. “If you do that, absolutely you can build self-custody,” Schwed said.
He identifies three key issues: projects operate on tight budgets, face pressure to launch quickly, and often view security as an impediment. Projects need to hire seasoned chief information security officers and empower them to build proper security systems.
The industry recently faced a crisis of confidence after North Korean hackers stole a combined $579 million from Drift and Kelp DAO. These attacks exploited security weaknesses in internal systems and third-party infrastructure, not novel code vulnerabilities.
At Drift, hackers used a social engineering campaign to install malware on contributors’ systems. The attack on Kelp DAO involved compromising infrastructure providers within the LayerZero network.
Schwed noted that the competitive nature of crypto incentivizes speed over security, citing early movers like Aave and Uniswap. Establishing a competent security team requires significant investment, often a minimum of three to five experts led by a CISO.
Startup culture can also resist the procedural safeguards a seasoned security leader would impose. Schwed has observed individuals with limited experience transitioning into head of security roles at crypto projects.
“You don’t have that experience to be that leader, to really force certain procedural safeguards,” he said. This lack of experienced leadership contributes to the systemic vulnerabilities being exploited.
