In Brief
The Trust Project is an international consortium of news organizations building standards of transparency.
In a recent research report, Token Terminal finds that there are three root causes of DeFi exploits, and removing smart contract vulnerabilities is by far the most challenging of the three.
Since interest in decentralized finance has skyrocketed, so have the hacks and rug pulls in the segment with an estimated 105 on-chain exploits resulting in the theft of almost $4.2 billion from various protocols.
Interestingly, the research finds that the biggest hacks, on average, come via cross-chain bridges and central exchange (CEX) wallets, whereas yield aggregators and lending protocols are most frequently abused.
“The largest exploits tend to be across multiple chains or on major ecosystem bridges.”
FBI raises new DeFi warning for investors and platforms
The three largest DeFi exploits to date, Ronin Network ($624 million), Poly Network ($611 million), and Wormhole ($326 million), are all cross-chain bridges that dominate the list of the largest exploits. Bridges typically lost over $188 million in every hack, the report noted.
Recently, the US Federal Bureau of Investigation (FBI) cautioned the investors and platforms about these risks in DeFi in a public service announcement.
“Cyber criminals are increasingly exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal cryptocurrency, causing investors to lose money,” the agency noted. “Cyber criminals seek to take advantage of investors’ increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms.”
Conversely, yield aggregators and lending protocols are the most frequently targeted systems by attacks, however, they frequently result in smaller financial losses per attack as per Token Terminal. In general, yield aggregators and lending protocols were abused more frequently, while bridges and CEXs typically suffer the biggest losses per exploit. Cross-chain bridges and CEX hot wallets account for $2.2 billion in stolen assets, or over 52% of the total amount compromised.
Safe-keeping of private keys is the simplest rescue plan
The most common causes of these exploits have been roughly categorized into smart contract loopholes, compromised private keys, and protocol frontend spoofing. Notably, loopholes in smart contracts, frequently associated with flash loans and oracle manipulation, reportedly accounted for 73% of all hacks since September 2020. But, automated formal verification and DeFi security audits are the two primary techniques for managing these smart contract risks.
The report also finds that the largest hacks, averaging $91 million each, are caused by compromised private keys, which are often obtained using spear-phishing attempts. Ironically, this attack vector is also the most avoidable by better securing the private keys and using different platforms for storage.
Lastly, frontend spoofing is an attack method that goes against specific users rather than the funds that the protocol controls, like in the case of the BadgerDAO exploit. Typically, this entails using techniques like DNS cache poisoning to replace the real protocol website’s IP address with a phony lookalike.
Meanwhile, exploiters are also reportedly looking for new options now that the standard means of cashing out ill-gotten gains, through Tornado Cash, has been discontinued via sanctions. Be[In]Crypto had reported that following the penalties against Tornado Cash, a small but rising number of decentralized finance (DeFi) projects, including dYdX, Liquidity, GMX, Kwenta, and others, are developing decentralized frontends (DeFe) instead.
With that, the FBI also recommends that DeFi platforms institute real-time analytics, monitoring, and rigorous testing apart from developing an incident response to avoid such exploits.
However, Aztec Network, an Ethereum-based rollup that offers private transactions using zero-knowledge technology, is one possible substitute to Tornado Cash as per the research report.
For Be[In]Crypto’s latest Bitcoin (BTC) analysis, click here.
Disclaimer
All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.
Share Article
Related topics
Shraddha Sharma
Shraddha is an India-based journalist who worked in business and financial news before diving into the crypto space. As an investment enthusiast, she has also has a keen interest in understanding crypto from a personal finance standpoint.
Follow Author
More Articles
RELATED NEWS
MarketsOpinion
DeFi in the Future: Will My Young Son Even Want a Bank Account?
11 mins ago
MarketsNews Report
Restriction Reference Period for Mt. Gox Bitcoin Repayment Process Will Start Mid-September
39 mins ago
MarketsFeature
BlackPink Take Award for Best Metaverse Concert at the VMAs
3 hours ago
MarketsFeature
Carlossy: New Memecoin is a Spinoff of the Caterpillar Cake Wars
7 hours ago
MarketsNews Report
Reddit Co-Founder Ohanian to Raise Money for New Crypto Fund
9 hours ago
A London man has denied charges of running an illegal cryptocurrency ATM business and laundering £300,000 without FCA authorisation. Currently out on bail, his next hearing is slated for 7 November.
CatherineA cryptocurrency entity linked to Continue Capital lost over $36 million in wrapped Ethereum tokens due to a phishing attack that tricked users into signing a malicious transaction. This incident caused a drastic price drop of more than 95% in fwDETH, highlighting the ongoing risk of phishing attacks in the crypto space.
AnaisIsrael's economy minister said Iran must be attacked, including its nuclear capabilities, and Iran warned that Tehran might change its nuclear policy if its nuclear infrastructure was attacked. Gold hit a short-term high of $2,646, and Bitcoin tried to regain the unexpected loss of US CPI.
AlexOKX announced a grant to the 2140 Foundation to support the foundation’s multi-year efforts to promote the long-term security, resilience, and maintainability of the Bitcoin network.
MiyukiThe Trump family announced that the financial revolution protocol of World Liberty Financial project will allow the adoption of large-scale institutional capital. The project disclosed in its roadmap that it plans to raise $300 million at a valuation of $1.5 billion.
WeiliangUber is using AI, powered by ChatGPT, to help drivers transition to electric vehicles by providing personalised guidance and local information on incentives and charging options. This initiative aligns with Uber's sustainability goals and reflects the growing influence of AI in the automotive industry.
WeatherlyIn this meme craze, SunDog, a star project of the TRON ecosystem, has become the focus of global investors with its strong market performance and unique application scenarios, and has quickly become one of the top projects in the meme track.
AlexCoNET has launched a new mini-game referral program to attract real users to join its decentralized ecosystem. By sharing the referral link, users can get CONET tokens as rewards. All referral rewards will be recorded on the chain to ensure fairness and transparency, and the plan starts on October 10.
MiyukiArkham Intelligence, a blockchain data company backed by OpenAI founder Sam Altman, is about to launch a cryptocurrency derivatives exchange, with plans to set up a new venue in the Dominican Republic. As the crypto market changes, Arkham hopes to seize market share through technological advantages and global expansion, challenging industry giants such as Binance.
WeiliangBitcoin's global interest has dropped to its lowest in a year, while memecoins are gaining popularity with significant search and trading activity. Despite concerns about their risks, memecoins continue to dominate the crypto market in 2024.
Anais