On Monday, the Federal Bureau of Investigation (FBI) issued a new warning about attacks on decentralized finance (DeFi) platforms, saying that hackers are exploiting vulnerabilities in the smart contracts that govern these platforms.
Chainalysis, a blockchain research company, reported in an April 2022 study that between January and March of that year, “cybercriminals stole $1.3 billion in cryptocurrency, of which about 97% was taken on DeFi platforms.”
Officials at the organization point to three tactics hackers have used in recent attacks:
- Initiating a flash loan, as in the November 2021 attack on the Ethereum DeFi project bZx, in which $55 million worth of digital assets were stolen.
- Exploiting a flaw in a DeFi platform’s token bridge, as happened with the Nomad token bridge earlier this month.
- Manipulating cryptocurrency prices by way of a single price oracle as part of a multi-pronged attack, as in the theft of $13.4 million from the Deus Finance exchange in April 2022.
The agency warns that cybercriminals are looking to take advantage of investors’ growing interest in cryptocurrencies, and of the fact that DeFi systems are open source and support cross-chain functionality.
Blockchain security companies usually keep track of the entry points that fraudsters use most often to break into smart contracts.
Beyond the difficulty of finding stolen money, the Ethereum Foundation says that “smart contract code is often unable to be updated to fix security weaknesses.”
Cybercriminals go after many different high-value targets, not just DeFi systems. Elliptic, a blockchain research group, published a paper titled “NFTs and Financial Crime” last week. The paper says that between July 2021 and July 2022, more than $100 million worth of NFTs were stolen.
The FBI says that before investing money, people should learn as much as they can about DeFi platforms, protocols, and smart contracts. For example, the agency suggests that users check whether independent auditors have reviewed the code of the platform in question. The FBI also warns against investment pools that give investors very little time to join and that deploy their smart contracts on rushed timelines, especially if the necessary code audit hasn’t been done.