DeFi platforms are advised to conduct real-time analytics and monitoring alongside “rigorous testing of code”.
The Federal Bureau of Investigation (FBI) has issued a warning about the increase in cybercrimes targeted at DeFi platforms. The bureau issued a PSA on Monday directed at investors, warning them of the increased risk as well as urging them to contact its Internet Crime Compliant Center or a local field office if they suspected that they had been victims of DeFi-related cybercrime.
The #FBI warns that cyber criminals are increasingly exploiting vulnerabilities in decentralized finance (DeFi) platforms to steal investors cryptocurrency. If you think you are the victim of this, contact your local FBI field office or IC3. Learn more: https://t.co/fboL1N17JN pic.twitter.com/VKdbpbmEU1
— FBI (@FBI) August 29, 2022
In outlining the threat, the FBI noted that criminals are exploiting vulnerabilities in smart contracts to steal crypto from DeFi platforms. The bureau attributed this increase in DeFi attacks to heightened investor interest in cryptocurrencies as well as “the complexity of cross-chain functionality and open source nature of DeFi platforms”. Citing data from blockchain analysis firm Chainalysis, the FBI revealed that in the first quarter of this year alone, $1.3 billion in cryptocurrencies was stolen by cybercriminals, 97 percent of which was stolen from DeFi platforms, an increase from 72 percent in 2021 and 30 percent in 2020.
Common Tactics in DeFi Attacks According to the FBI
The bureau has observed hackers defraud DeFi platforms by doing the following:
“Initiating a flash loan that triggered an exploit in the DeFi platform’s smart contracts, causing investors and the project’s developers to lose approximately $3 million in cryptocurrency as a result of the theft.
Exploiting a signature verification vulnerability in the DeFi platform’s token bridge and withdraw all of the platform’s investments, resulting in approximately $320 million in losses.
Manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities, including the DeFi platform’s use of a single price oracle,a and then conducting leveraged trades that bypassed slippage checks and benefited from price calculation errors to steal approximately $35 million in cryptocurrencies.”
FBI’s Advice to Investors and DeFi Platforms: DYOR and ‘Rigorous Code Testing’
While all investment involves a level of risk, the risks associated with investing in digital assets are unique and as such, require a unique set of safeguards. The FBI recommends that when uncertain, investors should solicit the advice of a licensed financial advisor. It also advises investors to educate themselves of the risks involved in such investments. Knowledge of DeFi platforms, protocols, smart contracts and how they operate is also encouraged. Investors should also check that the DeFi platform they plan to use has conducted one or more audits by independent auditors. In this case, code audits involve the meticulous analysis of a platform’s code to identify possible vulnerabilities. Concerning DeFi investment pools and open source services the FBI warns:
“Be alert to DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.
Be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching. Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.”
DeFi platforms, on the other hand, are advised to conduct real-time analytics and monitoring alongside “rigorous testing of code”. This will increase the likelihood of noting vulnerabilities in the code and responding to signs of suspicious on-chain activity quicker. Platforms should also put in place incident response plans that will alert investors in the event of smart contract exploitation and other such vulnerabilities.