The Biggest Threat Vectors in Crypto and How Dynamic Protects Against Them

The Growing Security Challenges in Crypto
With innovation comes an evolving set of security threats. Unlike traditional applications, crypto platforms deal with irreversible transactions and user-controlled assets. This makes them prime targets for attackers, whether through phishing scams or supply chain attacks. These threats can compromise wallets, steal funds, and hurt credibility.
As the CTO of Dynamic, security is at the core of everything I work on. We continuously enhance our infrastructure, monitor for threats, and implement features to block and deter bots. We also conduct regular audits, maintain SOC 2 Type II compliance, and run a bug bounty program to identify and address vulnerabilities. In this post, I’ll walk you through the biggest security threats in our industry and how we mitigate them at Dynamic.
Problem 1: Phishing & Social Engineering Attacks
The Threat
Phishing remains the most common attack vector in crypto. Phishing involves malicious actors tricking users into revealing sensitive information by impersonating trusted platforms or sending fraudulent emails. Social engineering attacks are often paired with phishing, manipulating users into granting attackers access to their accounts or wallets. This allows attackers to take full control of a user’s wallet and steal funds.
How We Solve This at Dynamic
- Domain binding and JWT security: We restrict wallet interactions to approved domains only, ensuring JWTs cannot be misused on unauthorized platforms.
- Transaction simulation: Our built-in transaction simulation warns users before they confirm transactions, scanning for malicious addresses and ensuring the transaction matches expectations.
- Real-time user warnings: We proactively notify users about risky actions. For example, our developer console includes warnings advising users never to copy and paste code into their browser, and we require explicit user acknowledgment before sensitive actions like exporting wallet data.
- Encouraging MFA and passcodes: We provide developers with tools to enforce MFA or passcodes on their wallets, adding an additional layer of authentication. Importantly, we do not allow SMS as a secondary MFA method.
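To show what domain binding of a JWT looks like in practice, here is an added example (not Dynamic's code): an HS256 token is issued with its `aud` claim set to one approved domain, and the verifier rejects it when any other domain presents it, even though the signature is valid. The key, issuer and domain names are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values for illustration only: not Dynamic's key, issuer or domains.
SIGNING_KEY = b"constructed-demo-hs256-key"
ISSUER = "https://auth.example.com"
APPROVED_DOMAINS = {"app.example.com", "staging.example.com"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject: str, audience: str, ttl_s: int = 300, now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 JWT whose `aud` names exactly one approved domain."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_for_domain(token: str, requesting_domain: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the token is authentic, unexpired and bound to
    the domain presenting it; every other case yields None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm: rejects alg=none and algorithm-confusion tokens.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != ISSUER or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    # Domain binding: the presenting domain must be approved AND must be the
    # audience the token was issued for, so a token captured by a phishing page
    # on another domain is rejected even though its signature checks out.
    if requesting_domain not in APPROVED_DOMAINS or claims.get("aud") != requesting_domain:
        return None
    return claims
```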
Problem 2: Cross-Site Scripting (XSS) and Brute-force Attacks
The Threat
XSS attacks allow malicious scripts to be injected into legitimate websites, compromising wallets and authentication credentials. These scripts can execute in a user’s browser without their knowledge, stealing sensitive information or performing unauthorized actions. Additionally, brute-force attacks pose a significant risk by systematically attempting to guess passwords, authentication tokens, or API keys.
How We Solve This at Dynamic
- Content Security Policy (CSP) and iframes: We enforce strict CSPs to prevent unauthorized scripts from accessing wallet shares or modifying user sessions. Wallet interactions are handled within iframes, ensuring encrypted data is only accessible to the end user on their own device.
- Rate limiting and CAPTCHA: We apply rate limits on authentication attempts and support additional measures like hCaptcha to block brute-force attacks.
- Automated threat detection: We actively monitor authentication endpoints and flag any unusual spikes in requests, as well as any suspicious accounts.
- Preparation for high-traffic events: We encourage developers to place sites behind Cloudflare Turnstile during periods of heightened traffic and to enforce additional security measures like email domain blocking. If you have a high-traffic event such as a token generation event (TGE) coming up, get in touch with our team to ensure your flows remain uninterrupted.
Problem 3: Man-in-the-Middle (MITM) & Supply Chain Attacks
The Threat
MITM attacks occur when a hacker intercepts communications between a user and a platform, potentially stealing authentication tokens or modifying transactions. Supply chain attacks target software dependencies, inserting malicious code into widely used libraries or services. This allows attackers to distribute malware at scale and impact multiple platforms and users without direct interaction.
How We Solve This at Dynamic
- Strict TLS/SSL enforcement: All network traffic to or from Dynamic’s servers is encrypted to prevent unauthorized interception.
- CORS restrictions: We enforce CORS origin restrictions for all web apps, blocking unauthorized cross-origin requests and ensuring only authorized domains can interact with wallets.
- Session chaining for embedded wallets: Our embedded wallets go beyond standard security by implementing session key chaining. This ensures that every authenticated request is bound to a properly registered session key, preventing unauthorized access to sensitive wallet actions. For wallets utilizing TSS-MPC, we also use a secure relay mechanism to add an extra encryption layer.
- Automated supply chain monitoring: We continuously scan third-party dependencies for vulnerabilities and enforce integrity checks on all external software components.
- Multi-person review and attestation: Our deployments through Trusted Execution Environments (TEEs) involve multi-person reviews with scanned, signed, and verified artifacts.
Beyond the Basics: How We Use TEEs & Key Share Refreshing
We go beyond standard security measures by leveraging TEEs and key share refreshing to enhance wallet security. TEEs provide a crucial layer of protection by allowing secure computations within AWS secure enclaves, ensuring that sensitive operations take place in an isolated environment. This means that even if the underlying infrastructure is compromised, unauthorized access to cryptographic key shares remains blocked.
We also implement a Threshold Signature Scheme Multi-Party Computation (TSS-MPC) model, eliminating single points of failure in key management. TSS-MPC allows us to offer several options for account recovery and for refreshing key shares. Lastly, TSS-MPC gives developers the flexibility to choose between 2/2, 2/3, and 3/5 threshold configurations, so they can pick what best suits their specific needs.
In the unlikely event that Dynamic is unavailable, users can still independently recover their wallets. This ensures that developers have peace of mind and can focus on building while we handle the rest.
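To make the threshold and key-share-refresh ideas from the two paragraphs above concrete, here is an added example (not Dynamic's TSS-MPC implementation) using textbook Shamir secret sharing over the secp256k1 field prime: a key is split into 2/2, 2/3 or 3/5 shares, recovered from any threshold-sized subset, and refreshed so that shares leaked before the refresh become useless while the key itself stays the same. A real TSS scheme signs without ever reassembling the key in one place; the reconstruction here only demonstrates the threshold property, and the refresh uses a single dealer for brevity where a proactive protocol would have each party contribute its own zero polynomial.

```python
import secrets

# Constructed field: the secp256k1 base-field prime, large enough for a 256-bit key.
P = 2**256 - 2**32 - 977

def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points on a random degree-(threshold-1)
    polynomial; any `threshold` of them recover it, fewer reveal nothing."""
    assert 1 <= threshold <= shares and 0 <= secret < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def recover_secret(shares):
    """Lagrange-interpolate the shared polynomial at x = 0 from (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def refresh_shares(shares, threshold):
    """Proactive refresh: add to every share the value of a fresh random polynomial
    whose constant term is 0. The secret is unchanged, but every share changes, so
    an old share combined with new ones no longer interpolates to the secret."""
    zero_poly = [0] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, (y + _eval_poly(zero_poly, x)) % P) for x, y in shares]
```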
Security Best Practices at Dynamic
Here’s a summary of our security requirements and recommendations:

For more information on how we handle security at Dynamic, check out the following: