“Most blockchain infrastructure was originally designed for a single-user, single-key model: one private key controls everything, and if that key is lost or stolen, all assets disappear instantly. This goes against the basic security principles that traditional finance has relied on for decades: more than one person approving, separation of duties, and multiple layers of defense,” Wu told CoinDesk.
In some ways, the system designed to revolutionize global finance has weaker security than a traditional email account.
Wu added that the number of routes through which an attack can be launched has increased significantly. “Cloud systems, third-party tools, social media accounts and the people who operate them, all of these can become a gateway.”
Both Wu and Fan cited the February 2025 Bybit hack as an example of an expanded attack surface. Attackers compromised the software supply chain of a third-party development tool, allowing them to inject malicious code into the wallet’s web interface and trick executives into unknowingly giving up $1.5 billion in Ethereum.
The Fix
The industry is now working to address the private key vulnerability problem, but unevenly, according to Wu.
“There is progress on several fronts: MPC [multi-party computation] hardware wallets, account abstraction with social recovery, password login, hardware wallet enforcement and proper key management SOPs,” he said. “The problem is that these are often added as optional extras, instead of being built in from the start at the protocol level. Most chains still view security as a feature to be built in, not a fundamental design principle.”




