Private keys, not smart contracts, caused 40% of crypto’s $16 billion hack loss. Here is what is being done.

“Most blockchain infrastructure was originally built for a single-user, single-key model, one private key controls everything, and if that key is lost or stolen, all assets are gone immediately. This goes against the basic security principles that traditional finance has relied on for decades: more than one person to authorize, segregation of duties, and multiple layers of defense,” Wu told CoinDesk.

In a sense, the system built to revolutionize global finance has weaker security than a typical email account.

Wu added that the number of routes through which an attack can be launched has increased significantly. “Cloud systems, third-party tools, social media accounts and the people who operate them, all of these can become a way in.”

Both Wu and Fan pointed to the February 2025 Bybit hack as an example of an expanded attack surface. Attackers compromised the software supply chain in a third-party developer tool, allowing them to inject malicious code into the wallet’s web interface and trick managers into unwittingly signing away $1.5 billion in Ethereum.

The correction

The industry is now moving to address the private key vulnerability, though not smoothly, according to Wu.

“There is progress on many fronts: MPC [multi-party computation] wallets, account abstraction with social recovery, access key-based login, hardware wallet enforcement and proper key management SOPs,” he said. “The problem is that these are often added as optional extras, rather than built in from the start at the protocol level. Most chains still treat security as a feature to bolt on, not as a core design principle.”
