Not every person whose job title includes “cryptographer” is qualified or skilled enough to produce cryptographic algorithms that actual people employ to safeguard real objects.
Too many Web3 teams are making the same that our predecessors have been warning about for decades: they are developing their own cryptocurrency as the snows of Crypto Winter melt and numerous seed rounds sprout.
In this context, “crypto” refers to cryptography, which includes the mathematical methods and software that safeguard credit cards, the internet, and the well-known Web3 protocols.
What distinguishes cryptography from, example, developing ordinary apps?
Consider it in this manner. If you’ve recently created the trendiest new platform for tech-savvy cats to watch bird videos, you’re probably ecstatic if it functions 99.9% of the time. However, it’s evident that avoiding alleged thefts 99.9% of the time won’t work if you’ve instead created the sexiest new cryptocurrency wallet: Attackers won’t let up until they have taken all of your users’ money. When there is a payout, perseverance is valuable.
Regretfully, “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break,” as computer security icon Bruce Schneier puts it. According to Schneier, creating systems that others can’t defeat is the difficult part. Web3 developers continue developing their own cryptocurrency, encouraged by their inexperience (and busy auditors). What is the outcome?
Faulty cryptographic implementations
The algorithms used in cryptography are quite sensitive. If an algorithm is badly implemented, it can be easily broken, even if it is widely understood and secure.
Think about the hundreds of hundreds of thousands of dollars that were pilfered during the previous two years due to an error in a textbook: producing secret codes in a foreseeable manner that makes guesswork easier for attackers. Although avoiding them is a fundamental principle of cryptography engineering, we still occasionally encounter these problems.
But not every bug is that easy to fix. Not all cryptographers have an engineering background, and others require engineering intuition and knowledge to recognize. Having produced Web2 and Web3 crypto code, and possibly even articles explaining how to write crypto code, applied cryptographers and crypto engineering experts are familiar with subtle implementation issues. Theoretical cryptographers, on the other hand, are knowledgeable in theory but are far less interested in the nuances of codes.
To put it succinctly, beware: Not everyone who claims to be a “cryptographer” is qualified or experienced enough to build cryptographic code that actual people employ to safeguard actual objects.
Reasons why deployment fails of your own crypto
A system can be badly implemented even if it is conceptually sound and well-executed.
Consider the Ronin Bridge, which saw a loss of more than $500 million in 2022. Five-of-nine majority vote was meant to safeguard user finances, but a string of egregiously bad deployment choices ultimately brought it down. Ultimately, one corporation (Sky Mavis) essentially held access of five of the nine voting keys, which made it possible for attackers to steal the bulk of the votes with just one hack.
In addition to cryptography theory and engineering, secure system design and deployment that thwarts attackers is a skill that is sometimes disregarded in Web 3. That’s presumably why pundits who tut-tutted about “more decentralization” in the wake of the Ronin attack totally missed the mark. It was quality, not number, that was the problem.
Detrimental complexity
Lastly, a Web3-specific illness is exacerbating the whole situation: a preoccupation with the needless application of cutting-edge buzzword cryptography, such as “fully homomorphic encryption,” “multi-party computation,” or “zero-knowledge proofs,” to issues that plainly don’t require complex answers. Not only are such polysyllabic crypto heavyweights immature, but they are also more brittle and challenging to use properly. Furthermore, they are typically employed not because they are the best instrument for the job, but rather to draw attention and investment.
What could be wrong with that? You would have some concerns, of course, if a landscaper arrived with a backhoe to plant some orchids and the neighbor’s dog was injured in a small accident. You probably wouldn’t see the landscaper’s jargon-filled response as evidence of his or her profound orchid mastery, either.
In Web3, the same holds true. Ask yourself: Has the group made it clear that they require the big weapons, specifically that nothing simpler could address this problem? This is important to consider when the sales pitch is basically technobabble communicating little more than “we have the strongest cryptography on the block.” The typical response is no.
We’ll tell it once more: Don’t gamble with cryptocurrency! Perhaps before entrusting a project with your cryptographic secrets, or worse, those of your users, start by looking over the “About Us” page.
Additionally, if the team seems to believe that their product is too complex for common people to grasp, or if the responses to your safety inquiries have a poor signal-to-buzzword ratio, you might want to seek elsewhere.