There isn’t any day when you don’t hear about a new 100s Millions $ hack happening on the blockchain space.
Although when it happens, thousands of people loose a chunk of their saving and protocols (or crypto as whole) loose part of their trust.
There are still some positive aspects in hacking.
Hackers helps to innovate
Nobody came with a great idea straight off. This just doesn’t exist. Instead, innovation comes gradually:
- People have new ideas about solving a problem and expose them to the market.
- The market responds to the idea. (Whether they buy or not, whether to product work as intended …)
- A new idea on top of the first is found given the response of the market.
- And these 2 last steps repeat themselves definitively. (until the product or the idea die)
This is the case for every technology and web3 is not an exception. All the protocols, payments, decentralized games, DEFI, security, an so on… weren’t implemented the first year of the bitcoin birth (2009).
They were instead implemented gradually.
Hacking lies in the part 2 of this Scheme. Some “bad actors” in the market may exploit the system (by abusing it or hack it) , but in part 3 new solutions to these hacks/abuse are found and some of them may be applied outside the scope of the idea.
And this is the case for a lot of new technologies which were invented thanks to hacking like: ZK-nowledge / Decentralisation / and many more
Web2 was very insecure too.
At the beginning, web2 was very insecure too, hacks were very common and were quite easy to exploit (at least if you had the required tools).
At these times, even a teenager, if he wanted to, could harm a website with a little technical knowledge.
Now, although there are still many hacks in web2, the numbers and the gravity of them were highly reduced in proportion of the total number of websites.
The web is now more secure than ever. In fact 10–15 years a go, it was quite simple to “hack” a website:
- The HTTPS protocol which encrypts communications wasn’t that wide spread (before 2015 you must to pay a monthly fee in order to have HTTPS on your website) so intercepting the communication and stealing passwords was easy. (with MITM attacks)
- People coded software by they own instead of using secure frameworks designed by people with more experience than them. (imagine re-coding the ERC20 open-zeppelin library to deploy a token.)
- Most of the developers weren't even aware of basic flaws (like SQL injections, XSS and so on…) and a significant amount of code tutorials were flawed.
▶ Now this is not anymore the case, any (serious) online tutorial or any (serious) university will teach you how to avoid these flaws.
As a result, hackers need to aim for a higher entry level to master web2 security.
This will be the same for web3, at first “easy hacks” (like the lack of onlyOwner, an integer overflow ),were very rewarding.
But as developers are being more and more aware of different pitfalls they can fall on, it won’t be a problem.
Moreover, tools to may become more secure like compilers which will warn you or throw an error in the case of integer overflow and initialized pointers. Thus, these types of flaws are almost impossible to exploit since solidity 0.8.0.
This applies to planes crash too.
The same example can be applied to aviation where every plane crash contributes to reinforce the security of planes (and to development of new technologies in aviation).
As the graph bellow shows, since 1970 causalities on a plane incident decreased by 3–5 times and continue to decrease today.
Hacks make DEFI more secure and help to find better solutions to existing problems.
In 5 or 10 years, here is what hacking/auditing in Blockchain may look like:
- More specialized skills (like math, cryptography, EVM) will be required in order to do audits smart contracts. (especially when ZK-knowledge will be democratized)
- Trivial flaws (Like reentrancy, tx.origin) will almost disappear, this is already the case for integer overflow and not initialized pointers which are almost impossible to exploit since solidity 0.8.0 due to the compiler and the prevention of developers.
- Some auditing tools may perform better than others (as in web2) but it won’t replace a manual audit (even if an AI like chat GPT is involved)
I Hope you’ve enjoyed my article and Happy new year!