How hackers withdraw billions of dollars in cryptocurrency from decentralized protocols

“Such an advanced technology.” Why 2022 is a record year for hacking DeFi projects

15.10.2022


Cryptocurrencies remain a target for hackers despite a falling market. Crypto assets stolen in the first two weeks of October alone are estimated at $718 million, and 2022 has set a record for the total amount stolen from blockchain projects. According to the analytics company Chainalysis, whereas just two years ago exchanges were the main target of hackers, this year the overwhelming majority of hacks involve decentralized finance (DeFi) services.

DeFi protocols use smart contracts to let users exchange, trade, and lend without a centralized intermediary. According to DefiLlama, the total value locked (TVL) in DeFi projects exceeds $54 billion. The impossibility of rolling back transactions, the relative anonymity of the space, and the lack of cybersecurity standards make the sector especially attractive to hackers.

“October is now the biggest month in the biggest year ever for hacking activity,” Chainalysis representatives wrote on Twitter, commenting on the published statistics on hacks. Four DeFi projects were hacked in just one day. The Solana blockchain-based platform Mango (SOL) lost $100 million worth of MNGO tokens owned by investors. The hacker used the same tokens to artificially inflate their price and manipulate voting in the service's DAO.

On the same day, as a result of the exploit, $2.3 million in assets were withdrawn from the Temple DAO project, as well as smaller amounts from the ParaSwap and RabbySwap protocols. Amid numerous thefts and hacks, the meme “hacktober” emerged in the cryptocurrency community.

Who was hacked in 2022

The main target of hackers has been so-called cross-chain bridges, which allow cryptocurrencies to be exchanged between different blockchains. Chainalysis analysts estimate the total stolen through bridge hacks at more than $600 million, or 64% of DeFi projects' losses for the current year.

The most notorious attack of 2022 was the one on the blockchain game Axie Infinity. The hack of its Ronin Network sidechain resulted in the theft of 173,600 ETH and $25.5 million in USDC stablecoins. At the time of the attack in March, these assets were valued at $625 million, an all-time record loss for the entire crypto world.


In 2016, the hack of TheDAO project led to a rollback of the Ethereum blockchain: a fork of the main network was created to return funds to affected users. This caused a major stir in the community and led to the emergence of the Ethereum Classic (ETC) cryptocurrency, and Vitalik Buterin and other developers are still reminded of the controversial decision to fork. By comparison, the damage from the TheDAO hack ($60 million) was ten times less than Axie Infinity's and noticeably lower than that of the other DeFi services affected in 2022.

In this year's ten largest hacks, attackers withdrew more than $1.8 billion worth of crypto assets. The list includes the aforementioned Ronin Network sidechain ($625 million), the Wormhole protocol ($325 million), the Nomad bridge ($190 million), the Wintermute market maker ($160 million), the Binance exchange bridge ($100 million), the Harmony project bridge ($100 million), the Mango platform ($100 million), the Qubit Finance lending protocol ($80 million), the Beanstalk protocol ($80 million) and the joint Fei and Rari platform pools ($80 million).

How hacks work

There are several possible scenarios for attacks on DeFi protocols. First, a hacker can discover a vulnerability in the internal infrastructure of a project. This could be the blockchain it runs on, elements of the web interface, or the tools used to handle private keys. Attackers often gain access to keys by spreading malware through social engineering, phishing, or fake job offers, as in the case of Axie Infinity.

Another category of hacks involves exploiting vulnerabilities in the smart contract code. A hacker skilled in the necessary programming language (most often Solidity) can find vulnerabilities in the source code. For example, when a vulnerable project contract sends tokens to an attacker-controlled contract, code in the receiving contract may be triggered mid-transfer, which opens the door for the hacker to drain all the tokens held by the protocol.

Some attackers find errors in the business logic of decentralized applications that allow them to be used in ways the developers did not intend. For example, a decentralized exchange (DEX) may incorrectly calculate the value of the tokens received in a swap. The withdrawal of funds from the Nomad bridge is an example of an error in contract logic. New DeFi projects often reuse someone else's source code by creating a fork, copying bugs that attackers can exploit again.

Many attacks exploit the interaction between multiple applications, for example when a hacker uses a logic error in one protocol to appropriate assets held in another. So-called flash loans let anyone borrow any quantity of tokens from the liquidity pools of protocols such as Aave without posting collateral, as long as the loan is repaid within the same transaction. This is what happened with the Nereus Finance platform and a number of other projects.
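To show why a flash loan needs no collateral, here is an added, simplified lender in Solidity. It is not Aave's code; `FlashPool`, `IFlashBorrower`, `onFlashLoan` and the fee value are assumptions for the illustration. The pool lends the tokens, calls back into the borrower, and then checks its own balance: if the borrower has not returned the principal plus the fee by the end of the call, the `require` reverts the entire transaction, including the loan itself, so the pool never ends up short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration of the flash-loan mechanism; not Aave's code.
// FlashPool, IFlashBorrower, onFlashLoan and FEE_BPS are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IFlashBorrower {
    // Called by the pool after the tokens are sent. The borrower must have
    // moved amount + fee back to the pool before this function returns.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract FlashPool {
    uint256 public constant FEE_BPS = 9; // 0.09% fee, a constructed value
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Anyone may call this; msg.sender must be a contract implementing
    // IFlashBorrower, otherwise the callback reverts and nothing is lent.
    function flashLoan(address token, uint256 amount, bytes calldata data) external nonReentrant {
        IERC20 t = IERC20(token);
        uint256 balanceBefore = t.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        require(t.transfer(msg.sender, amount), "send failed");
        IFlashBorrower(msg.sender).onFlashLoan(token, amount, fee, data);

        // Atomic repayment check: everything above is undone unless the
        // borrower returned amount + fee within this same transaction.
        require(t.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");
    }
}
```

The balance check is the only guarantee the pool needs, because on-chain execution is atomic: a transaction that fails this `require` leaves no trace except the gas spent. The same atomicity is what lets a borrower execute large trades or votes on other protocols in the window between the transfer and the check, which is why the article's flash-loan attacks are really logic errors in those other protocols, not in the lender.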

Speaking to Fortune reporters, Erin Plante, vice president of investigations at Chainalysis, said that the first step toward solving security problems is making extremely rigorous code audits “the gold standard”, both for the developers who create protocols and for the investors who evaluate them.

Where is it safer for an investor?

According to a joint report by Chainalysis and Bitfinex Exchange published on October 13, the majority of investors still prefer centralized exchanges (CEX) to store assets. Analysts attribute this, among other things, to the fact that decentralized platforms are more vulnerable to hacking attacks.

Researchers note that the amount of money stolen from centralized crypto exchanges fell 58% from 2018, when the amount of damage was estimated at $972 million, to $413 million recorded in 2021. This year, Chainalysis estimates the amount stolen at $80 million.

In a comment for Cointelegraph, Paolo Ardoino, chief technology officer of the Bitfinex exchange, also pointed to the growing resilience of centralized exchanges to hacker attacks. At the same time, Ardoino advises using non-custodial and, if possible, hardware wallets to keep funds safe, and enabling two-factor authentication and the other security measures available for the account when working with exchanges.

Despite numerous hacks, Ardoino sees DeFi as an interesting trend that could contribute significantly to the overall growth of cryptocurrencies.

How hackers are being prosecuted

In August, the US Federal Bureau of Investigation (FBI) issued a warning to investors about the risk of cybercrime in DeFi. Representatives of the bureau named three of the most popular attack vectors and urged citizens to carefully examine platforms, protocols, and smart contracts before investing.

That same month, US regulators imposed sanctions on the Tornado Cash cryptocurrency mixer code, which many of the DeFi hackers used to make it harder to track the movement of stolen assets.

In September, US authorities were able to seize $30 million in cryptocurrency that had been stolen from the Ronin Network sidechain by hackers in March 2022. The recovery was a record amount for law enforcement agencies in the United States. Some of the stolen assets were traced and frozen in accounts at Binance and other cryptocurrency exchanges.

Despite the investigations, none of the DeFi hackers have been arrested. Law enforcement needs time and resources to create technological solutions to deal with ecosystem vulnerabilities. In an interview with Fortune, Chris Tarbell, co-founder of cybersecurity firm NAXO, says law enforcement is certainly responding to what's happening in DeFi. Tarbell was an FBI agent and was involved in developing the tools to shut down the Silk Road marketplace, which became the prototype for all illegal darknet marketplaces. “It takes time because it's such an advanced technology,” summarizes the former agent.
