These are the flaws that let hackers attack blockchain and DeFi projects

Image: Blue Planet Studio / Shutterstock

The number of decentralized finance (DeFi) and blockchain projects grew massively during the past year, but their increased popularity has also piqued the interest of cyberattackers, who stole an estimated $1.8 billion from such projects in 2021.

The blockchain is a digital ledger that records transactions in a way that is difficult to tamper with or change. As a result, these technologies have tremendous potential for managing cryptocurrency assets and transactions, as well as for facilitating smart contracts, finance, and legal agreements.

In recent years, the blockchain has led to the emergence of decentralized finance. DeFi financial products and systems are an alternative to traditional banks and financial services, relying on decentralized technologies and smart contracts to operate.

DeFi, NFTs, and cryptocurrencies are now popular targets for threat actors, who take advantage of vulnerabilities, logic errors, and programming flaws – as well as performing phishing campaigns to steal digital funds from their victims.

In May, Microsoft added the term ‘cryware’ to its taxonomy of digital threats, alongside malware, infostealers, cryptojackers, and ransomware. The term describes malware designed to harvest and steal information from non-custodial cryptocurrency wallets, also known as ‘hot wallets’: wallets whose private keys are held by the user on an internet-connected device rather than by an exchange or other custodian.

The blockchain itself records the transfers, deposits, and withdrawals, but a hot wallet’s private keys and seed phrase live on the user’s own device. Any malware running there can read them, and whoever holds the keys controls the funds, which is what makes hot wallets susceptible to theft.

On Tuesday, cybersecurity researchers from Bishop Fox published an analysis of the significant blockchain and DeFi heists that occurred in 2021. The cybersecurity firm analyzed $1.8 billion in losses.

The team examined 65 major ‘events’, 90% of which it classed as “unsophisticated attacks”.

Source: Bishop Fox | CryptoSec

According to the researchers, DeFi projects experienced an average of five significant cyberattacks per month, with peaks in May and December.

The main attack vectors in 2021, by share of the 65 events, were:

  • 51%, smart contract vulnerabilities
  • 18%, protocol and design flaws
  • 10%, wallet compromise
  • 6%, rug pulls and exit scams
  • 4%, key leaks
  • 4%, frontend hacks
  • 3%, arbitrage
  • 2%, cryptocurrency-related bugs
  • 2%, front-running (a transaction submitted ahead of a pending one after observing it in the mempool, to profit from the price move it will cause)

“We can see that in most cases, the attack came from a vulnerability in smart contracts or in the very logic of the protocol,” the researchers noted. “This is not surprising for a recent technology that may lack a certain technical hindsight on the implementation of security measures.”

Within the smart contract category, the issues most often exploited were well-known bug classes, vulnerabilities inherited by forks of existing projects, and a smaller number of genuinely sophisticated attacks. Rug pulls and exit scams were also recorded, to a lesser degree.

Many of these attacks could have been avoided with robust auditing and testing before deployment, which matters more than usual here because a deployed contract holds the funds directly and typically cannot be patched in place. Teams that fork an existing project inherit its bugs along with its code, so they should track upstream fixes and advisories and re-check their own codebase regularly rather than assuming the original audit still covers it.

“We can say without hesitation that DeFi is currently a tasty target that attracts thieves looking for big and fast gains,” Bishop Fox says. “This observation is obvious given the youth of this technology and the fact that it’s all about the money.

“Rare are the technological advances and developments that have never run into problems. In the same way that the first computers were networked without really considering the possibility of spreading a virus, DeFi developers tend to seek innovation in their algorithms more than protection.”
