Decentralized finance (DeFi) platforms, which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading and other transactions, promise to replace banks as a secure and convenient way to invest in and use cryptocurrencies. But according to a new report, in addition to attracting hordes of new users with dreams of digital fortune, the platforms have proven to be easy targets for cybercriminals, who have wiped wallets to a zero balance in an instant and put the whole market in the tank while turning a profit.
Bishop Fox analysts found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. The report observed a total of 65 incidents, and 90% of the losses were due to unsophisticated attacks, which points to loose cybersecurity practices in the sector.
According to the analysts, DeFi platforms suffered an average of five attacks a week last year, most of which (51%) exploited “smart contract” bugs. Smart contracts are essentially transaction records, and they are stored on the blockchain.
Other top DeFi attack vectors include cryptocurrencies, protocol design flaws and so-called “rug-pull” scams (where investors are lured into a new cryptocurrency project that is then abandoned, leaving them holding worthless assets). However, according to the report, 80% of all incidents were due to the use (and reuse) of buggy code.
“The desire to develop quickly and save time, or a lazy aversion to reviewing or rewriting your code, often leads to the use of untested and therefore vulnerable code,” the report says.
In fact, as users and DeFi platforms themselves reinvent the banking business and build a complex new infrastructure to support it, administrators cannot afford to overlook the basics of security.
“No matter how innovative or sophisticated your project is, don’t ignore the minor or basic things and don’t forget about security,” the report says. “Minor vulnerabilities can cost you the most.”
DeFi smart contract vulnerabilities
A prime example is the May 28 smart-contract-related breach of the BurgerSwap DEX, which resulted in a loss of $7.2 million. According to the report, the attack exploited a very well-known vulnerability, so its presence here was puzzling. The report says it involved the exploitation of a missing x * y ≥ k check and a reentrancy attack. This weakness allowed the attackers to apply well-known tactics such as flash loan abuse and the use of fake tokens.
“I cannot emphasize this enough: keep a regular auditing process and test every piece of code before moving it to production,” the report said. “In decentralized finance, even the shortest line of vulnerable code can lead to a complete loss of project tokens and a project collapse.”
Last August, Cream Finance was hit hard: it fell into the hands of cybercriminals and lost about $29 million before the attack was discovered (418,311,571 AMP tokens and 1,308.09 ETH).
The hack was made possible by a reentrancy bug in a smart contract feature introduced by the $AMP token used on the exchange.
“… The CreamFinance platform breach was fueled by the latest in a long chain of smart contract vulnerabilities caused by human error (or perhaps insider attacks),” PhishLabs researcher Joe Stewart said at the time. “It’s very easy to shoot yourself in the foot by not including the correct function qualifiers in your code. That’s exactly what happened to the creators of the CreamFinance smart contracts.”
Stewart added that smart contracts make code auditing difficult once they begin interacting with one another.
“With the increasing complexity of interacting DeFi contracts (perhaps even across different blockchains), it becomes difficult to predict all the code paths that could lead to privilege escalation or loss of funds locked in the contract,” said Stewart.
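To make the missing check concrete, here is an added Python simulation (not BurgerSwap’s code) of a constant-product pool in which the caller proposes the output amount and the pool itself must verify x * y ≥ k on fee-adjusted reserves; the pool sizes, fee and swap amounts are assumptions.

```python
# Constant-product AMM pool simulated in Python (constructed example, not
# BurgerSwap code). As in Uniswap-v2-style pairs, the caller proposes the
# output amount and the pool itself must enforce x * y >= k on fee-adjusted
# reserves; check_k=False models a pool that omits that check.
class InvariantViolation(Exception):
    pass

class Pool:
    def __init__(self, reserve_x, reserve_y, fee_bps=30):
        self.x, self.y = reserve_x, reserve_y     # reserves of token X and Y
        self.fee_bps = fee_bps                    # 30 bps = 0.30% fee on input

    def quote_out(self, amount_in):
        """Honest Y output for selling amount_in of X along the curve."""
        in_with_fee = amount_in * (10_000 - self.fee_bps)
        return (in_with_fee * self.y) // (self.x * 10_000 + in_with_fee)

    def swap(self, amount_in, amount_out, check_k):
        """Take amount_in of X, pay the caller-proposed amount_out of Y."""
        if amount_in <= 0 or not 0 < amount_out < self.y:
            raise ValueError("bad amounts")
        k_before = self.x * self.y
        new_x, new_y = self.x + amount_in, self.y - amount_out
        if check_k:
            # Fee-adjusted X balance, scaled by 10_000 to stay in integers.
            adj_x = new_x * 10_000 - amount_in * self.fee_bps
            if adj_x * new_y < k_before * 10_000:
                raise InvariantViolation("x * y >= k check failed")
        self.x, self.y = new_x, new_y
        return amount_out

def accepted(pool, amount_in, amount_out, check_k):
    """True if the pool accepts the swap, False if the k check rejects it."""
    try:
        pool.swap(amount_in, amount_out, check_k)
        return True
    except InvariantViolation:
        return False

def demo():
    fair = Pool(1_000_000, 1_000_000).quote_out(10_000)
    return {
        "fair_out": fair,
        # The honest output passes the check; one unit more does not.
        "fair_accepted": accepted(Pool(1_000_000, 1_000_000), 10_000, fair, True),
        "fair_plus_one_accepted": accepted(Pool(1_000_000, 1_000_000), 10_000, fair + 1, True),
        # Without the check the pool pays out half of its Y for 10_000 X.
        "inflated_unchecked": accepted(Pool(1_000_000, 1_000_000), 10_000, 500_000, False),
        "inflated_checked": accepted(Pool(1_000_000, 1_000_000), 10_000, 500_000, True),
    }
```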
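As an added illustration of the reentrancy pattern Stewart describes (constructed Python, not Cream Finance or AMP code): a token with a receive hook hands control to the recipient in the middle of a transfer, and a vault that pays out before updating its ledger can be made to pay twice unless a nonReentrant-style guard, the kind of missing function qualifier mentioned above, rejects the nested call. The vault, token and balances are assumptions.

```python
# Reentrancy simulated in Python (constructed example, not Cream Finance or AMP
# code). An ERC777-style token hands control to the recipient inside transfer();
# a vault that pays out before zeroing the balance can be re-entered and pay
# twice. A nonReentrant-style guard (guarded=True) blocks the nested call.
class HookToken:
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        # Recipient contracts get a receive hook; control passes to them here.
        getattr(recipient, "tokens_received", lambda _amount: None)(amount)

class Vault:
    def __init__(self, guarded):
        self.token, self.guarded = HookToken(), guarded
        self.deposits, self._entered = {}, False

    def withdraw(self, who):
        if self.guarded and self._entered:
            raise RuntimeError("reentrant call blocked")   # modifier-style guard
        self._entered = True
        amount = self.deposits.get(who, 0)
        if amount:
            self.token.transfer(self, who, amount)  # interaction first...
            self.deposits[who] = 0                  # ...effect after (the bug)
        self._entered = False

class Reentrant:
    def __init__(self, vault):
        self.vault, self.reentered = vault, False

    def tokens_received(self, amount):
        if not self.reentered:                    # hook calls withdraw() once more
            self.reentered = True
            try:
                self.vault.withdraw(self)
            except RuntimeError:
                pass                      # guard refused; outer call continues

def run(guarded):
    """Tokens the re-entering recipient holds after one withdraw() of 100."""
    vault = Vault(guarded)
    vault.token.balances[vault] = 1_000   # pooled user funds held by the vault
    caller = Reentrant(vault)
    vault.deposits[caller] = 100
    vault.withdraw(caller)
    return vault.token.balances[caller]
```

With the guard off the recipient is paid 200 for a 100 deposit; with it on, only the legitimate 100.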
Front-end DeFi attacks
The code used to create the interface between a DeFi digital wallet and a website has also proven to be a simple attack vector for scammers.
In a December attack on Badger DAO, analysts said, attackers exploited a vulnerability in Cloudflare to obtain an API key, tweak the site’s source code and direct funds to a wallet under their control.
“In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and to create and view (global) API keys (which cannot be deleted or deactivated) before email verification was completed,” Badger stated in its post-mortem on the breach. “Note that an attacker could wait for the email to be verified and the account creation to complete before gaining access to the API.”
Flash loan DeFi attacks
As mentioned earlier, another type of DeFi attack involves flash loans. Flash loans are unsecured loans used to buy and sell specific cryptocurrencies. They are requested by building a smart contract on the blockchain, and the contract then executes the loan and all of the transactions in an instant.
In an attack, cybercriminals can use this feature to manipulate prices. For example, in May last year the DeFi project PancakeBunny fell victim to this after an attacker minted a large number of $BUNNY tokens, then turned around and sold them immediately. Not only can cybercriminals make big bucks this way, they can also reduce the value of the entire crypto market in minutes.
“Nevertheless, although [this] may seem painfully simple in hindsight, it did happen and had not insignificant consequences,” the report said.
The PancakeBunny DeFi project fell prey on May 19. Attackers used platform bugs and flash loans to unbalance the pool and miscalculate exchanges in the attacker’s favor. To make matters worse, just a few days later two forks (that is, new DeFi communities developed from the same blockchain), Merlin Labs and Autoshark, were targeted using the same code and attack methods.
“The teams of both projects knew that they had copied the PancakeBunny code with little modification, but they were still hit by the same attack 5 and 7 days after the first project, respectively,” the report said.
DeFi servers
Researchers warn that servers storing crypto wallet private keys are also a major target for cybercriminals. In some cases, stolen keys were used to sweep wallets, sometimes with catastrophic losses, the report said. For example, the balance of one such wallet was about $60 million.
“By auditing the company’s underlying servers and adding technical and organizational measures (such as multi-signature wallets) based on the principles of zero trust and least privilege, the financial loss could have been avoided,” the report states.
DeFi Pwn Prevention-apalooza
With so much cybercrime activity, what should users do? To answer this, the Bishop Fox team offers two important pieces of advice to users looking to navigate this new digital financial frontier. First, do not trust that the system is safe. Second, recognize that an investment can evaporate in a second.
The risks to users vary. In some cases, such as the Poly Network breach, the attacker returned the $610 million in stolen cryptocurrency and everyone recovered their losses. In other cases, the users of a hacked DeFi platform weren’t so lucky.
With no standards of responsibility, users need to be prepared for the worst. “When we talk about DeFi, we’re talking about investing in a new cryptocurrency financial system that has not yet learned from its mistakes,” the report said.
The researchers admit that defending a DeFi platform is particularly difficult because the business has so many moving parts.
“The attack surface of a DeFi project is larger than usual, so teams need to take appropriate precautions to protect all of their assets,” the report said.