The decentralized finance (DeFi) industry has lost over a billion dollars to hackers in the past few months and the situation seems to be spiraling out of control.
According to the latest statistics, about $1.6 billion worth of cryptocurrencies were stolen from DeFi platforms in the first quarter of 2022. Additionally, over 90% of all stolen cryptos come from hacked DeFi protocols.
These numbers highlight a dire situation that is likely to persist in the long term if ignored.
Why hackers prefer DeFi platforms
In recent years, hackers have ramped up operations targeting DeFi schemes. A key reason these groups are drawn to the industry is the sheer volume of funds that decentralized finance platforms hold. Top DeFi platforms process billions of dollars in transactions every month. Accordingly, the rewards for hackers who are able to carry out successful attacks are high.
The fact that most DeFi protocol code is open source also makes these platforms more vulnerable to cybersecurity threats.
This is because open source programs can be examined by anyone with an internet connection. As such, they can be easily searched for exploitable flaws. This inherent property allows hackers to analyze DeFi applications for integrity issues and plan raids in advance.
Some DeFi developers have also contributed to the situation by deliberately disregarding platform security audit reports published by certified cybersecurity firms. Some development teams are also launching DeFi projects without subjecting them to a comprehensive security analysis. This increases the likelihood of coding errors.
Another dent in the armor when it comes to DeFi security is ecosystem interconnectivity. DeFi platforms are typically connected to each other via cross-chain bridges, adding convenience and versatility.
While cross-chain bridges provide an enhanced user experience, these crucial pieces of code connect vast networks of distributed ledgers with varying levels of security. This interconnected configuration allows DeFi hackers to leverage the capabilities of multiple platforms to amplify attacks on specific platforms. It also allows them to quickly and seamlessly transfer ill-gotten funds across multiple decentralized networks.
Besides the above risks, DeFi platforms are also vulnerable to insider sabotage.
Hackers use a variety of techniques to infiltrate vulnerable DeFi perimeter systems.
Security breaches are commonplace in the DeFi sector. According to the 2022 Chainalysis report, about 35% of all stolen cryptos in the last two years are attributed to security breaches.
Many of them occur due to buggy code. Hackers typically expend significant resources to find systemic coding errors that allow them to carry out these types of attacks, and often use advanced bug tracker tools to help them do so.
Another common tactic used by threat actors is to look for networks with security issues that have already been discovered but whose fixes have yet to be deployed.
Hackers behind the recent Wormhole DeFi hack that resulted in the loss of approximately $325 million in digital tokens are said to have used this strategy. An analysis of code commits revealed that the vulnerability addressed by a patch uploaded to the platform’s GitHub repository was exploited before the patch was deployed.
The flaw allowed the intruders to forge a system signature that enabled the minting of 120,000 Wrapped Ether (wETH) coins worth $325 million. The hackers then exchanged the wETH for ether (ETH) worth around $250 million. The exchanged Ethereum coins came from the platform’s settlement reserves, which resulted in losses.
The Wormhole service acts as a bridge between chains. It allows users to spend deposited cryptocurrencies as wrapped tokens across chains. This is achieved by minting Wormhole-wrapped tokens that reduce the need to exchange or convert deposited coins directly.
Flash Loan Attacks
Flash loans are unsecured DeFi loans that do not require a credit check. They allow investors and traders to borrow money instantly.
Due to their convenience, flash loans are typically used to take advantage of arbitrage opportunities in connected DeFi ecosystems.
Flash loan attacks target lending protocols and compromise them with price manipulation techniques that create artificial price differentials. This allows bad actors to buy assets at heavily discounted prices. Most flash loan attacks take minutes and sometimes seconds to execute and involve multiple interconnected DeFi protocols.
One way attackers manipulate asset prices is by targeting vulnerable price oracles. DeFi price oracles get their prices from external sources such as reputable exchanges and trading sites. Hackers can, for example, manipulate source sites to trick oracles into temporarily lowering the value of targeted assets so that they trade at lower prices relative to the broader market.
Attackers then buy the assets at deflated rates and quickly sell them at their floating exchange rate. Using leveraged tokens obtained through flash loans allows them to increase profits.
In addition to manipulating prices, some attackers have been able to perform flash loan attacks by hijacking DeFi voting processes. Most recently, Beanstalk DeFi suffered a $182 million loss after an attacker exploited a flaw in its governance system.
The Beanstalk development team had built in a governance mechanism that allowed participants to vote for platform changes as core functionality. This setup is popular in the DeFi industry because it upholds democracy. The voting rights on the platform were set proportionally to the value of the native tokens held.
An analysis of the breach revealed that the attackers took out a flash loan from the Aave DeFi protocol to obtain nearly $1 billion in assets. This enabled them to obtain a 67 percent majority in the voting governance system and unilaterally authorize the transfer of assets to their address. The perpetrators made off with approximately $80 million in digital currencies after repaying the flash loan and associated surcharges.
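The governance weakness described above can be seen in a small model. The following is an added illustration, not Beanstalk's code: it compares voting weight read from live balances with weight frozen in a snapshot taken when the proposal is created. The snapshot design, the class and function names, and all balances are assumptions constructed for this example; only the 67 percent threshold comes from the article.

```python
# Added illustration: toy token-weighted governance model (not Beanstalk's code).
# Balances are constructed sample values; only the 67% threshold is from the article.
from dataclasses import dataclass, field

SUPERMAJORITY = 0.67


@dataclass
class Governance:
    balances: dict                                # live token balances
    snapshot: dict = field(default_factory=dict)  # balances frozen at proposal time

    def propose(self):
        """Freeze voting weights when the proposal is created."""
        self.snapshot = dict(self.balances)

    def share(self, voter, use_snapshot):
        """Fraction of total voting power held by `voter`."""
        book = self.snapshot if use_snapshot else self.balances
        total = sum(book.values())
        return book.get(voter, 0) / total if total else 0.0

    def passes(self, voter, use_snapshot):
        """True if `voter` alone reaches the supermajority."""
        return self.share(voter, use_snapshot) >= SUPERMAJORITY


def simulate(use_snapshot):
    """Borrow, vote and repay in one step; return whether the vote passes."""
    gov = Governance({"holders": 100_000})   # constructed: long-term holders
    gov.propose()                            # weights frozen before the loan
    gov.balances["borrower"] = 250_000       # flash-loaned tokens arrive
    approved = gov.passes("borrower", use_snapshot)
    del gov.balances["borrower"]             # loan repaid in the same transaction
    return approved


if __name__ == "__main__":
    print("live balances:", simulate(use_snapshot=False))
    print("snapshot     :", simulate(use_snapshot=True))
```

With live balances the borrowed tokens carry about 71 percent of the vote for the duration of the loan; with the snapshot they carry none, because the borrower held nothing when the proposal was created.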
According to Chainalysis, around $360 million worth of cryptocoins were stolen from DeFi platforms using flash loans in 2021.
Where does stolen crypto go?
Hackers have long used centralized exchanges to launder stolen funds, but cybercriminals are starting to abandon them for DeFi platforms. In 2021, cybercriminals sent about 17% of all illicit cryptos to DeFi networks, a significant increase from 2% in 2020.
Market experts posit that the shift to DeFi protocols is due to the broader implementation of stricter Know Your Customer (KYC) and Anti-Money Laundering (AML) processes at centralized exchanges. The procedures jeopardize the anonymity sought by cybercriminals. Most DeFi platforms forgo these crucial processes.
Cooperation with the authorities
Now more than ever, centralized exchanges are collaborating with authorities to fight cybercrime. In April, the Binance exchange played a pivotal role in recovering $5.8 million worth of stolen cryptocurrencies that were part of a $625 million stash stolen by Axie Infinity. The money was initially transferred to Tornado Cash.
Tornado Cash is a token anonymization service that obfuscates the origin of funds by fragmenting on-chain links used to track transaction addresses.
However, some of the stolen funds were traced back to Binance by blockchain analysis firms. The loot was kept at 86 addresses on the exchange.
After the incident, a US Treasury Department spokesman emphasized that crypto exchanges trading funds from blacklisted cryptos risk sanctions.
Tornado Cash also appears to be working with authorities to stop the transfer of stolen funds to its network. The company has announced that it will implement a monitoring tool to identify and block embargoed wallets.
There seems to be some progress in the authorities’ seizure of stolen assets. Earlier this year, the US Department of Justice announced the seizure of $3.6 billion worth of crypto and arrested two people involved in the money laundering. The money was part of the $4.5 billion stolen from the Bitfinex crypto exchange in 2016.
The crypto seizure was among the largest on record.
DeFi CEOs talk about the current situation
In an exclusive chat with Cointelegraph earlier this week, Eric Chen, CEO and co-founder of Injective Labs — an interoperable smart contract platform optimized for decentralized finance applications — said there was hope the issues were easing.
“We are seeing the tide continue to subside as more robust safety standards are put in place. With proper testing and further security infrastructure, DeFi projects will be able to prevent common exploit risks in the future,” he said.