Crypto projects losing millions due to exploits and hacks are becoming almost daily headlines. So much so that some of this news had almost become background noise.
While hacks are a big deal in the tech industry, the problem leading to these exploits in crypto isn't the technology itself; rather, it's the compromised "private key."
Blockchain projects have lost a total of $16.69 billion to hacks, DeFi exploits, and bridge attacks, according to data source DeFiLlama. About 40% of that amount is tied to someone obtaining a private key, rather than to a flaw in blockchain technology or a smart contract vulnerability.
In simple terms, private keys are like passwords. Think of online banking. The core infrastructure and systems that actually move and store users' money in traditional banks rarely get breached directly. But passwords get leaked or hacked, and malicious actors can gain access to millions of dollars online. That's the equivalent of the blockchain and smart contract code, and it's generally been solid. What's been compromised, again and again, is the private key or the equivalent of a password.
"We are observing that operational security incidents are rising while smart contract exploits are declining, reflecting that attackers typically target the weakest points. As projects have focused their security investments on smart contracts, other critical areas have been left exposed," CertiK, one of the leading blockchain and Web3 security firms, told CoinDesk.
Every crypto wallet has two key numbers. One is public, like a bank account number, which users share to receive money. The other is private, a string of characters like a user's bank password, that proves ownership of funds in their wallet and lets them spend them.
But here is where it gets more complicated. If a user loses this private key, there is no bank-like option to reset it, no private banker to help access funds, and no fraud department to file a claim. Whoever holds that key holds the funds, regardless of the tech or code behind that protocol.
Private key hacks fall into two categories: brute-force attacks, where attackers guess or brute-force their way to a user's private key. The second is the unknown method, in which the private key is leaked, but nobody is entirely sure how it happened.
These two methods account for roughly 40% of all crypto hack losses to date, underscoring that the majority of these exploits are not due to blockchain infrastructure but to vulnerabilities outside it.
Le Fan, founder and CEO of ZK Proof Layer Cysic, put it bluntly: "Private key hacks aren't a cryptography failure - they're a key-management failure the industry keeps mislabeling. The curve math is unbreakable."
Another problem with a private key is similar to the problem with a password. If a password is created and never used, and never written down anywhere, the chance of a hacker stealing it is virtually zero. But once used to log into devices or written down, the chances of those passwords being leaked or stolen increase.
The same logic applies to the private key. The moment they are used, stored, or shared, there is a risk they will be lost or stolen.
Source
This article is syndicated for educational reading. For the latest updates, visit the original publisher.
Read on coindesk.com
