The FBI Issues a Warning About DeFi
The Federal Bureau of Investigation issued a warning on Monday about attacks against decentralized finance (DeFi) platforms, saying that criminals are exploiting vulnerabilities in the smart contracts that run them.
"Between January and March 2022, cybercriminals stole $1.3 billion in cryptocurrencies, almost 97 percent of which was stolen from DeFi platforms," the agency says, citing an April 2022 report by blockchain analysis firm Chainalysis.
The FBI cites three primary tactics cybercriminals use to execute these attacks. The first is the flash loan attack: a flash loan is an uncollateralized loan that must be repaid within the same transaction, which hands an attacker a large amount of temporary capital with which to trigger an exploit in the platform's smart contracts. The second is exploiting a signature verification vulnerability in the DeFi platform's token bridge, as happened to Nomad earlier this month. The third is manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities, including the platform's reliance on a single price oracle.
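To make the first and third tactics concrete, here is an added simulation that is not part of the FBI warning or any real protocol. It models a constant-product AMM, a lending pool that prices collateral from a single spot-price oracle, and an attacker who funds the manipulation with a flash loan; it then reruns the same attack against a time-weighted average price (TWAP) oracle. All numbers, names and parameters (pool reserves, fees, the 0.75 loan-to-value ratio, the ten-block TWAP window) are constructed for illustration and are not taken from the article.

```python
"""Added simulation (not from the FBI PSA or any real protocol): a flash-loan-funded price
manipulation against a lending pool that prices collateral from a single AMM spot oracle,
compared with the same attack against a time-weighted average price (TWAP) oracle.
All protocol names, numbers and parameters are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class ConstantProductPool:
    """Toy x*y=k AMM holding a volatile token (tok) and a stablecoin (usd)."""
    tok: float
    usd: float
    fee: float = 0.003  # 0.3% swap fee, a common AMM default

    def spot_price(self) -> float:
        """Price of 1 tok in usd read straight from reserves: the 'single price oracle'."""
        return self.usd / self.tok

    def swap_usd_for_tok(self, usd_in: float) -> float:
        k = self.tok * self.usd
        tok_out = self.tok - k / (self.usd + usd_in * (1 - self.fee))
        self.usd += usd_in
        self.tok -= tok_out
        return tok_out

    def swap_tok_for_usd(self, tok_in: float) -> float:
        k = self.tok * self.usd
        usd_out = self.usd - k / (self.tok + tok_in * (1 - self.fee))
        self.tok += tok_in
        self.usd -= usd_out
        return usd_out


@dataclass
class TwapOracle:
    """Averages spot prices recorded at block boundaries. A swing made inside one
    transaction is not visible until the next block, and is then diluted by the window."""
    pool: ConstantProductPool
    window: int = 10
    observations: List[float] = field(default_factory=list)

    def record(self) -> None:  # called once per block by the protocol
        self.observations.append(self.pool.spot_price())
        self.observations = self.observations[-self.window:]

    def price(self) -> float:
        return sum(self.observations) / len(self.observations)


@dataclass
class LendingPool:
    """Lends usd against tok collateral at a fixed loan-to-value ratio, pricing via `oracle`."""
    usd: float
    ltv: float
    oracle: Callable[[], float]

    def borrow(self, tok_collateral: float) -> float:
        usd_out = tok_collateral * self.oracle() * self.ltv
        if usd_out > self.usd:
            raise ValueError("insufficient liquidity")
        self.usd -= usd_out
        return usd_out


def run_attack(oracle_kind: str, flash_loan_usd: float = 5_000_000.0) -> float:
    """Run the manipulation inside one 'transaction' and return the attacker's net usd."""
    pool = ConstantProductPool(tok=1_000_000.0, usd=1_000_000.0)  # honest price: 1 tok = 1 usd
    twap = TwapOracle(pool)
    for _ in range(twap.window):  # ten honest blocks of price history before the attack
        twap.record()
    oracle = pool.spot_price if oracle_kind == "spot" else twap.price
    lender = LendingPool(usd=3_000_000.0, ltv=0.75, oracle=oracle)

    flash_fee = flash_loan_usd * 0.0009  # uncollateralized; must be repaid plus fee this tx
    # 1. Dump the borrowed usd into the AMM, inflating the spot price of tok.
    tok_held = pool.swap_usd_for_tok(flash_loan_usd)
    # 2. Post just enough tok as collateral to drain the lender at the oracle's price.
    price = lender.oracle()
    collateral = min(tok_held, lender.usd / (price * lender.ltv) * 0.9999)
    usd_held = lender.borrow(collateral)
    tok_held -= collateral
    # 3. Sell the remaining tok back, unwinding most of the price move.
    if tok_held > 0:
        usd_held += pool.swap_tok_for_usd(tok_held)
    # 4. Repay the flash loan. A negative result means the attacker cannot repay from
    #    proceeds, so on-chain the whole transaction reverts and the attack fails.
    return usd_held - (flash_loan_usd + flash_fee)


if __name__ == "__main__":
    print(f"spot oracle: attacker net {run_attack('spot'):,.0f} usd")
    print(f"twap oracle: attacker net {run_attack('twap'):,.0f} usd")
```

Against the spot oracle the attacker walks away with several million usd of the lender's liquidity and abandons collateral that is worth far less once the price snaps back; against the TWAP oracle the manipulated price is never observed, the loan is tiny relative to the flash loan, and the transaction cannot repay itself. The mitigation the simulation demonstrates is the one the FBI's third tactic implies: do not price collateral from a single manipulable source within the same block.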
"Cybercriminals seek to take advantage of investors' increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms," the agency says.
Blockchain security and analytics firms have long documented the attack methods hackers most frequently use against smart contracts.
Vulnerabilities at this layer are especially dangerous because, as the Ethereum Foundation notes, "smart contract code usually cannot be changed to patch security flaws, assets that have been stolen from smart contracts are irrecoverable, and stolen assets are extremely difficult to track."
Though DeFi platforms are regularly in the headlines for such attacks, they are not the only vulnerable technology in crypto; last week the blockchain analysis firm Elliptic published its "NFTs and Financial Crime" report, which details how over $100 million in NFTs were stolen between July 2021 and July 2022.
Accordingly, the FBI recommends that investors research a DeFi platform's protocols and smart contracts before investing and be aware of the inherent risks involved.
For example, the bureau recommends that users check whether the platform's code has been audited by an independent firm, and be wary of investment pools with extremely limited timeframes to join and of rapidly deployed smart contracts, especially those that lack such an audit.
The FBI and FAL follow the same rule of thumb: do your research. It is nice to see a story from a U.S. federal agency that doesn't specifically spell doom for the industry. Hopefully more will follow in the coming months.