For months, the crypto community awaited “the Merge” – a high-profile upgrade to the Ethereum network – with bated breath. There was a lot on the line. The Merge was envisaged as making the network much more scalable and energy-efficient, by replacing a proof-of-work (PoW) mechanism with a proof-of-stake (PoS) model. The Ethereum foundation predicted prior to the event that the Merge would reduce Ethereum’s energy consumption by around 99.95%.
But there was also a lot at stake with regards to the network’s security. The Merge is, after all, one of the biggest technological and engineering projects in years. While Vitalik Buterin was adamant that it would be a seamless experience for users, there were inevitably going to be security implications behind the scenes. This is something that Hugh Brooks has been working closely on. Hugh is the Director of Security Operations at CertiK, a leading security-focused ranking platform that analyses and monitors blockchain protocols and DeFi projects. We caught up with him to see if any security issues have arisen in the aftermath of the Merge.
The Merge was widely considered to be a success. The upgrade achieved its main targets: becoming much more energy efficient, with few technological hiccups. Many had feared this might not necessarily be the case. CertiK put together a briefing paper just hours before the Merge took place, warning about some of the potential negative outcomes.
They warned that “ChainID Replay Attacks” were one possible threat. This would’ve involved users unknowingly compromising their assets on Ethereum’s main chain through activity on a forked chain that shares the same ChainID. A more fundamental threat was also the network failing to reach finalisation – the network being left in limbo with validators unable to use the new PoS regime – although this was always unlikely. However, Hugh told DisruptionBanking that “the Merge went off without any issues and all of the worst-case scenarios didn’t happen.”
“Things are looking pretty good,” he added. “We are seeing a reduction in gas fees, and we haven’t seen any kind of broad manipulation that could have potentially emerged from the Merge. Overall, things are good.”
While Hugh was keen to emphasise that the Merge went very successfully, he did note that CertiK has noticed an uptick in some kinds of fraudulent activity on the Ethereum network, particularly scams. With the Web3 industry “cooling a bit” after last year’s hype, and the reduction in traffic around the time of the Merge as people waited for it to happen, gas fees have gone down. In turn, this has made the network a cheaper, more attractive option for those seeking to use crypto to undertake criminal activity like money laundering:
“What we’re seeing now is a general downturn in crypto markets, and things have quieted down in general. But what we’ve seen instead is really low-level scams taking place. A lot of it, we believe, is simply money laundering – people trying to get round things like OFAC sanctions.
“What we’re seeing is these tokens being created, having liquidity added, and then that liquidity being removed and passed onto another user very quickly. We’ve seen an uptick in these – but we’re talking small numbers. I think it’s just money laundering; people are trying to move money around and find different ways to move money with lower gas fees to get around regulations or sanctions.”
There is another issue, though, that Hugh touched on – one that goes wider than just the Merge or the Ethereum network. That is the capacity of law enforcement officials globally to get to grips with the technology and monitor it sufficiently. Given how complex the technology is at times, particularly for those unversed in the crypto and DeFi space, it’s questionable how able the authorities are to deal with security issues as and when they arise.
Hugh believes “they’re starting to move in that direction” and said “there’s certainly been a lot of hiring and job posting placed up, looking for cryptocurrency experts – but they’re still few and far between.”
“At CertiK, we are crypto security experts. We have the ability to monitor and trace all these types of scans, transactions, and other things happening on the network, where we’re looking for nefarious behaviour.
“But that’s a highly specialised knowledge built on our years of experience of auditing and looking at crypto transactions and doing on-chain forensics – all things like that. So to think that a government institution is going to be able to come in and just say “we’re gonna do this now” is a difficult tasks – it will take them years to do.”
What’s the solution then? Hugh believes the authorities should be interacting with “community specialists” and those that have a stake in “keeping the network secure.” Only by engaging with experts, like CertiK, can the authorities possibly hope to enforce the law on networks like Ethereum, and prevent malicious actors from using crypto to launch scams or undertake money laundering.
“There’s going to need to be back and forth communication between security experts that are in the thick of it like us,” Hugh said. “And the regulators and lawmakers who are trying to make the crypto and Web3 world more secure.”
Author: Harry Clynch