There is no such thing as a completely safe information system or cyber defense.
Despite blockchain's increasing popularity, it still has many skeptics. For organizations building on blockchain, cyber security controls and standards are one way to reduce vulnerabilities and shrink the attack surface.
Recently, we spoke with Dyma Budorin, CEO and Co-Founder of Hacken – a Web3 cybersecurity auditor – who talked us through this strategy and the difficulties it helps tackle.
Tell us about your journey throughout the years. How did the idea of Hacken originate?
Before Hacken, I worked for many years in auditing. I climbed the ranks of the Big 4 to become a Senior Manager at Deloitte, became a certified member of ACCA, and held top managerial positions. I decided to channel my considerable experience in auditing and business development into Web3. I saw an opportunity in this growing global phenomenon.
In 2017, the crypto space resembled the Wild West. I gathered some of the most talented people around the idea of bringing trust and ethics to the rising Web3. This is how Hacken came to life.
In five years, the industry has grown immensely. Billions of dollars change hands on blockchains. At the same time, people using blockchain have more power. Hacken has grown together with the wider industry. We found our place in cybersecurity.
Can you tell us a little bit about what you do? What are your main areas of focus?
I’ll give you a high-level overview of our company. Hacken is a sustainable business ecosystem centered around cybersecurity. Our main areas of focus are:
- Building security infrastructure for blockchain
- Providing protection from cyber threats to other businesses and users who utilize blockchain technology
- Educating individuals on cyber risks so they remain secure in a rapidly developing digital world
- Developing and maintaining a community of ethical hackers
- Incubating Web3 cybersecurity startups
On a more practical level, we provide cybersecurity services, including Smart Contract Audit, Blockchain Protocol Audit, Penetration Testing, dApp & Cross-Chain Solution Audits, and bug bounty programs, for a range of Web3 projects, such as centralized or decentralized crypto exchanges, wallets, NFT, GameFi, and Metaverse applications.
What tools do you use to assess one’s state of cybersecurity?
When it comes to our flagship product, smart contract security audit, we rely on a robust methodology to discover common and complex vulnerabilities, such as arithmetic over/underflows, default visibilities, entropy illusions, race conditions/front running, DoS, re-entrancy, constructors with care, and transaction origin authentication.
Regarding specific tools, our auditors run automated tests to check all possible contract states, catch simple issues, and gather more information. Some of the tools are Slither, Mythril, Solgraph, Echidna, and others. For example, Slither conducts static analysis of Solidity source code, while Mythril offers a reversing and bug-hunting framework for the Ethereum blockchain.
Careful use of automated tools helps us control the final cost of the audit. However, our audits detect vulnerabilities effectively because, first, we prioritize independent manual code review followed by a separate check by a lead auditor, and second, two separate auditors conduct independent line-by-line code reviews and analyses.
Have you noticed any new cyber threats emerging as a result of the Covid-19 pandemic?
The Covid-19 pandemic was a significant push factor for digitalization. It’s no wonder. Industries and businesses suddenly went online to continue operations under lockdowns. We’ve seen a spike in attention to blockchain due to “work from home/stay at home” orders. Many people who lost their jobs turned to crypto trading and staking to supplement their income loss.
Unfortunately, it also coincided with increased activity from unethical actors, such as scammers and hackers. Some projects were created solely to attract investors' and users' money and pull the rug. So, there’s been an increase in phishing links to untrustworthy projects closing their doors to escape with users’ funds.
In your opinion, what IT and cybersecurity details are often overlooked by new companies?
New companies often overlook high-level security architecture. You should have security as a core of what you are doing. Otherwise, security becomes a burden that your new company won’t be able to carry.
Why do you think a number of companies and individuals still struggle to improve their cybersecurity despite all the solutions and technology available?
My educated guess is that they don’t take security seriously. Projects built on blockchain and DLT operate in a very volatile environment. With low barriers to entry, everyone is trying to impress users with features and marketing claims.
In this environment, many companies forget about issues that are truly important to users. Issues, like the security of their digital assets. That’s why, despite all the technology and expertise, we still see hacks, scams, and other types of exploits.
Talking about organizational cybersecurity, what kinds of checkups and tests should be done regularly?
From an organizational standpoint, the most important measure is penetration testing. This is true for both Web2 and Web3 companies. When conducting pentesting, we identify weak spots in the client's software by putting their systems up against a simulated cyberattack in a safe and controlled environment.
We follow the steps of a potential attacker to see how the system fares against a potential DDoS, insider attack, and social engineering. Because penetration testing is proactive rather than reactive, it is a must-have for organizational cybersecurity.
When talking about blockchain, the most important is a smart contract security audit. A smart contract is an automated code that executes a transaction once conditions are met. Most exploits are linked to vulnerabilities in the smart contract code. When done correctly, a crypto audit eliminates all critical weaknesses leaving little chance for hackers to steal funds. That’s why we have dedicated teams for different blockchains and programming languages.
Once your app is up and running, I also recommend having a bug bounty program. A bug bounty is basically a contest where ethical hackers and security experts look for known and unknown vulnerabilities in your systems. This is a cost-effective solution because you only have to pay for the found bugs.
In your opinion, what kind of attacks are we going to see more of in the next few years? What should average internet users do to protect themselves?
Based on what we see right now, we might expect more attacks on non-Ethereum protocols. In the next few years, the industry will be transitioning towards layer 2, so there might be more multi-layer security threats. From a broader perspective, legacy systems are adopting blockchain technology or being replaced by it.
Traditional Web2 enterprises, from banking and finance to energy and healthcare, are joining the DLT space. More assets in Web3 mean more funds lost to hacks, exploits, and scams. Thus, we will see more attacks during the transition from Web2 to Web3.
Average internet users should follow basic cybersecurity essentials, especially when it comes to any operations with money. Do not trust unverified social media channels. Double-check screenshots because they are easy to edit. In crypto, scammers usually add their fake wallet addresses. Use a password manager to avoid the disaster of one password for all websites.
Add two-factor verification to your social media accounts, banking apps, and electronic wallets. For those interested in cryptocurrencies, don’t share your private key with anyone and protect it by storing it in a credible digital wallet. Also, be aware of scam coins. Hackers spread phishing links to steal your private key.
Tell us, what’s next for Hacken?
This year, Hacken celebrated its 5-year anniversary. Throughout these 5 years, we have established ourselves as a trusted security partner. Now, the task is to maintain and increase that level of trust. We can do this by evolving our core product offerings. Hacken has recently added a new service, dApp audit. We now review the off-chain part of decentralized apps to ensure safe and secure blockchain interaction. It's quite gratifying to see our company having an impact on security practices. Indeed, more projects than ever before are doing smart contract audits, but smart contracts are not enough. The dApp, the off-chain component, is the most overlooked part and can lead to costly errors. With audits for dApps and cross-chain solutions, Hacken is setting industry standards for security.
We also want to grow our expertise together with the industry. Right now, we are in the middle of launching Hacken Observers (working title), a community-based project to monitor smart contract security in real time. It's a powerful tool for monitoring and analytics. In the future, we plan to extend our expertise in a 360-degree approach to security and roll out Web3 Cybersecurity Software as a Service. The idea is to analyze activities within the blockchain and smart contracts in real time. For example, an all-in-one bundle for exposing suspicious transactions, alerting on hacks, detecting rug pulls and flash loans, checking audit relevance, monitoring liquidity, evaluating smart contract safety, and much more.
We’ll keep growing and improving to make Web3 secure and ethical.