Roll Breach Illustrates Why Security Audits Matter

Last week, Roll announced it had been breached and that hackers stole $5.7 million from its hot wallet. This week, Roll still doesn’t know how its systems were infiltrated.

Roll, a social currency platform that is barely a year old, announced it suffered a breach last week. Someone infiltrated their systems and stole $5.7 million from its hot wallet. As of the writing of this article, the company still doesn’t know how the attackers gained access. Security is at the forefront of business news today, and has been for the better part of a year. Given that so many businesses are focusing on securing their sensitive data, it seems surprising that there are still no answers and no fix a week later.

Roll’s platform allows creators to mint and distribute Ethereum-based cryptocurrencies known as social tokens. The company set up a relief fund to help creators recoup their losses, and the available funds were recently raised from $500,000 to $750,000. Roll also indicated it would hire a third party to audit its security infrastructure, something the company told TechCrunch was never completed prior to launch.

“We weren’t ready from a security standpoint,” said Roll CEO Bradley Miles.

“This incident was a big setback for us, we will revamp a lot of infrastructure around this that we have in place to prevent something like this from happening again,” said Roll’s chief technology officer Sid Kalla, who oversees cybersecurity because the company does not have dedicated staff.

The executives said while its smart contracts — the technology that underpins the blockchain — were audited by a third-party firm, the rest of the company’s infrastructure was never stress-tested.

“That was a shortcoming on our end, and we should have done this earlier,” said Kalla.

TechCrunch

They weren’t ready from a security standpoint. That was a shortcoming, and they should have done it earlier. These are the words of people who didn’t hire or consult an expert for help. They launched a business without ever testing what their systems could really withstand or where potential vulnerabilities might lie. Yet, even now, Roll has been unable to land a third-party security investigator to examine the breach, leaving the company to search for answers on its own. Roll uses AWS and says that only a handful of employees have access to its private keys, which are secured by 2FA. Chainalysis, a blockchain forensics company, reviewed the logs and did not see any logins out of the norm.

There are so many problems with this entire scenario. Roll didn’t have a security audit prior to launch. They don’t have any security personnel on staff, nor do they apparently contract with anyone to help in these situations. They are trying to diagnose the problem themselves, although they are admittedly not security experts, which is why they don’t have any answers. They haven’t brought anyone else in to help diagnose the problem. They likely didn’t implement any form of incident response, which means they may have no idea whether the attacker is still in their systems or whether a backdoor was left behind for easy re-entry.

There are so many implications from all of the things handled improperly that it’s impossible to go over all of them. Roll is committed to rebuilding its infrastructure, although no timeline has been released for completion. Users will not be allowed to make withdrawals until the infrastructure is secure. Roll says it will bring in a security company to audit the infrastructure changes, and it will reduce how many tokens it holds in its hot wallet. The company also plans to hire a CISO after its next round of financing closes.

Those are all great steps, things they definitely need to do, and things they should have done from the beginning. The ramifications of the breach, followed by the lack of incident response and mitigation, will not be known for some time, especially since the root cause has not yet been found, let alone fixed.

If you are a business owner or potential business owner, someone verging on entrepreneurship or otherwise in a position of leadership within a company, take note of this breach. Learn from it. Make sure your security teams have what they need, and bring in an expert if you don’t have a team. Threat actor activity is increasing steadily. Be proactive in your prevention techniques, and make sure you have an incident response plan in place.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
