Analysts say decentralized finance lost $1.8 billion in cyberattacks last year, and 80% of those events were the result of vulnerable code.
Decentralized finance (DeFi) platforms, which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions, promise to replace banks as a safe and convenient way to invest and spend cryptocurrency. But cybercriminals have sensed that the hordes of new users dreaming of digital wealth are easy prey.
Bishop Fox analysts found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. According to the report, which recorded 65 events, 90% of the losses were caused by simple attacks, indicating weak cybersecurity practices in the sector.
Analysts found that DeFi saw an average of five attacks per week last year, with the majority (51%) exploiting smart contract bugs. Smart contracts are programs stored on the blockchain that execute transactions automatically when their coded conditions are met, so a bug in that code is a bug in the money-handling logic itself.
Other major DeFi attack vectors include crypto wallets, flaws in protocol design, and so-called rug pulls (where investors are lured into a new cryptocurrency project, which is then shut down, leaving victims holding a worthless token). Taken together, according to the report, 80% of all of these events were caused by the use (or reuse) of flawed code.
“The desire to develop quickly and save time, or often simply a lazy reluctance to revise or redo one’s own code, very often leads to the use of unverified and therefore extremely vulnerable code,” the report says.
Indeed, as users and DeFi platforms themselves try to reinvent banking, along with the complex new infrastructure to support it, administrators should not lose sight of the importance of security fundamentals, Dylan Dubeif, senior security consultant at Bishop Fox, told Dark Reading.
“No matter how innovative or complex your project is, don’t neglect security by ignoring what seems secondary or elementary,” he says. “A trivial vulnerability can ultimately cost you the most.”
Vulnerabilities of DeFi smart contracts
A prime example is the DeFi breach involving the BurgerSwap DEX smart contract on May 28, 2021, which resulted in losses of $7.2 million. According to the report, this attack exploited vulnerabilities so well known that their presence in this case is baffling: a missing check that the pool’s reserves still satisfy the x*y ≥ k invariant after a swap, and a reentrancy flaw. These weaknesses allowed attackers to use well-known tactics, such as abusing flash loans and using fake tokens.
“We can’t stress enough how important it is to maintain a repeated auditing process and test each piece of code before it goes into production,” the report said. “In decentralized finance, even the shortest line of vulnerable code can lead to the complete loss of project tokens and the collapse of the project.”
Last August, Cream Finance was hit hard by cybercriminals, losing nearly $29 million before the attack was discovered (418,311,571 AMP and 1,308.09 ETH).
The hack was made possible by a reentrancy flaw in the platform’s smart contracts, triggered through the $AMP token used by the exchange, whose transfer callback hands control to the recipient in the middle of a transaction.
“… The Cream Finance platform hack was facilitated by the latest in a long chain of smart contract vulnerabilities caused by human error (or, possibly, insider attacks),” said Joe Stewart, a researcher at PhishLabs, at the time. “It’s very easy to shoot yourself in the foot just by not including the right function modifier in your code – that’s exactly what happened to the author of the Cream Finance smart contract.”
Stewart added that smart contract code becomes harder to validate once contracts start interacting with each other.
“The increasing complexity of DeFi contracts that interact with each other (perhaps even on different blockchains) makes it difficult to predict all possible code paths that could lead to privilege escalation and loss of the funds locked in the contract,” Stewart said.
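The bug class Stewart describes, as an added example (not code from the Bishop Fox report, Cream Finance, or $AMP): a Python simulation of a vault whose withdraw function pays the caller through an external callback before zeroing the caller’s balance. A receiver whose callback re-enters the withdraw function is paid repeatedly until the vault is empty. The fixed version updates state before the external call and adds a reentrancy guard, the role a Solidity `nonReentrant` modifier plays. The classes, amounts and the `on_receive` hook are constructed for illustration.

```python
# Added example: simulated reentrancy. Vault, HonestUser, ReentrantReceiver
# and all amounts are constructed; the on_receive hook stands in for the
# control transfer an external call (or an ERC-777 style token hook) gives
# to the recipient mid-transaction.


class Vault:
    def __init__(self):
        self.balances = {}      # receiver object -> credited amount
        self.held = 0           # funds actually held by the vault
        self._entered = False   # reentrancy guard flag

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.held += amount

    def _pay(self, receiver, amount):
        """Transfer funds and hand control to receiver code, like a low-level call."""
        if self.held < amount:
            raise RuntimeError("transfer failed: vault is empty")
        self.held -= amount
        receiver.on_receive(self, amount)

    def withdraw_vulnerable(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self._pay(who, amount)       # interaction first ...
        self.balances[who] = 0       # ... state update after: re-entrant calls see the old balance

    def withdraw_fixed(self, who):
        if self._entered:            # guard: what a nonReentrant modifier enforces
            raise RuntimeError("reentrant call rejected")
        self._entered = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            self.balances[who] = 0   # checks-effects-interactions: effect before the call
            self._pay(who, amount)
        finally:
            self._entered = False


class HonestUser:
    def on_receive(self, vault, amount):
        pass


class ReentrantReceiver:
    """Receiver whose payment hook calls back into the vault."""
    def __init__(self, withdraw_name):
        self.withdraw_name = withdraw_name
        self.received = 0

    def on_receive(self, vault, amount):
        self.received += amount
        if vault.held >= amount:     # keep draining while the vault can still pay
            try:
                getattr(vault, self.withdraw_name)(self)
            except RuntimeError:
                pass                 # guard tripped (fixed vault), stop re-entering


def run_attack(fixed):
    """Honest user deposits 9, attacker deposits 1, attacker withdraws.
    Returns (amount the attacker received, funds left in the vault)."""
    vault = Vault()
    honest = HonestUser()
    attacker = ReentrantReceiver("withdraw_fixed" if fixed else "withdraw_vulnerable")
    vault.deposit(honest, 9)
    vault.deposit(attacker, 1)
    getattr(vault, attacker.withdraw_name)(attacker)
    return attacker.received, vault.held


if __name__ == "__main__":
    print("vulnerable:", run_attack(fixed=False))   # (10, 0): attacker drains the vault
    print("fixed:     ", run_attack(fixed=True))    # (1, 9): attacker gets only its own deposit
```

The vulnerable path recurses ten levels deep, each level reading the attacker’s still-unzeroed balance; the fixed path rejects the second entry and, because the balance was zeroed before the call, would pay nothing even without the guard.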
External DeFi attacks
The code used to create DeFi digital wallets and website interfaces has also proven to be a convenient attack vector for scammers.
In one of the attacks on BadgerDAO last December, the report explains, attackers used a Cloudflare vulnerability to obtain an API key, which then allowed them to modify the site’s front-end code to redirect funds to wallets under their control.
“In late September, users on the Cloudflare community support forum reported that unauthorized users could create accounts and could also create and view (global) API keys (which cannot be deleted or deactivated) before email verification was completed,” Badger said in its post-mortem of the breach. “It was noted that an attacker could wait for the email to be verified and the account creation to be completed, after which they would gain access to the API.”
DeFi flash loan attacks
As mentioned earlier, another type of DeFi attack involves flash loans. A flash loan is an uncollateralized loan that must be borrowed and repaid within a single blockchain transaction; it is requested by a smart contract, which borrows, trades, and repays atomically, so if repayment fails the whole transaction reverts.
In an attack, cybercriminals can use this feature to manipulate prices. For example, in May last year, the DeFi project PancakeBunny fell victim to this after an attacker minted a large number of $BUNNY tokens and then immediately sold them. Thus, cybercriminals can not only get rich, but also crash the value of a token in a matter of minutes.
“Although [this] may seem painfully simple in retrospect, it really happened, with considerable consequences,” the report said.
The PancakeBunny DeFi project was hit on May 19. The attackers used a bug in the platform together with a flash loan to unbalance the pool so that the exchange rate was calculated in the attacker’s favor. To make matters worse, just a few days later, two forks (i.e., new DeFi projects built from the same codebase), MerlinLabs and Autoshark, were attacked using the same code and attack methodology.
“Although the teams on both projects were aware that they had copied the PancakeBunny code with very few changes, they nevertheless suffered the same attack five and seven days after the original, respectively,” the report said.
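Two of the mechanisms above, as an added example (not code from the report, BurgerSwap, or PancakeBunny): a Python simulation of a constant-product (x*y = k) pool. The first function shows why a swap that omits the x*y ≥ k check, the BurgerSwap weakness, lets a caller take out almost the entire reserve for a token of input. The second part shows the flash loan price manipulation: within one transaction the attacker borrows, skews the pool’s spot price, borrows against collateral from a lender that reads that spot price, unwinds, and repays, leaving the lender undercollateralized. The pool is fee-free, and the lender, the simplified block-sampled TWAP oracle, and all amounts are constructed assumptions.

```python
# Added example: constant-product pool, missing-invariant overdraw, and a
# flash-loan price manipulation. Fee-free pool, Lender, BlockTwap and amounts
# are assumptions made for this illustration, not any real protocol.
from fractions import Fraction


def ceil_div(a, b):
    return -(-a // b)


class ConstantProductPool:
    def __init__(self, reserve_x, reserve_y):
        self.x, self.y = reserve_x, reserve_y

    def spot_price(self):
        """Y per X implied by current reserves: what a naive oracle reads."""
        return Fraction(self.y, self.x)

    def quote_x_out(self, y_in):
        """Largest X output for y_in that keeps x*y from decreasing."""
        return self.x - ceil_div(self.x * self.y, self.y + y_in)

    def quote_y_out(self, x_in):
        return self.y - ceil_div(self.x * self.y, self.x + x_in)

    def swap(self, x_in=0, y_in=0, x_out=0, y_out=0, check_k=True):
        """Uniswap-v2 style: the caller declares what it sends in and takes out;
        the pool's only defence is verifying x*y did not shrink.
        check_k=False reproduces the missing-invariant bug class."""
        k_before = self.x * self.y
        new_x, new_y = self.x + x_in - x_out, self.y + y_in - y_out
        if new_x <= 0 or new_y <= 0:
            raise ValueError("insufficient liquidity")
        if check_k and new_x * new_y < k_before:
            raise ValueError("x*y >= k violated")
        self.x, self.y = new_x, new_y


def attempt_overdraw(check_k):
    """Send in 1 X and try to take 999 of the pool's 1000 Y.
    Returns the Y obtained, or None if the pool rejected the swap."""
    pool = ConstantProductPool(1000, 1000)
    try:
        pool.swap(x_in=1, y_out=999, check_k=check_k)
        return 999
    except ValueError:
        return None


class BlockTwap:
    """Simplified time-weighted price: mean of the spot price sampled at the end
    of the last n blocks. A skew undone within one transaction never lands in a sample."""
    def __init__(self, pool, n=3):
        self.pool, self.n, self.samples = pool, n, []

    def end_block(self):  # called at block boundaries, outside the attacker's tx
        self.samples = (self.samples + [self.pool.spot_price()])[-self.n:]

    def price(self):
        return sum(self.samples) / len(self.samples)


class Lender:
    """Lends Y against X collateral at 50% loan-to-value, valued by price_fn."""
    def __init__(self, liquidity_y, price_fn, ltv=Fraction(1, 2)):
        self.liquidity, self.price_fn, self.ltv = liquidity_y, price_fn, ltv
        self.collateral_x, self.debt_y = 0, 0

    def borrow(self, collateral_x):
        amount = int(collateral_x * self.price_fn() * self.ltv)
        if amount > self.liquidity:
            raise ValueError("lender out of liquidity")
        self.collateral_x += collateral_x
        self.debt_y += amount
        self.liquidity -= amount
        return amount


def flash_loan_attack(pool, lender, loan_y, own_x):
    """One transaction: flash-borrow loan_y Y, pump X's spot price, borrow against
    own_x at the inflated price, unwind, repay. Returns Y borrowed from the lender."""
    x_bought = pool.quote_x_out(loan_y)
    pool.swap(y_in=loan_y, x_out=x_bought)       # X's spot price spikes
    borrowed = lender.borrow(own_x)               # lender values own_x at the spike
    y_back = pool.quote_y_out(x_bought)
    pool.swap(x_in=x_bought, y_out=y_back)       # price restored
    if y_back < loan_y:
        raise RuntimeError("cannot repay flash loan; tx would revert")
    return borrowed


def run_scenario(use_twap):
    """Returns (Y borrowed, pool price after the tx, X collateral the lender holds)."""
    pool = ConstantProductPool(1000, 1000)
    twap = BlockTwap(pool)
    for _ in range(3):
        twap.end_block()                          # three calm blocks at price 1
    lender = Lender(100_000, twap.price if use_twap else pool.spot_price)
    borrowed = flash_loan_attack(pool, lender, loan_y=9000, own_x=100)
    return borrowed, pool.spot_price(), lender.collateral_x
```

With the spot-price lender, a 9,000 Y flash loan pushes the pool from 1 Y per X to 100 Y per X, so 100 X of collateral (worth 100 Y at the fair price) supports a 5,000 Y loan that is never repaid; the TWAP-backed lender lends 50 Y for the same collateral. The overdraw function shows the other failure: with the invariant check removed, 1 X buys 999 Y.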
Researchers warn that DeFi servers that store private keys for crypto wallets are also a prime target for cybercriminals. The report says that in several cases wallets were drained using stolen keys, sometimes with huge losses; one wallet alone held about $60 million.
“Financial losses could have been avoided by auditing the companies’ core servers and adding technical and organizational measures (such as multi-signature wallets) built on the principles of zero trust and least privilege,” the report said.
Preventing DeFi Pwn-apalooza
What to do about so many cybercrimes? To answer this question, the Bishop Fox team gave two important pieces of advice to users trying to navigate this new digital financial frontier. First, don’t take any system’s security on trust; and second, recognize that investments can evaporate in a second.
The risk to users varies; in some cases, such as the PolyNetwork hack, the attacker stole and then returned $610 million in cryptocurrency, and users were made whole. In other cases, hacked DeFi platforms were less fortunate.
Since there is no standard of liability, users must be prepared for the worst. “When we talk about DeFi, we’re talking about investing in a young cryptocurrency financial system that hasn’t yet learned from its mistakes,” the report said.
The researchers acknowledge that with so many moving parts, securing DeFi platforms is particularly challenging.
“Because the attack surface in DeFi projects is larger than usual,” the report said, “teams must ensure that adequate precautions are taken to protect all assets.”