After a run of thefts from Decentralized Finance (DeFI) platforms, the Federal Bureau of Investigations (FBI) has warned that criminals are increasingly exploiting bugs in these platforms to steal investors’ cryptocurrency.
The FBI has issued a warning to investors who pour money into DeFI platforms that they could be exposing themselves to financial losses due to vulnerabilities in the smart contracts governing the platforms.
DeFi is an emerging digital financial infrastructure that theoretically eliminates the need for a central bank or government agency to approve financial transactions, and is deeply connected with the evolution of blockchain technologies.
But now the FBI warns that investors are getting burned by attackers exploiting vulnerabilities in smart contracts.
“A smart contract is a self-executing contract with the terms of the agreement between the buyer and seller written directly into lines of code that exist across a distributed, decentralized blockchain network. Cyber criminals seek to take advantage of investors’ increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms,” the FBI states.
Researchers from UK penetration testing firm Bishop Fox found that 51% of attacks on DeFI projects in 2021 exploited vulnerabilities in smart contracts, followed by platform protocol and design flaws at 18%. Most of the attacks were deemed unsophisticated.
Hackers stole $80 million from DeFI project Qubit Finance earlier this year by exploiting a vulnerability in its QBridge protocol. Hackers also nabbed $30 million from Grim Finance in late 2021 by exploiting a flaw in its vault contract.
US blockchain analysis firm Chainalysis reported that 97% of the $1.3 billion of cryptocurrency stolen in the first quarter of 2022 was from DeFI platforms. Thefts from DeFI platforms took off in 2021 when DeFI platform hacks made up 71% of financial losses, whereas previously most cryptocurrency theft targeted individual wallets or crypto exchanges.
The FBI says it has observed cybercriminals defrauding DeFI platforms through individual vulnerabilities affecting smart contracts and signature verification elements, as well as chaining together several flaws to manipulate price pairs. These include:
- Initiating a flash loan that triggered an exploit in the DeFi platform’s smart contracts, causing investors and the project’s developers to lose approximately $3 million in cryptocurrency as a result of the theft.
- Exploiting a signature verification vulnerability in the DeFi platform’s token bridge and withdraw all of the platform’s investments, resulting in approximately $320 million in losses.
- Manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities, including the DeFi platform’s use of a single price oracle and then conducting leveraged trades that bypassed slippage checks and benefited from price calculation errors to steal approximately $35 million in cryptocurrencies.
The FBI is urging investors to treat DeFI platforms with caution but also acknowledges that investment involves risk. Investors should research platforms, protocols and smart contracts before investing and ensure the platform has conducted a code audit.
The FBI also warns investors to be watchful of “DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.”
And it warns projects to be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching.”Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions,” it notes.
