One evening in July, panic spread in a small corner of the Web3 music space. Mysteriously, $6.1 million worth of cryptocurrency began moving out of blockchain music service Audius’ company treasury into an unknown wallet. Audius was being hacked.
The hacker discovered a bug that allowed them to take control of the Audius treasury — the crypto equivalent of a shared bank account — and transfer the entire funds to their own crypto address. The bug had lived in the code for two years.
This is shaping up to be the worst-ever year for crypto hacks, according to Chainalysis, with over 125 major hacks totaling more than $3 billion, on track to exceed the $3.2 billion stolen in 2021.
Meanwhile, phishing scams continue to drain NFT wallets at an alarming rate. “Everything is unbelievably insecure,” says Sam Williams, founder of blockchain storage platform Arweave and a self-proclaimed “hacker,” though he uses the term as a broad description for coders. “We’re in the hackers’ Wild West of Web3 right now.”
Since the popularity of NFTs and cryptocurrencies like Bitcoin took off in early 2021, things have only gotten worse, creating a honeypot for hackers. “There was a lot of fluff brought in during the hype cycle last year,” Williams says, “and that typically lowers security standards for a period.” Teams scrambled to push products live to capitalize on the stream of new money, paying too little attention to security.
For music companies or artists entering the space, the consequences of a hack could be enormous. Audius took a $6 million financial hit, but it’s more than just money. Exploits can also damage the trust of music fans and undermine the entire promise of Web3. Warner Music Group considered this dilemma when launching its Stickmen Toys NFT collection earlier this year. “No matter how much time, how many resources, or how good of intentions go into a project, if there is a security breach, it can harm the project and its team’s reputation,” says Jillian Rothman, Warner’s vp of new business & ventures, business development.
The stakes of hacking are higher in Web3 than on today’s internet because customers are at direct risk of losing their money. If there’s a malicious link in a Discord server, dozens of community members could have their NFTs or cryptocurrency stolen from their wallets. If there’s a bug in the code, users could have their funds cryptographically locked with no recourse. The community backlash from these security incidents can be so severe and costly that Web3 teams often resort to refunding users out of their own pocket. So, where are the biggest risks, and what can music companies do to protect themselves and their artists?
Experts say the main vulnerabilities for the NFT space lie in smart contracts. These are programs written by developers on top of blockchains like Ethereum that hold funds and execute transactions — such as paying out royalties on secondary sales. “Smart contracts are just buggy and can be exploited,” says Nic Carter — partner at Castle Island Ventures, a VC firm with several Web3 music investments. “Things are so new in the crypto space that developers are still learning the best practices for safety.”
One NFT project, for example — Aku, by former MLB player Micah Johnson — got $34 million locked in a smart contract due to a small bug in the code. The money was never recovered.
One way to immediately lower the risk is operating with transparency. “It should be damn open source,” says Williams, so that anyone can check and verify the code. “There’s no point trying to hide it. Better you find [bugs] early so you can fix them.” Blockchains like Ethereum are transparent by nature, so hackers will find exploits if companies go live with buggy code. Better to test it in the open on so-called test-nets before deploying with real money and high stakes. While building publicly might take away an element of surprise in terms of marketing, it’s a small price to pay for added security. Additionally, smart contracts should be audited by external developers.
Next, there’s the risk of customers getting their wallets hacked. “[Crypto wallets are] probably the No. 1 risk” for newcomers, says Carter. “A poor wallet setup or a failure of key management — that’s probably been responsible for the greatest loss of funds.” Companies can keep the community safe by highlighting the risks and educating music fans entering the space.
Carter recommends that anyone interacting with crypto use a hardware wallet — a USB device that keeps keys offline, disconnected from your computer and the internet. And they should limit the funds on a “hot wallet,” such as MetaMask, which can be easily compromised through malicious links. “The NFT space is really aggressively targeted by phishing,” he cautions. “I think because it was mainstreamed so quickly… It meant a lot of people didn’t have as much experience in [wallet] management.” He also suggests using two-factor authentication on all crypto-related accounts and advises against clicking unknown links.
The team at Warner put this into practice using a “security” page on their projects’ Discord servers. Users have to read this page before entering. It explains the best practices and warns the community how to spot scams. “In a nascent space, bad actors prey on unsuspecting community members,” says Sebastian Simone, Warner’s vp of audience & strategy. “It will take longer for Web3 to go mainstream if people have negative experiences.”
Importantly, however, the failure of wallets and smart contracts does not imply a failure of the blockchain itself. “It’s extremely rare to have the blockchain itself be hacked,” says Carter. It is the code and applications on top of the blockchains that pose the biggest security threat.
Carter and Williams are both optimistic that these security issues will decline over the coming years through standardized contracts and simpler code, but the young industry is still learning the hard way. With every new exploit, developers are learning where the vulnerabilities are and adopting safer practices for the future.
As Carter puts it, “Safety rules are written in blood.”