After Curve Finance’s website suffered a major DNS hijack earlier this month, concerns are rising about sophisticated and new ways hackers target crypto firms. From social media compromise to front-end exploits and smart contract vulnerabilities, the web3 ecosystem faces a persistent threat.
As DeFi and crypto become more popular, they’re drawing more malicious eyes. Attacks have now become almost inevitable. So how can firms resist them? Michael Egorov, founder of Curve Finance, addressed these topics and more in an exclusive interview with BeInCrypto.
The largest theft in crypto history happened this year, and it wasn’t an isolated incident. Sophisticated attacks on the DeFi ecosystem are growing, with insider phishing at Coinbase, protocol-level exploits at zkSync, and a major DNS hack at Curve Finance.
Egorov discussed the Web3 industry’s structural vulnerabilities and how to meet the moment.
“Traditional web security issues aren’t really anything new. The thing is, in the Web2 world, the damage from such issues is often containable, so this wasn’t such a big problem. In crypto, however, the stakes are very different because all transactions become final almost instantly. As a result, the bar for security standards is much higher for this sector, and today’s internet infrastructure just isn’t built to meet these demands,” he claimed.
Curve Finance, a major decentralized exchange, has a strong background in discussing DeFi’s vulnerabilities. Over its long history, Curve has faced and managed critical security incidents on several occasions, forcing the company to continually adapt its security approach.
Yet, earlier this month, the exchange’s website was the latest target. Ultimately, the DEX had to change its official domain. In Egorov’s view, the problem is ultimately intrinsic to the internet as we know it.
“As far as I can see, there was nothing that we could have done better technology-wise. The issue this time was external. In my opinion, there is a fundamental problem with how web applications are built. We need secure desktop applications built from the ground up with safety as the priority,” Egorov stated.
Specifically, he pointed out a few structural vulnerabilities that enabled the Curve attack and other recent hacks. Web3 apps still have to interact with a static website of some kind, relying on DNS registrars to connect the site’s domain name to the front-end hosting.
If attackers trick, hijack, or bribe their way past these registrars, it opens a highly effective attack path, a tactic recently used against Curve.
That’s just one of several structural issues with the legacy ‘Web2’ Internet infrastructure today. For example, web pages rely on thousands of JavaScript micro-packages, which are hard to audit individually.
Compromised packages can sneakily and effectively circumvent a DeFi protocol’s security in a wide range of ways. All that is to say, Web3 is vulnerable to many Web2 attacks.
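The two failure modes described above, a front-end domain that no longer resolves where it should and a served JavaScript bundle that no longer matches what was released, are both detectable from the outside. The following is an added example of such a monitoring check, not code from the article or from Curve; the domain, IP addresses, nameservers and bundle contents are constructed placeholders, and the observed DNS answers and fetched assets are passed in as plain dictionaries rather than queried live.

```python
import base64
import hashlib

# Constructed sample data: a hypothetical front-end domain and release bundle,
# not Curve's real infrastructure. Pinned values are recorded at release time.
PINNED_DNS = {
    "app.example-dex.invalid": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.registrar.invalid", "ns2.registrar.invalid"},
    }
}
GOOD_BUNDLE = b"window.connectWallet = function () { /* constructed release build */ };"


def sri_digest(data: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a served asset."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def verify_sri(data: bytes, expected: str) -> bool:
    """True only if the served bytes match the SRI value pinned at release."""
    return sri_digest(data) == expected


def dns_drift(pinned: dict, observed: dict) -> list:
    """Compare observed DNS answers with the pinned ones; each mismatch is a finding.

    A changed A record or nameserver set is what a registrar-level hijack looks
    like from outside the protocol, so any difference is worth an alert."""
    findings = []
    for name, rrsets in pinned.items():
        for rrtype, expected in rrsets.items():
            got = set(observed.get(name, {}).get(rrtype, set()))
            if got != expected:
                findings.append((name, rrtype, sorted(expected - got), sorted(got - expected)))
    return findings


def audit_frontend(observed_dns: dict, served_assets: dict, pinned_sri: dict) -> list:
    """Run both checks; returns a list of alert strings (empty means no drift)."""
    alerts = [f"DNS drift on {n} {t}: missing={m} unexpected={u}"
              for n, t, m, u in dns_drift(PINNED_DNS, observed_dns)]
    for path, expected in pinned_sri.items():
        body = served_assets.get(path)
        if body is None or not verify_sri(body, expected):
            alerts.append(f"SRI mismatch for {path}")
    return alerts


if __name__ == "__main__":
    pinned_sri = {"/static/app.js": sri_digest(GOOD_BUNDLE)}
    hijacked = {"app.example-dex.invalid": {"A": {"198.51.100.7"},
                                            "NS": PINNED_DNS["app.example-dex.invalid"]["NS"]}}
    for line in audit_frontend(hijacked, {"/static/app.js": GOOD_BUNDLE + b"//x"}, pinned_sri):
        print(line)
```

In practice the observed answers would come from several independent resolvers and the assets from a fetch of the live site, so that a hijack at the registrar is caught even when the protocol's own servers are untouched.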
Egorov claimed that the crypto industry will need to make major structural changes to permanently address these issues. For example, he mentioned Ethereum Name Service (ENS) as a blockchain-native way to avoid DNS attacks.
If adopted, ENS would be effective, but it doesn’t have enough browser-level support to become mainstream.
Even if Curve got the institutional buy-in to prevent hacks with more Web3-based security measures, the new ecosystem may be somewhat unrecognizable to us.
For example, Egorov mentioned that the whole monetization structure of web traffic would have to change. Instead, major players would have to cover the upkeep costs themselves, with the increased security as their incentive.
“Building such an app would be a lot of work — it would need to re-implement DeFi interfaces, avoiding web technologies altogether and likely without any ability to monetize. But I believe that there is a strong demand for it, especially from institutions handling significant user funds,” he noted.
These solutions are undoubtedly radical, but Egorov stressed that these problems are social, not technological. He suggested only security measures that can be built with existing blockchain research, but argued that they would be sufficient.
In other words, if the pace of major attacks keeps increasing, it might create more enthusiasm for these reforms. Curve Finance is ready to build a Web3 future without these vulnerabilities.
But as the current security threats persist, Egorov’s advice for DeFi is to build more dedicated desktop applications.
“As I mentioned before, the current model of building frontend apps is too unsafe and has a very large attack surface. To achieve a better level of security, DeFi interactions should ideally shift to dedicated desktop applications,” the Curve founder concluded.