Fraud Magazine, July/August 2022
Featured Article

Promises and pitfalls

Amid the current enthusiasm for all things crypto, interest in decentralized finance (DeFi) has exploded. Proponents think it will help democratize finance. But fraud is running rampant in this corner of the market. Here’s how it works and why fraud examiners should be paying attention.

On Oct. 14, 2021, Andean Medjedovic, a teenage math whiz studying at the University of Waterloo in Canada, exploited a flaw in the coding of Indexed Finance, a decentralized application for passive portfolio investments. In the process he lifted close to $16 million in token assets, shocking the founders of the startup and setting the stage for a legal fight over what constitutes fraud and the reach of law enforcement in the digital asset world.

In a complex twist on what’s known as a flash-loan attack, Medjedovic exploited a function governing how new assets are introduced to tokenized portfolios, or pools, to distort the gap between the market value of two crypto indices and their underlying net asset values (NAVs). He used a $159 million short-term, collateral-free loan (the flash loan) to sink the value of a pool of assets, which the company alleges he then bought at “a tiny fraction of their true value,” and cashed out for $15.8 million. To hide his tracks, Medjedovic ran the token assets he used to pay for the transaction through Tornado Cash, a cryptocurrency mixer that breaks the on-chain link between a deposit and the later withdrawal, according to court documents. [See “Dillon Kellar and Laurence Day (Plaintiffs) and Andean Medjedovic (Defendant),” Ontario Superior Court, Dec. 17, 2021, and “Teenage Suspect in $16M DeFi Hack Wanted for Arrest in Canada,” by Andrew Thurman, yahoo!, Dec. 22, 2021.]

That wasn’t enough to evade detection, however. Indexed Finance’s co-founder Dillon Kellar and his team soon identified the culprit, who to their amazement was an 18-year-old student living with his parents. Sensitive to the young age of Medjedovic, Kellar reportedly messaged him to say that they knew he was the attacker and would report him to law enforcement if he failed to return the money. But Medjedovic balked at the suggestion, and Indexed Finance told the police. (See “Inside the War Room: How Indexed Finance Traced Its $16M Hacker,” by Stefan Stankovic, Crypto Briefing, Nov. 3, 2021.)

This has set the stage for an interesting legal test case. (See “Code is law, or is it?” at the end of this article.) But it also serves as an example of how fraudsters are increasingly finding opportunities in what some are calling the Wild West frontier of finance. The flash loan and the mixer used in the Indexed Finance case are just two of the tools fraudsters employ to steal millions of dollars of crypto assets from decentralized finance (DeFi) platforms and apps, which still have little or no regulatory oversight.

“DeFi is pretty much unregulated right now, and anything goes, and that makes it challenging,” says Christopher DeAngelis, CFE, a senior director of fraud strategy at consumer banking company Sallie Mae.

It’s also a growing area of interest for fraud examiners who’ve been seeking to keep abreast of how criminals are exploiting what has been a bit of a regulatory no-man’s land.

“We have seen a huge demand for cryptocurrency fraud investigations in the last two years,” says John Powers, CFE, president of Hudson Intelligence, a private investigation firm specializing in asset searches and investigations of complex frauds and financial crimes.

“CFEs with an eye on the future — and those who want to maintain relevance in today’s fast-evolving, technology-driven economy — cannot afford to ignore cryptocurrency and decentralized finance,” Powers says.

Defining DeFi

But what exactly is DeFi? In short, it’s a way for individuals to carry out financial transactions directly with each other through decentralized applications (a type of app known as a DApp) using smart contracts (computer-coded instructions that run on a blockchain). Ethereum, a decentralized blockchain powered by a cryptocurrency called ether, has been the dominant player in the DeFi DApp space. Indexed Finance, for instance, provides investors with access to passive indices — not unlike investing in an index such as the S&P 500 or exchange-traded funds (ETFs) in traditional finance — but in this case through a smart contract on Ethereum’s open-source blockchain.

The idea behind DeFi is that anyone with an internet connection can participate in the world of financial services without the regulatory barriers or traditional gatekeepers, such as banks, insurance companies and brokers. For instance, an individual can act as a bank and lend to another person directly or by contributing to a pool of liquidity, and neither party needs to provide personal information. This is often done through what’s called yield farming or liquidity mining, which in its simplest terms is when people (the lenders or liquidity providers) deposit tokens in a liquidity pool on a DApp whose lending rules (its protocol) are enforced by a smart contract. Much like earning interest in a savings account, lenders receive a passive income, often in the form of tokens or fees, and borrowers in turn can draw on the liquidity pool for loans. [See “What Is Yield Farming in Decentralized Finance (DeFi)?” Binance Academy, updated March 22, 2022.]

Borrowers usually must post substantial collateral, but those with technical savvy like Medjedovic can skip collateral entirely by using a flash loan, which as the name implies is borrowed and repaid within a single blockchain transaction, in seconds. The lender needs no collateral because the repayment check is part of the same transaction: if the loan isn’t paid back by the end of it, the entire transaction is rolled back as though it never happened. (See “What are flash loans in DeFi?” by Marcel Deer, Cointelegraph, January 22, 2022.) Fraud risks and other dangers caused by human error are diminished as this is all managed through the code written into the smart contract that’s available for all to see. Or so the logic goes.
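The two ideas in the paragraphs above, a loan that is collateral-free only because the whole transaction reverts if it isn’t repaid, and a pool whose price can be pushed around inside that same transaction, can be seen together in a small simulation. The block below is an added illustration for this article, written in Python rather than the Solidity the real contracts use; it is not Indexed Finance’s code and does not reproduce the mechanics of that exploit. The token names (USD, IDX), the accounts, the reserves and the 0.09% loan fee are constructed values. The pool follows the constant-product (x·y=k) rule common to decentralized exchanges, and the “victim” is a contract that naively values tokens at that pool’s spot price:

```python
"""Flash loans and spot-price manipulation, simulated in plain Python.

Added illustration for this article, not Indexed Finance's code, and not a
reproduction of that exploit's mechanics. Token names (USD, IDX), accounts,
reserves and the 0.09% loan fee are all constructed values.
"""
from copy import deepcopy


class Revert(Exception):
    """Raised when a simulated transaction must be rolled back."""


class Ledger:
    """Balances keyed by (account, token), standing in for ERC-20 contracts."""

    def __init__(self):
        self.bal = {}

    def balance(self, acct, token):
        return self.bal.get((acct, token), 0)

    def mint(self, acct, token, amt):
        self.bal[(acct, token)] = self.balance(acct, token) + amt

    def transfer(self, src, dst, token, amt):
        if amt < 0 or self.balance(src, token) < amt:
            raise Revert(f"{src} lacks {amt} {token}")
        self.bal[(src, token)] -= amt
        self.mint(dst, token, amt)


class ConstantProductPool:
    """x*y=k swap pool (no trading fee) whose reserves double as a price oracle."""

    def __init__(self, ledger, name, usd, idx):
        self.l, self.name = ledger, name
        ledger.mint(name, "USD", usd)
        ledger.mint(name, "IDX", idx)

    def spot_usd_for(self, idx_amount):
        """USD value of `idx_amount` IDX at the pool's current spot price."""
        usd, idx = self.l.balance(self.name, "USD"), self.l.balance(self.name, "IDX")
        return idx_amount * usd // idx

    def swap(self, trader, token_in, amount_in):
        token_out = "IDX" if token_in == "USD" else "USD"
        r_in, r_out = self.l.balance(self.name, token_in), self.l.balance(self.name, token_out)
        amount_out = r_out * amount_in // (r_in + amount_in)   # keeps x*y constant
        self.l.transfer(trader, self.name, token_in, amount_in)
        self.l.transfer(self.name, trader, token_out, amount_out)
        return amount_out

    def input_needed(self, token_out, amount_out):
        """Smallest input that buys at least `amount_out` of `token_out`."""
        token_in = "USD" if token_out == "IDX" else "IDX"
        r_in, r_out = self.l.balance(self.name, token_in), self.l.balance(self.name, token_out)
        return r_in * amount_out // (r_out - amount_out) + 1


class FlashLender:
    """Lends IDX with no collateral; repayment is enforced by atomicity alone."""

    FEE_BPS = 9  # constructed 0.09% fee

    def __init__(self, ledger, name, idx):
        self.l, self.name = ledger, name
        ledger.mint(name, "IDX", idx)

    def flash_loan(self, borrower, amount, callback):
        """Hand out `amount`, run `callback`, then demand principal plus fee.
        All of it is one 'transaction': on failure the ledger snapshot is
        restored, so the lender's funds never really left."""
        snapshot = deepcopy(self.l.bal)
        try:
            start = self.l.balance(self.name, "IDX")
            self.l.transfer(self.name, borrower, "IDX", amount)
            callback()
            if self.l.balance(self.name, "IDX") < start + amount * self.FEE_BPS // 10_000:
                raise Revert("loan not repaid in the same transaction")
        except Revert:
            self.l.bal = snapshot
            return False
        return True


def build_world():
    l = Ledger()
    pool = ConstantProductPool(l, "pool", usd=1_000_000, idx=1_000_000)  # 1 USD per IDX
    lender = FlashLender(l, "lender", idx=5_000_000)
    l.mint("victim", "IDX", 100_000)  # a vault that sells its IDX at the pool's spot price
    return l, pool, lender


def run_oracle_manipulation():
    """Borrow IDX, dump it to crash the spot price, buy the victim's IDX at that
    price, buy back just enough IDX to repay, and keep the USD difference."""
    l, pool, lender = build_world()
    loan = 900_000

    def attack():
        pool.swap("attacker", "IDX", loan)               # spot price collapses
        quote = pool.spot_usd_for(100_000)               # victim trusts the manipulated spot
        l.transfer("attacker", "victim", "USD", quote)
        l.transfer("victim", "attacker", "IDX", 100_000)
        owed = loan + loan * FlashLender.FEE_BPS // 10_000
        short = owed - l.balance("attacker", "IDX")
        pool.swap("attacker", "USD", pool.input_needed("IDX", short))  # price recovers
        l.transfer("attacker", "lender", "IDX", owed)

    repaid = lender.flash_loan("attacker", loan, attack)
    return {"repaid": repaid,
            "attacker_usd": l.balance("attacker", "USD"),
            "victim_usd": l.balance("victim", "USD"),
            "fair_usd": 100_000}  # what the victim's IDX was worth before the attack


def run_unpaid_loan():
    """A borrower that keeps the funds: the check fails and nothing changes."""
    l, pool, lender = build_world()
    before = dict(l.bal)
    repaid = lender.flash_loan("thief", 900_000, lambda: None)
    return {"repaid": repaid, "state_unchanged": l.bal == before}
```

In the manipulation run the victim parts with IDX worth 100,000 USD at the pre-attack price for 27,700 USD, and the attacker walks away with 62,538 USD having started with nothing; in the unpaid run the lender’s check fails and the ledger is identical to its starting state. The lesson for anyone reviewing a DeFi contract is the one this incident illustrates: a price that can be moved and restored within one transaction is not safe to use as an oracle.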

The movement is touted as democratizing the world of money as it lowers the barriers of entry for many people who’ve traditionally been excluded from the financial system. Users can take full control of their finances without a third-party service, and assets can only be moved through instructions encoded on the DApps. [See “Decentralized finance (DeFi),” Ethereum, and “What are Decentralized Apps (Dapps)?” by Matt Hussey, Scott Chipolina and Joseph O’Neill, Decrypt, April 29, 2022.]

This technology has allowed individuals like the founders of Indexed Finance to set up what are called decentralized autonomous organizations (DAOs), which have no physical offices or headquarters and are governed by a community of members through governance tokens. “A DAO is basically a social or business organization embodied by the rules integrated into a computer-coded contract, which is under the control of organization members,” says David Utzke, Ph.D., CFE, senior director of cryptocurrency technology at MasterCard. (Until late last year, Utzke also worked at the IRS’s cybercrime unit as an expert in distributed ledger technology and digital assets.)

A myriad of businesses based on this new technology have sprung up over the last few years, producing a whole range of products and services. These include decentralized exchanges (DEXs) such as Uniswap, where cryptocurrencies and other tokens are swapped directly from a user’s wallet; NFT marketplaces such as OpenSea for trading non-fungible tokens (NFTs); asset management DApps like Indexed Finance; algorithmic stablecoins designed to track a “stable” asset like the U.S. dollar; and even prediction markets where anyone can bet on whatever outcome they please.

Growth in the DeFi space has been dramatic. According to a 2022 report by blockchain analysis provider Elliptic, total capital locked into DeFi services hit $247 billion in 2021, a 1,700% increase from 2020, while monthly trading volumes on DEXs reached $300 billion. Lending through DeFi applications — a popular activity in this space — jumped 800% to $23 billion in 2021. The recent crash in crypto assets that wiped billions of dollars from the fortunes of tech entrepreneurs this year, including Ethereum cofounder Vitalik Buterin, will no doubt diminish those numbers. Indeed, according to data provider DeFi Pulse, total value locked in the DeFi space stood at just over $55 billion on May 24, 2022, down from around $107 billion on May 8, 2021. Even so, there’s no denying the massive interest in what many are heralding as a revolutionary movement in finance. (See “Ethereum Co-Founder Vitalik Buterin Says He’s No Longer A Billionaire,” by Bibhu Pattnaik, Benzinga, May 21, 2022, and “Preventing Financial Crime in Cryptoassets, Elliptic Typologies Report 2022 Edition,” Elliptic.)

Fraud fault lines

But as with all new technology, especially ones that are outside the understanding of the vast majority of the population and involve large sums of money, opportunities for fraud abound. The decentralized nature of DeFi and the anonymity it affords participants creates some pitfalls that work to the advantage of the criminally minded. (See “5 common DeFi scams and how to protect your crypto,” by Heidi Unrau, Hardbacon, Cryptocurrency, January 19, 2022.)

“[DeFi] isn’t going to ask for proof of your identity, it isn’t going to conduct know-your-client compliance, and there isn’t someone you can call if you need customer support,” says Powers. And as the popularity of all things crypto grows, and DeFi with it, so has the number of scams associated with it. Close to 97% of all cryptocurrency stolen in the first three months of 2022 was taken from DeFi protocols, up from 72% in 2021, according to blockchain data platform Chainalysis. Theft of cryptocurrencies hit $3.2 billion last year, roughly six times the 2020 figure, and $2.3 billion of that came from DeFi platforms, Chainalysis says. Elliptic puts losses from fraud and theft on DeFi platforms last year even higher, at $10.5 billion, up from $1.5 billion in 2020. (See “The 2022 Crypto Crime Report,” Chainalysis, February 2022, and “DeFi: Risk, Regulation, and the Rise of DeCrime,” Elliptic.)

DeFi scams come in all shapes and sizes, and some take the form of a traditional hack. Take the Lazarus Group, a North Korean state hacking group, which stole about $615 million worth of digital tokens, in ether and stablecoin, from the Ronin network that supports Axie Infinity, a popular play-to-earn game. The attack was the largest DeFi hack to date and spurred the U.S. Department of the Treasury to sanction a virtual currency mixer, which illicit actors use to hide their tracks, for the first time. No flaw in a smart contract was needed in the Ronin case: the hackers obtained the private keys (secret codes, somewhat like passwords, that authorize transactions) of five of the nine validators that sign withdrawals from Ronin’s bridge, enough to meet its signing threshold, in what Chainalysis describes as a form of digital pickpocketing. (See “U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats,” U.S. Department of the Treasury, May 6, 2022; “U.S. officials link North Korean hackers to $615 million cryptocurrency heist,” by Ryan Browne, CNBC, April 15, 2022; and “DeFi Hacks Are on the Rise,” Chainalysis, April 14, 2022.)

Because of DeFi’s voguish attraction, it’s all too easy to lure investors and play on their fear of missing out (FOMO), raising fears that traditional scams, such as Ponzi schemes, are likely to thrive in this market as they have in other similar situations in the past.

“As we have seen among other technological innovations that attract exuberant investors, DeFi has also become a buzzword that has been exploited to promote fraudulent schemes,” says Powers.

Experts have been raising alarms about the potential for fraud in this space and these dangers may become even more apparent as crypto starts to lose its luster in the recent sell-off. (See “Is DeFi a $10 billion Ponzi scheme?” by Angie Lau, Forkast, Oct. 8, 2020, and “How The DeFi Space Has Become A Massive Breeding Ground For Crypto Ponzi Schemes,” by Rufas Kamau, Forbes, May 17, 2022.)

Rug pulls and other scams

The “rug pull” is a scam that’s thrived during the massive rally in crypto assets and played on people’s FOMO and the hype surrounding DeFi. As the name suggests, fraudsters pull the rug from under victims’ feet.

Fraudsters lure investors with new and exciting DeFi projects and ask them to buy the project’s token or provide liquidity for it. As the token’s price climbs amid the hype, the fraudsters cash in, typically by withdrawing the liquidity paired with the token or dumping a large holding they issued to themselves, and in some cases by stealing tokens outright from investors. Either way, the tokens left in investors’ hands are worth little if anything once the fraudsters pack up and disappear. (See “Rug pull,” Binance Academy.)

Rug pulls have increasingly hit the headlines, but in this new frontier, where dramatic swings in asset prices are common and the technology is new, it’s sometimes hard to tell what’s a scam and what isn’t. Take billionaire and star of Shark Tank Mark Cuban, who was caught off guard when he invested in a DeFi token called Titan, which last year suddenly sank from $65 to a few thousandths of a cent in a matter of hours. At the time, many thought it was a rug pull, but later reports blamed flaws in the design of the protocol’s smart contracts, set off by a sudden sell-off by large holders of the token (known as whales) that the contracts’ own rules then amplified. Iron Finance, the creators of the coin, called it the “world’s first large-scale crypto bank run.” Even so, the incident heightened focus on rug pulls and the risks associated with DeFi. (See “Why the crash of crypto token ‘titan’ that burned Mark Cuban may not foretell a bitcoin plunge,” by MacKenzie Sigalos, CNBC, June 24, 2021, and “Iron Finance Post-Mortem,” Iron Finance, June 17, 2021.)

Indeed, it was only a few months later that a true rug pull unfolded, and on a grand scale. People who bought a crypto token called SQUID, inspired by the popular Netflix program “Squid Game,” found themselves victims of the scam. Anonymous operators with no connection to Netflix created the pay-to-play token as the entry fee for a similar game that would end in a winner-take-all payout. The token, which began trading on a decentralized exchange called PancakeSwap, soared to a high of $2,861 only to fall to zero after its creators cashed out and made off with a reported $3.3 million. Like Medjedovic, the perpetrators also reportedly used Tornado Cash to cover their tracks. Experts say the telltale signs of a con in the works were the anonymity of the founders, typos in its white paper (a type of prospectus), unusual activity on its Twitter account and reports that buyers were unable to sell the token. But that did little to discourage users from buying into the project. (See “Squid Game Crypto Creators Steal Millions in Rug Pull. Here’s How to Avoid Scams,” by Emma Newbery, The Ascent, Motley Fool, Nov. 3, 2021, and “How a Squid Game Crypto Scam Got Away With Millions,” by Chris Stokel-Walker, Wired, Nov. 2, 2021.)

“We always say if it is too good to be true, it probably is,” says Katerina Gaebel, CFE, a forensic accountant at CPA firm Citrin Cooperman, who specializes, among other things, in cryptocurrency tracing and DeFi.

“It is all in the smart contract and the white paper, so you really need to look into the company before you invest those funds. Be very careful and make sure you really do your research,” Gaebel says.

The SQUID token was issued on Binance Smart Chain (BSC), a blockchain designed for the development of decentralized applications. Binance said it has worked to identify and blacklist the developers’ addresses and is trying to help law enforcement track down the perpetrators. But the company’s co-founder and CEO Changpeng Zhao was quick to point out that the decentralized nature of DeFi makes it difficult for Binance to prevent these types of frauds.

“The truth is, SQUID won’t be the first or last DeFi scam,” he says on Binance’s blog. “I think it’s important here to explain that blockchains like Binance Smart Chain (BSC) and Ethereum are open source. We don’t have any control or influence over projects that are built on the network. Because BSC is entirely community driven, governance-related decisions would need to be coordinated by the community.” (See “Avoiding Cryptocurrency Scams: Squid Game Token and Other Defi Risks,” by CZ, Binance, Nov. 4, 2021.)

Outsmarting smart contracts

Even so, sometimes it’s just victims’ blind faith in the technology that provides an opening for fraudsters. Powers recalls one recent scheme where the fraudster solicited investors to participate in a liquidity mining program with Tether (USDT), a stablecoin pegged to the U.S. dollar. As described earlier, this is a way for holders of tokens to receive a passive income by contributing to the liquidity pool of a DeFi project. In this case, investors were instructed to pay a “miner’s fee” equivalent to around $20 by signing a transaction from their cryptocurrency wallet to a contract address. They soon started receiving payments, which were deposited into their wallets.

“It seemed like easy money, and it seemed secure, because all of their assets were still being held in their private wallet at a well-known commercial cryptocurrency exchange,” says Powers. But investors didn’t realize, until it was too late, that the transaction they had signed to pay the miner’s fee also granted the fraudster’s contract an unlimited allowance over their Tether (the standard “approve” permission that lets one address spend tokens held by another), letting the fraudster pull Tether from their wallets at any later time without asking again.

“After the victims of this scheme had emptied their personal bank accounts and borrowed as much money as possible from family members — pouring their life savings into crypto — the fraudsters used the unlimited allowance contract to instantly empty their wallets of every last Tether token,” Powers recalls.

As this example shows, smart contracts, while providing the foundation of the automated DeFi ecosystem, can also be used in nefarious ways, especially among people who can’t read code or necessarily understand the mechanics of DeFi.

“The fact that there was a smart contract involved does elevate this case at some level to decentralized finance activity,” says Powers. “But other than the ripcord the fraudsters used to pull the funds, there wasn’t much there that was actually DeFi in this case.”

The purported liquidity pool never existed. The fraudsters’ pitch to investors was really just a setup for simple larceny, says Powers. If the victims could’ve read the code in the contract, they’d have saved themselves a lot of grief. Getting to the code is typically easy: a contract’s compiled bytecode is permanently on the blockchain, and where its developers have published and verified the source, a block explorer such as etherscan.io shows it in readable form alongside the contract address (a contract whose source hasn’t been verified is itself a warning sign). The white paper released with a DeFi project describes what the code is supposed to do. However, short of taking a course, the average person lacks the understanding to read even the most basic code.
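What the victims signed was not a payment but a permission, and the one check that would have exposed it is mechanical: decode the transaction’s data field before approving it. The block below is an added example for this article, written in Python rather than Solidity; it is not the fraudsters’ contract or any wallet’s code. It decodes the three ERC-20 calls that matter here, flags an `approve` whose amount is effectively unlimited or larger than the fee the user expects to pay, and builds the `approve(spender, 0)` call that revokes an allowance once granted. The function selectors are the standard ERC-20 ones (the first four bytes of the keccak-256 hash of each signature, hard-coded here); the spender and owner addresses and all amounts are constructed:

```python
"""Decode ERC-20 calldata and flag unlimited token approvals.

Added example for this article (Python, not Solidity); not the fraudsters'
contract nor any wallet's code. Selectors are the standard ERC-20 ones; the
spender, owner and amounts below are constructed values.
"""

UINT256_MAX = 2**256 - 1
APPROVE, TRANSFER, TRANSFER_FROM = "095ea7b3", "a9059cbb", "23b872dd"
SELECTORS = {
    APPROVE: ("approve", ("address", "uint256")),
    TRANSFER: ("transfer", ("address", "uint256")),
    TRANSFER_FROM: ("transferFrom", ("address", "address", "uint256")),
}
SPENDER = "0x" + "11" * 20   # constructed: the scam contract's address
OWNER = "0x" + "22" * 20     # constructed: a victim wallet


def _unhex(s):
    return bytes.fromhex(s[2:] if s.startswith("0x") else s)


def encode_call(selector, *args):
    """ABI-encode static arguments: each address or uint256 is one 32-byte word."""
    out = bytes.fromhex(selector)
    for a in args:
        if isinstance(a, str):                       # address, left-padded with zeros
            out += _unhex(a).rjust(32, b"\0")
        else:                                        # unsigned integer, big-endian
            out += int(a).to_bytes(32, "big")
    return "0x" + out.hex()


def decode_call(calldata):
    """Return {'function', 'args'} for the three ERC-20 calls, else function=None."""
    data = _unhex(calldata)
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"function": None, "selector": sel, "args": []}
    name, types = SELECTORS[sel]
    if len(data) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match " + name)
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if t == "address":
            if any(word[:12]):                       # padding must be all zeros
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args}


def audit_call(calldata, expected_tokens=None, decimals=6):
    """Flag what a wallet prompt should show before the user signs.

    `expected_tokens` is what the user believes they are paying (e.g. a $20
    'miner's fee'); `decimals` defaults to USDT's six."""
    d = decode_call(calldata)
    flags = []
    if d["function"] == "approve":
        spender, amount = d["args"]
        if amount >= 2**255:                          # effectively unlimited
            flags.append("UNLIMITED_APPROVAL")
        elif expected_tokens is not None and amount > expected_tokens * 10**decimals:
            flags.append("APPROVAL_EXCEEDS_EXPECTED")
        if amount == 0:
            flags.append("REVOCATION")
    elif d["function"] == "transferFrom":
        flags.append("ALLOWANCE_PULL")                # spends someone else's tokens
    d["flags"] = flags
    return d


def revoke_calldata(spender):
    """approve(spender, 0): the way to cancel an outstanding allowance."""
    return encode_call(APPROVE, spender, 0)


if __name__ == "__main__":
    samples = (encode_call(APPROVE, SPENDER, UINT256_MAX),        # what the victims signed
               encode_call(APPROVE, SPENDER, 20 * 10**6),         # a genuine $20 fee
               encode_call(TRANSFER_FROM, OWNER, SPENDER, 5_000 * 10**6),  # the drain
               revoke_calldata(SPENDER))
    for data in samples:
        print(audit_call(data, expected_tokens=20))
```

The first sample is the shape of the “miner’s fee” transaction described above: an `approve` for 2^256−1 tokens, which a decoder flags immediately even though the wallet balance looks untouched. The third is what the fraudsters sent later, a `transferFrom` that needs no signature from the victim at all, which is why “all of their assets were still in their private wallet” offered no protection. Anyone who has already granted such an allowance can only close it with the zero-amount `approve` that `revoke_calldata` produces.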

In contrast, fraudsters have the time and the incentives to become skilled in the art of coding or at least can find an expert to help them on the darknet. “It is a different unique skill set to find those vulnerabilities (in the code), but more and more fraudsters are moving on from the older more traditional ways of doing fraud because this might be more lucrative,” says DeAngelis.

While touted as being accurate, transparent and secure, smart contracts and the code that instructs them to carry out certain tasks are far from fail-safe. Indeed, smart contracts aren’t necessarily that smart and are often simpler than some people might expect. Computer scientist and cryptographer Nick Szabo, who came up with the term smart contract in the mid-1990s, equated the process to a vending machine that honors the terms of a contract when someone inserts the right amount of money into it. And the people who write the code for the smart contracts that run the DApps in DeFi systems aren’t necessarily skilled in the security aspects of the technology.

“The vulnerabilities are usually in the contracts themselves, not the tokens,” says Utzke. “Part of the problem is that contract development has become so easy, and you have these old web developers who have seen the opportunity to make a lot of money by developing these smart contracts. They have a development environment that helps them code, but they don’t understand blockchain and the security issues in creating these smart contracts. That is where we are getting a lot of these security vulnerabilities.”

Indexed Finance is a more sophisticated example of how fraudsters can exploit the code that runs DeFi exchanges and other businesses. But there are multiple other cases where poorly constructed smart contracts were easily exploited. In one example, hackers stole over $31 million in digital tokens from DeFi project MonoX last year after finding that its swap function accepted the same token as both the input and the output of a trade; by repeatedly swapping MONO for MONO they drove up the price the contract assigned to the token, then cashed out. “Days like yesterday are horrible, there is no sugar coating the harsh reality of a contract being exploited and people losing money,” MonoX said at the time. (See “Exploit: Post Mortem,” MonoX, Dec. 1, 2021, and “Really stupid ‘smart contract’ bug let hackers steal $31 million in digital coin,” by Dan Goodin, Ars Technica, Dec. 1, 2021.)

Regulators close in

The rise of fraud and other criminal activities connected to DeFi has spurred regulators and law enforcement to intensify scrutiny of this growing corner of the financial market, which still has little oversight except for the code that runs the system. Last year, the Securities and Exchange Commission (SEC) signed a contract with cybersecurity firm AnChain.AI to help it analyze and trace smart contracts. In January, it released a proposal that market participants thought would expand its regulatory oversight of exchanges, including certain DeFi protocols. And in May, the SEC nearly doubled the size of its newly renamed Crypto Assets and Cyber Unit to around 50 dedicated positions. (See “AnChain.AI Raises $10 Million and Wins SEC Contract to Monitor Crypto and Digital Assets,” AnChain.AI, PRNewswire, Sept. 1, 2021; “SEC Proposes Rules That Could Regulate DeFi, Extend to Aspects of Centralized Crypto Exchanges,” Goodwin, JD Supra, January 31, 2022; and “SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit,” SEC, press release, May 3, 2022.)

“Right now, we just don’t have enough investor protection in crypto. Frankly, at this time, it’s more like the Wild West,” SEC Chair Gary Gensler said in August last year. “This asset class is rife with fraud, scams, and abuse in certain applications.” (See “Remarks Before the Aspen Security Forum,” by Gary Gensler, SEC, Aug. 3, 2021.)

That same month, the SEC charged two Florida men over the unregistered sale of more than $30 million of securities using smart contracts, the regulator’s first-ever case involving DeFi technology. Market players saw this as a significant move because the SEC determined that the tokens issued by the company, DeFi Money Market, were securities and hence fell under its remit, and that the offering broke the law and involved fraud. That decision defied a common assumption in the crypto world that because DeFi is decentralized and automated by code, it’s a no-go area for regulators. (See “SEC Charges Decentralized Finance Lender and Top Executives for Raising $30 Million Through Fraudulent Offerings,” SEC, Aug. 6, 2021, and “SEC Defies ‘DeFi’ Market Convention and Advances Chairman Gary Gensler’s ‘Duck Test,’” by Michael Zuppone, Paul Hastings, Aug. 11, 2021.)

Lawmakers in Europe are also cracking down on crypto assets. Earlier this year two committees in the European Union parliament voted to prohibit anonymous crypto-asset transactions. (See “EU committees support legislation that would ban anonymous crypto-asset transactions,” by Duncan Riley, SiliconANGLE, March 31, 2022.)

“Even though DeFi is not heavily regulated yet, it is going to head there, and as it heads there nobody wants to be caught in the crosshairs,” says Ken Matz, CFE, director of solutions development at IT consulting and services firm Zencos. “It is just a matter of time for this to catch on with the regulators.”

Indeed, as DeFi increasingly comes under the spotlight, the demand for cryptocurrency fraud investigation skills will only grow, opening opportunities for CFEs with the right skills to understand this burgeoning corner of the finance market.

Paul Kilby is former editor-in-chief of Fraud Magazine. Contact him at pkilby@ACFE.com.


Code is law, or is it?

When Indexed Finance tracked down Andean Medjedovic and accused him of fraudulently exploiting its decentralized investment portfolio platform, the 18-year-old hacker balked and leaned on an unusual defense, but one commonly propounded by some in the online community.

Medjedovic has been claiming the “code is law” defense. It posits that computer code sets the rules of the digital world, so whatever the code allows, including exploiting a vulnerability in it, is lawful. Unsurprisingly, regulators and lawyers take umbrage at this notion. “I disagree with this fundamental premise. Case law, statutes, and regulations are the law,” Brian D. Quintenz, then-Commissioner of the Commodity Futures Trading Commission (CFTC), said in 2018. “They apply to the code, just as they apply to other activities, contracts, or agreements.” (See “Remarks of Commissioner Brian D. Quintenz at the 38th Annual GITEX Technology Week Conference,” CFTC, Oct. 16, 2018.)

Dillon Kellar, Indexed Finance’s co-founder, and Laurence Day, a software engineer at the company, aren’t buying the theory either and have called Medjedovic’s actions civil fraud. They argue in court documents that Medjedovic knowingly made a false representation by deliberately manipulating the value of the index, and as a result he caused tokenholders significant losses by buying their tokens at deflated prices. And while the case might not match the traditional definition of fraudulent misrepresentation as it involved the manipulation of smart contracts, it involved computer deception and market manipulation, according to court documents. [See “Dillon Kellar and Laurence Day (Plaintiffs) and Andean Medjedovic (Defendant)," Ontario Superior Court, Dec. 17, 2021.]

Kellar and Day have sued Medjedovic and obtained a so-called Anton Piller order, a civil search order, to locate passwords and other evidence that could lead to the stolen tokens, reportedly the first time one has been granted in a cryptocurrency case. Indeed, legal experts in Canada see this as a test case for the “code is law” defense. (See “A legal case involving the hack of crypto platform Indexed Finance will be first to challenge the ‘code is law’ defence,” Bitcoin Insider, May 19, 2022.)
