Cybercriminals are increasingly targeting decentralised finance (DeFi) platforms to steal cryptocurrency from investors, the FBI has warned. In an alert the agency says cybercriminals are exploiting vulnerabilities in smart contracts that govern these services.
Smart contracts contain the terms of any agreement between a buyer and seller written directly into lines of code and are self-executing. As the code controls the execution, they are trackable and irreversible once triggered. They allow for trusted transactions and agreements between anonymous parties without the need for a central authority.
The FBI warned that criminals were taking advantage of increased interest in cryptocurrencies, as well as the complexity of transactions and functionality of DeFi platforms.
This is a growing problem. A study by blockchain analysis company Chainalysis found that, between January and March this year, $1.3bn in cryptocurrencies was stolen and 97% of it came from DeFi platforms, compared with 72% in 2021 and 30% in 2020.
Flash loans were also a problem for DeFi platforms. This is where a scammer borrows a large amount of cryptocurrency for a short time and uses it to manipulate the value of a certain token, allowing them to then buy up all the governance tokens and vote to withdraw any money available for that DeFi project to their own crypto wallet.
In the past year the FBI has observed cybercriminals defraud DeFi platforms in a number of different ways, including one flash loan that triggered an exploit in a DeFi platform’s smart contracts resulting in the loss of about $3m worth of cryptocurrency.
DeFi projects a growing target for hackers
Beanstalk Farms became one of the largest victims of this type of attack in April this year. The decentralised finance project was hit by an attacker who mounted a hostile takeover by buying up enough tokens in the project to take control, then voting to transfer tokens worth $182m to their own crypto wallet.
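The governance takeover described above (borrow, buy voting power, vote, withdraw, repay) only works because the vote is tallied from balances the attacker holds for the duration of one transaction. The following Python model is an added example, not code from the FBI alert or from any DeFi project, and every name and number in it is constructed. It compares three policies for the same single-transaction vote: counting live balances, counting live balances behind a timelock, and counting balances checkpointed at the end of the previous block, which a loan repaid inside the block can never inflate.

```python
"""Toy model of DAO governance under a flash-loan vote.

Policies compared for the same single-transaction attack:
  A) voting power = live balance, execute at once          -> treasury drained
  B) live balance plus a timelock since proposal creation   -> still drained if the
     proposal was filed early enough for the lock to have elapsed
  C) voting power = balance checkpointed at the end of the
     previous block                                          -> vote fails
All holders, balances and the attacker name are constructed for the example.
"""
from dataclasses import dataclass, field

SUPPLY = 10_000                  # total governance tokens (constructed)
QUORUM_NUM, QUORUM_DEN = 2, 3    # a proposal passes with more than 2/3 of supply


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0
    voters: set = field(default_factory=set)


class Governance:
    def __init__(self, balances, checkpointed_power, timelock_blocks):
        self.balances = dict(balances)           # current holdings
        self.checkpointed_power = checkpointed_power
        self.timelock_blocks = timelock_blocks
        self.block = 1
        self.checkpoints = {0: dict(balances)}   # balances at the end of each block
        self.treasury = 1_000_000                # funds a passing proposal can move
        self.proposals = []

    def advance_block(self):
        self.checkpoints[self.block] = dict(self.balances)
        self.block += 1

    def voting_power(self, who):
        if self.checkpointed_power:
            # power is what the voter held at the end of the previous block;
            # tokens bought and sold back within this block are invisible here
            return self.checkpoints[self.block - 1].get(who, 0)
        return self.balances.get(who, 0)

    def propose(self):
        self.proposals.append(Proposal(created_block=self.block))
        return len(self.proposals) - 1

    def vote(self, pid, who):
        p = self.proposals[pid]
        if who in p.voters:
            raise ValueError("double vote")
        p.voters.add(who)
        p.votes_for += self.voting_power(who)

    def execute(self, pid):
        p = self.proposals[pid]
        if self.block - p.created_block < self.timelock_blocks:
            return False                         # timelock has not elapsed
        if p.votes_for * QUORUM_DEN <= SUPPLY * QUORUM_NUM:
            return False                         # no supermajority
        self.treasury = 0                        # the proposal moves the treasury
        return True


def flash_loan_vote(gov, attacker, pid, borrowed):
    """One atomic transaction: buy tokens from the pool with borrowed funds,
    vote, try to execute, sell the tokens back and repay.
    Returns True if the treasury was drained."""
    gov.balances["pool"] -= borrowed
    gov.balances[attacker] = gov.balances.get(attacker, 0) + borrowed
    gov.vote(pid, attacker)
    drained = gov.execute(pid)
    gov.balances[attacker] -= borrowed
    gov.balances["pool"] += borrowed
    return drained


def run_scenario(checkpointed_power, timelock_blocks, blocks_waited):
    """Constructed holders: a liquidity pool, an honest holder and the attacker."""
    holders = {"pool": 8_000, "alice": 1_500, "mallory": 500}
    gov = Governance(holders, checkpointed_power, timelock_blocks)
    pid = gov.propose()
    for _ in range(blocks_waited):
        gov.advance_block()           # attacker waits for the timelock before striking
    return flash_loan_vote(gov, "mallory", pid, borrowed=7_500)


if __name__ == "__main__":
    print("A live balance, no timelock      :", run_scenario(False, 0, 0))
    print("B live balance, timelock elapsed :", run_scenario(False, 10, 10))
    print("C checkpointed power, timelock   :", run_scenario(True, 10, 10))
```

The point of scenario B is that a delay on its own is not a defence: if votes are tallied from whatever the voter holds at the moment of voting, an attacker can file the proposal early, wait out the lock, and still borrow the voting power in the same transaction that executes it. Only tying voting power to a balance recorded before the vote (policy C) removes the flash loan from the equation.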
Another instance of a DeFi attack saw cybercriminals exploit a signature verification vulnerability in an unnamed DeFi platform’s token bridge and withdraw all of the investments, resulting in approximately $320m in losses.
Manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities was another area of attack seen by FBI investigators. This included leveraged trades that bypassed checks and benefited from price calculation errors caused by the DeFi platform’s reliance on a single price oracle. This attack led to the loss of about $35m in cryptocurrency, according to the FBI.
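The single-oracle problem above is easiest to see in a collateral valuation. The Python model below is an added example, not code from the FBI alert or from the platform involved, and its pool reserves, feed values and loan-to-value ratio are constructed. It values the same collateral two ways after a large swap moves one pool's spot price: trusting that one pool (the weak setting), and taking a median over independent sources and refusing any result that strays from a time-weighted average price, which the model assumes is maintained elsewhere.

```python
"""Toy collateral valuation: one on-chain spot price versus a multi-source
oracle with a deviation guard. All reserves, feeds and ratios are constructed."""
from statistics import median


class ConstantProductPool:
    """x*y = k automated market maker quoting BASE in units of QUOTE."""

    def __init__(self, base_reserve, quote_reserve):
        self.base = float(base_reserve)
        self.quote = float(quote_reserve)

    def spot_price(self):
        return self.quote / self.base

    def buy_base(self, quote_in):
        """Swap QUOTE for BASE and return the BASE received.
        A swap that is large relative to the reserves moves spot_price sharply."""
        k = self.base * self.quote
        new_base = k / (self.quote + quote_in)
        out = self.base - new_base
        self.quote += quote_in
        self.base = new_base
        return out


class PriceDeviationError(ValueError):
    pass


def single_oracle_price(pool):
    """Weak setting: trusts one pool's instantaneous spot price."""
    return pool.spot_price()


def guarded_price(pool, external_feeds, twap, max_deviation=0.05):
    """Hardened setting: median over independent sources, then refuse any
    price more than max_deviation away from the time-weighted average
    (assumed to be computed over earlier blocks, so one swap cannot move it)."""
    candidates = [pool.spot_price(), *external_feeds]
    price = median(candidates)
    if abs(price - twap) / twap > max_deviation:
        raise PriceDeviationError(
            f"median {price:.2f} deviates from TWAP {twap:.2f} by more than {max_deviation:.0%}")
    return price


def max_borrow(price, collateral_units, ltv=0.75):
    """Largest loan the platform will issue against the collateral at this price."""
    return collateral_units * price * ltv


def compare_valuations(manipulation_quote=1_000_000, feeds=(1000.0, 1001.0), twap=1000.0):
    """Returns (fair, single_oracle, guarded) borrow limits for 10 units of BASE.
    guarded is None when the deviation guard refuses to price the loan."""
    pool = ConstantProductPool(1_000, 1_000_000)   # fair price: 1000 QUOTE per BASE
    collateral = 10
    fair = max_borrow(pool.spot_price(), collateral)
    pool.buy_base(manipulation_quote)               # one large swap inside a block
    naive = max_borrow(single_oracle_price(pool), collateral)
    try:
        guarded = max_borrow(guarded_price(pool, feeds, twap), collateral)
    except PriceDeviationError:
        guarded = None
    return fair, naive, guarded


if __name__ == "__main__":
    print("honest feeds     :", compare_valuations())
    print("feeds also moved :", compare_valuations(feeds=(4000.0, 4000.0)))
```

With honest external feeds the median ignores the distorted pool and the borrow limit barely moves; if the external feeds are also wrong, the deviation guard refuses the loan rather than lending against a price that has quadrupled inside a single block. Neither layer alone is sufficient, which is why the two checks are combined.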
In total, web3 projects, including DeFi platforms, are thought to have lost about $2bn to hacks and scams since the start of this year. That figure comes from a report by web3 security company CertiK, which found that these attacks are often carried out by nation state-backed groups.
DeFi: keeping crypto wallets safe
“Investors should make their own investment decisions based on their financial objectives and financial resources and, if in any doubt, should seek advice from a licensed financial adviser,” the FBI suggests, adding that it’s important to research the DeFi platform, its protocols and smart contracts before investing to be aware of any specific risks involved.
Agency officials also warn potential investors to check that the platform has conducted one or more code audits and that the audit was carried out by an independent auditor. Such audits typically involve a thorough review and analysis of the platform’s underlying code to look for vulnerabilities and weaknesses that could affect its performance.
It also warns to “be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching. Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions”.
The FBI also recommended a number of precautions that DeFi platforms could take to reduce the risk of attacks and scams and protect investors.
This included a need to “institute real time analytics, monitoring, and rigorous testing of code in order to more quickly identify vulnerabilities and respond to indicators of suspicious activity” and “develop and implement an incident response plan that includes alerting investors when smart contract exploitation, vulnerabilities, or other suspicious activity is detected”.