The FBI’s public notice this week warning of growing exploits aimed at defrauding cryptocurrency customers was not exactly a surprise for industry experts who have noted the increase in attacks on decentralized finance (DeFi) platforms.
However, it has provided much-needed fodder for white-hat researchers pressing the industry for greater transparency and scrutiny of the opportunities DeFi presents to attackers as losses mount.
“The explosive growth and high returns of the DeFi ecosystem have lured many early adopters to embrace blockchain technologies, such as smart contracts. However, early investors should be wary,” said Michael Oglesby, executive vice president for security services and innovation at Cerberus Sentinel.
“Most DeFi systems have little protection or safety nets in place to prevent catastrophic loss from a fraudulent attack,” Oglesby said. As the FBI reported in its public service announcement, and SC Media reported on Tuesday, fraudsters took at least $1.3 billion in cryptocurrency in the first three months of this year alone, with nearly 97% of that coming from DeFi platforms, based on research from Chainalysis, a U.S.-based blockchain analytics firm.
According to the FBI’s Internet Crime Complaint Center advisory, this represents a significant jump from 72% taken from DeFi platforms last year, and 30% in 2020.
Roger Grimes, data-driven defense evangelist at KnowBe4, pointed out that this is a continuation of a trend that has been growing for a while.
“Many billions of dollars of value have been stolen and scammed from cryptocurrency customers each year for years. This year looks no different,” Grimes said. “Most cryptocurrency thefts happen because of two reasons: social engineering and buggy software or contracts.”
Much like many financial cyberattacks, these crypto-threats often begin with simple, old-fashioned social engineering. Indeed, Grimes estimated that seven to nine out of 10 of all successful attacks on cryptocurrency and DeFi platforms begin with social engineering.
“And it isn't just against regular end-users and customers,” Grimes added. “Many times the social engineering is used against a legitimate crypto vendor to compromise their services, which is then used to steal things of value from the compromised vendor's customers.”
Jeff Williams, co-founder and CTO at Contrast Security, pointed out that, “People are putting their faith in crypto algorithms and protocols, and only time will tell if they are right or not. But even if they are perfect, there is a lot more to DeFi platforms than just crypto.”
According to the FBI’s PSA, “Cyber criminals seek to take advantage of investors’ increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open-source nature of DeFi platforms.” This has resulted in a number of large individual attacks in recent months, including a “flash loan” related exploit that caused investors and developers to lose roughly $3 million in one theft reported to the Bureau, and a signature verification vulnerability in a cryptocurrency bridge that led to a $320 million heist, according to the FBI’s release.
Banks and other enterprises are looking to decentralized systems to update their online and mobile offerings. So, understandably, the financial industry may have concerns that the same attacks that have stolen billions in cryptocurrency might compromise their data and accounts.
“These platforms are just software, and they require high security authentication, access control, input handling, attack detection and response, use of open source, IaC security, and much more,” Williams said. “Unfortunately, even the largest financial institutions struggle with high rates of software vulnerabilities, over 30 serious problems per application on average.”
Oglesby cautioned DeFi investors to scrutinize not only the “financial merits of a project before investing but also carefully review the cyber security practices of the developers and the platform.” Investors should look for well-vetted and independently tested platforms built on proven cybersecurity technologies, he advised.
“Unfortunately, given the relative immaturity of the DeFi space, finding these projects can be difficult,” Oglesby said. “Investors should consider these risks before risking their hard-earned dollars.”