Large-Scale Hacks Illustrate DeFi Vulnerabilities

While DeFi might hold a lot of promise for proponents of cryptocurrency and whatever Web 3.0 becomes, these large-scale losses show that the platforms and apps feature several serious, exploitable fraud risks.

The term decentralized finance, or DeFi, is a buzzword appearing recently as a significant component of the Web 3.0 future of the internet that many seem to believe is inevitable. As with cryptocurrency technology before widespread adoption, DeFi can seem novel and promising, yet ultimately confusing to those unfamiliar with the associated concepts. However, that has not stopped the rapid growth of the industry backed by massive amounts of funding in a race to stake claims on the essential infrastructure of the supposed next phase of the internet. 
Unfortunately, new and complex technologies operated by companies looking to establish themselves quickly are often targeted by cyber fraudsters who understand the technology enough to identify vulnerabilities and exploit them. The losses caused by these exploitations can reach staggering figures — and already have on several occasions in 2022. 

There are many different functions and designs when it comes to DeFi, but some common characteristics and concepts can confuse unfamiliar parties. Here are some of the notable terms and technologies explained.

What is DeFi?
According to the website of Ethereum blockchain, which many DeFi platforms operate on or interact with, DeFi is “an open and global financial system built for the internet age — an alternative to a system that’s opaque, tightly controlled and held together by decades-old infrastructure and processes … DeFi products open up financial services to anyone with an internet connection and they’re largely owned and maintained by their users.” DeFi platforms or applications operate on public blockchains and are designed to use cryptocurrencies. 
The financial services that DeFi platforms offer include, but are not limited to:

• International and domestic transfers
• Lending
• Asset trading
• Derivatives trading
• Interest-earning savings accounts
• Insurance

The decentralization aspect — more specifically, the lack of a central authority that oversees, manages and has ultimate responsibility over an organization or system — appeals to many who are disenfranchised or dissatisfied with legacy financial systems; but it also provides little recourse for users when errors or exploits occur.

What is a smart contract?
A smart contract is program on a blockchain that automatically initiates a transaction once certain conditions are met, removing the need for an intermediary. The most popular blockchain for smart contracts is the Ethereum blockchain. The most simplistic analogy for a smart contract is a vending machine: if someone puts in a dollar and selects a snack using a keypad, the vending machine drops the snack; no intermediary, such as a cashier, is required for this transaction to occur.

What are bridge protocols?
Public blockchains are generally self-contained and not designed to interact with other blockchains. For example, the Bitcoin and Ethereum blockchains are independent; a user can’t send bitcoin to another user on the Ethereum blockchain, just like a user can’t send ether to an address on the Bitcoin blockchain. 

Blockchain bridges, which feature unique bridge protocol coding or programming, allow people to move digital assets from one blockchain to another. Many DeFi platforms or apps are designed to facilitate such a transfer of assets through novel communication protocols.

What is wrapped cryptocurrency?
Wrapped cryptocurrency is a means for using one cryptocurrency on a different blockchain by converting an amount of cryptocurrency into a token whose value is pegged to that of another cryptocurrency or asset. This requires a custodian to essentially underwrite these transactions and have enough cryptocurrency reserves to support the pegged values of the tokens — DeFi platforms or apps serve as that custodian to facilitate cross-chain transactions. 

So, a DeFi application might allow a vendor who has been paid in bitcoin for a service to “wrap” that amount of bitcoin and transfer that value to the Ethereum blockchain so that they can purchase a digital asset that exists only on the Ethereum blockchain.

What is a flash loan?
This financial product is a recent phenomenon that was first offered through DeFi platforms in 2020. It is essentially an uncollateralized loan that must be repaid almost immediately. Flash loans use smart contracts to stipulate both the lending and repayment of the loan and are generally used for quick trading of cryptocurrency assets — often to take advantage of different valuations of cryptocurrency assets on different exchanges. 

So, a flash loan contract might stipulate a loan to purchase 1 coin valued at $5 on platform A, the sale of the same coin on platform B where it is valued at $6, and the repayment of the original loan, with the flash loan recipient pocketing the $1 difference. 

What is a stablecoin?
A stablecoin is a type of cryptocurrency that attempts to peg its value to a reserve asset, often a fiat currency such as the U.S. dollar, to reduce the volatility in price typical of many other cryptocurrencies.

Major DeFi Hacks in 2022
In early February, attackers targeted a vulnerability in the design of Wormhole, a platform designed to serve as a communication bridge between the Solana blockchain and other DeFi blockchain networks. The attackers transferred out 120,000 “wrapped ether” (wETH) cryptocurrency assets belonging to Wormhole, which were worth approximately $320 million at the time of the theft.

In March, Ronin Network, another bridge protocol, set a record for the costliest DeFi hack in history. Cryptocurrency assets valued at approximately $625 million at the time they were stolen as a result of a security breach. According to the company, the attackers used social engineering to acquire private keys and credentials they used to forge fake withdrawals of the cryptocurrency assets. The Ronin Network serves as a critical component of the popular Axie Infinity blockchain-based game that allows users to collect and breed digital creatures, then sell them to other users. The company said it would work with “law enforcement officials, forensic cryptographers and our investors to make sure there is no loss of user funds.” Blockchain analysts and U.S. authorities attributed the attack to the North Korean state-sponsored hacker group Lazarus.

In April, Beanstalk Farms, another DeFi project, had cryptocurrency assets valued at approximately $182 million stolen after an attacker used a flash loan through a different DeFi platform to acquire nearly $1 billion worth of cryptocurrency assets — and then used those assets to acquire a majority voting stake in Beanstalk Farms. With the supermajority secured, the attacker exploited the Beanstalk Farms’ majority vote governance system to authorize a transfer of cryptocurrency assets to a wallet they controlled, then instantly repaid the flash loan with approximately $80 million of cryptocurrency assets left as profit. The attack prompted the value of the Beanstalk stablecoin BEAN to drop approximately 86% once the company confirmed the loss.
What this could mean for the future

These three high-profile attacks totaled more than $1.1 billion in cryptocurrency asset losses based on the values at the time of the attacks. They utilized three different tactics to quickly extract large sums of cryptocurrency: exploitation of a security vulnerability, social engineering and exploitation of a flaw in a blockchain’s design.
While DeFi might hold a lot of promise for proponents of cryptocurrency and whatever Web 3.0 becomes, these large-scale losses show that the platforms and apps feature several serious, exploitable fraud risks. This high level of fraud risk should be acknowledged and accounted for in any transactions or business dealings that involve DeFi platforms or apps until best practices for security and/or design are established, and a larger pool of experts capable of auditing DeFi platforms’ programming is developed.