Decentralized finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cybercriminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.
Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cybersecurity practices of the sector.
DeFi averaged five attacks per week last year, with most of them (51%) coming from the exploitation of “smart contract” bugs, the analysts found. Smart contracts are essentially self-executing records of transactions stored on the blockchain.
Other top DeFi attack vectors include crypto wallets, protocol design flaws, and so-called “rug-pull” scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.
“The desire to develop quickly and save time, or perhaps just the lazy disinclination to review or recreate one’s own code, too often leads to the use of untested, and therefore ultimately vulnerable, code,” the report says.
And indeed, as users and DeFi platforms themselves try to reinvent banking — and a complex new infrastructure to support it — administrators can’t overlook the importance of security basics, Dylan Dubeif, senior security consultant at Bishop Fox, tells Dark Reading.
“No matter how innovative or sophisticated your project is, don’t forget about security by ignoring what seems minor or basic,” he says. “A trivial vulnerability can end up costing you the most.”
DeFi Smart-Contract Vulns
A prime example is the May 28 BurgerSwap Dex smart-contract-related DeFi breach, which led to a $7.2 million loss. That attack leveraged vulnerabilities so well known that their presence seemed confounding, according to the report: a missing x*y≥k check (the constant-product invariant an exchange pool must enforce on every swap) and re-entrancy. Those weaknesses allowed attackers to use well-known tactics such as flash-loan abuse and fake tokens.
“We can’t emphasize it enough — maintain a recurring audit process and test each piece of code before it goes into production,” the report says. “In decentralized finance, even the shortest line of vulnerable code can lead to a total loss of project tokens and the collapse of the project.”
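To make the missing x*y≥k check concrete, here is an added toy model of a constant-product pool (not BurgerSwap's code; `Pool`, `swap` and `demo` are constructed names). It shows that without the invariant check nothing ties the amount a caller takes out to the amount paid in:

```python
# Toy constant-product pool for the x*y >= k rule the report says BurgerSwap
# skipped. Constructed example, not BurgerSwap's code; no fee, integer math.
from dataclasses import dataclass

class SwapRejected(Exception): pass   # stands in for a revert

@dataclass
class Pool:
    reserve_x: int
    reserve_y: int
    check_invariant: bool = True      # False reproduces the missing-check bug

    def quote_out(self, amount_in: int) -> int:
        """Most Y the curve allows for amount_in of X: keeps x*y >= k."""
        k = self.reserve_x * self.reserve_y
        new_x = self.reserve_x + amount_in
        new_y = -(-k // new_x)          # ceil(k / new_x)
        return self.reserve_y - new_y

    def swap(self, amount_in: int, amount_out: int) -> int:
        """Caller pays amount_in of X and names the amount_out of Y it wants,
        as in swaps where the caller specifies the output."""
        if amount_out <= 0 or amount_out >= self.reserve_y:
            raise SwapRejected("insufficient liquidity")
        k_before = self.reserve_x * self.reserve_y
        new_x = self.reserve_x + amount_in
        new_y = self.reserve_y - amount_out
        # The invariant check is the only thing tying amount_out to amount_in.
        if self.check_invariant and new_x * new_y < k_before:
            raise SwapRejected("x*y >= k violated")
        self.reserve_x, self.reserve_y = new_x, new_y
        return amount_out

def demo(check_invariant: bool):
    """Pay 10_000 X but ask for 50x what the curve allows; returns
    (swap went through?, reserve_x, reserve_y) afterwards."""
    pool = Pool(1_000_000, 1_000_000, check_invariant)
    greedy = 50 * pool.quote_out(10_000)   # 50 * 9_900
    try:
        pool.swap(10_000, greedy)
        return True, pool.reserve_x, pool.reserve_y
    except SwapRejected:
        return False, pool.reserve_x, pool.reserve_y
```

With the check disabled the pool hands over half its Y reserve for a 1% contribution; with it enabled the same request reverts.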
Last August, Cream Finance took a major financial hit at the hands of cybercriminals, losing nearly $29 million before the attack was discovered (418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency).
The hack was made possible by a re-entrancy bug in one of its smart-contract functions, introduced through the $AMP tokens the exchange used.
“The … breach of the Cream Finance platform was facilitated by the latest in a long chain of smart-contract vulnerabilities introduced by human error (or possibly insider attacks),” Joe Stewart, a researcher with PhishLabs, noted at the time. “It is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code — exactly what happened to the author of the Cream Finance smart contract.”
Smart contracts become trickier to code-audit as well after they start interacting with each other, Stewart added.
“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) makes it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart said.
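The re-entrancy pattern described above, as an added Python model rather than Cream Finance's Solidity code: AMP is an ERC777-style token whose transfers call a hook on the recipient, so a vault that pays out before updating its books can be called again from inside that hook. `Vault`, `ReenteringDepositor` and `run` are constructed names; the `safe` flag switches on the checks-effects-interactions ordering and the nonReentrant-style guard that the missing function modifier would have supplied.

```python
# Toy model of the re-entrancy pattern behind the Cream Finance loss (constructed, not Cream's code).
# The vault pays out via a token whose transfer calls a receiver hook (ERC777-style, as $AMP does).

class Reverted(Exception): pass  # stands in for a Solidity revert

class Vault:
    def __init__(self, funds, safe):
        self.funds, self.balances = funds, {}      # tokens held / what each depositor is owed
        self.safe, self._entered = safe, False     # safe: CEI ordering + nonReentrant guard

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        if self.safe and self._entered:            # nonReentrant modifier
            raise Reverted("re-entrant call")
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            raise Reverted("nothing to withdraw")
        self._entered = True
        try:
            if self.safe:                          # effects before the external call
                self.balances[who] = 0
            self.funds -= amount
            who.tokens_received(self, amount)      # external call: the token hook fires here
            if not self.safe:                      # vulnerable: effect only after the call
                self.balances[who] = 0
        finally:
            self._entered = False
        return amount

class ReenteringDepositor:
    """Depositor whose token hook calls withdraw() again while it is still running."""
    def __init__(self, stake):
        self.stake, self.received = stake, 0

    def tokens_received(self, vault, amount):
        self.received += amount
        if vault.funds >= self.stake:              # keep re-entering while the vault can still pay
            try: vault.withdraw(self)
            except Reverted: pass                  # a guarded vault simply refuses the nested call

def run(safe, honest_funds=300, stake=100):
    # returns (tokens the re-entering depositor received, tokens left for everyone else)
    vault, attacker = Vault(honest_funds, safe), ReenteringDepositor(stake)
    vault.deposit(attacker, stake)
    vault.withdraw(attacker)
    return attacker.received, vault.funds
```

In the unsafe ordering a 100-token depositor walks away with all 400 tokens in the vault; with the guard and CEI ordering the nested call reverts and only the 100 tokens owed are paid.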
Front-End DeFi Attacks
The code used to create DeFi digital wallets and website interfaces has also proved to be an easy attack vector for scammers.
In one attack on BadgerDAO last December, attackers exploited a Cloudflare vulnerability to obtain an API key, which then allowed them to tweak the site’s source code and divert funds to wallets under their control, the report explains.
“In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and were also able to create and view (Global) API keys (which cannot be deleted or deactivated) before email verification was completed,” Badger said in a post-mortem statement about the breach. “It was noted that an attacker could then wait for the email to be verified, and for the account creation to be completed, and they would then have API access.”
Flash-Loan DeFi Attacks
As mentioned earlier, another type of DeFi attack involves flash loans. A flash loan is an unsecured loan used to buy and then sell a given cryptocurrency; it is requested by deploying a smart contract on the blockchain, and that contract then executes the loan and the trades all at once, in a flash.
In an attack, cybercriminals can use this function for price manipulation. For instance, last May the DeFi project PancakeBunny fell victim to this after an attacker mined a large amount of $Bunny tokens and then turned around and immediately sold them off. Not only can cybercriminals make a fortune in this way, they can also tank the value of an entire cryptocurrency market in minutes.
“Although [this] may seem painfully simple in retrospect, it did occur, with not-insignificant consequences,” the report says. Read more: https://bit.ly/3GkuxSN