At a time when many crypto companies have seen their fortunes plummet, one corner of the industry is thriving.
With criminals, including North Korean hackers, increasingly targeting the sprawling software infrastructure underpinning the cryptosphere, firms that sift through code for weaknesses and run bug-hunting sites are finding themselves with more business than they can handle. As mass firings become the norm elsewhere in crypto, they’re boosting hiring, raising prices and taking in fresh funding.
Their rising fortunes underscore how the industry is waking up to the threat of sophisticated hackers who have stolen roughly $2 billion from digital-asset protocols this year, according to researcher Chainalysis, which says such attacks show few signs of slowing.
With so much at stake, crypto security services are moving from the “nice to have” spending category to the “must have” bucket, even for bootstrapping start-ups and community-driven projects.
“We have spent sooooo much money on audits,” Paul Frambot, chief executive officer of crypto startup Morpho Labs, said by text message. “Security is, in my opinion, not taken sufficiently seriously in DeFi,” he added, referring to decentralised finance, where people trade, borrow and lend crypto without a central intermediary.
Investors are taking note of the growing demand for protection. Venture capital firms have poured $257 million into crypto auditing and security companies so far this year, up from $185 million for all of 2021, according to CB Insights.
Crypto thieves have stalked the industry for most of its roughly decade-long existence, from the Bitfinex exchange hack in 2016 to last year’s exploit of the PolyNetwork protocol.
But the problem has worsened recently, in part because of a relatively novel part of the ecosystem that’s become a juicy target: so-called crypto bridges, software platforms that allow coins designed for one blockchain to be used on another. Hacks on crypto bridges accounted for more than two-thirds of the total value stolen in the first seven months of 2022, Chainalysis estimates.
In March, hackers struck the Ronin Bridge connected to the popular Axie Infinity online game and made off with cryptocurrencies worth about $600 million at the time, one of the biggest hauls to date.
The threat isn’t limited to bridges. Hundreds of millions of dollars have vanished in exploits of other projects, like DeFi apps. Many of these efforts rely on so-called smart contracts — code that automatically executes transactions in a way that can’t be reversed — so design flaws can be especially costly.
Audits are essentially reviews of code by experienced developers who scrutinise it to identify bugs, security concerns and other issues that could make the technology run in unintended ways. In some cases, the protocol’s developer can fix the weaknesses pinpointed, and then have those patches reviewed by the auditor. Some crypto auditors use automated tools that scan code. Others, like OpenZeppelin, deploy at least two auditors who go through the code, one after another, line by line.
Salaries for experienced blockchain auditors can run as high as $400,000 a year, according to Zeth Couceiro, founder of crypto recruitment firm Plexus Resource Solutions. Their pay is typically around 20 per cent above that of developers focused on Solidity, one of the biggest crypto programming languages. “The reason for that is the need to come from a coding background but also understand the architecture to establish vulnerabilities,” Couceiro said.