Polygon CSO blames Web2 security vulnerabilities for recent hacks

Polygon Chief Security Officer Mudit Gupta urges Web3 companies to hire traditional security professionals to stop easily preventable hacks, arguing that absolute code and encryption are not enough.

Speaking to Cointelegraph, Gupta explained that some of the recent crypto hacks were ultimately the result of poorly designed blockchain technology due to Web2’s security vulnerabilities, such as private key management and phishing attacks.

Adding to the point, Gupta emphasized that having a certified smart contract security audit without following standard Web2 cybersecurity practices is not enough to protect the protocol and user wallets from being exploited.

“I’ve been pushing every major company to at least get a dedicated security person who knows the importance of key management.”

“You have API keys that have been used for decades and decades. So there are actual best practices and procedures that one should follow. To keep these keys safe. There should be a proper audit trail and proper risk management around these things. But as we have seen these crypto companies ignore everything,” he added.

While blockchains are often decentralized on the backend, “users interact. [applications] on a centralized website,” so care should always be taken to implement traditional cybersecurity measures around things like domain name system (DNS), web hosting and email security, Gupta said.

Gupta also emphasized the importance of private key management, using the $600 million Ronin Bridge hack and the $100 million Horizon Bridge hack as textbook examples of the need to tighten private key security procedures.

“Those hacks had nothing to do with blockchain security. The code was fine. The encryption was fine. Everything was fine. Except for key management. Private keys. […] They are not held securely, and the way the architecture works is that if the keys are compromised, the entire protocol is broken.

While Gupta suggested that blockchain and Web3 companies “fall victim to phishing attacks, that’s your problem,” he argued that “if we want mass adoption,” Web3 companies need to take more responsibility than just playing it safe. Low.

“For us […] We don’t just want the minimum security that protects accountability. We want our product to be safe for users to use […] So we think about what traps they can fall into and try to protect users from them.

Polygon is an interoperable and scalable framework for building Ethereum-compatible blockchains, allowing developers to build scalable and user-friendly decentralized applications.

Related: Cross-chains at the intersection: Hackers need better protection methods

With a team of 10 security professionals now employed by Polygon, Mudit now wants all Web3 companies to follow the same approach.

Following the $190 million Nomad Bridge hack in August, crypto hacks have now surpassed $2 billion, according to blockchain analytics firm Chinalysis.