Balancing Usability and Security in the Wake of a Breach: An Interview With Magpie Protocol's CIO

2 Jul 2024

As the DeFi space continues to grow, security has emerged as a major stumbling block on the road to mainstream adoption. The space may have made strides in recent years to improve security and protect users' funds, but hacks and exploits remain a regular occurrence in the ecosystem.

In late April, Magpie Protocol suffered an attack that resulted in $129,000 value in USD from 221 wallets. I sat down with Ikram Ansari, Co-founder and CIO of Magpie, to get their perspective on the issue as well as Magpie’s experience and lessons learned from getting hacked.

Q: How are DeFi protocols currently alerted about hacks? Does the hacker reach out to gloat? Are there systems in place to alert the team? Does the team wait for users to see if there’s something sketchy going on?

There are real-time monitoring and protection tools that continuously listen to blockchain events and alert teams of any smart contract issues. For example, Cube3AI allows protocols to implement real-time monitoring of their smart contracts. It works by assigning a score – safe, warning, or unsafe – to transactions executed on a contract.

These tools only monitor, though. So, it's up to the protocol to implement an automated pause or any action if an alert is triggered. Cube3AI also offers real-time protection and will block a transaction if triggered by an issue that doesn’t require manual intervention by the team members.

Overall, if a project isn’t utilizing such a tool, it is up to the team to detect any anomalous activity by monitoring their smart contracts. Users will also generally let teams know when something needs looking into.

 Q: Magpie’s response was swift, and users appreciated that. What kind of impact has it had in the short term, and do you think it will continue to hurt the brand in the long term?

Magpie had to temporarily take the dApp offline to fix the exploit. We had the newly updated code tested and verified and received positive feedback on our contracts from our auditor QuillAudits.

In the meantime, however, we had to stop our community campaigns. Spending around a month handling the situation also pushed back the date of the Token Generation Event (TGE) as we could not launch our token during or directly after the exploit.

This may have slowed our momentum in the short term, but we don’t believe it’ll hurt the brand in the long term as the response was swift, the exploited amount low (relative to other exploits), all users were reimbursed, and it all happened before the TGE and its accompanying promotions, campaigns, and PR.

So we actually think it will improve sentiment, as users will see that Magpie has a team dedicated to security and the community. We not only kept going but actively worked to make things better.

Q: DeFi has reached the point where users shrug and say, “Hacks happen.” Some users are so used to it that they don’t even bat an eyelash anymore. What do you think of this desensitization? Was DeFi always doomed to this kind of mentality? What will it take to change it?

DeFi’s adoption and technology are still in the early stages. Most of its users are also what some would call the more serious, or hardcore, crypto users, who may be more accustomed to the “wild-west” nature of DeFi in comparison to centralized finance, but that is not to say that hacks and rug-pulls are enjoyed or welcomed in any way.

We believe that the power users, at least at this time, have become de-sensitized to such hacks as a price for being early adopters of this technology.

But with advancements, such as smart contract wallets, account abstraction, and new security measures, the mentality will change as security is improved.

Q: Your transparency and the efforts you’re making moving forward are commendable. Can you explain in detail how Cube3AI will help secure your project and how it works?

Cube3AI helps our efforts to secure Magpie Protocol by offering real-time protection. This is done by two kinds of products: Detect and Protect.

The Detect suite provides detailed risk scoring for blockchain addresses, assesses cyber threats, fraud, and compliance issues, monitors transactions in real-time on any blockchain, and delivers instant risk scores for new smart contracts across multiple mainnets.

The Protect suite features RASP (Runtime Application Self-Protection), which integrates with smart contracts to provide real-time risk scoring and can revert transactions if security risks are detected.

We currently use Cube3AI for monitoring. Every transaction executed on our contract is given a score, and any issue triggers an alert on Slack. In the next Magpie version, we plan to integrate Cube3AI RASP into our backend, enabling us to receive real-time feedback on transactions before they are executed.

Q: Do you think prioritizing convenience for your users could have had something to do with the vulnerability? Sometimes it seems like the easier things are for users, the more likely a project will be exploited.

In our case, the vulnerability was not due to simplifying the process for users. Prioritizing convenience for users can sometimes lead to vulnerabilities because simplifying processes may involve reducing security measures. Balancing usability and security is essential to protect against potential threats without overly complicating the user experience.