Dozens of DeFi systems have been hacked over the past year, and the trend doesn’t seem to be abating.
The decentralized finance (DeFi) industry has lost over a billion dollars to hackers in the past couple of months, and the situation seems to be spiraling out of control.
According to the latest statistics, approximately $1.6 billion in cryptocurrencies was stolen from DeFi platforms in the first quarter of 2022. Furthermore, over 90% of all pilfered crypto is from hacked DeFi protocols.
These figures highlight a dire situation that is likely to persist over the long term if ignored.
Why hackers prefer DeFi platforms
In recent years, hackers have ramped up operations targeting DeFi systems. One primary reason as to why these groups are drawn to the sector is the sheer amount of funds that decentralized finance platforms hold. Top DeFi platforms process billions of dollars in transactions each month. As such, the rewards are high for hackers who are able to carry out successful attacks.
The fact that most DeFi protocol codes are open source also makes them even more prone to cybersecurity threats.
This is because open source programs are available for scrutiny by the public and can be audited by anyone with an internet connection. As such, they are easily scoured for exploits. This inherent property allows hackers to analyze DeFi applications for integrity issues and plan heists in advance.
Some DeFi developers have also contributed to the situation by deliberately disregarding platform security audit reports published by certified cybersecurity firms. Some development teams also launch DeFi projects without subjecting them to extensive security analysis. This increases the probability of coding defects.
Another dent in the armor when it comes to DeFi security is the interconnectivity of ecosystems. DeFi platforms are typically interconnected using cross-bridges, which bolster convenience and versatility.
While cross-bridges provide enhanced user experience, these crucial snippets of code connect huge networks of distributed ledgers with varying levels of security. This multiplex configuration allows DeFi hackers to harness the capabilities of multiple platforms to amplify attacks on certain platforms. It also allows them to quickly transfer ill-gotten funds across multiple decentralized networks seamlessly.
Besides the aforementioned risks, DeFi platforms are also prone to insider sabotage.
Hackers are using a wide range of techniques to infiltrate vulnerable DeFi perimeter systems.
Security breaches are a common occurrence in the DeFi sector. According to the 2022 Chainalysis report, approximately 35% of all stolen crypto in the past two years is attributed to security breaches.
Many of them occur due to faulty code. Hackers usually dedicate significant resources to finding systemic coding errors that allow them to carry out these types of attacks and typically utilize advanced bug tracker tools to aid them in this.
Another common tactic used by threat actors to seek out vulnerable platforms is tracking down networks with unpatched security issues that have already been exposed but yet to be implemented.
Hackers behind the recent Wormhole DeFi hack attack that led to the loss of about $325 million in digital tokens are reported to have used this strategy. An analysis of code commits revealed that a vulnerability patch uploaded to the platform’s GitHub repository was exploited before the patch was deployed.
The mistake enabled the intruders to forge a system signature that allowed the minting of 120,000 Wrapped Ether (wETH) coins valued at $325 million. The hackers then sold the wETH for about $250 million in Ether (ETH). The exchanged Ethereum coins were derived from the platform’s settlement reserves, thereby leading to losses.
The Wormhole service acts as a bridge between chains. It allows users to spend deposited cryptocurrencies in wrapped tokens across chains. This is accomplished by minting Wormhole-wrapped tokens, which alleviate the need to swap or convert the deposited coins directly.
Flash loan attacks
Flash loans are unsecured DeFi loans that require no credit checks. They enable investors and traders to borrow funds instantly.
Because of their convenience, flash loans are usually used to take advantage of arbitrage opportunities in connected DeFi ecosystems.
In flash loan attacks, lending protocols are targeted and compromised using price manipulation techniques that create artificial price discrepancies. This allows bad actors to buy assets at hugely discounted rates. Most flash loan attacks take minutes and sometimes seconds to execute and involve several interlinked DeFi protocols.
One way through which attackers manipulate asset prices is by targeting assailable price oracles. DeFi price oracles, for example, draw their rates from external sources such as reputable exchanges and trade sites. Hackers can, for example, manipulate the source sites to trick oracles into momentarily dropping the value of targeted asset rates so that they trade at lower prices compared to the wider market.
Attackers then buy the assets at deflated rates and quickly sell them at their floating exchange rate. Using leveraged tokens obtained through flash loans allows them to magnify the profits.
Besides manipulating prices, some attackers have been able to carry out flash loan attacks by hijacking DeFi voting processes. Most recently, Beanstalk DeFi incurred a $182 million loss after an attacker took advantage of a shortcoming in its governance system.
The Beanstalk development team had included a governance mechanism that allowed participants to vote for platform changes as a core functionality. This setup is popular in the DeFi industry because it upholds democracy. Voting rights on the platform were set to be proportional to the value of native tokens held.
An analysis of the breach revealed that the attackers obtained a flash loan from the Aave DeFi protocol to get almost $1 billion in assets. This enabled them to get a 67% majority in the voting governance system and allowed them to unilaterally approve the transfer of assets to their address. The perpetrators made off with about $80 million in digital currencies after repaying the flash loan and related surcharges.
Approximately $360 million worth of crypto coins was stolen from DeFi platforms in 2021 using flash loans, according to Chainalysis.
Where does stolen crypto go?
For a long time now, hackers have used centralized exchanges to launder stolen funds, but cybercriminals are beginning to ditch them for DeFi platforms. In 2021, cybercriminals sent about 17% of all illicit crypto to DeFi networks, which is a significant jump from 2% in 2020.
Market pundits theorize that the shift to DeFi protocols is because of the wider implementation of more stringent Know Your Customer (KYC) and Anti-Money Laundering (AML) processes. The procedures compromise the anonymity sought after by cybercriminals. Most DeFi platforms forego these crucial processes.
Centralized exchanges are also, now more than ever before, working with authorities to counter cybercrime. In April, the Binance exchange played an instrumental role in the recovery of $5.8 million in stolen cryptocurrencies that was part of a $625 million stash stolen from Axie Infinity. The money had initially been sent to Tornado Cash.
Tornado Cash is a token anonymization service that obfuscates the origin of funds by fragmenting on-chain links that are used to trace transacting addresses.
A portion of the stolen funds was, however, tracked by blockchain analytic firms to Binance. The loot was held in 86 addresses on the exchange.
In the aftermath of the incident, a spokesperson for the United States Treasury Department underlined that crypto exchanges that handle money from blacklisted crypto address risk sanctions.
Tornado Cash also seems to be cooperating with the authorities to stop the transfer of stolen funds to its network. The company has said that it will be implementing a monitoring tool to help identify and block embargoed wallets.
There seems to be some progress in the seizure of nicked assets by the authorities. Earlier this year, the U.S. Department of Justice announced the seizure of $3.6 billion in crypto and arrested two people who were involved in laundering the funds. The money was part of the $4.5 billion purloined from the Bitfinex crypto exchange in 2016.
The crypto seizure was among the biggest ever recorded.
DeFi CEOs speak about the current situation
Speaking exclusively to Cointelegraph earlier this week, Eric Chen, CEO and co-founder of Injective Labs — an interoperable smart contracts platform optimized for decentralized finance applications — said that there is hope that the problems will subside.
“We are seeing the tide continuing to subside, as more robust security standards are put into place. With proper testing and further security infrastructures put into place, DeFi projects will be able to prevent common exploit risks in the future,” he said.
On the measures that his network was taking to avert hack attacks, Chen provided an outline:
“Injective ensures a more tightly defined application-centric security model compared to traditional Ethereum Virtual Machine-based DeFi applications. The design of the blockchain and the logic of core modules protect Injective from common exploits such as re-entrancy, maximum extractable value and flash loans. Applications built on top of Injective are able to benefit from the security measures that are implemented in the blockchain on the consensus level.”
Cointelegraph also had the chance to speak with Konstantin Boyko-Romanovsky, CEO and founder of Allnodes — a non-custodial hosting and staking platform — about the increase in hack incidences. Regarding the main catalysts behind the trend, he said:
“No doubt it will take some time to lower the risk of DeFi hacks. It is unlikely, however, that it will happen overnight. There is a lingering sense of a race in DeFi. Everyone seems to be in a hurry, including the project founders. The market is evolving faster than the speed at which programmers write code. Good players who take every precaution are in the minority.”
He also provided some insight on procedures that would help counteract the problem:
“The code must get better and smart contracts must be thoroughly audited, that’s for sure. In addition, users should be constantly reminded of cautious etiquette online. Identifying any flaws can be attractively incentivized. This, in turn, might promote healthier conduct across a particular protocol.”
The DeFi industry is having a hard time thwarting hack attacks. There is, however, hope that increased monitoring from the authorities and greater cooperation among exchanges will help curb the scourge.