In a recent research report, Token Terminal finds that there are three root causes of DeFi exploits, and removing smart contract vulnerabilities is by far the most challenging of the three.
Since interest in decentralized finance has skyrocketed, so have the hacks and rug pulls in the segment with an estimated 105 on-chain exploits resulting in the theft of almost $4.2 billion from various protocols.
Interestingly, the research finds that the biggest hacks, on average, come via cross-chain bridges and central exchange (CEX) wallets, whereas yield aggregators and lending protocols are most frequently abused.
“The largest exploits tend to be across multiple chains or on major ecosystem bridges.”
FBI raises new DeFi warning for investors and platforms
The three largest DeFi exploits to date, Ronin Network ($624 million), Poly Network ($611 million), and Wormhole ($326 million), are all cross-chain bridges that dominate the list of the largest exploits. Bridges typically lost over $188 million in every hack, the report noted.
Recently, the US Federal Bureau of Investigation (FBI) cautioned the investors and platforms about these risks in DeFi in a public service announcement.
“Cyber criminals are increasingly exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal cryptocurrency, causing investors to lose money,” the agency noted. “Cyber criminals seek to take advantage of investors’ increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms.”
Conversely, yield aggregators and lending protocols are the most frequently targeted systems by attacks, however, they frequently result in smaller financial losses per attack as per Token Terminal. In general, yield aggregators and lending protocols were abused more frequently, while bridges and CEXs typically suffer the biggest losses per exploit. Cross-chain bridges and CEX hot wallets account for $2.2 billion in stolen assets, or over 52% of the total amount compromised.
Safe-keeping of private keys is the simplest rescue plan
The most common causes of these exploits have been roughly categorized into smart contract loopholes, compromised private keys, and protocol frontend spoofing. Notably, loopholes in smart contracts, frequently associated with flash loans and oracle manipulation, reportedly accounted for 73% of all hacks since September 2020. But, automated formal verification and DeFi security audits are the two primary techniques for managing these smart contract risks.
The report also finds that the largest hacks, averaging $91 million each, are caused by compromised private keys, which are often obtained using spear-phishing attempts. Ironically, this attack vector is also the most avoidable by better securing the private keys and using different platforms for storage.
Lastly, frontend spoofing is an attack method that goes against specific users rather than the funds that the protocol controls, like in the case of the BadgerDAO exploit. Typically, this entails using techniques like DNS cache poisoning to replace the real protocol website’s IP address with a phony lookalike.
Meanwhile, exploiters are also reportedly looking for new options now that the standard means of cashing out ill-gotten gains, through Tornado Cash, has been discontinued via sanctions. Be[In]Crypto had reported that following the penalties against Tornado Cash, a small but rising number of decentralized finance (DeFi) projects, including dYdX, Liquidity, GMX, Kwenta, and others, are developing decentralized frontends (DeFe) instead.
With that, the FBI also recommends that DeFi platforms institute real-time analytics, monitoring, and rigorous testing apart from developing an incident response to avoid such exploits.
However, Aztec Network, an Ethereum-based rollup that offers private transactions using zero-knowledge technology, is one possible substitute to Tornado Cash as per the research report.