The Federal Bureau of Investigation issued a new warning Monday focused on attacks against decentralized finance (DeFi) platforms, saying that cybercriminals are exploiting vulnerabilities in the smart contracts that govern them.
"Between January and March 2022, cyber criminals stole $1.3 billion in cryptocurrencies, almost 97 percent of which was stolen from DeFi platforms," the agency says, citing an April 2022 report by blockchain analysis firm Chainalysis.
The agency points to three tactics that cybercriminals have used to launch attacks:
- Initiating a flash loan, such as in the case of the November 2021 attack on the Ethereum DeFi Project bZx where thieves made off with $55 million in digital assets.
- Exploiting a vulnerability in the DeFi platform's token bridge, as seen in the case of the Nomad token bridge earlier this month.
- Manipulating cryptocurrency prices by exploiting a series of vulnerabilities, including the use of a single price oracle, such as in the case of the April 2022 Deus Finance exploit where thieves made off with $13.4 million.
"Cybercriminals seek to take advantage of investors' increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms," the agency says.
Blockchain security firms have long tracked the most frequent vectors used by cybercriminals to compromise smart contracts.
Exploits at this level are dangerous, as "smart contract code usually cannot be changed to patch security flaws, assets that have been stolen from smart contracts are irrecoverable, and stolen assets are extremely difficult to track," notes the Ethereum Foundation.
DeFi platforms are not the only high-value targets of cybercriminals. Last week, blockchain analysis firm Elliptic published its "NFTs and Financial Crime" report. The report says that over $100 million in NFTs were stolen between July 2021 and July 2022.
For its part, the FBI recommends the careful study of DeFi platforms, protocols, and smart contracts before investing, and being aware of the specific risks involved.
For example, the agency recommends that consumers check whether the platform has had one or more code audits performed by independent auditors. The FBI also recommends caution around investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.
In other words, do your own research.