Ledger CTO on Cryptocurrency Security Challenges

BlockChainBulletin Staff

Ledger points to zero-day phone exploits as evolving risk for crypto security

CryptoSlate caught up with Ledger’s CTO Charles Guillemet at BTC Prague on a range of topics, from what actually happened during the Ledger ConnectKit incident to the complex challenge of protecting such a high percentage of the world’s digital assets. Guillemet’s background, deeply rooted in cryptography and hardware security, provides a solid foundation for his role at Ledger. He began his career designing secure integrated circuits, which later shaped his approach to the secure elements used in Ledger devices.

Security Challenges in Blockchain and Bitcoin

During the interview, Charles Guillemet delved into the distinct security challenges posed by blockchain technology and Bitcoin. His insights were shaped by his extensive experience in secure integrated circuits and cryptography.

Guillemet explained that, with traditional bank cards and passports, the secret keys are managed by the bank or the state. In blockchain technology, individuals manage their own keys. This fundamental change introduces significant security challenges, as users must themselves ensure that their assets are protected from unauthorized access and loss. He said:

“In crypto devices you manage your keys, while with bank cards and passports this is the secret of your bank or state. This is the big difference.”

Since users own their value, it is imperative to protect it, ensuring that it is neither lost nor accessed by unauthorized parties. This requires robust measures to keep malware out and to resist physical attacks.

“Having a dedicated device is the best way to do this. Additionally, you need to prevent an attacker with physical access from accessing your secrets.”

The CTO also highlighted that the immutability of blockchains makes the security challenge even more significant: a stolen transaction cannot be reversed. Ledger devices secure over 20% of the total crypto market capitalization, roughly $500 billion. This immense responsibility is handled by leveraging the best technology available. Guillemet said that, so far, their approach has been successful, allowing him to sleep well at night despite the high stakes.

Ledger’s response to security breaches and supply chain security

Charles Guillemet addressed Ledger’s approach to handling security breaches, specifically the incident involving Ledger ConnectKit. He described the challenge posed by software supply chain attacks, highlighting the difficulty of completely preventing such attacks.

Discussing the breach, Guillemet recounted how a developer’s account was compromised via a phishing link, which gave the attacker the API key. With it, the attacker published a malicious version of the npm package used by websites that integrate Ledger devices. He highlighted Ledger’s quick response to mitigate the impact:

“We noticed the attack very quickly and were able to kill it very, very quickly. From the moment they compromised access to the moment we stopped the attack, only five hours passed.”

Despite the breach, the damage was limited thanks to Ledger’s prompt action and the inherent security features of its devices, which require users to sign transactions manually on the device and verify the transaction details before approving them.

Guillemet also discussed the broader issue of supply chain security, highlighting the complexity of managing software dependencies. He stressed that while due diligence and best practices help, completely preventing supply chain attacks remains a significant challenge. He cited an example of a sophisticated supply chain attack:

“xz recently had a package in the Linux distributions that was backdoored by someone hacking into the open source repository, exploiting SSH servers. It spread to every single server in the world before it was noticed.”

This example illustrates the pervasive nature of supply chain attacks and how hard they are to detect and mitigate. Perhaps unsurprisingly, he advocated hardware wallets for protecting cryptographic keys, but he explained why: they offer a limited attack surface and can be thoroughly audited.

Human and technical threats to security

Charles Guillemet gave a comprehensive overview of the multifaceted nature of security threats in the blockchain space, spanning both human and technical elements. He emphasized that attackers are highly results-oriented and constantly adapt their strategies to the cost and potential reward of an attack. Initially, simple phishing attacks that tricked users into entering their 24-word recovery phrases prevailed. As users became more aware, attackers shifted to more sophisticated methods.

Guillemet explained:

“Now attackers are tricking users into signing complex transactions they don’t understand, which leads to their wallets being drained.”

He noted the rise of organized crypto-drainer operations, in which different parties collaborate to build and deploy drainers and split the proceeds at the smart contract level. Guillemet predicted that future attacks could target software wallets on phones, exploiting zero-day vulnerabilities that give full access to a device without any user interaction.
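Guillemet’s point that users are tricked into signing transactions they do not understand is the gap between raw calldata and intent. As an added example (not Ledger’s code, and not from the article), the following decodes the three standard ERC-20/ERC-721 calls that drainers most often ask a victim to sign, `approve`, `setApprovalForAll` and `transfer`, and flags unlimited allowances or operator grants to addresses outside a user-supplied allowlist, which is the check a clear-signing screen is meant to make visible. The function selectors are the standard ones; the spender addresses, allowlist and calldata samples are constructed.

```javascript
// Added example (not Ledger's code): decode EVM calldata a wallet is asked to sign
// and flag the patterns drainers rely on. Assumes Node.js with BigInt support.

// First 4 bytes of keccak256 of the canonical signature; these are the standard
// ERC-20 / ERC-721 selectors.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
  "a9059cbb": "transfer(address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode selector + two ABI words (address, uint256/bool). Anything else is "unknown".
function decodeCall(dataHex) {
  const data = dataHex.replace(/^0x/, "").toLowerCase();
  if (data.length < 8) return { kind: "unknown", reason: "calldata too short" };
  const selector = data.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { kind: "unknown", selector };
  const words = data.slice(8).match(/.{64}/g) || [];
  if (words.length < 2) return { kind: "unknown", reason: "truncated arguments" };
  const address = "0x" + words[0].slice(24); // address is right-aligned in its 32-byte word
  const value = BigInt("0x" + words[1]);
  return { kind: sig.split("(")[0], address, value };
}

// Risk assessment: an unlimited allowance or an operator grant to an address the user
// has not allowlisted is exactly what "sign this complex transaction" phishing wants.
function assessTransaction(tx, trustedSpenders) {
  const call = decodeCall(tx.data || "");
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const warnings = [];
  if (call.kind === "approve") {
    if (call.value === MAX_UINT256) warnings.push("unlimited token allowance");
    if (!trusted.has(call.address)) warnings.push(`spender ${call.address} is not on the allowlist`);
  } else if (call.kind === "setApprovalForAll") {
    if (call.value === 1n) warnings.push("grants operator rights over the whole NFT collection");
    if (!trusted.has(call.address)) warnings.push(`operator ${call.address} is not on the allowlist`);
  } else if (call.kind === "unknown") {
    warnings.push("calldata not decodable: do not sign blind");
  }
  return { call, warnings, safeToSign: warnings.length === 0 };
}

// Constructed samples (hypothetical addresses, not real contracts).
function word(hex) {
  return hex.replace(/^0x/, "").padStart(64, "0");
}
const TRUSTED_ROUTER = "0x1111111111111111111111111111111111111111";
const DRAINER = "0x2222222222222222222222222222222222222222";
const PHISHING_APPROVE = "0x095ea7b3" + word(DRAINER) + word(MAX_UINT256.toString(16));
const BOUNDED_APPROVE = "0x095ea7b3" + word(TRUSTED_ROUTER) + word((1000n).toString(16));
const OPERATOR_GRANT = "0xa22cb465" + word(DRAINER) + word("1");
const PLAIN_TRANSFER = "0xa9059cbb" + word(TRUSTED_ROUTER) + word((1000n).toString(16));

for (const [label, data] of [
  ["phishing approve", PHISHING_APPROVE],
  ["bounded approve", BOUNDED_APPROVE],
  ["operator grant", OPERATOR_GRANT],
  ["plain transfer", PLAIN_TRANSFER],
]) {
  const result = assessTransaction({ data }, [TRUSTED_ROUTER]);
  console.log(label, "safe to sign:", result.safeToSign, result.warnings);
}
```

Only the bounded approval to the allowlisted router and the plain transfer come back as safe; a real wallet would render the same decoded fields on the device screen, which is why a hardware wallet that shows only a hash is of little help against this attack class.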

Given the inherent vulnerabilities of mobile and desktop devices, Guillemet stressed that these devices are not secure by default. He advised:

“If you think your data is protected on your desktop or laptop, think again. If there is an attacker determined to extract the data, nothing will stop him from doing so.”

He advised users to avoid storing sensitive information such as seeds or wallet files on their computers, as they are prime targets for attackers.

Balancing security with usability is a significant challenge in the crypto wallet industry. Ledger’s approach keeps security as its North Star while continually working to improve the user experience. Guillemet acknowledged that features like Ledger Recover, which aim to simplify the user experience, have sparked debate. He explained that while these features are designed to help newcomers manage their 24-word recovery phrases more easily, they are entirely optional:

“We are providing options, giving choice. It is an open platform. If you don’t like a feature, you don’t have to use it.”

The goal is to serve a wide range of users, from those who want full control over their security to those who need more user-friendly solutions. Guillemet acknowledged that mass adoption of digital assets requires solving usability problems without compromising security. Ledger aims to strike this balance by offering flexible options while maintaining the highest security standards.

Bitcoin (BTC) Price Crashes as Donald Trump’s Win Odds Dip

BlockChainBulletin Staff

Stephen  Alpher

Markets received nominally good news on Thursday morning, with the US ISM manufacturing PMI for July falling much more than economists expected, sending interest rates to multi-month lows across the board. Additionally, initial jobless claims in the US jumped to their highest level in about a year. Taken together, the data adds to the sentiment that the US is on the verge of a cycle of monetary easing by the Federal Reserve, which is typically seen as bullish for risk assets, including bitcoin.

$6.8M Stolen, ASTRO Collapses 60%

BlockChainBulletin Staff

In the latest news from the blockchain industry, Terra and its users and investors have been hit by an attack in which the network lost $6.8 million. The attack, which exploited a reentrancy vulnerability in the network’s IBC hooks, raises questions about the security of the once celebrated protocol.

Web3 security firm Cyvers Alerts reported that the exploit occurred on July 31 and drained 60 million ASTRO, 3.5 million USDC, 500,000 USDT and 2.7 BTC. The flaw had been discovered in April; it allows an attacker to re-enter the vulnerable call path repeatedly and keep withdrawing funds from the network.
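The article does not describe the vulnerable IBC hook itself, so what follows is an added, deliberately simplified model of the reentrancy class rather than Terra’s code: a vault that invokes a recipient hook during withdraw before it updates the caller’s balance, an attacker hook that re-enters, and the hardened variant that applies checks-effects-interactions plus a reentrancy guard. Names and amounts are constructed; on a real chain the rejected re-entry would revert the whole transaction, which this model approximates by surfacing the error.

```javascript
// Added example (not Terra's code): a toy model of hook-based reentrancy and its fix.
// Runs on plain Node.js; all names and amounts are constructed.
class Vault {
  constructor({ hardened }) {
    this.hardened = hardened;
    this.balances = new Map(); // per-account credited balance
    this.reserve = 0;          // funds the vault actually holds
    this.locked = false;       // reentrancy guard (hardened mode only)
  }

  deposit(who, amount) {
    this.balances.set(who, (this.balances.get(who) || 0) + amount);
    this.reserve += amount;
  }

  // `hook` stands in for the callback a protocol fires on the recipient (an IBC hook,
  // a token receiver callback, a fallback function) while the withdrawal is in flight.
  withdraw(who, amount, hook) {
    if (this.hardened && this.locked) throw new Error("reentrant call rejected");
    const bal = this.balances.get(who) || 0;
    if (amount > bal) throw new Error("insufficient balance");
    if (this.hardened) {
      // checks-effects-interactions: update state before calling out, and hold the
      // guard for the duration of the external call.
      this.locked = true;
      this.balances.set(who, bal - amount);
      this.reserve -= amount;
      try {
        if (hook) hook(this);
      } finally {
        this.locked = false;
      }
    } else {
      // vulnerable ordering: pay out and call the hook while `who` still has the
      // old balance recorded, so a re-entering hook passes the balance check again.
      this.reserve -= amount;
      if (hook) hook(this);
      this.balances.set(who, bal - amount); // `bal` is stale by now
    }
  }
}

// Attacker deposits 10, then withdraws 10 with a hook that re-enters up to `depth` times.
function runAttack({ hardened, depth = 5 }) {
  const vault = new Vault({ hardened });
  vault.deposit("victim", 100);
  vault.deposit("attacker", 10);
  let reentries = 0;
  const hook = (v) => {
    if (reentries < depth) {
      reentries++;
      v.withdraw("attacker", 10, hook);
    }
  };
  let error = null;
  try {
    vault.withdraw("attacker", 10, hook);
  } catch (e) {
    error = e.message;
  }
  return {
    reserve: vault.reserve,
    attackerBalance: vault.balances.get("attacker"),
    reentries,
    error,
  };
}

console.log("vulnerable:", runAttack({ hardened: false })); // reserve 50: 60 withdrawn against a balance of 10
console.log("hardened:  ", runAttack({ hardened: true }));  // reserve 100, re-entry rejected
```

In the vulnerable run the attacker's single 10-unit deposit is turned into six withdrawals before the balance is ever decremented, which is the "make payments non-stop" behaviour described above; in the hardened run the first re-entry hits the guard, and the balance would in any case already read zero.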

Terra’s response

Following the hack, Terra’s official X account announced that network operations were suspended for a few hours to apply an emergency fix. In a later post, the account confirmed that operations were back online and that the core transactions that make up the platform were possible again.

However, the overall value of the various assets lost in the event was unclear.

Market Impact: ASTRO Crashes!

The hack had an immediate impact on the price of ASTRO, which dropped nearly 60% to $0.0206 following the network shutdown. This sharp decline highlights the vulnerability of token prices to security breaches and the resulting market volatility.

This incident is not the first time Terra has faced serious challenges. Earlier this year, the blockchain encountered significant problems that called into question its long-term viability. These repeated incidents underscore the need for stronger security measures to protect users’ assets and maintain trust in the network.

The recent Terra hack serves as a stark reminder of the ongoing security challenges in the blockchain space. As the platform works to regain stability, the broader crypto community will be watching closely.

Luxembourg proposes updates to blockchain laws

BlockChainBulletin Staff

On July 24, 2024, the Ministry of Finance proposed Blockchain Bill IV, which will provide greater flexibility and legal certainty for issuers using Distributed Ledger Technology (DLT). The bill will update three of Luxembourg’s financial laws: the Law of 6 April 2013 on dematerialised securities, the Law of 5 April 1993 on the financial sector and the Law of 23 December 1998 establishing a financial sector supervisory commission. It adds the optional role of a control agent and brings equity securities in dematerialised form into scope.

DLT and Luxembourg

DLT is increasingly used in the financial and fund management sector in Luxembourg, offering numerous benefits and transforming various aspects of the industry.

Here are some examples:

  • Digital Bonds: Luxembourg has seen multiple digital bond issuances via DLT. For example, the European Investment Bank has issued bonds that are registered, transferred and stored via DLT processes. These bonds are governed by Luxembourg law and registered on proprietary DLT platforms.
  • Fund Administration: DLT can streamline fund administration processes, offering new opportunities and efficiencies for intermediaries, and can do the following:
    • Automate capital calls and distributions using smart contracts,
    • Simplify audits and ensure reporting accuracy through transparent and immutable transaction records.
  • Collateral Management: Luxembourg-based DLT platforms allow clients to swap ownership of baskets of securities between different collateral pools at precise times.
  • Tokenization: DLT is used to tokenize various assets, including real estate and luxury goods, by representing them in a tokenized and fractionalized format on the blockchain. This process can improve the liquidity and accessibility of traditionally illiquid assets.
  • Tokenization of investment funds: DLT is being explored for the tokenization of investment funds, which can streamline the supply chain, reduce costs, and enable faster transactions. DLT can automate various elements of the supply chain, reducing the need for reconciliations between entities such as custodians, administrators, and investment managers.
  • Issuance, settlement and payment platforms: Market participants are developing trusted networks using DLT to serve as a single source of shared truth among participants in financial instrument investment ecosystems.
  • Legal framework: Luxembourg has adapted its legal framework to accommodate DLT, recognising the validity and enforceability of DLT-based financial instruments. This includes the following:
    • Allow the use of DLT for the issuance of dematerialized securities,
    • Recognize DLT for the circulation of securities,
    • Enabling financial collateral arrangements on DLT financial instruments.
  • Regulatory compliance: DLT can improve transparency in fund share ownership and regulatory compliance, providing fund managers with new opportunities for liquidity management and operational efficiency.
  • Financial inclusion: By leveraging DLT, Luxembourg aims to promote greater financial inclusion and participation, potentially creating a more diverse and resilient financial system.
  • Governance and ethics: The implementation of DLT can promote higher standards of governance and ethics, contributing to a more sustainable and responsible financial sector.

Luxembourg’s approach to DLT in finance and fund management is characterised by a principle of technology neutrality, recognising that innovative processes and technologies can contribute to improving financial services. This is exemplified by its commitment to creating a compatible legal and regulatory framework.

Brief history

Luxembourg has already enacted three major blockchain-related laws, often referred to as Blockchain I, II and III.

Blockchain Law I (2019): Passed on 1 March 2019, this law was one of the first in the EU to give DLT-based securities transactions the same legal standing as traditional ones. It allowed DLT to be used for the account registration and transfer of dematerialised securities.

Blockchain Law II (2021): Enacted on 22 January 2021, this law strengthened the Luxembourg legal framework on dematerialised securities. It recognised the possibility of using secure electronic registration mechanisms to issue such securities and expanded access for all credit institutions and investment firms.

Blockchain Law III (2023): Also known as Bill 8055, this is the most recent law in the field, passed on 14 March 2023. It extended the Luxembourg DLT framework as follows:

  • Update of the Law of 5 August 2005 on financial collateral arrangements to enable financial instruments registered in DLT securities accounts to be used as collateral,
  • Implementation of EU Regulation 2022/858 on a pilot scheme for DLT-based market infrastructures (DLT Pilot Regulation),
  • Redefining the notion of financial instruments in Law of 5 April 1993 on the financial sector and the Law of 30 May 2018 on financial instruments markets to align with the corresponding European regulations, including MiFID.

The Blockchain III Act strengthened the collateral rules for digital assets and aimed to increase legal certainty by allowing securities accounts on DLT to be pledged, while maintaining the efficient system of the 2005 Act on Financial Collateral Arrangements.

With the Blockchain IV bill, Luxembourg will build on the foundations laid by previous Blockchain laws and aims to consolidate Luxembourg’s position as a leading hub for financial innovation in Europe.

Blockchain Bill IV

The key provisions of the Blockchain IV bill include the following:

  • Expanded scope: The bill expands the Luxembourg DLT legal framework to include equity securities in addition to debt securities. This expansion will allow the fund industry and transfer agents to use DLT to manage registers of shares and units, as well as to process fund shares.
  • New role of the control agent: The bill introduces the role of a control agent as an alternative to the central account custodian for the issuance of dematerialised securities via DLT. This control agent can be an EU investment firm or a credit institution chosen by the issuer. This new role does not replace the current central account custodian, but, like all other roles, it must be notified to the Commission de Surveillance du Secteur Financier (CSSF), which is designated as the competent supervisory authority. The notification must be submitted two months after the control agent starts its activities.
  • Responsibilities of the control agent: The control agent will manage the securities issuance account, verify the consistency between the securities issued and those registered on the DLT network, and supervise the chain of custody of the securities at the account holder and investor level.
  • Simplified payment processes: The bill allows issuers to meet payment obligations under securities (such as interest, dividends or repayments) as soon as they have paid the relevant amounts to the paying agent, settlement agent or central account custodian.
  • Simplified issuance and reconciliation: The bill simplifies the process of issuing, holding and reconciling dematerialised securities through DLT, eliminating the need for a central custodian to maintain a second level of custody and allowing securities to be credited directly to the accounts of investors or their delegates.
  • Smart contract integration: The new processes can be executed using smart contracts with the assistance of the control agent, potentially increasing efficiency and reducing intermediation.

These changes are expected to bring several benefits to the Luxembourg financial sector, including:

  • Fund Operations: Greater efficiency and reduced costs by leveraging DLT for the issuance and transfer of fund shares.
  • Financial transactions: Greater transparency and security.
  • Transparency of the regulatory environment: Increased attractiveness and competitiveness of the Luxembourg financial centre through greater legal clarity and flexibility for issuers and investors using DLT.
  • Smart Contracts: Potential for automation of contractual terms, reduction of intermediaries and improvement of transaction traceability through smart contracts.

Blockchain Bill IV is part of Luxembourg’s ongoing strategy to develop a strong digital ecosystem as part of its economy and maintain its status as a leading hub for financial innovation. Luxembourg is positioning itself at the forefront of Europe’s growing digital financial landscape by constantly updating its regulatory framework.

Local regulations, such as Luxembourg law, complement European regulations by providing a more specific legal framework adapted to local circumstances. Together with European initiatives, these local laws aim to improve both the adoption and the security of projects involving new technologies. They help establish clear standards and promote consumer trust, while encouraging innovation and ensuring better protection against the risks associated with these emerging technologies.

This informational piece, which may be considered advertising under the ethics rules of some jurisdictions, is provided with the understanding that it does not constitute the rendering of legal or other professional advice by Goodwin or its attorneys. Past results do not guarantee a similar outcome.

Copyright © 2024 BLOCKCHAINBULLETIN.ORG. All rights reserved. This website provides educational content and highlights that investing involves risks. It is essential to conduct thorough research before investing and to be prepared to assume potential losses. Be sure to fully understand the risks involved before making investment decisions. Important: We do not provide financial or investment advice. All content is presented for educational purposes only.