The FBI has urged people to be cautious and heavily research a DeFi – decentralized finance – provider before putting your money into it, after more than a billion dollars was stolen from these providers in three months.
In an alert this week, quoting numbers from blockchain research firm Chainalysis, the Feds said $1.3 billion in cryptocurrencies were siphoned in total between January and March 2022 alone, and 97 percent of that was lifted from DeFi outfits. In May, Chainalysis upped that figure to $1.68 billion for the first four months of the year.
The FBI wants folks to realize the risks, get professional financial advice if in doubt, and do their homework on the security and general practices of DeFi providers. And by DeFi provider, we all mean exchanges, marketplaces, and similar sites where you can buy, sell, exchange, and loan cryptocurrencies and other digital assets.
The bureau’s warning comes after a round of cyber-robberies against these sorts of platforms, including a $100 million hit on Harmony (thought to been carried out by North Korea), an estimated $200 million theft from BitMart and a $130 million heist from Cream Finance.
According to Chainalysis, North Koreans have had their biggest year yet for cryptocurrency theft, with a haul of at least $840 million so far in 2022.
“The data goes to show that shoring up DeFi protocols’ defenses against hackers isn’t just a matter of building trust with users so that DeFi can continue to grow,” Chainalysis argued. “It’s also a matter of international security given that cryptocurrency stolen by North Korean hacking groups is used to support the country’s development of weapons of mass destruction.” The biz pointed to a 2019 United Nations document [PDF] to back that argument up.
The FBI’s alert offers advice to investors that starts with generic warnings about conducting due diligence before investing, before suggesting the following:
- Research DeFi platforms, protocols, and smart contracts before investing and be aware of the specific risks involved in DeFi investments.
- Ensure the DeFi investment platform has conducted one or more code audits performed by independent auditors. A code audit typically involves a thorough review and analysis of the platform’s underlying code to identify vulnerabilities or weaknesses in the code that could negatively impact the platform’s performance.
- Be alert to DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.
- Be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching. Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.
Most DeFi platforms are relatively new, and have attracted big and small investors. They can involve more than just a basic swapping of tokens. For instance, a load of these websites and apps allow users to create and use smart contracts, which are bits of code that run typically to make transactions happen. That means user-generated software bugs are now in the mix, which can be exploited by thieves to steal coins, or just simply cause assets to vanish. Then there are APIs to access holdings and send tokens, which can go wrong. The combination of under-tested or poorly implemented tech and volumes of money have made the scene an attractive target for cybercriminals.
“People are putting their faith in crypto algorithms and protocols, and only time will tell if they are right or not,” Jeff Williams, co-founder and CTO at cybersecurity firm Contract Security, told The Register.
“But even if they are perfect, there is a lot more to DeFi platforms than just crypto. These platforms are just software and they require high security authentication, access control, input handling, attack detection and response, use of open source, IaC [infrastructure-as-code] security, and much more.”
Even the largest established financial institutions struggle with software vulnerabilities, averaging more than 30 serious problems per applications, Williams claimed, thus “fast-moving DeFi companies have an extraordinary challenge to secure their software.”
The FBI said cyber-gangs appear to be targeting smart contracts, which the agency described as self-executing contracts that have the terms of a transaction – agreed upon by a buyer and seller – written directly into lines of code. These contracts run when the conditions in the contract are met, and are replicated across a decentralized and distributed blockchain network.
The agency has already outlined methods used by cybercriminals to defraud DeFi platforms, such as combining smart contracts with flash loans to steal millions in seconds. A DeFi platform called Beanstalk Farms lost $180 million in April in one such an attack. The bureau also pointed to Wormhole, a protocol for connecting blockchains, losing $320 million in Ether in February due to a signature verification vulnerability.
Investors need to be diligent in examining the cybersecurity practices of DeFi platforms and their financial merits and rely on well-vetted and independently tested platforms, according to Michael Oglesby, executive vice president of security services at cybersecurity vendor Cerberus Sentinel.
“The explosive growth and high returns of the DeFi ecosystem have lured many early adopters to embrace blockchain technologies, such as smart contracts,” Oglesby told The Register. “However, early investors should be wary. Most DeFi systems have little protection or safety nets in place to prevent catastrophic loss from a fraudulent attack.”
DeFi platform operators need to institute real-time analytics, monitoring and testing of code, and develop incident response plans that includes alerting investors, the FBI said.
Warnings from the Feds are fine, but netizens “really need far more transparency around the security protections that these companies have in place,” Williams said. “This would be a great use case for the new consumer software security label scheme created by NIST per the [US President’s] cybersecurity executive order.” ®
