Decentralized finance transactions and their use of smart contracts are examples of where innovation and economic growth in the e-payment space may be outpacing security capabilities and investments, according to crypto experts in the aftermath of the massive hack of Poly Network.
On Aug. 10, a malicious hacker exploited a smart contract in order to steal roughly $611 million in digital coins from Poly, a protocol-based service that allows users to exchange one form of cryptocurrency for another. These peer-to-peer transactions are a form of decentralized finance, or DeFi, which is based on blockchain technology and cuts out intermediary agencies such as banks, brokerages and exchanges.
Most economic growth in crypto is happening in DeFi right now, and hacks of DeFi services have increased alongside the growth of DeFi in general,” said Kim Grauer, director of research at Chainalysis. “There has been more activity, and thus there have been more exploits.”
A CipherTrace report released earlier this month found DeFi hacks were responsible for $361 million in losses from January through July 2021 – a 2.8x increase over all of 2020, while other forms of crypto fraud actually decreased. Among the most recent DeFi hacking victims: cross-chain crypto-swapping protocols Bondly, AnySwap and ThorChain.
So what is it that makes DeFi such a cybercrime hotspot lately?
“The biggest cyber risks associated with DeFi transactions are sloppy and malicious smart contracts that can be exploited to manipulate prices and steal investments,” John Jefferies, chief financial analyst at CipherTrace, told SC Media. Moreover, “the anonymous nature of decentralized finance can present insider risks when there is an overreliance on a single developer or the code lacks adequate peer reviews.”
Smart contracts are essentially computer programs, stored on a blockchain, that are designed to automatically self-execute when the terms of an agreement between two parties is met. Despite their inherent conveniences, “interdependence between smart contracts creates a lot of complexity,” said Jefferies. Moreover, they are “vulnerable to most of the same exploits as other software – but they are very new and few developers have deep experience developing them.”
And because the tech is a newer e-payment innovation, it’s not surprising the crypto security community is now playing catchup as hackers take advantage of these emerging exploits. That’s why “DeFi platforms, like other emerging technologies, need to prioritize security and continually test and investigate the smart contracts and protocols in place,” said Grauer.
Indeed, “I foresee the next wave of cyber innovation taking place specifically in cryptocurrency,” Jeffries said. “We have already witnessed crypto exchanges hardening their security, and I expect security for decentralized exchanges to improve dramatically in the coming months as the space matures and billions of dollars are locked up in smart contracts.”
Additionally, he continued, “audits standards will emerge to improve the security posture of smart contract and DeFi infrastructure. Continuous monitoring will provide anomaly detection to identify these hacks as they happen.”
Jeffries also predicted the further development and emergence of mempool tools “to predict hacks and market manipulation before they even occur.” A mempool provides a cryptocurrency node with a way of storing unconfirmed transactions in a virtual waiting room of sorts until they can be confirmed and added to a block.
Meanwhile, current best practices for key management, said Jeffries, includes “use of split keys and hardware security modules to protect key matter and authentication.”
Jeffries noted that, compared to 30 confirmed DeFi attacks that took place in the first half of 2021, the Poly Networks incident “was considerably more sophisticated.”
“In this case, the attack was against Poly Network’s infrastructure, focusing on the DeFi platform itself and targeting control of the decentralized exchange’s smart contracts. As a result, the main cross-chain contract became completely controlled by the hacker, allowing him to unlock tokens that were supposed to be locked within the contract, send the tokens to addresses under their control, and then repeat the attack across chains… Once the hacker moved funds across chains it made it impossible to freeze those funds on that chain.”
The good news, said Grauer, is that despite the vulnerabilities in smart-contract transactions, the underlying blockchains are transparent, which makes it easier for forensic analysts to trace and monitor an exploit. So even if hackers are able to pull off a heist, they may struggle to get away with it in the long run.
“It would have been very difficult for the attacker to launder and cash out the hacked funds with the eyes of the industry on it,” said Grauer.
Perhaps that’s among the motivations for the hacker ultimately returning all of the stolen $611 million to Poly Network.
Earlier this month, the blockchain ecosystem security company SlowMist composed a technical write-up of the incident and its root cause, while an SC Media report just this week looked at the strange dynamics of the negotiation that took place between the malicious actor and Poly Network.
