Let’s face the fact. DeFi exploits and hacks have become rampant. DeFi investors are losing around $70m every week. Something has to be done to stop the rot – and fast too. But before we start debating how to stop them, it is important that we first identify how they happen.
We’ve studied some of the high-profile hacks that happened in the blockchain space. In this article, we will describe the most common methods of DeFi exploits that cybercrime experts have uncovered over the last 3 years. Let’s go.
- The DeFi industry emerged shortly after the creation of Ethereum-based dApps and smart contracts in 2015.
- A vast majority of crypto hacks now occur on DeFi Protocols
- Hackers deploy various methods and tricks to compromise different DeFi protocols and cart away user’s funds.
- DeFi protocols have tried to tighten security architecture through code audits and bug bounty, but the hacks are still on the rise.
- DeFi Insurance has emerged to provide much-needed succor for users of crypto lending, borrowing, investing and other on-chain financial services.
Most Popular DeFi Exploits
In the early days of crypto — say, between 2009 when satoshi published the original Bitcoin whitepaper, until 2015 when Vitalik Buterin launched the Ethereum Introductory paper – majority of the crypto hacks occurred on Exchanges and compromised personal wallets. The Mt. Gox attack ($480 million) in 2011 and Bitfinex ($60 million) in 2016 were some of the earliest high-profile hacks in crypto. Between them, customers lost over $500 million. In fact, it was this flurry of Exchange hacks that led to the popularization of the popular phrase, Not Your Keys, Not Your Coin — encouraging crypto users to move their crypto off exchanges after trading, and look for alternative cold storage methods.
Enter 2022. Vitalik Buterin’s dynamic and composable Ethereum network has ushered in a new era of decentralized financial services (DeFi) rendered through smart contracts and executed by computer applications called “dApps”. Starting at <$100M in 2016, at an all time high in November 2021, the global Total Value Locked (TVL) in DeFi protocols surpassed $100 billion.
Seeing the supersonic growth and massive adoption of DeFi, it is needless to say that the crypto hackers have also now “followed the money”. In fact, CipherTrace reported that 76% of crypto hacks that occurred in 2021, occurred on DeFi protocols. Leading to over 1.9billion in losses. So, how are all these attacks happening? Let’s get in it.
Smart Contract Vulnerability
Smart contract vulnerability is the leading cause of DeFi exploits globally. It can affect virtually all forms of DeFi protocols, including blockchain bridges, DEXs, and lending platforms. It occurs when a hacker discovers a flaw in the underlying code that underpins a specific defi protocol.
All DeFi protocols are fundamentally built upon a set of self-executing instructions called smart contracts. By definition, Smart contracts are specialized programs stored on a blockchain, and typically used to automate the trustless execution of financial transactions.
As innovators, sometimes developers focus too much on the functionality and performance of their dApps and leave the door open to a few minor security flaws. But when it comes to smart contracts deployed on public blockchains, even the smallest vulnerability can be exploited to devastating effect by hackers, causing huge losses to the users and investors of the underlying DeFi services.
Examples of Smart Contract Vulnerability Hacks
A prime example of Smart Contract Vulnerability is the recent Harmony Protocol exploit where the hacker(s) carted away over $100m worth of crypto assets. As far back as April 2022 a cyber security expert had raised concerns about an potential vulnerability in the authorization structure for the Horizon bridge.
The protocol’s multisignature (multisig) wallet had intended for 4 signatures to validate transactions, the user alerted the team, via a twitter post, that it appeard only 2 signatures were required to initiate transactions. Barely 2 months after the vulnerability was discovered, an hacker finally found a way to exploit it.
Dozens of other DeFi protocols have suffered hacks due to Smart Contract vulnerability. Some of the other high-profile once include Meerkat Finance which lost $31 Million, just a day after launch in February 2021, and Grim Finance, a $30 Million hack where Audit firm Solidity Finance had erroneously identified a crucially missing guard as active.
In DeFi the correct execution of the smart contract code does not entirely guarantee the complete safety of the protocol.
Summarily, Phishing is a hacking technique where an attacker sends a series of fraudulent messages, emails or other forms of social engineering techniques to obtain sensitive information. Generally hackers use phishing techniques to obtain passwords, keyphrases, wallet addresses either to initiate transactions, or completely seize control of the victim’s infrastructure by deploying malicious ransomware.
Image Credit: Riki32
Examples of Phishing Hacks in DeFi
The Axie Infinity hack on the Ronin bridge is arguably the most popular phishing hack in DeFi. In March 2022, the Ronin Bridge that connects Axie Infinity’s sidechain to the Ethereum network was drained of 173,600 ETH ($590M) and another 25.5M USDC in what instantly became DeFi’s biggest exploit ever, at the time.
How did it happen? According to various media sources, it all started with a fake Linkedin job offer. The hackers, identified as the notorious North Korea based Lazarus Group, had targeted employees of Sky Mavis, the parent company/developer of Axie Infinity.
They reportedly reached out over LinkedIn and make a fake job offer. When employees took the bait, they proceeded with multiple rounds of fake interviews and capped it off with an “extremely generous” compensation package offer. The hack was set in motion when one Sky Mavis senior engineer clicked a malware-laced PDF document that supposedly containing the official offer.
— At this point hackers compromised the Engineer’s computer, then were able to obtain four of the nine nodes, which they used to validate financial transactions on Sky Mavis’ Ronin blockchain.
The play-to-earn platform instantly suspended activities and later resumed in June 2022.
When it comes to cybercrime, phishing is one of the oldest tricks in book. And it’s no surprise that it has quickly become a major threat to DeFi protocols.
51 percent attack is a popular DeFi exploit whereby an hacker or malicious group seizes control of a crucial decision-making mechanism of the DeFi protocol, by stealthily acquiring sufficient computing (hash power) or voting power.
Image Credit: Peggy und Marco Lachmann-Anke
In Proof of Work DeFi protocols, they do this by acquiring computing power, or encumbering the capacity of other miners. Conversely, on Proof of Stake protocols, they can seize control by systematically acquiring at least 51% of staking/voting power.
After seizing control, hackers typically carry out various inordinate transactions i.e. allocate tokens, alter the network’s transaction history or double-spend tokens – depending on the scope of the hack.
51% attacks are quite rare because they often require multiple actors, and huge amounts of financial and/or technical resources.
Popular 51% Hacks in DeFi
In a bid to forestall recurrence, the team proactively rasied the ETC confirmation number to 500 nodes, launched a new strict 51% detect for enhanced protection and recommended that the the ETC dev team build a new consensus mechanism (PoS for example) to better protect ETC network from a 51% attack in the future..
DeFi exploits have become an existential threat not only to a handful of victims protocols, but the survival of DeFi as a whole. In fact Research shows that susceptibility to fraud is one of the leading reason for slow crypto adoption globally. InsurAce.io is playing a crucial role ensuring that DeFi and user of DeFi protocols are well protected and insulated from any potential losses that may arise from DeFi hacks.
In our next article, we’ll examine the various “Techniques that DeFi protocols can deploy to avoid getting hacked”. Stay in touch, across all our digital channels.
Cover Image Credit: Shakti Shekhawat