A recent Twitter thread led me to write this post:
There are a lot of stories like these circulating, all related to organizations not following* basic security best practices (multi-factor authentication, for example):
- DeFi protocol StakeSteak: https://coinmarketcap.com/headlines/news/defi-hack-alert-stakesteak-lost-nearly-200000-in-an-exploit-heres-what-happened/ (leaked private key in a public GitHub repo)
- PancakeSwap: https://blog.alfa.cash/2021/03/15/defi-pancakeswap-cream-compromised-phishing/ (DNS hijack due to poor access control)
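The first incident is exactly the kind of thing a boring hygiene control catches before it ships. As an added example (my own code, not from the original post or from any of the projects above), here is a small pre-commit style scanner that flags PEM private-key blocks and bare 32-byte hex keys (the encoding of an Ethereum account key) in files about to be committed. The regex patterns, the "hint word" heuristic and all sample data are my own assumptions, constructed for illustration; none of the values are real credentials.

```python
#!/usr/bin/env python3
"""Scan files for private-key material before they reach a public repo.

Added example, not code from the original post. It flags two things:
PEM private-key blocks and bare 64-hex-digit strings (the encoding of a
32-byte key, e.g. an Ethereum account key). A 64-hex string is also the
shape of a transaction or block hash, so it is only rated "high" when the
line carries a hint such as "key" or "private". All sample data below is
constructed for illustration and is not a real credential.
"""
import re
import sys
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, confidence)

# PEM headers: "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
# "OPENSSH PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ...
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")

# Exactly 64 hex digits, optional 0x prefix, not embedded in a longer hex run.
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# Context words that make a 64-hex string much more likely to be a key than
# a hash (case-insensitive substring match, so "DEPLOYER_PRIVATE_KEY=" hits).
KEY_HINT_RE = re.compile(r"priv|secret|key|signer|deployer|mnemonic", re.IGNORECASE)

# All-same-digit values (0x000...0, 0xfff...f) are placeholders, not keys.
PLACEHOLDER_RE = re.compile(r"^(?:0x)?([0-9a-fA-F])\1{63}$")


def scan_text(text: str) -> List[Finding]:
    """Return (line_number, kind, confidence) for each suspected key in text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_RE.search(line):
            findings.append((lineno, "pem-private-key", "high"))
            continue
        for match in HEX32_RE.finditer(line):
            if PLACEHOLDER_RE.match(match.group(0)):
                continue
            confidence = "high" if KEY_HINT_RE.search(line) else "low"
            findings.append((lineno, "hex-32-byte", confidence))
    return findings


def has_high_confidence(findings: List[Finding]) -> bool:
    """True if any finding should block the commit."""
    return any(conf == "high" for _, _, conf in findings)


def scan_paths(paths: List[str]) -> Dict[str, List[Finding]]:
    """Scan each file; unreadable files are skipped, undecodable bytes ignored."""
    results: Dict[str, List[Finding]] = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings = scan_text(fh.read())
        except OSError:
            continue
        if findings:
            results[path] = findings
    return results


def main(argv: List[str]) -> int:
    """CLI entry: print findings, exit 1 on any high-confidence hit (hook use)."""
    block = False
    for path, findings in scan_paths(argv).items():
        for lineno, kind, conf in findings:
            print(f"{path}:{lineno}: {kind} ({conf} confidence)")
        block = block or has_high_confidence(findings)
    return 1 if block else 0


# Constructed samples (not real credentials) to exercise scan_text().
SAMPLE_ENV = (
    "# constructed sample .env, not real credentials\n"
    "RPC_URL=https://mainnet.example.invalid\n"
    "DEPLOYER_PRIVATE_KEY=0x4c0883a69102937d6231471b5dcb1ea0f1c3a1d5d3c4f2c6b8e9a0b1c2d3e4f5\n"
    "LAST_TX=0x9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e\n"
    "ZERO_KEY=0x" + "0" * 64 + "\n"
)
SAMPLE_PEM = (
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHQCAQEEICONSTRUCTEDSAMPLEBODYNOTAREALKEY\n"
    "-----END EC PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as a hook with `git diff --cached --name-only -z | xargs -0 python3 scan_keys.py` (the script name is my own choice), the non-zero exit aborts the commit. The scanner is deliberately conservative: it only blocks on the "high" tier, because a 64-hex string without any key-ish context on the line is usually a hash, and a hook that blocks on every transaction hash gets disabled within a week. Real secret scanners add many more patterns, but this is the shape of the control.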
However fascinating the specifics of blockchain security** are, you must not forget that all these 'crypto-native' organizations are still people working with computers. Yes, I am being overly simplistic, but it's true nevertheless.
It essentially boils down to this: you should apply the (seemingly legacy) industry best practices, such as the NIST Security and Privacy Controls for Information Systems and Organizations (SP 800-53). If you don't, well, you know, it's an accident waiting to happen...
(*) First of all, it is only human not to do so! I don't follow every security best practice myself (it's the eternal trade-off between convenience and security), but then again I am running a blog, not a multi-million dollar crypto operation 😬.
(**) I sometimes get swept away by the insane amount of information available on blockchain security. Did you know there is an entire research field dedicated to Miner Extractable Value (MEV)? https://github.com/flashbots/mev-research 🤖