Crypto’s security nightmare won’t be solved by ordinary audits
Key takeaways
- Malicious actors, particularly North Korea’s Lazarus Group, have stolen more than $2.2 billion since 2022, prompting the industry to triple its number of code audits over the same period.
- But more audits have not translated into fewer losses.
- In other words, there is a real mismatch between the vulnerabilities that traditional audits examine, and the vulnerabilities that attackers exploit.
Malicious actors, particularly North Korea’s Lazarus Group, have stolen more than $2.2 billion since 2022, prompting the industry to triple its number of code audits over the same period.
But more audits have not translated into fewer losses. Neither the total number of incidents nor the amount of money stolen is declining significantly. Our research at Oak Security explains why: the majority of successful attacks target human and operational vectors rather than contract code. When we look at the top causes of exploits, most lie entirely outside the attack surface that a code audit examines.
In other words, there is a real mismatch between the vulnerabilities that traditional audits examine, and the vulnerabilities that attackers exploit. The crypto space is likely to continue suffering from steep losses until it erases that mismatch by expanding security measures to include human and operational vectors and by addressing the following points to update the current auditing infrastructure.