The US FBI has warned that criminals are increasingly exploiting bugs in DeFi platforms to steal investors’ cryptocurrency.
DeFi (decentralized finance) is a digital financial infrastructure closely tied to the evolution of blockchain technology and built on smart contracts. Attackers are increasingly exploiting vulnerabilities in those smart contracts to drain cryptocurrency.
A smart contract is a self-executing contract with the terms of the agreement between the buyer and seller written directly into lines of code that exist across a distributed, decentralized blockchain network. "Cyber criminals seek to take advantage of investors' increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms," the FBI statement says.
The FBI says it has observed cybercriminals defrauding DeFi platforms through individual vulnerabilities affecting smart contracts and signature verification elements, as well as by chaining together several flaws to manipulate price pairs. Examples include:
- Initiating a flash loan that triggered an exploit in the DeFi platform's smart contracts, causing investors and the project's developers to lose approximately $3 million in cryptocurrency.
- Exploiting a signature verification vulnerability in the DeFi platform's token bridge and withdrawing all of the platform's investments, resulting in approximately $320 million in losses.
- Manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities, including the DeFi platform's use of a single price oracle, and then conducting leveraged trades that bypassed slippage checks and benefited from price calculation errors to steal approximately $35 million in cryptocurrency.
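The third example above turns on two design weaknesses: reading collateral or pair prices from a single spot-price source, and executing trades without a slippage bound. The model below is an added example, not code from the FBI statement or from any platform named on the page; it assumes a constant-product (x*y=k) pool with constructed reserves and a constructed trade size, and shows how far a single spot reading moves after one large swap within a block, how a time-weighted average or median over several blocks dampens that movement, and what a slippage check and a deviation guard look like as plain functions.

```python
"""Why a single spot-price oracle is fragile, and three defensive checks.

Added example. The pool reserves (1000/1000), the trade size and the
sampling window are constructed assumptions, not figures from the page.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool: reserve_a is the base token, reserve_b the quote token."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        """Quote tokens per base token, read straight from the reserves."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell amount_b quote tokens into the pool; returns base tokens received."""
        k = self.reserve_a * self.reserve_b
        new_b = self.reserve_b + amount_b
        new_a = k / new_b
        out = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return out


def manipulated_spot_price(trade_b: float,
                           reserve_a: float = 1000.0,
                           reserve_b: float = 1000.0) -> float:
    """Spot price a single-oracle consumer would read right after one large swap."""
    pool = ConstantProductPool(reserve_a, reserve_b)
    pool.swap_b_for_a(trade_b)
    return pool.spot_price()


def price_feed_over_window(window: int, manipulated_block: int, trade_b: float) -> list[float]:
    """One spot sample per block. The pool is pushed off balance in only one
    block (capital borrowed and repaid inside that block), so every other
    sample sits at the undisturbed price."""
    samples = []
    for block in range(window):
        pool = ConstantProductPool(1000.0, 1000.0)  # constructed reserves
        if block == manipulated_block:
            pool.swap_b_for_a(trade_b)
        samples.append(pool.spot_price())
    return samples


def twap(samples: list[float]) -> float:
    """Time-weighted average with equal block weights."""
    return sum(samples) / len(samples)


def median_price(samples: list[float]) -> float:
    """Median of the window: a single outlier block cannot move it."""
    return median(samples)


def within_slippage(quoted: float, executed: float, max_bps: int) -> bool:
    """Slippage check: reject execution if it deviates from the quote by more than max_bps."""
    return abs(executed - quoted) * 10_000 <= max_bps * quoted


def accept_spot_reading(spot: float, reference: float, max_deviation_bps: int) -> bool:
    """Deviation guard: only accept a live spot reading that stays close to a
    slower reference (TWAP or median); otherwise the consumer should pause."""
    return abs(spot - reference) * 10_000 <= max_deviation_bps * reference


def compare_oracles(trade_b: float, window: int = 10) -> dict:
    """Side-by-side: what spot, TWAP and median report for the same manipulation."""
    samples = price_feed_over_window(window, manipulated_block=window // 2, trade_b=trade_b)
    return {
        "spot": max(samples),          # the reading taken inside the manipulated block
        "twap": twap(samples),
        "median": median_price(samples),
    }


if __name__ == "__main__":
    print(compare_oracles(1000.0))  # constructed 1000-token swap into a 1000/1000 pool
```

With the constructed pool and a swap equal to the pool's quote reserve, the spot price quadruples inside the manipulated block while the ten-block TWAP moves to 1.3 and the median does not move at all; a consumer that requires the live spot reading to stay within a few hundred basis points of the TWAP refuses the manipulated value instead of lending or trading against it.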
FBI warning and recommendations
- Investors should research platforms, protocols and smart contracts before investing and ensure the platform has conducted a code audit.
- Investors should be watchful of DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.
- Crowdsourced solutions pose risks to vulnerability identification and patching. Open source code repositories allow unfettered access to all individuals, including those with nefarious intentions.
Some recent DeFi attacks
Hackers stole $80 million from DeFi project Qubit Finance earlier this year by exploiting a vulnerability in its QBridge protocol. Hackers also nabbed $30 million from Grim Finance in late 2021 by exploiting a flaw in its vault contract.
Chainalysis reported that 97% of the $1.3 billion in cryptocurrency stolen in the first quarter of 2022 was taken from DeFi platforms.