At a time when many crypto companies have seen their fortunes plummet, one corner of the industry is thriving.
With criminals including
Their rising fortunes underscore how the industry is waking up to the threat of sophisticated hackers who have stolen
With so much at stake, crypto security services are moving from the "nice to have" spending category to the "must have" bucket, even for bootstrapping startups and community-driven projects.
"We have spent sooooo much money on audits," Paul Frambot, chief executive officer of crypto startup
Morpho has done more than 10 code audits in the past year, according to Frambot.
Investors are taking note of the growing demand for protection. Venture capital firms have poured $257 million into crypto auditing and security companies so far this year, up from $185 million for all of 2021, according to CB Insights.
Rising threat
Crypto thieves have stalked the industry for most of its roughly decade-long existence, from the
But the problem has worsened recently, in part because of a relatively novel part of the ecosystem that's become a juicy target: so-called crypto bridges, software platforms that allow coins designed for one blockchain to be used on another. Hacks on crypto bridges accounted for more than two-thirds of the total value stolen in the first seven months of 2022, Chainalysis estimates.
In March, hackers struck the Ronin Bridge connected to the popular Axie Infinity online game and made off with cryptocurrencies worth about $600 million at the time, one of the biggest hauls to date. The attack has been tied to the North Korean hacker group
Sky Mavis, the developer of Axie Infinity, was forced to
The threat isn't limited to bridges. Hundreds of millions of dollars have vanished in exploits of other projects, like DeFi apps. Many of these projects rely on so-called smart contracts — code that automatically executes transactions in a way that can't be reversed — so design flaws can be especially costly, because a mistaken transfer cannot be undone once it runs.
A hack, or even a major coding error, can spell the end of an app developers spent months or years building.
"These protocols are not simply another service that may be disrupted for a while — for example, like not being able to watch TV for a few hours or longer," said Stefano Schiavi, an investor at bitscale.vc, a backer of crypto security firm Immunefi. When crypto protocols fail, "many people lose significant portions of their savings, and often they even lose everything."
The evolution of Web3, a vision of the internet built largely on crypto technology in which ownership and control are meant to be more widely distributed, means applications will increasingly be interconnected and span many blockchains, said Lex Sokolin, head economist at ConsenSys, which audits smart-contract code.
"I think the more complicated Web3 becomes, the larger the surface area for these exploits," Sokolin said.
$400,000 salaries
Audits are essentially reviews of code by experienced developers who scrutinize it to identify bugs, security concerns and other issues that could make the technology run in unintended ways. In some cases, the protocol's developer can fix the weaknesses pinpointed, and then have those patches reviewed by the auditor.
Some crypto auditors use automated tools that scan code. Others, like OpenZeppelin, deploy at least two auditors who go through the code, one after another, line by line.
Salaries for experienced blockchain auditors can run as high as $400,000 a year, according to Zeth Couceiro, founder of crypto recruitment firm Plexus Resource Solutions. Their pay is typically around 20% above that of developers focused on Solidity, one of the biggest crypto programming languages.
"The reason for that is the need to come from a coding background but also understand the architecture to establish vulnerabilities," Couceiro said.
Long waits, rising prices
So far this year, 1,161 external projects have asked ConsenSys to audit their smart-contract code, close to the number for all of 2021 and up from 247 requests in 2020, according to the company. Clients can wait in line for audits costing up to $320,000 for as long as nine months.
At rival Trail of Bits, published fees have jumped about 20% to 25% in the last 12 months as rising demand put pressure on lead times, said Nick Selby, a vice president at the company.
There's another constituency benefiting from crypto's increasing need for safety: so-called "white hat" hackers who use their skills to help companies plug security holes, rather than exploit them.
"Most hackers prefer to get clean and well-earned money and ease of mind instead of worrying their whole life if they will be caught for their crimes," said Adrian Hetman, tech lead of triaging at bug bounty hunter site Immunefi, whose clients include DeFi project MakerDAO.
Rewards for identifying significant flaws can run as high as $10 million, Hetman said.