Decentralized finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cybercriminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.
Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cybersecurity practices of the sector.
DeFi averaged five attacks per week last year, with most of the them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.
Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.
"The desire to develop quickly and save time, or perhaps just the lazy disinclination to review or recreate one's own code, too often leads to the use of untested, and therefore ultimately vulnerable, code," the report says.
And indeed, as users and DeFi platforms themselves try to reinvent banking — and a complex new infrastructure to support it — administrators can't overlook the importance of security basics, Dylan Dubeif, senior security consultant at Bishop Fox tells Dark Reading.
"No matter how innovative or sophisticated your project is, don't forget about security by ignoring what seems minor or basic," he says. "A trivial vulnerability can end up costing you the most."
DeFi Smart-Contract Vulns
A prime example is the May 28 BurgerSwap Dex smart-contract-related DeFi breach, which led to a $7.2 million loss. That attack leveraged vulnerabilities that are so well known that their use here seemed confounding, according to the report. These included exploiting a missing x*y≥k check** and mounting re-entrancy attacks, according to the report. The weaknesses allowed attackers to leverage well-known tactics such as flash-loan abuse and the use of fake tokens.
"We can't emphasize it enough — maintain a recurring audit process and test each piece of code before it goes into production," the report says. "In decentralized finance, even the shortest line of vulnerable code can lead to a total loss of project tokens and the collapse of the project."
Last August, Cream Finance took a major financial hit at the hands of cybercriminals, losing nearly $29 million before the attack was discovered (418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency).
The hack was made possible due to a re-entrancy bug in its smart-contracts function, introduced by the $AMP tokens used by the exchange.
“The … breach of the Cream Finance platform was facilitated by the latest in a long chain of smart-contract vulnerabilities introduced by human error (or possibly insider attacks),” Joe Stewart, a researcher with PhishLabs, noted at the time. "It is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code — exactly what happened to the author of the Cream Finance smart contract.”
Smart contracts become trickier to code-audit as well after they start interacting with each other, Stewart added.
“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) make it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart said.
Front-End DeFi Attacks
The code used to create DeFi digital wallets and website interfaces has also proved to be an easy attack vector for scammers.
In one attack on BadgerDAO last December, analysts said that attackers exploited a CloudFlare vulnerability to get an API key, which then allowed them to tweak the site's source code to divert funds to wallets in their control, the report explains.
"In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and were also able to create and view (Global) API keys (which cannot be deleted or deactivated) before email verification was completed," Badger said in a post-mortem statement about the breach. "It was noted that an attacker could then wait for the email to be verified, and for the account creation to be completed, and they would then have API access."
Flash-Loan DeFi Attacks
As mentioned earlier, another type of DeFi attack involves flash loans. A flash loan is an unsecured loan for buying and then selling a certain cryptocurrency; it can be requested by building a smart contract on the blockchain. Then the contract executes the loan and the trades, all in a flash.
In an attack, cybercriminals can use this function for price manipulation. For instance, last May the DeFi project PancakeBunny fell victim to this after an attacker mined a large amount of $Bunny tokens and then turned around and immediately sold them off. Not only can the cybercriminals make a fortune in this way, they can also tank the value of an entire cryptocurrency market in minutes.
"Although [this] may seem painfully simple in retrospect, it did occur, with not-insignificant consequences," the report says.
The PancakeBunny DeFi project became prey on May 19. Attackers used a bug in the platform and a flash loan to throw the pool out of balance and miscalculate the exchange in the threat actor's favor. Worse yet, just days later, two forks (i.e., new DeFi communities developed from the same blockchain), MerlinLabs and Autoshark, were targeted using the same code and attack methodology.
"Even though the teams from both projects were aware of having copied the PancakeBunny code with very few modifications, they nevertheless suffered the same attack five and seven days, respectively, after the initial project," the report says.
Servers storing private keys for cryptowallets are also a prime target for cybercriminals, the researchers warn. In several instances, wallets were swiped with stolen keys, the report says, sometimes with devastating losses; one wallet had a balance of about $60 million, for instance.
"Financial loss could have been avoided by auditing the companies’ underlying servers and adding technical and organizational measures (such as multisignature wallets) with zero-trust and least-privilege principles," the report states.
Preventing the DeFi Pwn-apalooza
With so much cybercrime activity, what should be done? To answer that, the Bishop Fox team offered two important pieces of advice for users trying to navigate this new digital financial frontier. One, don't trust any system to be secure; and two, recognize that investments can evaporate in a second.
The risk to users varies; in some cases, like the PolyNetwork breach, an attacker stole, then returned, $610 million in cryptocurrency and everyone recouped their losses. In other instances, hacked DeFi platforms weren't so lucky.
Since there's no standard for responsibility, users should be prepared for the worst. "When we talk about DeFi, we are talking about investing in the fledgling cryptocurrency financial system that has yet to learn from its mistakes," the report states.
The researchers acknowledge that with so many parts of the business, defending DeFi platforms is particularly difficult.
"As the attack surface in DeFi projects is larger than usual," the report says, "teams must ensure that adequate precautions are taken to protect all assets."