“Most blockchain infrastructure was originally built for a single-user, single-key model, a private key controls everything, and if that key is lost or stolen, all assets are instantly gone. This goes against the basic security principles that traditional finance has relied on for decades: more than one person approving, separation of duties, and multiple layers of defense,” Wu told CoinDesk.
In some ways, the system created to revolutionize global finance has weaker security than a typical email account.
Wu added that the number of routes through which an attack can be launched has increased significantly. “Cloud systems, third-party tools, social media accounts and the people who operate them can all become a way in.”
Both Wu and Fan pointed to the February 2025 Bybit hack as an example of an increasing attack surface. The attackers compromised the software supply chain of a third-party development tool, allowing them to inject malicious code into the wallet’s web interface and trick executives into unknowingly giving away $1.5 billion in Ethereum.
The solution
The industry is now taking steps to address the private key vulnerability issue, although not uniformly, according to Wu.
“There is progress on many fronts: MPC [multi-party computation] wallets, account abstraction with social recovery, passkey-based login, applying hardware wallets and proper key management SOPs,” he said. “The problem is that these are often added as optional extras, rather than being built in from the start at the protocol level. “Most chains still treat security as a feature to be built in, not a core design principle.”
