One night in July, panic spread through a small corner of the Web3 music space. Curiously, $6.1 million worth of cryptocurrency started moving from blockchain music service Audius’ company treasury to an unknown wallet. Audius was hacked.
Hackers have found a bug that allows them to control Audius’ treasury, the crypto equivalent of a shared bank account, and transfer the entire fund to their crypto address. The bug has existed in his code for two years.
This year is likely to be the worst ever for cryptocurrency hacks. According to Chainalysiswith more than 125 major hacks totaling over $3 billion, and is expected to exceed $3.2 billion in 2021.
Meanwhile, phishing scams continue to deplete NFT wallets at an alarming rate. Say “everything is incredibly insecure” Sam Williamsfounder of blockchain storage platform Arweave and a self-professed ‘hacker’, though he uses the term as a broad description of coders.
Since the popularity of cryptocurrencies such as NFTs and Bitcoin began in early 2021, things have only gotten worse, creating hacker honeypots. “A lot of fluff was brought in during last year’s hype cycle,” he says Williams. The team scrambled to push the product live to take advantage of the new money flow, with less attention to security.
For music companies and artists entering the space, the consequences of hacking can be immense. Audius said he took a financial hit of $6 million, but it’s not just money. An exploit could undermine the trust of music fans and undermine the entire promise of Web3. Warner Music Group took this dilemma into account when launching the Stickmen Toys NFT collection earlier this year. “No matter how much time, resources, or good faith is put into a project, a security breach can damage the reputation of the project and its team,” he said. Gillian Rothman Vice President of New Business and Ventures, Business Development at Warner.
The risk of hacking is higher on Web3 than on the Internet today, as customers are at direct risk of losing money. Her NFTs or cryptocurrencies of dozens of her community members could be stolen from their wallets if there is a malicious link on the Discord server. If there is a bug in the code, the user can uselessly encrypt and lock his funds.These security community backlash from his incident could be severe and costly, so the Web3 team They often resort to refunding users out of their own pocket. So where are the biggest risks, and what can music companies do to protect themselves and their artists?
Experts say the main vulnerability in the NFT space lies in smart contracts. These are developer-created programs on a blockchain like Ethereum that hold funds and perform transactions such as paying royalties on secondary sales. Say, “Smart contracts have bugs and can be abused.” Nick Carter — Partner at Castle Island Ventures, a VC firm with multiple Web3 music investments. “Things are so new in the crypto space that developers are still learning best practices for safety.”
For example, one NFT project by a former MLB player — Aku mica johnson — A small bug in the code locked $34 million in smart contracts. The money was never recovered.
One way to reduce risk immediately is to operate with transparency. “It should be open source,” Williams says, so that anyone can check and verify the code. “It’s no use trying to hide it. You’d better find it. [bugs] Please fix it as soon as possible. Blockchains like Ethereum are inherently transparent, so hackers will find exploits when companies use buggy code. We recommend testing openly on a so-called testnet before deploying with real money and high stakes. , is a small price to pay for increased security. Additionally, Smarthis contracts must be audited by an external developer.
Second, customers risk having their wallets hacked. “[Crypto wallets are] It’s probably the number one risk,” says Carter. “Poor wallet setup or failed key management — this is probably the biggest cause of money loss.” Companies can help keep communities safe by highlighting the risks and educating music fans who enter the space. I can do it.
Carter recommends that anyone working with cryptocurrencies should use a hardware wallet. This is a USB device that disconnects from your computer and the Internet. Also, he should limit funds in “hot wallets” such as Metamask, which can be easily compromised by malicious links. “The NFT space is being very aggressively targeted by phishing,” he warns. “I think it’s because it got mainstreamed too quickly…that meant a lot of people didn’t have that much experience.” [wallet] management. “He also suggests using his two-factor authentication on all crypto-related accounts and advises against clicking on unknown links.
Warner’s team did this by using the project’s Discord server’s Security page. Users must read this page before entering. Describe best practices and alert the community to how to spot fraud. “In the nascent space, bad actors are preying on unsuspecting members of the community.” Sebastian Simone, Vice President of Audiences and Strategy at Warner. “If people are having a negative experience, it will take time for Web3 to go mainstream.”
Importantly, however, the failure of wallets and smart contracts does not mean the failure of the blockchain itself. “It’s very rare for the blockchain itself to be hacked,” says Carter. It is the code and applications on the blockchain that pose the greatest security threat.
Both Carter and Williams are optimistic that standardized contracts and simpler code will reduce these security problems over the next few years, but the young industry is still learning the hard way. , with each new exploit it learns where vulnerabilities lie and employs safer methods for the future.
As Carter says, “Safety rules are written in blood.”
