What’s DeFi?
Decentralised finance is blockchain applications that cut out intermediaries from financial products and services like loans, savings and swaps. It has its rewards but also carries plenty of risks. DeFi fundamentally uses blockchain technology to unlock value that traditional finance cannot. Rather than trusting a middleman like a bank or a fintech firm with their money, people trust “the code”.
DeFi Hacks
DeFi is still in its early stages but has multiplied over the past couple of years. The sector currently has over $108 billion in digital assets flowing through various projects, according to data by DeFi Llama. Same time in 2020, that number was around $1 billion. Hackers have also caught on just as quickly.
Chainalysis’s report showed that seven of the ten largest crypto thefts from January 2021 to March 2022 involved DeFi protocols. Just three targeted centralised exchanges.
According to Chainalysis, more stolen funds flowed to DeFi platforms (51%) in 2021. Centralised exchanges were the top destination of stolen funds and fell out of favour of late, receiving less than 15% of the total. More centralised crypto exchanges now have anti-money laundering and KYC (Know Your Customer) processes, which threaten the anonymity of cybercriminals.
On the other hand, open-source DeFi platforms actively shun these processes and avoid the intermediaries – thus likely to remain the top target of crypto crooks for the foreseeable future.
A list of these breaches and other fraud involving cryptocurrencies can be found in the Map of Security Breaches and Fraud Involving Crypto 2011-2021.
Where it’s heading?
The recent DeFi hacks were carried out by attackers spotting vulnerabilities in protocols and smart contracts, especially flash loan protocols and cross-chain bridges. The rising tide of digital theft impends cryptocurrency’s confidence broadly and brings down regulators’ wrath on a still-nascent industry.
Since the blockchain code is typically public, hackers can view it easier to spot vulnerabilities and manipulate the protocol to exploit them.
Due to code exploits and flash loans, the major shift in exploiting DeFi protocols in 2022, as opposed to the social engineering attacks over the years. This explains why attackers no longer rely on many people falling for phishing scams but can instead attack the DeFi protocols directly.
Cross-chain bridges have become a mark for attackers because a more extensive surface area allows for more attack vectors than a typical single blockchain. Bridges also typically have a smaller developer community, which means a smaller number of validator nodes that must sign off before transactions are recognised. In the Axie Ronin bridge attack, only five out of nine validator nodes needed to be signed, an opportunity the hacker targeted.
As the governments and regulators are increasing the focus on DeFi projects, DeFi companies need to move quickly to ensure that attackers don’t take advantage of open-source code. DeFi projects need to take a proactive, end-to-end approach to their security.
This means having smart contract audits of every line of code, both before launch and any time the code is changed.
Security measures include on-chain monitoring tools to protect smart contracts after deployment and avoid centralisation, another significant attack vector in 2021. Centralisation played a vital role in the Axie hack: The attacker managed to gain control of four Ronin validator nodes in one go through social engineering and gained access to another through a bug.
There is also a need for the community to come together, support each other, protect each other, and attempt to ward off these attackers, leveraging Web3’s community ethos. It will take a collective effort to secure the blockchain — and if the industry doesn’t provide it, Central Banks might step in.
About the Author:
Vinoth is a cybersecurity professional by heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.
