Top Security Risks for Digital Asset Treasury Companies

DAT companies face a variety of potential security risks. Some of the most significant include the following:

DAT companies are responsible for properly securing access to the cryptocurrencies held within their treasuries. Attackers who gain access to the company’s blockchain accounts can potentially drain these treasuries, significantly impacting the company’s valuation and share price.

Access control vulnerabilities could occur at multiple levels. If the organization improperly secures access to private keys, an attacker may be able to gain access to these keys and use them to digitally sign transactions that transfer assets from the company’s accounts.

The organization also needs to properly manage passwords and other authentication credentials for accounts with access to these private keys. For example, a compromised password may grant access to an account with the company’s digital asset custodian, that manages the private keys and can digitally sign transactions on their behalf.

DAT companies operate in the DeFi space, where they interact with a complex infrastructure stack. Some technical and infrastructure risks that these organizations face include:

• Smart Contract Vulnerabilities: Smart contracts can contain code errors, access control issues, and business logic errors that make them vulnerable to manipulation and attack. Exploitation of these issues could cause lost funds and similar issues.

• Cross-Chain Bridges: DAT companies may have holdings on multiple blockchains, making them reliant on cross-chain bridges to move assets between them. These bridges may contain vulnerabilities that lead to breaches, and several of the biggest DeFi hacks in history have involved these cross-chain bridges.

• Endpoint Security: Corporate systems may be infected with malware that collects private keys or passwords or manipulates transaction data. This could result in cryptocurrency being stolen from the DAT company’s account.

• Supply Chain Attacks: Attackers may tamper with software that an organization relies upon to manage or secure its digital assets, leading to breaches. For example, the Bybit hack, which was the biggest DeFi hack to date, involved malicious functionality inserted into the software used to manage the company’s multi-signature wallet.

DAT companies must comply with the legal requirements of the jurisdiction where they operate. Their pool of potential investors may also be impacted by regulations that limit who can hold shares of a company or an organization’s exposure to cryptocurrencies and other digital assets.

Regulatory compliance for DAT companies is complicated by the lack of cohesive global regulation of the Web3 space. Blockchain networks are global systems; however, different jurisdictions have varying — and often contradictory — laws and regulations regarding them (if any such laws exist in the first place). Complying with Know Your Customer and anti-money laundering (KYC/AML) regulations and other applicable laws across multiple jurisdictions may be complex, and DAT companies also must stay abreast of policy shifts in the space.

DAT companies also face challenges related to data privacy and security. All transactions recorded on-chain are publicly visible, potentially allowing an attacker to monitor an organization’s trading activity and attempt to manipulate it to their benefit. Companies are also subject to the requirements of GDPR and other data privacy laws to properly protect the customer information entrusted to them.

The introduction of AI tools into critical workflows also creates new risks to data privacy and security. AI tools with access to sensitive business or customer data may leak it to unauthorized parties. Additionally, an attacker with access to AI systems or training data may be able to poison the data or manipulate the AI model in a way that negatively impacts the organization’s trading strategy or causes it to make undesirable transactions on-chain.

In addition to a wide array of software solutions, DAT companies also rely on humans to manage their operations and digital treasuries. This opens up the potential for attacks that target human users via social engineering or that exploit mistakes.

For example, attackers may target employees or contractors with phishing attacks designed to gain access to the organization’s environment via compromised passwords or malware. If successful, this might lead to assets being stolen via compromised private keys or takeovers of key accounts.

DAT companies offer a way for individuals and organizations to gain exposure to cryptocurrency and other digital assets without the need to hold them directly. This has numerous potential benefits, as it can help to reduce the level of risk exposure and add a layer of regulatory oversight, as investment in corporate stocks often has clearer, stricter, and more consistent regulatory protections than cryptocurrency trading.

However, DAT companies are exposed to various forms of risk that they must manage, ranging from the technical to the operational. To manage these risks, these organizations should perform threat modeling to identify top threats and implement the corresponding security best practices. For example, the risk of compromised private keys leading to loss of funds can be reduced by using multi-sig wallets to distribute the risk of compromised keys and cold storage to reduce the threat of unauthorized access to private keys.

Halborn offers advisory and auditing services designed to help place companies on the right path toward security and to identify and close security gaps in code before it is deployed on-chain. To learn more about how your organization can enhance its Web3 security posture with Halborn, get in touch.