Research Finds Smart Contract Exploits Hardest to Eliminate as FBI Raises Warning

Please fol­low and like us:
Pin Share

In a recent research report, Token Ter­mi­nal finds that there are three root caus­es of DeFi exploits, and remov­ing smart con­tract vul­ner­a­bil­i­ties is by far the most chal­leng­ing of the three.

Since inter­est in decen­tral­ized finance has sky­rock­et­ed, so have the hacks and rug pulls in the seg­ment with an esti­mat­ed 105 on-chain exploits result­ing in the theft of almost $4.2 bil­lion from var­i­ous protocols.

Inter­est­ing­ly, the research finds that the biggest hacks, on aver­age, come via cross-chain bridges and cen­tral exchange (CEX) wal­lets, where­as yield aggre­ga­tors and lend­ing pro­to­cols are most fre­quent­ly abused.

“The largest exploits tend to be across mul­ti­ple chains or on major ecosys­tem bridges.”

FBI raises new DeFi warning for investors and platforms

The three largest DeFi exploits to date, Ronin Net­work ($624 mil­lion), Poly Net­work ($611 mil­lion), and Worm­hole ($326 mil­lion), are all cross-chain bridges that dom­i­nate the list of the largest exploits. Bridges typ­i­cal­ly lost over $188 mil­lion in every hack, the report noted.

Recent­ly, the US Fed­er­al Bureau of Inves­ti­ga­tion (FBI) cau­tioned the investors and plat­forms about these risks in DeFi in a pub­lic ser­vice announce­ment.

“Cyber crim­i­nals are increas­ing­ly exploit­ing vul­ner­a­bil­i­ties in the smart con­tracts gov­ern­ing DeFi plat­forms to steal cryp­tocur­ren­cy, caus­ing investors to lose mon­ey,” the agency not­ed. “Cyber crim­i­nals seek to take advan­tage of investors’ increased inter­est in cryp­tocur­ren­cies, as well as the com­plex­i­ty of cross-chain func­tion­al­i­ty and open source nature of DeFi platforms.”

Con­verse­ly, yield aggre­ga­tors and lend­ing pro­to­cols are the most fre­quent­ly tar­get­ed sys­tems by attacks, how­ev­er, they fre­quent­ly result in small­er finan­cial loss­es per attack as per Token Ter­mi­nal. In gen­er­al, yield aggre­ga­tors and lend­ing pro­to­cols were abused more fre­quent­ly, while bridges and CEXs typ­i­cal­ly suf­fer the biggest loss­es per exploit. Cross-chain bridges and CEX hot wal­lets account for $2.2 bil­lion in stolen assets, or over 52% of the total amount compromised.

Safe-keeping of private keys is the simplest rescue plan

The most com­mon caus­es of these exploits have been rough­ly cat­e­go­rized into smart con­tract loop­holes, com­pro­mised pri­vate keys, and pro­to­col fron­tend spoof­ing. Notably, loop­holes in smart con­tracts, fre­quent­ly asso­ci­at­ed with flash loans and ora­cle manip­u­la­tion, report­ed­ly account­ed for 73% of all hacks since Sep­tem­ber 2020. But, auto­mat­ed for­mal ver­i­fi­ca­tion and DeFi secu­ri­ty audits are the two pri­ma­ry tech­niques for man­ag­ing these smart con­tract risks.

The report also finds that the largest hacks, aver­ag­ing $91 mil­lion each, are caused by com­pro­mised pri­vate keys, which are often obtained using spear-phish­ing attempts. Iron­i­cal­ly, this attack vec­tor is also the most avoid­able by bet­ter secur­ing the pri­vate keys and using dif­fer­ent plat­forms for storage.

Last­ly, fron­tend spoof­ing is an attack method that goes against spe­cif­ic users rather than the funds that the pro­to­col con­trols, like in the case of the Bad­ger­DAO exploit. Typ­i­cal­ly, this entails using tech­niques like DNS cache poi­son­ing to replace the real pro­to­col website’s IP address with a pho­ny lookalike.

Mean­while, exploiters are also report­ed­ly look­ing for new options now that the stan­dard means of cash­ing out ill-got­ten gains, through Tor­na­do Cash, has been dis­con­tin­ued via sanc­tions. Be[In]Crypto had report­ed that fol­low­ing the penal­ties against Tor­na­do Cash, a small but ris­ing num­ber of decen­tral­ized finance (DeFi) projects, includ­ing dYdX, Liq­uid­i­ty, GMX, Kwen­ta, and oth­ers, are devel­op­ing decen­tral­ized fron­tends (DeFe) instead.

With that, the FBI also rec­om­mends that DeFi plat­forms insti­tute real-time ana­lyt­ics, mon­i­tor­ing, and rig­or­ous test­ing apart from devel­op­ing an inci­dent response to avoid such exploits.

How­ev­er, Aztec Net­work, an Ethereum-based rollup that offers pri­vate trans­ac­tions using zero-knowl­edge tech­nol­o­gy, is one pos­si­ble sub­sti­tute to Tor­na­do Cash as per the research report. 

For Be[In]Crypto’s lat­est Bit­coin (BTC) analy­sis, click here.

Disclaimer

All the infor­ma­tion con­tained on our web­site is pub­lished in good faith and for gen­er­al infor­ma­tion pur­pos­es only. Any action the read­er takes upon the infor­ma­tion found on our web­site is strict­ly at their own risk.

Source link

Please fol­low and like us:
Pin Share

Leave a Reply

Your email address will not be published. Required fields are marked *