Technology Security, Pillar 03
Your smart contracts and protocol logic run on infrastructure that is itself a target. Validator nodes, RPC endpoints, cloud servers, and container orchestration layers all have attack surfaces that can be exploited independently of your on-chain code, and the consequences can be just as severe.
Blockchain protocols operate on infrastructure that is subject to the same attack surface as any networked system, and then some. Validator nodes process consensus-critical operations and hold validator keys. RPC endpoints are the interface between users and on-chain state, and their availability and integrity are directly tied to protocol function. Cloud infrastructure, container orchestration, and CI/CD pipelines all represent paths an attacker can use to compromise the protocol layer above them, even if every smart contract has been audited.
Our infrastructure and node security review assesses the full technology stack that your protocol depends on: node configuration and hardening, network security architecture, access controls, secrets handling, container and cloud security, and the monitoring and alerting coverage that determines whether an intrusion is detected at all. We apply network security service methodology developed for high-value blockchain operations, where downtime or compromise has immediate financial consequences.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
5 of 9 Validator Keys. $625M. Six Days Undetected.
“The Ronin Bridge hack compromised five of the bridge’s nine validator private keys. Four were taken via spear phishing of a Sky Mavis developer: malware installed from a fraudulent PDF gave Lazarus Group persistent access to the infrastructure. The fifth key belonged to the Axie DAO validator, which had been granted emergency RPC access to Sky Mavis’s node during a period of high traffic, access that was never revoked. With five keys, the attackers forged the withdrawal signatures needed to drain $625M. The bridge’s own monitoring did not detect the unauthorised transactions for six days.”
Never-Revoked Emergency Access. The Fifth Key.
“One of the five Ronin validator keys used in the $625M breach had not been actively compromised by the attacker; it was simply still accessible. The Axie DAO had been granted temporary emergency access to a Sky Mavis RPC node to help manage transaction throughput during a high-traffic period in late 2021. That access included validator permissions. The emergency passed. The access was never revoked. The attackers found it through infrastructure reconnaissance months later. Temporary infrastructure access that becomes permanent is one of the most common findings in node security reviews.”
An infrastructure review for blockchain operations requires experience that spans both traditional infrastructure hardening and the Web3-specific components: execution clients (Geth, Nethermind), consensus clients (Lighthouse, Prysm), MEV infrastructure (MEV-Boost and relays), and the RPC layer that connects them to users and applications.
The Review Areas
Web3 infrastructure security spans from the physical host layer to the network boundary and the software stack running on it. Our review covers all four layers that determine whether your infrastructure is a target or a foundation.
OS-level configuration of the hosts running blockchain clients: SSH hardening, firewall rules, unnecessary services, package management, automatic updates, and user privilege design. Execution and consensus client configuration: peer limits, which RPC namespaces are exposed and on which interfaces, client-specific hardening options, and the key storage arrangements for validator keys and operational credentials.
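The client-configuration part of that review is largely mechanical, so it is worth showing what a check looks like. The script below is an added example written for this page, not code from the page or from go-ethereum: it parses a Geth command line and flags RPC surface that should not be exposed. The flag names are Geth's own; the defaults it assumes (loopback bind, the eth,net,web3 namespaces), the severity ratings and the two sample command lines are this example's assumptions.

```python
"""Audit a Geth command line for RPC surface that should not be exposed.

Added example for this page; it is not code from the page or from go-ethereum.
The flag names are Geth's; the defaults assumed below, the severity ratings
and the two sample command lines are this example's own assumptions.
"""
import shlex

# Namespaces that should never be reachable from an untrusted network.
SENSITIVE_NAMESPACES = {"admin", "debug", "personal", "miner"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed command lines: one as often found in a review, one hardened.
EXPOSED_CMDLINE = (
    "geth --http --http.addr 0.0.0.0 --http.api eth,net,web3,admin,debug "
    "--http.vhosts=* --authrpc.addr 0.0.0.0 --authrpc.jwtsecret /etc/geth/jwt.hex "
    "--allow-insecure-unlock"
)
HARDENED_CMDLINE = (
    "geth --http --http.addr 127.0.0.1 --http.api eth,net,web3 "
    "--authrpc.addr 127.0.0.1 --authrpc.jwtsecret /etc/geth/jwt.hex --maxpeers 50"
)


def parse_geth_flags(cmdline):
    """Return {flag: value} for '--flag=value', '--flag value' and bare '--flag'."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary name
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, has_eq, value = tok[2:].partition("=")
            if has_eq:
                flags[name] = value
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                flags[name] = tokens[i + 1]
                i += 1
            else:
                flags[name] = True  # boolean switch
        i += 1
    return flags


def audit_geth_flags(flags):
    """Return a list of (severity, message) findings; empty means nothing found."""
    findings = []
    for proto in ("http", "ws"):
        if proto not in flags:  # that server is not enabled at all
            continue
        # Assumed Geth defaults: loopback bind and the eth,net,web3 namespaces.
        addr = str(flags.get(f"{proto}.addr", "localhost"))
        apis = {a.strip() for a in str(flags.get(f"{proto}.api", "eth,net,web3")).split(",")}
        exposed = ",".join(sorted(apis & SENSITIVE_NAMESPACES))
        if addr not in LOOPBACK:
            findings.append(("HIGH", f"--{proto} server bound to {addr} rather than loopback"))
            if exposed:
                findings.append(("CRITICAL", f"--{proto}.api exposes {exposed} on a non-loopback address"))
        elif exposed:
            findings.append(("MEDIUM", f"--{proto}.api enables {exposed}; any local process can call it"))
    if flags.get("http.vhosts") == "*":
        findings.append(("MEDIUM", "--http.vhosts=* disables Host-header checks (DNS rebinding)"))
    if flags.get("http.corsdomain") == "*" or flags.get("ws.origins") == "*":
        findings.append(("MEDIUM", "wildcard CORS/origin lets any web page call the node"))
    if "allow-insecure-unlock" in flags:
        findings.append(("CRITICAL", "--allow-insecure-unlock permits account unlock over HTTP/WS"))
    if str(flags.get("authrpc.addr", "localhost")) not in LOOPBACK:
        findings.append(("HIGH", "engine API (--authrpc.addr) bound beyond loopback; only the consensus client needs it"))
    return findings


if __name__ == "__main__":
    for label, cmd in (("exposed", EXPOSED_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"[{label}]")
        for sev, msg in audit_geth_flags(parse_geth_flags(cmd)) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```

The same shape of check applies to Nethermind, Lighthouse or Prysm with their own option names; what matters in a review is the pairing of bind address and enabled namespaces, since a sensitive namespace on loopback is a local-privilege finding while the same namespace on 0.0.0.0 is remote.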
Network segmentation between public-facing services, internal infrastructure, and high-security components. Firewall rule review, inter-service authentication, RPC endpoint access controls, and load balancer configuration. Identification of lateral movement paths, the routes an attacker who compromises a lower-privilege component could use to reach higher-value targets.
Cloud provider security configuration, IAM role bindings, security group rules, public S3/GCS bucket exposure, CloudTrail coverage, and logging gaps. Kubernetes security: pod security standards, network policies, RBAC, secrets management, and image supply chain. CI/CD pipeline configuration and the privilege level of deployment credentials across environments.
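Lateral-movement path identification (the network-architecture paragraph above) and the privilege level of deployment credentials (the cloud and CI/CD paragraph) are really one question: from a foothold an attacker can plausibly obtain, which chains of firewall allows, IAM bindings, RBAC grants and access allowlists reach the validator keys? The script below is an added example for this page, not code from the page or from any product. It searches a reachability graph for every simple path from the internet to a signer, and flags paths that ride a grant whose expiry has passed but which is still present, the pattern described in the Ronin passage above. Every asset, edge, expiry date and the review date are constructed for illustration; a real review builds the edge list from the estate's actual rules and bindings.

```python
"""Lateral-movement path finder over a reachability graph of an estate.

Added example, not code from the page or any product. Every asset, edge,
expiry and the review date below are constructed for illustration; a real
review builds the edge list from firewall rules, IAM bindings, Kubernetes
RBAC and access grants.
"""
from collections import namedtuple
from datetime import date

# An edge means "a foothold on src can reach dst by this means".
# expires=None marks access that is permanent by design; a date marks a
# grant that was meant to be temporary.
Edge = namedtuple("Edge", "src dst via expires")

REVIEW_DATE = date(2022, 3, 23)  # constructed

EDGES = [
    Edge("internet", "public-lb", "tcp/443 security group allow", None),
    Edge("public-lb", "rpc-node", "tcp/8545 JSON-RPC", None),
    Edge("internet", "partner-rpc", "tcp/8545 allowed from partner CIDR", None),
    Edge("partner-rpc", "validator-signer", "emergency signing allowlist", date(2021, 12, 31)),
    Edge("internet", "dev-laptop", "phishing (assumed initial-access edge)", None),
    Edge("dev-laptop", "ci-runner", "push to main triggers deploy", None),
    Edge("ci-runner", "k8s-api", "deploy credential bound to cluster-admin", None),
    Edge("k8s-api", "validator-signer", "reads validator keystore Secret", None),
    Edge("bastion", "validator-node", "ssh from ops VPN", None),
]


def build_graph(edges):
    graph = {}
    for e in edges:
        graph.setdefault(e.src, []).append(e)
    return graph


def find_paths(graph, src, dst, path=()):
    """Enumerate every simple path from src to dst (DFS, revisits skipped)."""
    if src == dst:
        return [list(path)]
    visited = {e.src for e in path} | {src}
    paths = []
    for e in graph.get(src, []):
        if e.dst not in visited:
            paths.extend(find_paths(graph, e.dst, dst, path + (e,)))
    return paths


def stale_grants(edges, today):
    """Grants whose expiry has passed but which are still present in the estate."""
    return [e for e in edges if e.expires is not None and e.expires < today]


def review(edges, target, today, entry="internet"):
    """Paths from the entry point to the target, flagging any that ride a stale grant."""
    stale = set(stale_grants(edges, today))
    paths = find_paths(build_graph(edges), entry, target)
    report = []
    for p in sorted(paths, key=len):
        hops = " -> ".join([entry] + [e.dst for e in p])
        report.append({"hops": hops, "length": len(p),
                       "via_stale_grant": any(e in stale for e in p)})
    return report


def paths_after_revocation(edges, target, today, entry="internet"):
    """How many entry->target paths remain once every expired grant is revoked."""
    stale = set(stale_grants(edges, today))
    live = [e for e in edges if e not in stale]
    return len(find_paths(build_graph(live), entry, target))


if __name__ == "__main__":
    for row in review(EDGES, "validator-signer", REVIEW_DATE):
        flag = "  [EXPIRED GRANT STILL LIVE]" if row["via_stale_grant"] else ""
        print(f"{row['length']} hops: {row['hops']}{flag}")
    print("paths left after revoking expired grants:",
          paths_after_revocation(EDGES, "validator-signer", REVIEW_DATE))
```

On this constructed estate the public RPC path is a dead end, as segmentation intends, but two paths still reach the signer: a two-hop path through the expired partner allowlist, and a four-hop path through a developer's push rights and a cluster-admin deploy credential. Revoking the expired grant removes the short path; shrinking the deploy credential's RBAC binding is what closes the long one.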
The capability to detect a compromise that is already in progress: log aggregation coverage across all infrastructure components, alerting on anomalous node behaviour (unexpected peer connections, unusual RPC call patterns, key usage outside normal windows), and the documented response path from alert to action. Detection gap analysis identifies the conditions under which an attacker could operate undetected.
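The three behaviours named above (unexpected peer connections, unusual RPC call patterns, key usage outside normal windows) each map to a concrete rule, and a detection gap analysis starts by asking whether such rules exist and what log they would need. The script below is an added example for this page, not a client's real log format or the page's own code: it runs three rules over constructed node and signer log lines. The line format, the admin source allowlist, the operator-key time window and the burst threshold are assumptions chosen for illustration.

```python
"""Detection rules run over constructed node and signer logs.

Added example for this page; it is not a client's real log format nor the
page's code. The line format, source allowlist, time window and burst
threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<iso-ts> src=<ip> method=<rpc-method>[ key=<key-id>]"
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+)(?: key=(?P<key>\S+))?$")

SENSITIVE_PREFIXES = ("admin_", "personal_", "debug_", "miner_")
ADMIN_SOURCES = {"10.0.2.10"}                 # constructed: the ops bastion only
OPERATOR_KEY_HOURS = range(9, 18)             # UTC hours when operator-key use is expected
TX_BURST_LIMIT, TX_BURST_WINDOW = 20, timedelta(seconds=60)


def build_sample_log():
    """Constructed log lines: one bad peer add, one off-hours key use, one tx burst."""
    lines = [
        "2022-03-23T03:14:07Z src=203.0.113.9 method=admin_addPeer",
        "2022-03-23T03:14:09Z src=10.0.2.10 method=admin_nodeInfo",
        "2022-03-23T03:16:30Z src=10.0.3.4 method=sign key=operator-withdrawal",
        "2022-03-23T11:00:00Z src=10.0.3.4 method=sign key=operator-withdrawal",
        "2022-03-23T03:20:00Z src=198.51.100.7 method=eth_blockNumber",
    ]
    start = datetime(2022, 3, 23, 3, 15, 0)
    for i in range(25):  # 25 raw transactions in 48 seconds from one source
        ts = (start + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src=203.0.113.9 method=eth_sendRawTransaction")
    return lines


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return (rule, timestamp, detail) alerts, processing events in time order."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    alerts, tx_window, burst_alerted = [], defaultdict(deque), set()
    for ev in events:
        ts, src, method = ev["ts"], ev["src"], ev["method"]
        # Rule 1: sensitive namespace called from a host outside the admin allowlist
        # (admin_addPeer from an unknown host is an unexpected peer connection).
        if method.startswith(SENSITIVE_PREFIXES) and src not in ADMIN_SOURCES:
            alerts.append(("sensitive_rpc_from_unlisted_source", ts, f"{method} from {src}"))
        # Rule 2: operator (non-validator-duty) key used outside the expected window.
        if method == "sign" and (ev["key"] or "").startswith("operator-") and ts.hour not in OPERATOR_KEY_HOURS:
            alerts.append(("operator_key_use_off_hours", ts, f"{ev['key']} at {ts:%H:%M}Z from {src}"))
        # Rule 3: burst of raw transactions from one source within a sliding window.
        if method == "eth_sendRawTransaction":
            window = tx_window[src]
            window.append(ts)
            while ts - window[0] > TX_BURST_WINDOW:
                window.popleft()
            if len(window) > TX_BURST_LIMIT and src not in burst_alerted:
                burst_alerted.add(src)  # alert once per source, not once per extra request
                alerts.append(("tx_burst", ts, f"{len(window)} raw txs in {TX_BURST_WINDOW.seconds}s from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in detect(build_sample_log()):
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} {rule}: {detail}")
```

Rule 2 deliberately targets operator and withdrawal keys rather than validator duty keys, which sign every slot and have no quiet window; for those, the useful signal is a signing request that the consensus client did not originate. Each rule also names the log it depends on, which is the point of gap analysis: if the signer does not emit a key identifier, or the RPC layer logs no source address, the rule cannot exist and that blind spot is the finding.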