Attack Patterns Produce Growing Losses Targeting Mutual Vulnerabilities Endemic to Decentralized Finance


Synopsis

In 2021 cryptocurrency surpassed $1 trillion in total market value for the first time (1). Along with that legitimate growth, the raw value of illicit transaction volume reportedly reached its highest level ever (2). Threat actors are homing in on Decentralized Finance (DeFi) as a source of profit. In this report, EclecticIQ analysts identify the attack patterns emerging in cyberattacks that have produced the highest returns. The analysis identifies areas subject to repeating attack patterns, where security resource development will be most effective.

In 2021 cyberattacks produced approximately $3.2 billion USD in stolen cryptocurrency assets. The current total estimated value of stolen funds sitting in wallet addresses is over $10 billion (2, 3). During 2021, the total stolen in cryptocurrency assets increased 1330% from 2020, when an estimated $160 million worth of cryptocurrency was stolen, and the 2020 total represents a 335% increase over the 2019 total stolen. Many of the largest attacks have taken place since the start of the COVID-19 pandemic, when users began adopting cryptocurrency at much higher rates. 2021 saw a 912% jump in DeFi transaction volume (1, 4). As DeFi systems accumulate assets, the risk and impact of these attack vectors increase. An analysis of the largest cyberattacks against decentralized finance platforms provides strategic value by describing the Tactics, Techniques, and Procedures (TTPs) that are the most impactful and popular attack vectors. Applying IT security resource development to the weak areas of the DeFi ecosystem that enable the patterns described here will have the greatest impact on future large-scale cyberattacks.

Record-setting attacks against DeFi systems between 2020 and 2022 (5, 6)

DeFi Organization    Amount at Attack    Date (MM.DD.YYYY)
Poly Network         $611,000,000        08.10.2021
Ronin Bridge         $540,000,000        03.23.2022
Wormhole Bridge      $325,000,000        01.13.2022
BitMart              $196,000,000        12.04.2021
Compound             $147,000,000        09.29.2021
Vulcan Forged        $140,000,000        12.13.2021
Cream Finance        $130,000,000        10.27.2021
BadgerDAO            $120,000,000        12.02.2021
Ascendex             $77,000,000         12.12.2021
EasyFi               $59,000,000         04.19.2021
Uranium Finance      $57,000,000         04.28.2021
bZx                  $55,000,000         11.05.2021
PancakeBunny         $45,000,000         05.19.2021
Kucoin               $45,000,000         09.29.2020

Other notable large-scale attacks prior to 2020

DeFi Organization    Amount at Attack    Date (MM.YYYY)
Coincheck            $532,000,000        01.2018
MT GOX               $470,000,000        06.2011
BitGrail             $150,000,000        02.2010

Strategic Primary Goals for DeFi Attacks: Price Manipulation and Key Exposure

Attacking DeFi systems to manipulate pricing for malicious outcomes, also known as price boosting, remains the most common goal for threat actors in large heists. Price manipulation can occur in many ways; several of the most common methods are described below. Another strategic attack focus is the discovery and exploitation of systems providing privileged access, either to important systems or to the keys that unlock wallets.

Four Attack Patterns Support Strategic Goals of DeFi Cyberattacks

The primary TTPs successfully leveraged by threat actors in major heists against DeFi include smart contract exploitation, flash loan exploitation, and compromise of critical systems. Fraud attacks that rely on social engineering and more familiar cyberattack components are also highly impactful.

SMART CONTRACT EXPLOITATION

Smart contract exploitation involves a programmatic weakness or vulnerability in one or more smart contracts that allows data to be modified in a way that is not congruous with the smart contract's intent. Smart contracts are composed of code that functions as a program. Smart contract exploitation can involve one or more vulnerabilities that affect a complex chain of smart contracts tied together to produce a malicious outcome. Of the attack vectors seen in large-scale DeFi attacks, this one has led to the greatest losses.

Tools Called Oracles Are Very Often Involved in Smart Contract And Flash Loan Attacks

Oracle attacks involve manipulating services that supply external data inputs to DeFi environments. Oracles are legitimate third-party automated services that retrieve information from outside the blockchain to be incorporated as further data inputs for DeFi systems. Providing pricing data of external assets tied to the value of a particular cryptocurrency is a common oracle role and one of many (10). If oracles are incorporated as centralized, single points of failure, their manipulation may affect other variables inside smart contracts reliant upon oracle data fetching, producing a waterfall effect or a positive feedback loop within a transaction.

The Largest Hack to Date Leveraged Smart Contracts

Poly Network was exploited through a coding error in the EthCrossChainManager smart contract. The contract contained a vulnerable function (verifyHeaderAndExecuteTx) that could be executed by a non-privileged user. Within the protocol, the function call executeCrossChainTx calls to the target contract EthCrossChainManager, which calls the EthCrossChainData contract. EthCrossChainData only used the first four hash bytes in a passed call to identify the calling contract, and it accepted user input for the 'ID data' section. A threat actor reverse engineered the embedded vulnerable function in EthCrossChainData and exploited the related contracts to exfiltrate a large volume of assets to an attacker-controlled wallet. The hacker, claiming to be an individual, returned up to $600 million worth of crypto assets after a negotiation initiated by the threat actor (12).

Simple Numerical Errors Present in Code Allow Threat Actors to Exploit Math-Based Vulnerabilities

Uranium Finance was exploited through smart contract code that contained reused source code (known as a fork) from another DeFi project. Forked code is a branch of a particular original open-source code base that has been downloaded and reconfigured into a new project. In this case, the reused or shared code was not properly tested and checked. Through the forked code, based on Uniswap v2 code, a loophole was introduced that went unnoticed for 10 days. The bug allowed threat actors to exploit a computational error by changing two numerical values inside a smart contract. This allowed them to swap one input token for 98% of the total balance of the output token within the smart contract and cash out, performing fraud against the token value (13).
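The bug class described above can be reproduced in a few lines. The following is an added example written for this page, not Uranium Finance's or Uniswap's code: it models the constant-product check that a Uniswap-v2-style pair runs after each swap, with the fee numerator and the two scaling constants as parameters, so that a configuration where both sides of the comparison use the same constant can be compared with one where the fee-adjustment scale was changed but the K-check scale was not. The reserves, swap size and fee below are assumed values, and the 10,000 versus 1,000 mismatch is a constructed illustration of "two numerical values" disagreeing, not a claim about the actual contract's constants.

```python
# Added example, not Uranium Finance's or Uniswap's code. Models the
# post-swap invariant check of a Uniswap-v2-style pair with the scaling
# constants exposed as parameters so that a consistent and a mismatched
# configuration can be compared. All numbers are assumed.


def invariant_holds(reserve0, reserve1, amount_in, amount_out,
                    fee_numer, adj_scale, k_scale):
    """Return True if the post-swap balances satisfy the pool's K check.

    token0 comes in (amount_in), token1 goes out (amount_out).
    fee_numer / adj_scale is the swap fee (e.g. 3/1000 or 16/10000).
    adj_scale: multiplier applied to the fee-adjusted new balances.
    k_scale:   multiplier (squared) applied to the old reserves.
    A correct contract uses the same value for adj_scale and k_scale.
    """
    if amount_out < 0 or amount_out >= reserve1:
        return False
    balance0 = reserve0 + amount_in
    balance1 = reserve1 - amount_out
    balance0_adj = balance0 * adj_scale - amount_in * fee_numer
    balance1_adj = balance1 * adj_scale
    return balance0_adj * balance1_adj >= reserve0 * reserve1 * (k_scale ** 2)


def max_accepted_output(reserve0, reserve1, amount_in,
                        fee_numer, adj_scale, k_scale):
    """Largest amount_out the check accepts for a given amount_in.
    Binary search over integers, as the quantities would be on-chain."""
    lo, hi = 0, reserve1 - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if invariant_holds(reserve0, reserve1, amount_in, mid,
                           fee_numer, adj_scale, k_scale):
            lo = mid
        else:
            hi = mid - 1
    return lo


def scales_consistent(adj_scale, k_scale):
    """The review check that catches the mismatch: both sides of the
    comparison must be scaled by the same constant."""
    return adj_scale == k_scale


def compare(reserve0=1_000_000, reserve1=1_000_000, amount_in=1_000):
    """Fraction of token1 that one small swap can withdraw under a consistent
    configuration versus a mismatched one (assumed constants)."""
    consistent = max_accepted_output(reserve0, reserve1, amount_in,
                                     fee_numer=16, adj_scale=10_000, k_scale=10_000)
    mismatched = max_accepted_output(reserve0, reserve1, amount_in,
                                     fee_numer=16, adj_scale=10_000, k_scale=1_000)
    return consistent / reserve1, mismatched / reserve1


if __name__ == "__main__":
    ok, bad = compare()
    print(f"consistent scales: {ok:.2%} of token1 withdrawn for 1,000 token0")
    print(f"mismatched scales: {bad:.2%} of token1 withdrawn for 1,000 token0")
```

Under the consistent configuration a 1,000-token input can take out roughly a tenth of a percent of the output reserve; under the mismatched one the check passes for almost the entire reserve, which is the behaviour the text describes. The `scales_consistent` guard is the unit test a fork reviewer would add: any change to one scaling constant must be mirrored in the other.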

FLASH LOAN EXPLOITS

Flash loan exploits involve misconfigurations in banking features of DeFi platforms. A flash loan is a transaction where a loan and repayment occur instantaneously. Flash loans are another integral feature of DeFi platforms. They allow users to operate without collateral, enabling further decentralization and flexibility for transactions. Flash loan exploitation can involve complex nested transfers between multiple different cryptocurrency coins. Flash loan exploits have been leveraged in conjunction with all other TTPs listed here.

Mathematical and Logical Programmatic Weaknesses in Core Components of DeFi Systems Enable Attacks on Many DEXs

Threat actors exploited Cream Finance using flash loans and the yUSDVault token. The price of yUSDVault tokens was manipulated using flash loans between two wallets. A vulnerability in Cream's internal PriceOracleProxy for yUSDVault tokens created a self-referencing, positive feedback loop, which the attacker exploited using flash loans between their wallets. The vulnerability allowed threat actors to accumulate overvalued collateral, which was finally leveraged against Cream lending vaults to drain as many assets as possible. This was the third attack Cream Finance had suffered in a year. The root causes of the other two attacks were smart contract related (14, 15). The developers behind the Cream Finance DEX platform, Yearn Finance, have developed many other DEXs (16), at least nine of which have been attacked. Eight of these attacks netted between $2 million and $20 million each, and one attack (targeting Alpha Finance) netted $37.5 million.

Inherent Features of DeFi Are Exploited to Produce Banking Errors

PancakeBunny was exploited using a complex system of flash loans. A bug in the protocol that uses the "PancakeSwap" function to retrieve the prices of PancakeSwap liquidity providers was leveraged using eight flash loans, executed in a specific order, to manipulate the price on various PancakeSwap asset pools and create a skewed calculation of BUNNY tokens from the VaultFliptoFlip vault using two external cryptocurrency coins. This enabled the threat actor to mint 697,000 BUNNY tokens, which were then sold at an inflated value, causing the price of BUNNY tokens to drop from $146 to $6 per token (17).
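To make the single-transaction price swing behind the oracle, Cream and PancakeBunny cases concrete, here is an added example (not code from Cream Finance, PancakeBunny or any protocol named in this article): a toy constant-product pool, a lending market that values collateral at that pool's spot price, and the same market fed instead by a time-weighted average price (TWAP) recorded once per past block. Reserves, TWAP window, loan-to-value ratio and the size of the flash-loaned purchase are all assumed.

```python
# Added example, not code from any protocol named in the article. A toy
# constant-product pool, a spot-price oracle that reads it directly, and a
# TWAP oracle that only sees completed blocks. All numbers are assumed.


class ConstantProductPool:
    """Toy AMM holding TOKEN against USD with x * y = k and no swap fee (assumed)."""

    def __init__(self, token_reserve: float, usd_reserve: float):
        self.token_reserve = token_reserve
        self.usd_reserve = usd_reserve

    def spot_price(self) -> float:
        """Instantaneous USD price of one TOKEN implied by current reserves."""
        return self.usd_reserve / self.token_reserve

    def buy_token(self, usd_in: float) -> float:
        """Swap USD for TOKEN; returns TOKEN received. Pushes the spot price up."""
        k = self.token_reserve * self.usd_reserve
        self.usd_reserve += usd_in
        new_token_reserve = k / self.usd_reserve
        received = self.token_reserve - new_token_reserve
        self.token_reserve = new_token_reserve
        return received


class SpotOracle:
    """Centralized, single-source oracle: reads the pool's reserves right now."""

    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Averages one observation per *past* block. Trades in the current block
    have not been observed yet, so a swing engineered inside one transaction
    cannot move the reported price."""

    def __init__(self, window: int):
        self.window = window
        self.observations: list[float] = []

    def record_block(self, price: float) -> None:
        self.observations.append(price)

    def price(self) -> float:
        recent = self.observations[-self.window:]
        return sum(recent) / len(recent)


def collateral_credit(tokens: float, price: float, ltv: float = 0.75) -> float:
    """USD the lending market is willing to lend against `tokens` valued at `price`."""
    return tokens * price * ltv


def single_transaction_manipulation(pool, oracle, flash_usd, collateral_tokens):
    """Everything here happens atomically, as a flash loan allows: borrow USD,
    push the pool, then ask the lending market to value the collateral.
    Returns (credit the market grants, fair credit at the pre-trade price)."""
    fair = collateral_credit(collateral_tokens, pool.spot_price())
    pool.buy_token(flash_usd)
    granted = collateral_credit(collateral_tokens, oracle.price())
    return granted, fair


def run_demo():
    """Identical pools and identical manipulation; only the oracle design differs."""
    pool_spot = ConstantProductPool(token_reserve=100_000, usd_reserve=100_000)
    pool_twap = ConstantProductPool(token_reserve=100_000, usd_reserve=100_000)
    twap = TwapOracle(window=10)
    for _ in range(10):                      # ten quiet blocks at price 1.00
        twap.record_block(pool_twap.spot_price())
    spot_granted, fair = single_transaction_manipulation(
        pool_spot, SpotOracle(pool_spot), flash_usd=900_000, collateral_tokens=1_000)
    twap_granted, _ = single_transaction_manipulation(
        pool_twap, twap, flash_usd=900_000, collateral_tokens=1_000)
    return {"fair": fair, "spot": spot_granted, "twap": twap_granted}


if __name__ == "__main__":
    r = run_demo()
    print(f"fair credit {r['fair']:.0f} USD, spot-oracle credit {r['spot']:.0f} USD, "
          f"TWAP-oracle credit {r['twap']:.0f} USD")
```

With the spot oracle, a 900,000 USD purchase inside one transaction raises the reported price a hundredfold and the market lends 100 times the fair amount against the same collateral; the TWAP oracle has not yet observed the current block and returns the pre-trade price. A TWAP on its own does not stop manipulation sustained across several blocks, so production designs combine it with independent price sources and deviation limits; the point shown here is that removing the self-referencing dependency within a single transaction closes the flash-loan path.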

CRITICAL SYSTEM COMPROMISE

Critical system compromise involves illegitimate access to a specialized system or software within cryptocurrency networks. A successful critical system compromise produces elevated permissions and/or access to special functions. Attacks of this category most often result in exposure of private keys to wallets and API keys used to control cryptocurrency transactions. Keys may be exposed inadvertently in public files, by a web application, or via malware.

Mismanagement Across Third-Party Systems Enhances Risk of High Losses

Ronin Bridge is a DEX and bridge with a focus on the Ronin token, NFTs, and a cryptocurrency-based play-to-pay game. A fundamental design of the Ronin chain involves the use of central validator nodes for consensus approval of transactions. Of nine central nodes, five is the threshold required to sign and approve a given transaction within the Ronin blockchain (18, 19). Sometime prior to March 23, threat actors gained access to part of the Ronin administration system through unidentified means. Using the initial access, the threat actors compromised keys of four Ronin validator nodes without raising any alarms. A fifth node was compromised in a further third-party attack on the Axie DAO DeFi organization, which managed the node. An Axie DAO node was approved as a ninth validator for Ronin starting on November 21, 2021 due to a need for additional validator nodes caused by increased transaction demand. The November-March timeline indicates it is possible the threat actor was dwelling within the Ronin DeFi network for multiple months in order to quietly compromise four Ronin approval nodes. The fifth node, managed by the Axie DAO, was compromised through a misconfigured RPC (remote procedure call) node in the Axie network. With a majority of approval keys, the threat actor executed a fraudulent approval for two transactions totaling $540 million on March 23 (20). Ronin developers did not become aware of the attack until March 29, when another user reported issues with a transaction (21).
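The design and monitoring points the Ronin case raises can be expressed as code. The following is an added example, not Ronin's, Sky Mavis's or Axie DAO's code: a model of a bridge that releases funds once a threshold of validator signatures is present, plus the checks a defender would run on each release so that a fraudulent approval surfaces at signing time rather than days later. Validator ids, operator names, the per-operator signature limit and the manual-review limit are assumed; only the 5-of-9 threshold comes from the text.

```python
# Added example, not code from Ronin, Sky Mavis or Axie DAO. Threshold
# approval of bridge releases plus the monitoring rules a defender runs on
# each release. Validator set, operators and limits are assumed.
from collections import Counter
from dataclasses import dataclass

QUORUM = 5            # signatures required out of nine validators (from the article)


@dataclass(frozen=True)
class Validator:
    key_id: str
    operator: str     # organisation that runs the node (assumed metadata)


@dataclass(frozen=True)
class Release:
    tx_id: str
    amount_usd: int
    signers: frozenset  # key ids whose signatures accompany the release


# Constructed validator set: four keys under one operator, the rest spread out.
VALIDATORS = [
    Validator("val-1", "operator-A"), Validator("val-2", "operator-A"),
    Validator("val-3", "operator-A"), Validator("val-4", "operator-A"),
    Validator("val-5", "operator-C"), Validator("val-6", "operator-D"),
    Validator("val-7", "operator-E"), Validator("val-8", "operator-F"),
    Validator("val-9", "operator-B"),
]


def known_signers(release, validators):
    return release.signers & {v.key_id for v in validators}


def quorum_met(release, validators):
    """What the bridge contract itself checks: enough valid signatures."""
    return len(known_signers(release, validators)) >= QUORUM


def operator_can_reach_quorum_alone(validators):
    """Static design check: no single operator should hold QUORUM keys."""
    return any(n >= QUORUM for n in Counter(v.operator for v in validators).values())


def monitor(release, validators, max_per_operator=2, review_limit_usd=1_000_000):
    """Rules applied to every release; returns a list of alerts (empty means clean)."""
    alerts = []
    known = known_signers(release, validators)
    unknown = release.signers - known
    if unknown:
        alerts.append(f"unknown signer(s): {sorted(unknown)}")
    if len(known) < QUORUM:
        alerts.append(f"quorum not met: {len(known)}/{QUORUM}")
    per_operator = Counter(v.operator for v in validators if v.key_id in known)
    for operator, n in per_operator.items():
        if n > max_per_operator:
            alerts.append(f"{n} of the signatures come from {operator} "
                          f"(limit {max_per_operator} per operator)")
    if release.amount_usd > review_limit_usd:
        alerts.append(f"amount {release.amount_usd:,} USD exceeds review limit; "
                      "hold for manual approval")
    return alerts


def run_demo():
    routine = Release("tx-1", 10_000,
                      frozenset({"val-1", "val-5", "val-6", "val-7", "val-9"}))
    suspicious = Release("tx-2", 300_000_000,
                         frozenset({"val-1", "val-2", "val-3", "val-4", "val-9"}))
    return {r.tx_id: monitor(r, VALIDATORS) for r in (routine, suspicious)}


if __name__ == "__main__":
    for tx_id, alerts in run_demo().items():
        print(tx_id, "clean" if not alerts else alerts)
```

The contract-level check (`quorum_met`) passes for both releases. The monitoring layer is what distinguishes them: four of the five signatures on the second release come from one operator, and the amount exceeds the review limit. Either rule, applied to releases rather than to logins, produces an alert at signing time.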

Kucoin Represents the Largest Attack on DeFi Systems Linked to an APT Group

The U.N. Security Council accuses the DPRK of using assets stolen from cryptocurrency cyberattacks to support its nuclear and ballistic missile programs and to circumvent sanctions (22). The attack against the Kucoin exchange involved exploiting 185 different tokens and coins across the DEX (23). The initial vector for the attack was multiple private keys leaked through an unknown channel, providing unauthorized access to cryptocurrency wallets (20). The CEO stated that the APT group had access to the internal network for "a long time". Kucoin was able to freeze some of the stolen assets, but the APT group successfully exfiltrated at least $13 million (24, 25).

One notable feature of this attack was the exfiltration method. After consolidating five different tokens, the APT used at least four different DEXs to exchange and obfuscate the funds so they could be withdrawn more anonymously. The amount originally stolen in the attack was reported to be as high as $281 million, but Kucoin was able to recover up to 80% of the stolen funds by issuing a special update that invalidated the part of the blockchain pertaining to the stolen assets. The update allowed Kucoin's pricing to recover and effectively blacklisted the stolen cryptocurrency from interacting within the legitimate DeFi environment. North Korea is accused of stealing at least $110 million in additional crypto assets via other attacks (26).

Access to Privileged Systems Amplifies DEX Cyberattack Impact

One of the earliest large-scale attacks on DeFi exchanges occurred on 19 June 2011, a year after the first cryptocurrency retail transaction (27). The MT Gox bitcoin exchange was hacked using a compromised machine owned by a recent auditor of MT Gox. It is not known how the threat actor obtained the auditor's access. The auditor's system had privileged access to the MT Gox DEX, which enabled the threat actor to steal private keys to a hot wallet and transfer Bitcoin to their wallet at a special nominal value. MT Gox remains one of the largest hacks of a DeFi exchange to date, resulting in approximately $470 million stolen (28).

Mismanagement of Automated Services Paired with Third-Party Systems Creates Single Points of Compromise

Vulcan Forged is a DeFi platform composed of a diverse portfolio of blockchain-based services operating under one organizational umbrella. To manage all the offerings, the platform relied on different automated and third-party services to help users manage their cryptocurrency accounts. Vulcan Forged set up automated accounts for users and relied on custodial wallets hosted on the platform's infrastructure to facilitate transactions. A threat actor was able to exploit and compromise a publicly exposed server and obtain credentials to a third-party service provider, "Venely", that managed credentials for custodial wallets. The attacker pivoted to further weaknesses in Vulcan's "MyForge" GUI module, used to display wallet holdings, to steal myriad private keys. The attackers targeted 96 high-value "whale" accounts with an average holding of $1.46 million (29). Stolen funds were consolidated into a single wallet and then exfiltrated through another DEX before much of the damage could be mitigated (30).

Attacks Are Enabled Through Private Key Compromise of Publicly Exposed Hot Wallets

A security breach at the BitMart exchange was caused by compromised private keys to at least one ETH hot wallet and one BSC hot wallet. BitMart did not disclose how the private keys were obtained (31). EclecticIQ analysts strongly posit that the private key exposure was the result of poorly configured wallets that were exposed to the internet, based on assessments of similar attacks and the specific wallets targeted. Attack patterns analyzed in similar large cryptocurrency heists indicate the most likely exposure vectors include private keys that were not stored in accordance with information security best practices. A mix of more than 20 tokens was stolen. Key exposure remains the most popular attack vector for stealing funds.

CRITICAL SYSTEM COMPROMISE MOST OFTEN RESULTS IN EXPOSURE OF PRIVATE KEYS

EasyFi is a multichain DEX operating on three blockchain networks. Threat actors initiated the attack by discovering and exploiting a machine used by a founder of EasyFi (32). The compromised machine contained an EasyFi module exclusively used for official transfers across the exchange. The threat actor went further and discovered an EASY token smart contract vulnerability affecting two other related smart contracts. The vulnerability and access allowed the threat actor to use these two further smart contracts to direct assets into a dark pool, where they were later exfiltrated under a separate, obfuscated C2 connection. A dark pool is a separate DeFi order book, not visible to the rest of the market, that exists on a particular DEX.

Ascendex was hacked by exploiting a primary hot wallet in use as part of the exchange's main infrastructure, not accessible to regular users. The hot wallet was configured contrary to many best practices. A threat actor was able to gain access to the hot wallet via undisclosed means, steal the private key, and exfiltrate funds in a very short time (33).
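The exposure paths listed for BitMart, Ascendex and the other key-compromise cases above are generic, but the most common artefact is concrete: a raw private key in a file that should not contain one. The following added example (not tooling from any exchange named in this article) scans text for 64-hex-character candidates, confirms each is a valid secp256k1 scalar, and grades it by nearby context so that transaction hashes do not flood the results. The sample files and their hex values are constructed.

```python
# Added example, not tooling from any exchange named in the article. Scans
# text for raw secp256k1 private keys, the most common artefact of the key
# exposure described above. Sample files and hex values are constructed.
import re

# Order of the secp256k1 group; a private key must lie in [1, N-1].
SECP256K1_N = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

# Exactly 64 hex characters, optionally 0x-prefixed, not part of a longer hex run.
HEX32 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
KEY_CONTEXT = re.compile(r"priv|secret|mnemonic|keystore|signer|wallet", re.IGNORECASE)
HASH_CONTEXT = re.compile(r"tx[_ ]?hash|block[_ ]?hash|txid", re.IGNORECASE)


def is_valid_private_scalar(hex_value: str) -> bool:
    k = int(hex_value, 16)
    return 1 <= k < SECP256K1_N


def scan_text(name: str, text: str) -> list:
    """Return one finding per candidate key, graded by the context on its line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEX32.finditer(line):
            candidate = match.group(1)
            if not is_valid_private_scalar(candidate):
                continue  # out of range for secp256k1: cannot be a private key
            if HASH_CONTEXT.search(line):
                confidence = "low"
            elif KEY_CONTEXT.search(line):
                confidence = "high"
            else:
                confidence = "medium"
            findings.append({
                "file": name, "line": lineno, "confidence": confidence,
                # never log the full secret; a prefix is enough to locate it
                "preview": candidate[:8] + "...",
            })
    return findings


# Constructed sample files; the hex values are patterns, not real keys.
SAMPLE_FILES = {
    "deploy/.env": "RPC_URL=https://rpc.example.invalid\n"
                   "SIGNER_PRIVATE_KEY=0x" + "a" * 64 + "\n",
    "logs/settlement.log": "2021-12-04 settled tx_hash=0x" + "b" * 64 + " status=ok\n",
    "notes.txt": "max uint256 is " + "f" * 64 + "\n",
}


def scan_all(files: dict) -> list:
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f['confidence']:6} {f['file']}:{f['line']} {f['preview']}")
```

It will not find keystore JSON, mnemonics or base64-encoded keys; those need their own patterns. The scalar-range test cheaply discards values such as the all-ones `uint256` that match the hex pattern but cannot be keys, and the preview field exists so that a finding can be located without copying the secret into the finding itself.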

Access Control Configuration in Decentralized Networks is Crucial to Prevent Compromise

Compound is a DEX that also promotes its own token. An access control error was present in a special function of a vault that was poorly configured and open to any user to call, if discovered. The function controlled a central vault used by the exchange to hold its own tokens and was not monitored. Cryptocurrency vaults are a form of cryptocurrency storage solution that applies a transaction approval process and does not allow funds to be withdrawn immediately, similar to escrow. Vaults are supposed to provide increased security compared to crypto wallets held by end users. EclecticIQ analysts evaluate it is most likely that either multiple users were able to discover the open vault and leverage the weak function to steal tokens, or an insider threat actor leveraged the weakness to steal tokens. Funds were drained from the vault in at least two different attacks, resulting in approximately $80 million and $60 million in assets stolen over several days before a full remediation was completed (34).

Threat Actors Monitor Public Code to Reverse Engineer DeFi Systems for Compromise

Wormhole Bridge is a specialized fintech company that provides a service for facilitating transactions across blockchains. On January 13, 2021 the company posted a software update to their GitHub repository. Within hours of the upload a threat actor reverse engineered part of the update, allowing them to craft a valid approval signature to exploit transactions across the bridge (35). The attack resulted in an approximate $325 million loss in two forms of ETH cryptocurrency. EclecticIQ analysts evaluate it as likely that the threat actor was actively monitoring the Wormhole GitHub page, flagged the update, and quickly reverse engineered part of the update to discover the vulnerability before systems in the network applied the update.

Absence of Standard IT Security Best Practices Enables Complex DeFi Cyberattacks

BadgerDAO was attacked from an unsecured Cloudflare API configured without documentation. The attacker then obtained an API key, which allowed them to create new accounts with access to cloud management services. The attackers maintained persistent access between November and December 2, 2021, increasing permissions to slowly lay the groundwork for their attack, and eventually allowing them to upload their own malicious smart contracts. The threat actor specifically targeted wallets on certain DEXs whose contents exceeded an unspecified amount. They rotated unique malicious scripts during each attack under short attack windows, providing unique hash signatures each time and making the attack much harder to detect and trace. With the new accounts, the threat actors exploited a security hole in approvals tied to smart contracts that allowed the attackers to use their malicious smart contracts to redirect assets to threat actor-controlled accounts (36, 37). In the final phase of the attack, at least 200 accounts were targeted over a ten-hour window until the organization stopped the attack by suspending the DEX (38). EclecticIQ analysts propose with high confidence, based on the TTPs used throughout the kill chain, that this attack was performed by another APT group.
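The approval abuse that BadgerDAO's attackers relied on is visible on-chain as ERC-20 `Approval` events. The following is an added example, not BadgerDAO's code or tooling from the referenced post-mortem: a detector that flags unlimited allowances granted to spenders outside an allowlist of known contracts, and bursts of approvals to one unknown spender from several wallets within a short block window. The event lines, addresses, allowlist and thresholds are constructed.

```python
# Added example, not BadgerDAO's code or any project's tooling. Detects the
# approval-abuse pattern described above over ERC-20 Approval events.
# Event lines, addresses, allowlist and thresholds are constructed.
from collections import defaultdict

UNLIMITED = 2**256 - 1                      # the "infinite approval" allowance value
KNOWN_SPENDERS = {"0xrouter-known"}         # assumed allowlist of audited contracts


def parse_event(line: str) -> dict:
    """Parse one constructed log line: block=<n> owner=<addr> spender=<addr> value=<int>."""
    fields = dict(item.split("=", 1) for item in line.split())
    return {"block": int(fields["block"]), "owner": fields["owner"],
            "spender": fields["spender"], "value": int(fields["value"])}


def detect(lines, burst_threshold=3, burst_window_blocks=50):
    """Return (kind, spender, detail) findings for a batch of Approval events."""
    events = [parse_event(line) for line in lines if line.strip()]
    findings = []
    per_spender = defaultdict(list)          # unknown spender -> [(block, owner)]
    for e in events:
        if e["spender"] in KNOWN_SPENDERS:
            continue                         # audited contract: no finding
        per_spender[e["spender"]].append((e["block"], e["owner"]))
        if e["value"] == UNLIMITED:
            findings.append(("unlimited-approval-to-unknown-spender", e["spender"],
                             f"owner={e['owner']} block={e['block']}"))
    # Many wallets approving the same new contract in a short window is the
    # shape of a coordinated drain, whatever the individual amounts are.
    for spender, entries in per_spender.items():
        blocks = [b for b, _ in entries]
        owners = {o for _, o in entries}
        span = max(blocks) - min(blocks)
        if len(owners) >= burst_threshold and span <= burst_window_blocks:
            findings.append(("approval-burst-to-unknown-spender", spender,
                             f"{len(owners)} wallets within {span} blocks"))
    return findings


SAMPLE_EVENTS = [
    f"block=100 owner=0xalice spender=0xrouter-known value={UNLIMITED}",
    f"block=120 owner=0xbob spender=0xnew-contract value={UNLIMITED}",
    f"block=125 owner=0xcarol spender=0xnew-contract value={UNLIMITED}",
    "block=130 owner=0xdave spender=0xnew-contract value=1000",
    "block=900 owner=0xerin spender=0xother-contract value=500",
]

if __name__ == "__main__":
    for kind, spender, detail in detect(SAMPLE_EVENTS):
        print(f"{kind}: {spender} ({detail})")
```

The allowlist is the weak point of this design: a freshly deployed contract is unknown by definition, so the burst rule is the stronger signal. On the wallet side the matching control is to grant exact-amount approvals and to revoke standing allowances to contracts that are no longer in use.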

Common Traditional Attack Vectors Afflict DeFi Environments

DEX bZx was hacked in late 2021 when threat actors sent a simple, successful phishing email to one of the developers of bZx. The malicious email introduced a payload that enabled the compromise of a developer private key inside an Externally Owned Account (EOA) wallet. The private key in the EOA gave attackers access to two different chains, from which they drained millions of dollars. This attack was the fourth time bZx had been attacked in over two years (39, 40).

FRAUD ATTACK VECTORS

Fraud attack vectors remain the most popular attack type by volume of all DeFi attacks (2). Though fraud-based attacks do not fit with the other attack patterns discussed here, which leverage technical TTPs unique to DeFi, fraud continues to consume the DeFi space, primarily impacting end users in two forms: individual threat actors performing fraud against individual victims, and rug pull scams initiated by individuals or very small groups that impact many victims at once. Fraud against fiat currency remains a much larger issue, primarily due to the predominant use of fiat currency, with a low estimate of approximately $2 trillion in laundered fiat currency globally last year (11).

Fraud Attacks Against Individual Victims Remain a Prominent Attack Vector

Fraud-based cryptocurrency theft targeting individuals was more commonplace prior to 2020, when fewer high-value DeFi systems existed. Since 2020, the emergence of myriad DeFi products has been attracting threat actor attention away from individual fraud. Major cyberattacks against DeFi organizations increased more than 200% in the past year, and the appeal of big attacks influenced lower rates of less lucrative fraud against individuals (41, 42, 47). EclecticIQ analysts expect fraud aimed at individuals will retain the highest number of attacks relative to all other attack types because of the lower barrier to entry for this type of attack. The rise of malware-as-a-service adapted to cryptocurrency targets, coupled with a vacuum of law enforcement operations concerning attacks on individual victims, will create a double incentive, allowing attacks in this category to grow at the greatest rate relative to all others.

Rug Pull Attacks Represented About a Third of Malicious Activity Against Cryptocurrency and DeFi Platforms in 2021

Rugpull scams are attacks triggered when a key cryptocurrency organization figure, usually a founder or developer, convinces users to engage with a new DeFi platform initially and then abruptly disappears with part or all of the deposited value. This fraud attack vector is highly impactful, affecting many victims at once. Some estimates peg the total netted from rugpull scams at $7.7 billion through 2021 (43). Rugpull scams are most often abetted by smart contracts designed with intentional weaknesses, most often in transfer functions and in the absence of timelocks (also called liquidity locks). Timelocks limit the spending of part of a crypto asset until a future block has been added to the blockchain or until a future time (44).
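The access-control error described for Compound earlier and the timelocks whose absence abets rugpulls are two sides of the same control, so one added example covers both passages (it is not Compound's code or any protocol's timelock implementation): `OpenVault` has a privileged function with no caller check, and `GuardedVault` gates requests by role, enforces a delay measured in blocks, lets a guardian cancel during the delay and keeps an audit log. Roles, the delay length and the balances are assumed.

```python
# Added example, not Compound's code or any protocol's timelock. Contrasts a
# vault function open to any caller with a role-gated, time-locked one.
# Roles, delay and balances are assumed.


class OpenVault:
    """Vulnerable pattern: a grant function any address can call."""

    def __init__(self, balance: int):
        self.balance = balance

    def drip(self, caller: str, recipient: str, amount: int):
        # No check on `caller` and no delay: whoever discovers this drains the vault.
        self.balance -= amount
        return recipient, amount


class GuardedVault:
    """Hardened pattern: role check + timelock + cancellation window + audit log."""

    def __init__(self, balance: int, admins, guardians, delay_blocks: int):
        self.balance = balance
        self.admins = set(admins)
        self.guardians = set(guardians)
        self.delay_blocks = delay_blocks
        self.pending = {}      # request id -> {"recipient", "amount", "ready_block"}
        self.log = []          # append-only record a monitor can watch
        self._next_id = 1

    def _reserved(self) -> int:
        return sum(req["amount"] for req in self.pending.values())

    def request(self, caller, recipient, amount, block):
        """Queue a withdrawal; it can only execute after the delay has passed."""
        if caller not in self.admins:
            raise PermissionError(f"{caller} is not an admin")
        if amount <= 0 or amount > self.balance - self._reserved():
            raise ValueError("amount exceeds unreserved balance")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = {"recipient": recipient, "amount": amount,
                             "ready_block": block + self.delay_blocks}
        self.log.append(("requested", rid, caller, recipient, amount, block))
        return rid

    def cancel(self, caller, rid, block):
        """Guardians (or admins) can stop a queued withdrawal during the delay."""
        if caller not in self.guardians and caller not in self.admins:
            raise PermissionError(f"{caller} cannot cancel")
        self.pending.pop(rid)  # KeyError if there is no such request
        self.log.append(("cancelled", rid, caller, block))

    def execute(self, caller, rid, block):
        """Release the funds once the timelock has expired."""
        if caller not in self.admins:
            raise PermissionError(f"{caller} is not an admin")
        req = self.pending[rid]
        if block < req["ready_block"]:
            raise RuntimeError(f"timelock active until block {req['ready_block']}")
        del self.pending[rid]
        self.balance -= req["amount"]
        self.log.append(("executed", rid, caller, block))
        return req["recipient"], req["amount"]


if __name__ == "__main__":
    vault = GuardedVault(1_000, admins={"admin"}, guardians={"guardian"}, delay_blocks=100)
    rid = vault.request("admin", "treasury", 300, block=1)
    try:
        vault.execute("admin", rid, block=50)
    except RuntimeError as err:
        print("early execute refused:", err)
    print("executed:", vault.execute("admin", rid, block=101), "balance", vault.balance)
```

The delay is what turns an access-control failure from a drain into an alert: even if an admin key is compromised, the withdrawal sits in `pending` for `delay_blocks` blocks, during which a guardian, or a monitor watching the log, can cancel it. For a liquidity lock the same mechanism is applied to the team's own share, with the delay measured in months rather than blocks.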

Reputable reporting states rugpull scams represent the fastest-growing attack category, as measured by total stolen asset value in 2021 (45). It is very likely rugpull scam frequency is related to and influenced by cycles of increased cryptocurrency adoption. Increased cryptocurrency adoption means these types of scams net more money. This type of attack preys on novice users, who may transition to cryptocurrency increasingly during times of higher valuation or crisis.

CONCLUSION

EclecticIQ Analysts Assess With High Confidence That The Number of Threat Actors Flocking to DeFi Will Grow And Increase Risk From Cyberattacks

Illicit cryptocurrency transaction volume in 2021 reportedly represented only 0.15% of all cryptocurrency transactions (2). Security frameworks and common effective information security practices are lacking in DeFi systems, as is enforcement of standards to minimize risk. This produces large security gaps that allow threat actors to flourish. A large degree of the damage and risk from cyberattacks thus far has been offset by DeFi organizations' abilities to claw back assets and reimburse users. This is not a financially sustainable approach and will not last.

Effective Mitigation of TTPs Described Here Will Illuminate Details of Further Vulnerabilities And Weaknesses And Provide a Future Strategic Roadmap to Best Practices for DeFi

A review of recent cyberattacks netting the highest returns shows patterns in how threat actors are exploiting the decentralized finance industry. Many attacks described here take advantage of mutual and interdependent vulnerabilities and weaknesses that form attack patterns. Features inherent and built in to DeFi systems often play into these attack patterns. More traditional information security weaknesses integral to other technologies also play a large role in DeFi cyberattacks. The attack patterns identified above are ultimately the result of immature information security practices within an industry that is still taking shape. Targeting these attack patterns with further security resources developed from threat intelligence is key to closing the primary gaps discussed here.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at [email protected].


References

  1. coin360.com/charts
  2. blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/
  3. go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
  4. comparitech.com/crypto/biggest-cryptocurrency-heists/
  5. reuters.com/markets/us/cryptocurrency-crime-2021-hits-all-time-high-value-chainalysis-2022-01-06/
  6. rekt.news/leaderboard/
  7. comparitech.com/crypto/biggest-cryptocurrency-heists/
  8. ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021
  9. htxt.co.za/2021/08/poly-network-invites-hacker-to-be-its-chief-security-officer/
  10. slowmist.medium.com/slowmist-tracking-possible-identification-clues-related-to-poly-network-attackers-b330d4d710f
  11. insights.glassnode.com/defi-attacks-flash-loans-centralized-price-oracles/
  12. unodc.org/unodc/en/money-laundering/overview.html
  13. coinmarketcap.com/alexandria/article/coincheck-hack-one-of-the-biggest-crypto-hacks-in-history
  14. slowmist.medium.com/slowmist-analysis-of-uranium-finances-hacked-event-9c9d11af7b2b
  15. alfacash.medium.com/new-defi-hack-alpha-and-cream-finance-got-robbed-by-over-37m-b96fbbd54751
  16. coindesk.com/business/2021/08/30/defi-protocol-cream-finance-hacked/
  17. cointelegraph.com/news/pancakebunny-tanks-96-following-200m-flash-loan-exploit
  18. cointelegraph.com/news/axie-infinity-s-ronin-bridge-hacked-for-over-600m
  19. blockworks.co/sky-mavis-ronin-network-bridge-exploited-for-over-600m/
  20. elliptic.co/blog/540-million-stolen-from-the-ronin-defi-bridge
  21. blockworks.co/sky-mavis-ronin-network-bridge-exploited-for-over-600m/
  22. rekt.news/cream-rekt‑2/
  23. reuters.com/article/us-northkorea-sanctions-cyber-idUSKBN2AA00Q
  24. decrypt.co/56425/the-kucoin-hackers-successfully-took-45-million-in-crypto-says-ceo
  25. blog.chainalysis.com/reports/kucoin-hack-2020-defi-uniswap/
  26. decrypt.co/43806/kucoin-has-found-the-hackers-who-stole-281-million
  27. decrypt.co/56425/the-kucoin-hackers-successfully-took-45-million-in-crypto-says-ceo
  28. justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and/
  29. news.bitcoin.com/eight-historic-bitcoin-transactions
  30. comparitech.com/crypto/biggest-cryptocurrency-heists/
  31. forkast.news/headlines/vulcan-forged-replaces-token-stolen-hack/
  32. coinlive.me/by-revealing-the-users-private-key-the-vulcan-forged-platform-was-hacked-for-over-145-million-11139.html
  33. cointelegraph.com/news/ascendex-loses-80m-following-erc-20-bsc-polygon-hot-wallet-compromise
  34. support.bmx.fund/hc/en-us/articles/4411998987419
  35. medium.com/easify-network/easyfi-security-incident-66c02a277a91
  36. rekt.news/compound-rekt/
  37. theverge.com/2022/2/3/22916111/wormhole-hack-github-error-325-million-theft-ethereum-solana
  38. badger.com/technical-post-mortem
  39. techtarget.com/searchsecurity/news/252510627/BadgerDAO-users-cryptocurrency-stolen-in-cyber-attack
  40. microsoft.com/security/blog/2022/02/16/ice-phishing-on-the-blockchain/
  41. decrypt.co/85360/ethereum-defi-project-bzx-hacked-again-reported-55-million
  42. quantstamp.com/blog/10-quick-and-dirty-facts-about-the-bzx-hacks
  43. ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021/
  44. ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021/
  45. cointelegraph.com/explained/crypto-rug-pulls-what-is-a-rug-pull-in-crypto-and-6-ways-to-spot-it
  46. en.bitcoin.it/wiki
  47. blog.chainalysis.com/reports/2021-crypto-scam-revenues/

*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by EclecticIQ Threat Research Team. Read the original post at: https://blog.eclecticiq.com/attack-patterns-produce-growing-losses-targeting-mutual-vulnerabilities-endemic-to-decentralized-finance
