The ongoing digitization of assets poses significant challenges to the security of IT. On the one hand, more cyberattacks can be expected the more asset classes are traded in the form of tokens. On the other hand, the efficient interactions of humans and machines in the execution of transactions and decentralized applications are coming into focus. In addition to the necessary IT security, providers in this environment must focus on the user-friendliness of their applications.
Authors: Benjamin Schaub, Carolyn Guthoff, Andre Meyer
Digital assets are the future. Crypto assets like Bitcoin have paved the way for Distributed Ledger Technology (DLT). Assets such as real estate or art are already being digitized, and other asset classes such as industrial goods will also be digitally tradable in the future. However, due to advancing regulation in Germany and the emergence of the first products, traditional securities in the form of security tokens are also expected to see enormous momentum in the coming years.
What all these digital assets have in common is that they require crypto custody as a central infrastructure. This involves the custody, management and protection of the private keys that owners of crypto assets such as Bitcoin use to authorize or sign transactions. In a decentralized system like the Bitcoin blockchain, whoever holds the private key of an address controls the cryptocurrencies associated with that address. Unauthorized possession of private keys results in irrevocable loss of assets due to the decentralized nature of the network.
BaFin recognized the importance of investor protection in Germany early on and declared the custody of cryptocurrencies to be a financial service requiring a license under the German Banking Act (KWG). In June 2021, Coinbase, an internationally established player in the crypto universe, could receive this license. Kapilendo Custodian AG, which was acquired by Hauck & Aufhäuser in September, and Tangany have only recently received the license.
Technological maturity increases, problems remain
Due to numerous successful attacks on crypto exchanges, vendors in this environment have developed various highly complex technologies for private key custody. As a result, the security of private key custody has increased significantly. The increasing offering of digital assets by established financial firms such as Goldman Sachs and JP Morgan indicates that the technology is now meeting the needs of traditional market participants. While the maturity of the technology allows institutional investors to invest in digital assets, two current issues show that human interaction is still a risk that needs to be minimized by the best possible handling for the benefit of users.
In the spring of this year, German Stefan Thomas gained media attention for forgetting the access data to his wallet, which contained the private keys for 7002 Bitcoin, about 284 million euros.¹ In June of this year, crypto custody technology provider Fireblocks was sued by the StakeHound platform for alleged negligence that led to the loss of Ether worth over $70 million.² Initial indications in this case suggest that it was not a technical error, but that the loss was due to miscommunication between the two parties.
Research findings on usable security reveal vulnerabilities
Both examples show that errors do occur, especially in human interaction with technical products. This is where the topic of usable security comes into play. Usable security aims to combine security and user-friendly applications in the best possible way. This can have many facets and includes research on many different topics related to security, wherever people are involved, from the cryptographer who designs an encryption algorithm, for example, to the developer who implements it, to the end user who uses the developed solutions, for example, via an app.
An example of research on this topic is a 2016 publication that looked at users’ experiences in the Bitcoin ecosystem.³ According to the study, 22.5% of participants have already lost Bitcoin at least once, 43.5% of them even through their own mistakes. Another example is a 2020 study that looks at the mental models of crypto asset users.⁴ The study shows that users have a hard time understanding how private keys and transaction execution are connected. The study’s authors recommend automating key generation and backup creation as much as possible while keeping the processes as transparent as possible. Users must understand that their private key must remain secret and that a key cannot be recovered if lost.
Smart Contracts Also Offer Attack Vectors
In early August, a vulnerability in a Poly Network smart contract was exploited. In the attack, a “harmless” hacker was able to steal over USD 600 million, which was subsequently returned.⁵ Smart contracts are computer programs that, for example, automatically trigger a transaction as soon as previously defined conditions of the contracting parties are met. Since smart contracts also originate from human hands, errors can never be completely avoided in this area either.
To ensure the security of crypto-assets, a so-called “formal verification” is carried out, especially during the development of DLT software. Formal verification can be understood as a mathematical proof in which the requirements of the smart contract are compared with a mathematical model. This approach allows the developer to take into account all program flows that may result from different inputs. Of course, such verification has limited effect and cannot guarantee 100% security.
In addition, the Poly Network is a so-called multi-chain network, which allows users to trade different crypto assets without having to create a separate wallet for each blockchain. However, this functionality requires that the smart contracts created can be accessed outside of the respective network to enable interoperability. This leads to a high degree of complexity, which ultimately created the attack surface in the Poly Network hack case. In the future, the verification of the underlying computer code of smart contracts by auditors will be of great importance in order to eliminate vulnerabilities as far as possible and to make decentralized systems accessible to the masses.
If you like this article, we would appreciate it if you would forward it to your colleagues or share it on social media. If you are an expert in this field and would like to critique or constructively appreciate the article or some of its parts, please send us a private message or leave a comment below or above in the context of the text. We will get back to you.
INTAS.tech is a blockchain consulting firm founded by Frankfurt School and Plutoneo, specifically tailored to the needs of financial firms. INTAS.tech focuses on the integration and handling of digital assets as well as the strategic evaluation of blockchain deployment options and their implementation.
CISPA Helmholtz Center for Information Security is a national research institution of the Federal Republic of Germany within the Helmholtz Association. It researches information security in all its facets.
adesso is one of the leading IT service providers in the German-speaking area and focuses on the core business processes of companies and public administrations with consulting and individual software development. With many years of experience, one focus is on the financial sector. The adesso Group currently employs more than 5,300 employees at more than 40 locations.
Benjamin Schaub is a senior consultant at INTAS.tech. His interests include the development and integration of blockchain use cases in the financial industry as well as crypto custody.
Carolyn Guthoff is a Ph.D. student at the CISPA Helmholtz Center for Information Security. She researches usable security regarding the management of cryptographic keys.
Andre Meyer is a senior software developer at adesso. Previously, Andre worked at an Ethereum blockchain company and gained experience with smart contracts and the implementation of decentralized applications (dApps).