There’s always another nightmarish crypto hack around the corner


Welcome back to Chain Reaction.

Last week, we looked at the near-term future for crypto gaming as VCs zero in on where to place consumer bets. This week, we’re looking at hardware wallets and the endless journey towards feeling safe in the crypto world.

To get this in your inbox every Thursday, you can subscribe on TechCrunch’s newsletter page.


nowhere to hide

A weekly dispatch from the desk of TechCrunch crypto editor Lucas Matney:

The world of crypto can be a cruel and unforgiving place, and while VCs and crypto hedge funds have been happy to bail out institutions, sometimes consumers dabbling in the space find themselves left out in the cold. This week, a couple of pretty high profile hacks cost crypto investors millions, but it was the smaller, more mysterious one that likely left newbie buyers clutching their private keys and praying for the best.

Putting money anywhere is an exercise of trust, which sometimes makes it funny that the word “trustless” has been a leading phrase in crypto religious creeds that investors use to gain converts. All a user must do is hold their private key near and dear and they can trust that their money will always be there without having to place any trust in a traditional financial institution. But consumers are discovering some of the long-known fine print to that promise.

This week, thousands of Solana users logged into their crypto wallet apps to discover that all of their funds had disappeared. Many of these users claimed they hadn’t used the wallets in weeks or months, ruling out some sort of mass signature of a malicious contract. While this ended up being a lowly seven-figure hack, the mystery was notable. Early on, users weren’t sure whether this was an attack on the underlying Solana network or an underlying service provider that multiple wallets relied on. Amid all the confusion, wallets continued to be drained, eventually emptying the contents of upwards of 8,000 individual accounts.

Investors in the Solana ecosystem (the network’s founder dropped some choice Twitter retweets) complained that the media was focusing more heavily on the single-digit millions exploit when the Nomad bridge had been hacked for $190 million just a day prior. But it was the nature of the attack that was scarier than the dollar amount.

Apparently a crypto wallet provider was inadvertently logging seed phrases to their event logging server, which led to someone being able to hack and drain over 8,000 wallets 😬 https://t.co/Mah695gQY5

— Marcus Hutchins (@MalwareTechBlog) August 3, 2022

While users across wallets reported the problem, the issue came down to a vulnerability in the Slope wallet, which had, unbeknownst to users, been logging their private keys in the backend, leaving them vulnerable to bad actors if they had ever imported keys to the mobile app. This saga probably served as another severing point of trust in the system for new users who might have thought their funds were safer in a wallet than a centralized exchange’s coffers. But long-time crypto users shrugged and signified that this was yet another reason for users to hold their funds in so-called hardware wallets — physical devices which store a user’s private keys and dramatically cut down on the number of attack vectors for hackers outside of human error.

Now, pushing every new user to buy a ~$100 hardware wallet in order to truly secure their assets clearly isn’t the ticket to widespread near-term adoption, and yet it seems to be a rule that those deepest in the space still cling to. While plenty of crypto’s richest are holding to strategies that promote security above most anything else, it also seems that plenty of them are investing and promoting projects which emphasize speed and seamless onboarding at the expense of security. Users finding their way onto the rails of flashy consumer apps may find themselves realizing that crypto’s early onboarding hurdles have been steep for a reason and that wealthy users buying air-gapped computers and keeping their keys on pieces of paper have plenty of history framing their paranoia.

How people be reacting to the Solana "hack"… pic.twitter.com/NmcIlr9KOD

— joma 🤏 (@jomaoppa) August 3, 2022


the latest pod

Chain Reaction is back again this week and better than ever! We announced two big changes to the pod this week. First and foremost, we have a new co-host, Jacquie Melinek, joining us weekly to talk about the biggest headlines in web3. Jacquie is a great friend of ours and as a reporter for TechCrunch+, she’s eager to get in the weeds to help us demystify all things crypto.

Second, we’re splitting our weekly show into two separate episodes: a weekly news segment feat. Jacquie, the first of which came out today, and an interview segment hosted by Anita and Lucas. Stay tuned for the latest interview episode to drop next week, in which we talked to Uniswap COO MC Lader.

For this week’s news, we unpacked two high-profile hacks that happened in the first two days of the month (phew). We also discussed Robinhood’s latest round of layoffs and a $30 million fine the company paid to New York regulators.

Subscribe to Chain Reaction on Apple, Spotify or your alternative podcast platform of choice to keep up with us every week.


follow the money

Where startup money is moving in the crypto world:

  1. AO Labs raised $4.5 million from investors including Balaji Srinivasan and Sandeep Nailwal for its Spacebar web3 gaming platform.
  2. “Green” web3 platform OneOf closed an $8 million-plus strategic round from investors including Amex Ventures.
  3. Digital asset derivatives company OrBit raised $4.6 million from Matrixport, Brevan Howard and others.
  4. Crypto credit protocol Debt DAO snagged $3.5 million for its seed round led by Dragonfly Capital.
  5. Center, a crypto infrastructure startup, raised $11 million in a seed round from investors including Thrive Capital, Founders Fund and Volt Capital.
  6. Gary Vaynerchuk’s NFT project, VeeFriends, scored $50 million in an a16z-led financing.
  7. Quasar, a Cosmos-based DeFi protocol, raised $6 million in seed capital from Polychain, Blockchain Capital and others.
  8. Stadium Live, a fantasy sports metaverse startup, nabbed $10 million for its Series A from KB Partners, Union Square Ventures, Dapper Labs and others.
  9. Decentralized data warehouse provider Space and Time bagged $10 million for its seed round from investors including Framework Ventures and Digital Currency Group.
  10. Play-to-earn fitness app Sweatcoin completed a $13 million fundraise, including a private token sale, from investors including Electric Capital and Jump Crypto.

the week in web3

A weekly window into the thoughts of web3 reporter Anita Ramaswamy:

It seems like a good time to talk about security in crypto in light of the recent hacks affecting both the Nomad crypto bridge and the Solana ecosystem. It’s becoming increasingly clear that no matter how many assurances a crypto company makes about how airtight its security standards are, investors should be watching their backs at all times. The pain can be even more acute for NFT holders, who are at risk of losing millions of dollars of value in one fell swoop if one of their pricey JPEGs gets stolen – just think back to what happened to actor Seth Green and his kidnapped Bored Ape.

There are a few different options for how people can store their crypto securely today, and they all have their tradeoffs. A “hot wallet” is connected to the internet, which leaves it vulnerable to outages or connectivity troubles. Furthermore, plenty of hot wallets are operated by centralized entities such as exchanges that hold users’ keys on their behalf – a transfer of power many crypto users are loath to grant. A “cold wallet,” meanwhile, is considered far more secure, but involves clunky, hard-to-use hardware that could be misplaced just as easily as a “seed phrase,” which is a password used to unlock a crypto wallet.

Upstream founder and CEO Alex Taub, who we had on last week’s pod, says his startup has a user-friendly solution that allows people to keep control of their own keys digitally without having to compromise on security. It’s a unique solution coming at a particularly opportune moment. For details on how it works and why it’s different from what’s already on the market, check out my article here


TC+ analysis

Here’s some of this week’s crypto analysis available on our subscription service TC+ from senior reporter Jacquelyn Melinek

Solana’s speedy approach to crypto is attracting developers, despite hiccups
Although the crypto market isn’t always sunshine and flowers, some prominent industry players, including Solana co-founder Raj Gokal, still have an optimistic outlook for growth — at least about their own projects. Despite Solana’s recent issues with 8,000 wallets hacked on Tuesday, the layer-1 blockchain has about 15 million to 20 million monthly active addresses, some of the highest in the crypto industry, Gokal said. “A question we get a lot is how is the market affecting the pace of development and the pace of building?” His answer? It’s not, really.

Why education is key to halting hacks like the $190M Nomad exploit
Following the loss of almost $200 million in a security exploit on crypto protocol Nomad, security experts insisted that more education and security protocols are necessary for protecting web3 communities from hackers. As the crypto ecosystem becomes larger over time, interchain operability will continue to grow, too, “at profound levels with a focus on security and decentralization,” Daniel Keller, co-founder at Flux, said to TechCrunch. “However, attention needs to be given to security and not only speed of development as we push DeFi products to the masses.”

Tiffany and Gucci’s dip into crypto is a balance of reputation and revenue
Are crypto integrations by household name brands and sports teams evidence of increasing use cases for digital assets and cryptocurrencies — or more of a marketing ploy? This week, Tiffany & Co., Gucci and FC Barcelona all dove deeper into the crypto sphere with partnerships in the digital asset world. But do these partnerships truly mean anything for the crypto ecosystem? A number of market players shared their thoughts on the financial upside, risk and business play behind these new integrations. 


Thanks for reading! And — again — to get this in your inbox every Thursday, you can subscribe on TechCrunch’s newsletter page.
