Sleuths who protect crypto from hackers are raking in money

Investors are taking note of the growing demand for protection. PHOTO: REUTERS

PORTLAND, OREGON (BLOOMBERG) - At a time when many crypto companies have seen their fortunes plummet, one corner of the industry is thriving.

With criminals including North Korean hackers increasingly targeting the sprawling software infrastructure underpinning the crypto sphere, firms that sift through code for weaknesses and run bug-hunting sites are finding themselves with more business than they can handle. As mass firings become the norm elsewhere in crypto, they are boosting hiring, raising prices and taking in fresh funding.

Their rising fortunes underscore how the industry is waking up to the threat of sophisticated hackers who have stolen roughly US$2 billion (S$2.8 billion) from digital asset protocols this year, according to researcher Chainalysis, which says such attacks show few signs of slowing.

With so much at stake, crypto-security services are moving from the nice-to-have spending category to the must-have bucket, even for bootstrapping start-ups and community-driven projects.

"We have spent so much money on audits," said Mr Paul Frambot, chief executive officer of crypto start-up Morpho Labs.

"Security is, in my opinion, not taken sufficiently seriously in DeFi," he added, referring to decentralised finance, where people trade, borrow and lend crypto without a central intermediary.

Morpho has done more than 10 code audits in the past year, according to Mr Frambot.

Investors are taking note of the growing demand for protection. Venture capital firms have poured US$257 million into crypto auditing and security companies so far this year, up from US$185 million for all of 2021, according to CB Insights.

Rising threat

Crypto thieves have stalked the industry for most of its roughly decade-long existence, from the Bitfinex exchange hack in 2016 to last year's exploit of the PolyNetwork protocol.

But the problem has worsened recently, in part because of a relatively novel part of the ecosystem that has become a juicy target: so-called crypto bridges, software platforms that allow coins designed for one blockchain to be used on another. Hacks on crypto bridges accounted for more than two-thirds of the total value stolen in the first seven months of 2022, Chainalysis estimated.

In March, hackers struck the Ronin Bridge connected to the popular Axie Infinity online game and made off with cryptocurrencies worth about US$600 million at the time, one of the biggest hauls to date. The attack has been tied to North Korean hacker group Lazarus.

Sky Mavis, the developer of Axie Infinity, was forced to compensate players who lost money. The incident was also a publicity nightmare for Sky Mavis, as many of those whose coins were taken in the hack were gamers in low-income countries like the Philippines who played the game to bolster their modest pay cheques.

The threat is not limited to bridges. Hundreds of millions of dollars have vanished from other projects, like DeFi apps. Many of these efforts rely on so-called smart contracts - code that automatically executes transactions in a way that cannot be reversed - so design flaws can be especially costly.

A hack, or even a major coding error, can spell the end of an app that developers spent months or years building.

"These protocols are not simply another service that may be disrupted for a while - for example, like not being able to watch TV for a few hours or longer," said Mr Stefano Schiavi, an investor at bitscale.vc, a backer of crypto-security firm Immunefi. When crypto protocols fail, "many people lose significant portions of their savings, and often they even lose everything."

The evolution of Web3, a version of today's Internet built largely on crypto technology where ownership and control should be more widely distributed, means applications will increasingly be interconnected and span many blockchains, said Mr Lex Sokolin, head economist at ConsenSys, which audits smart-contract code.

"I think the more complicated Web3 becomes, the larger the surface area for these exploits," Mr Sokolin said.

US$400,000 salaries

Audits are essentially reviews of code by experienced developers who scrutinise it to identify bugs, security concerns and other issues that could make the technology run in unintended ways. In some cases, the protocol's developer can fix the weaknesses pinpointed, and then have those patches reviewed by the auditor.

Some crypto auditors use automated tools that scan code. Others, like OpenZeppelin, deploy at least two auditors who go through the code, one after another, line by line.

Salaries for experienced blockchain auditors can run as high as US$400,000 a year, according to Mr Zeth Couceiro, founder of crypto recruitment firm Plexus Resource Solutions. Their pay is typically around 20 per cent above that of developers focused on Solidity, one of the biggest crypto programming languages.

"The reason for that is the need to come from a coding background but also understand the architecture to establish vulnerabilities," Mr Couceiro said.

Long waits, rising prices

So far this year, 1,161 external projects have asked ConsenSys to audit their smart-contract code, close to the number for all of 2021 and up from 247 requests in 2020, according to the company. Clients can wait in line for audits costing up to US$320,000 for as long as nine months.

At rival Trail of Bits, published fees have jumped about 20 per cent to 25 per cent in the last 12 months as rising demand put pressure on lead times, said Mr Nick Selby, a vice-president at the company.

OpenZeppelin has expanded its workforce by 63 per cent this year, scooping up specialists laid off by other crypto companies in the downturn, said Mr Steve Grant, the company's head of growth. It plans to double its headcount in 2022, according to Mr Grant.

There is another constituency benefiting from crypto's increasing need for safety: so-called "white hat" hackers who use their skills to help companies plug security holes, rather than exploit them.

"Most hackers prefer to get clean and well-earned money and ease of mind instead of worrying their whole life if they will be caught for their crimes," said Mr Adrian Hetman, tech lead at Immunefi, whose clients include DeFi project MakerDAO.

Rewards for identifying significant flaws can run as high as US$10 million, Mr Hetman said.

Follow ST on LinkedIn and stay updated on the latest career news, insights and more.