I work almost exclusively in blockchain security, and have had exposure to hundreds of stacks, and many very sophisticated and highly targeted attacks.
It -is- a dumpster fire, and major exploits are happening constantly that never go public. Honestly I think the only reasons hacks are not happening faster is because the primary adversaries don't want spook the market with a pile of silmutanious attacks.
I have seen attacks that were several months in the making. They are patient.
I have had multiple conversations with three letter agencies warning my employers/clients which state actor is currently targeting them.
Even still if you suggest the hard changes that will take many classes of risk off the table like auditing critical third party dependencies, removing ingress internet on systems with key material, personal HSMs for ssh and multisig code review signing, custom policy driven multisig signing HSMs, airgapped key management with deterministic processes repeatable my multiple teams to tolerate any one human or system being compromised... most look at you like a crazy person. At best most smile and nod and say they will do it, then never actually prioritize it over actions that increase short term profit.
Many companies are perfectly happy trusting access to tens of millions of dollars with an iPhone app. Nevermind that the market for iPhone sandbox escape 0days is around $50k.
I only work with the few teams that actually get it.
To be honest the only people that tend to get it, are the ones that have been badly compromised before or been close to it.
The message in the episode is probably not that everything is great in the blockchain world, because you're right, there are lots of explits and lots of forks. Lots of what blockchain is doing involves building mistakes on mistakes.
It's possible that blockchain is simply more exposed, because there's so much to gain from an attack, and absolutely no security through obscurity. I think it's also hard to deny that the speed with which the community can respond to many of these problems is improved by how reproducible everything needs to be by design.
interesting discussion at the start about solving specific problems as opposed to paying attention to trajectory. i believe in this wholly, it applies to everything.
It -is- a dumpster fire, and major exploits are happening constantly that never go public. Honestly I think the only reasons hacks are not happening faster is because the primary adversaries don't want spook the market with a pile of silmutanious attacks.
I have seen attacks that were several months in the making. They are patient.
I have had multiple conversations with three letter agencies warning my employers/clients which state actor is currently targeting them.
Even still if you suggest the hard changes that will take many classes of risk off the table like auditing critical third party dependencies, removing ingress internet on systems with key material, personal HSMs for ssh and multisig code review signing, custom policy driven multisig signing HSMs, airgapped key management with deterministic processes repeatable my multiple teams to tolerate any one human or system being compromised... most look at you like a crazy person. At best most smile and nod and say they will do it, then never actually prioritize it over actions that increase short term profit.
Many companies are perfectly happy trusting access to tens of millions of dollars with an iPhone app. Nevermind that the market for iPhone sandbox escape 0days is around $50k.
I only work with the few teams that actually get it.
To be honest the only people that tend to get it, are the ones that have been badly compromised before or been close to it.