Bitcoin DeFi security concerns still lurk, says Fireblocks executive
Fireblocks' new features aim to protect against phishing dApps and rogue insiders.
The Bitcoin (BTC) decentralized ecosystem has developed rapidly in 2024, with its total value locked (TVL) jumping 263% so far and surpassing $1 billion, according to data aggregator DefiLlama. Nevertheless, as a nascent sector in which builders try to create applications compatible with other blockchains, new security issues may surface as it grows.
Shahar Madar, VP of Security and Trust at Fireblocks, shared with Crypto Briefing his insights on the risks of Bitcoin decentralized applications and on how mature the security of the decentralized finance (DeFi) ecosystem is.
Crypto Briefing – Did you find any issues with the different applications built on top of Bitcoin that raised your concern?
Shahar Madar – I would say this is very early on. Although I think there are many conversations about Bitcoin DeFi, I’m not sure we are at the stage where it’s as adopted as it could be. Bitcoin is definitely a staple of the blockchain industry and the blockchain ecosystem. We see Wrapped Bitcoin as one of the important tokens, and our customers use it a lot.
On DeFi over Bitcoin, personally, I feel it’s too early to tell. Usually, the way you see this kind of thing is that you iterate pretty quickly with different implementations. We’ve seen this. We see this even with account abstraction. We see this with some technologies that have been spoken about for a very long time. So because this place is very innovation-driven, there’s going to be usually many iterations.
I don’t know if that’s specific to Bitcoin DeFi, but usually, this kind of thing evolves over time. We only find the core issues or points of pain when people start using it.
Crypto Briefing – Recent studies show that private key compromises are the most recurring and damaging attack vectors in the crypto industry. Do you think it will become an even bigger threat?
Shahar Madar – So since day one, one of the core values that Fireblocks offered for institutions and honestly any organization, any business, is the ability to securely manage their operations, and their keys, and onboard safely and securely to blockchains on one side.
So this part of private key compromise that many people are experiencing, I feel is strongly mitigated by the fact of how we generate keys, and how we store the keys for our customers. The way our self-custody platform works is that we leverage MPC and essentially break down the private key into three different parts, each of them being held at a different security safe, so it’s impossible to take out.
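The "break the key into parts" idea above can be illustrated with a 2-of-3 Shamir secret sharing of a constructed secp256k1 private key. This is an added example, not Fireblocks' code: it reconstructs the key so the threshold property is visible, whereas a production MPC wallet signs with the shares and never reassembles the key. The field choice (the secp256k1 group order) and the sample key are assumptions of the example.

```python
import secrets

# Order of the secp256k1 group: a Bitcoin private key is a scalar in [1, N),
# so sharing over GF(N) reconstructs the key exactly (assumption: ECDSA/secp256k1).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(key: int, threshold: int = 2, shares: int = 3) -> list[tuple[int, int]]:
    """Shamir-share `key` so that any `threshold` of the `shares` parts recover it.

    Each part is a point (x, f(x)) on a random polynomial of degree threshold-1
    whose constant term is the key. Fewer than `threshold` points reveal nothing.
    """
    if not 1 <= key < N or not 1 <= threshold <= shares:
        raise ValueError("bad key or threshold parameters")
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_key(parts: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the shared polynomial at x=0 over GF(N)."""
    total = 0
    for i, (xi, yi) in enumerate(parts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(parts):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


if __name__ == "__main__":
    # Constructed sample key, not a real wallet key.
    key = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    parts = split_key(key)              # three "safes", any two suffice
    print(recover_key(parts[:2]) == key)        # True
    print(recover_key([parts[0], parts[2]]) == key)  # True
    print(recover_key(parts[:1]) == key)        # False: one safe leaks nothing
```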
I also want to add other significant threats we see today. One of them is the extension of the first one we’re talking about, which is securing custody of keys. And that is the orchestration and management of smart contracts. We are at a point where people use social engineering to trick and scam private keys out of contract managers, owners, and admins. When this security process is done with our tokenization platform on top of Fireblocks, you obviously are in much better shape, because you know everything goes through our secure user management and secure policy engine, which dictates the authorization flow.
If there’s a sensitive operation related to the smart contract you manage, and I’m saying as a DeFi protocol owner, as a token manager, and as a stablecoin issuer, you can do this as well through the Fireblocks platform. I feel this mitigates a lot of this risk for private key compromises.
Another attack vector is rogue employees, insiders either being rogue going against you or being hacked and attackers leveraging their access and privilege against you. This is the extension of the private key management.
We’ve also extended our DeFi security offering, and this is more meant for people who are doing on-chain trading and on-chain operations. Essentially, it extends to them the ability to authorize sensitive operations with smart contracts and dApps. We’ve extended this because one threat that we’re seeing is phishing dApps, scams that impersonate legitimate decentralized applications, or just plain malicious smart contracts, which are altogether targeting traders.
We’ve launched this new suite of features, essentially scanning every dApp connection you make through the Fireblocks platform, scanning every interaction you have with a smart contract, and simulating every contract call that you have, so you can get a sense of what the expected outcome is. You can get more comfortable and you know what’s going to happen once you approve it. And we’ve integrated that into the entire operation flow that we know institutions that use Fireblocks go through.
Crypto Briefing – Do you believe the new institutions entering the crypto market now are aware of how to make proper custody? Do they prefer to have their own custody team, or are they keen to work with companies such as Fireblocks?
Shahar Madar – Absolutely. These institutions understand; they go into a space after a thorough examination and due diligence. They know there’s an opportunity for them, but they are also very educated about cybersecurity in general. A lot of them, when they come to us, also want to learn.
So they’re looking to partner with someone who’s an expert in this field. They always have a security team, but always, nine out of 10 times, they understand it’s better to partner and leverage existing technology than to build their own.
Most people don’t grow their own tomatoes, they don’t need to invent the wheel. If there’s a great battle-tested technology and Fireblocks is definitely one, you should use it and be on top of it. We do invest a lot and we work very closely with our big enterprise institutions that either examine the market or go all in and use Fireblocks. We help them with education, we help them to understand the best practices we use in Fireblocks and their entire business around that.
Finally, we also listen to them. It’s part of the reason why we offer many customizations and many different deployment models because we understand that what’s fitting for a very small business, a very small startup consisting of three guys and a dog, is not the same thing that suits a big institution.
Crypto Briefing – From the previous bull cycle to this one, which is just starting, do you see any significant developments in crypto security?
Shahar Madar – It’s a cat-and-mouse game with attackers. We are, as Fireblocks and as the industry as a whole, pushing forward for wider adoption, for better security standards. And we’ve gone a very long way since inception. And attackers are always trying to get at us, right? They always try to push forward. They try to find new ways to get in, and it’s our job as people who work in the blockchain security ecosystem to keep chasing them, to keep blocking them, to research, and to investigate what they do.
I think we are doing overall as an industry better than we were two, three, four, five years ago. But also, on the other hand, we’re seeing the exploiters changing, evolving, and trying to get ahead of the latest protections and defenses that people put out.
It’s a never-ending game. You have to keep researching, tracking, and improving. And to a point about the role of blockchain security firms in the space, I think it’s a big part of that. You need to keep and stay on top of the latest threats. And if you’re not, and if you’re just using the same technology you built half a decade ago, you’re not going to keep people secure.