In the fast-growing field of decentralised finance (DeFi), meticulous risk management measures have never been more important. A series of high-profile security breaches, such as the Nomad hack, has highlighted the risks inherent in digital asset structures such as cross-chain bridges, as well as the crucial obligation for comprehensive and holistic risk oversight in the administration of digital assets. Cross-chain functionality, in the context of digital assets, is what allows various assets to be “transferred” from one wallet to another on different blockchains. This vital piece of infrastructure powers the movement of digital assets across blockchains without the use of third parties. The mechanism is one of the key backbones of the functionality and interoperability of different blockchains.
Understanding Bridge and DAO Vulnerabilities
Cross-chain bridges allow asset and information movement across different blockchains, enhancing interoperability, but they also introduce complex security challenges and a highly attractive opportunity for hacks. This is due to the intricate logic of smart contracts essential for these operations, which can inadvertently introduce vulnerabilities, as seen in the Nomad exploit. This 2016 incident, resulting in over $190 million in losses, occurred due to a flaw in the bridge’s message validation process, highlighting the risks of inadequate code security and oversight.
Similarly, decentralised autonomous organisations (DAOs) like “The DAO” represent significant advances in blockchain-based governance but are also inherently susceptible to smart contract vulnerabilities similar to those of cross-chain protocols. In 2016, The DAO, an Ethereum blockchain-based Tokenised Messaging platform, suffered a substantial financial loss due to a code flaw exploited by attackers, exposing the risks these structures face and the implications for investors.
Case Study: The Nomad Exploit
The Nomad Bridge exploit serves as a critical case study for both cybersecurity and digital asset risk managers. In this incident, attackers capitalised on a compromised message validation protocol to illegally withdraw millions in digital assets. This breach not only led to significant financial losses but also damaged investor confidence in the sector in general and raised questions about the security practices of decentralised platforms. The hack occurred when an automated validation system was updated and automatically approved messages on the Ethereum chain. Essentially, a cross-chain transfer was automatically approved and the assets were sent to a wallet without first confirming that the corresponding assets were actually in the smart contract. This allowed the hackers to receive transfers without having to validate the existence of the counter transaction (prove they had deposited the asset in the smart contract).
Key Lessons for Digital Asset Managers:
- Verification: Third-party reviews and formal verification/auditing of smart contracts are required to maintain code integrity and prevent future vulnerabilities.
- Incident Response Planning: Establishing an effective incident response strategy minimises the financial and reputational impact that such breaches can cause. The Nomad hack lasted two hours, and if there had been an immediate response team the losses might have been minimised.
- Awareness: It is critical to raise awareness amongst investors about the inherent risks of using new technology while remaining transparent about the security measures in place within the company. Understanding platform risk allows investors to be more mindful.
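The validation flaw described in the case study and the value of an immediate response can be shown together in a small model. This is an added example, not Nomad's code or the author's: the `Bridge` class, its method names and the sample messages are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    msg_id: str      # constructed identifier of a cross-chain transfer
    recipient: str
    amount: int

@dataclass
class Bridge:
    deposits: dict = field(default_factory=dict)  # msg_id -> amount locked on the source chain
    processed: set = field(default_factory=set)   # message ids already paid out
    released: int = 0
    paused: bool = False

    def validate_flawed(self, msg: Message) -> bool:
        # Models the faulty update: every message is approved without
        # confirming that a matching deposit exists.
        return True

    def validate_strict(self, msg: Message) -> bool:
        # Approve only an unprocessed message backed by a deposit of the same amount.
        return (msg.msg_id not in self.processed
                and self.deposits.get(msg.msg_id) == msg.amount)

    def release(self, msg: Message, validator) -> bool:
        if self.paused or not validator(msg):
            return False
        self.processed.add(msg.msg_id)
        self.released += msg.amount
        # Automated response: total releases must never exceed confirmed
        # deposits; if they do, pause the bridge so no further funds leave.
        if self.released > sum(self.deposits.values()):
            self.paused = True
        return True

# Constructed sample data: one real deposit, two unbacked messages, one replay.
DEPOSITS = {"m1": 100}
MESSAGES = [Message("m1", "alice", 100), Message("m2", "mallory", 500),
            Message("m3", "mallory", 500), Message("m1", "alice", 100)]

def run(validator_name: str, messages, deposits):
    bridge = Bridge(deposits=dict(deposits))
    validator = getattr(bridge, validator_name)
    results = [bridge.release(m, validator) for m in messages]
    return results, bridge.released, bridge.paused
```

With the flawed validator the invariant check pauses the bridge after the first unbacked release, which bounds the loss; with the strict validator the unbacked and replayed messages are rejected and the pause never triggers.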
Risk Management Strategies for Digital Asset Managers
As asset managers navigate the opportunities and risks of on-chain asset management, a comprehensive and adaptive security approach becomes paramount. Key strategies include:
- Smart Contract Risk Mitigation: Third-party audits of smart contracts remain critical for high-value bridges and other contracts where substantial financial value is held, such as Uniswap or Aave. Formal verification technologies such as biometrics and KYC, where computationally and financially possible, offer another layer by formally verifying code correctness. This intersection of traditional compliance risk management and cybersecurity risk management techniques creates an intrinsic mitigating mechanism in the product.
- Secure Development Lifecycle (SDLC): Embedding security from a project’s inception, including proactive threat modelling, adherence to best practices in secure coding, and extensive testing, reduces the likelihood of vulnerabilities making it into the final product environment. Engaging a Cybersecurity specialist at every stage of product development allows a qualified “Devil’s Advocate” perspective.
- Bug Bounty Programs and Incident Response: Incentivising ethical hackers through bug bounty programs to proactively pen-test platforms, and specifically the high-value chains, encourages responsible disclosure. Alongside this, a well-defined, efficient threat response program minimises the financial and reputational implications of any external attacks that do occur.
- Risk Modelling in a Composable World: As projects integrate with cross-chain platforms and DeFi protocols, digital asset risk managers must develop risk models that capture cascading dependencies and systemic risks. Understanding how the failure of a single component might cascade into broader events is crucial.
The Evolving Security Landscape and Asset Management
The ever-changing world of blockchain technology and the rapid growth of tokenised assets demand adaptability in security and risk management. Proactive strategies for asset managers include:
- Collaboration on Threat Intelligence: Participation in industry forums for threat intelligence and incident analysis improves the overall community's resilience and allows proactive risk modelling.
- Adaptable Frameworks: Traditional risk management models must evolve to account for the unique challenges of decentralised technologies and tokenisation strategies, including specific operational risks associated with managing keys, custody solutions and the understanding that traditional infrastructure needs to evolve alongside the evolution of assets.
The Nomad exploit and lessons from the DAO highlight the vigilance required for the long-term, sustainable growth of cross-chain technologies and tokenisation within the evolution of asset management. By embracing newer and more robust strategies, digital asset managers, blockchain developers, and investors alike can create a safer, more secure environment, promoting innovation and the responsible adoption of tokenised assets in more domains.
Conclusion
The lessons from the Nomad exploit and other similar incidents provide a foundation for developing more secure asset management practices in the blockchain era. By adopting rigorous security measures, ongoing educational initiatives, and transparent communication strategies, digital asset managers will safeguard investments while fostering innovation and trust in the burgeoning field of tokenised assets.
An investor’s confidence in digital and tokenised assets will increase, in turn growing the sector. For investors, it is furthermore essential to assess the capacity of their Digital Asset managers to provide a secure framework for their assets. The symbiotic relationship of investors and Digital Asset managers will provide a secure first line of defence on cross-chain transactions and, on a broader scale, the digital asset market.
As fund managers explore the intricacies of tokenisation and blockchain investments, the value of partnering with an established expert becomes clear. With extensive experience in navigating the evolving landscape of digital assets, Lima Capital specialises in creating secure and compliant frameworks for digital asset management. We leverage our expertise and bolster our commitment to rigorous security practices and mitigation strategies, significantly enhancing our investors' confidence and security when navigating the complex world of Digital Asset investments and ensuring the integrity of our investment strategies. Contact us today to learn how we can help you to structure your fund and manage your digital assets, enabling you to achieve your investment goals.