Fraudsters have already stolen over $1 billion in cryptocurrency this year • The Register

After more than $1 billion was stolen from DeFi (decentralized finance) providers in three months, the FBI has urged people to be vigilant and to thoroughly research a provider before putting money into it.

In an alert this week, citing figures from blockchain research firm Chainalysis, the FBI said that a total of $1.3 billion in cryptocurrency was stolen from January to March 2022 alone, 97 percent of it taken from DeFi platforms. In May, Chainalysis raised that figure to $1.68 billion for the first four months of the year.

The FBI wants people to be aware of the risks, to seek expert financial advice when in doubt, and to do their homework on the security and business practices of DeFi providers, meaning the exchanges, marketplaces, and similar sites where you can buy, sell, swap, or lend out digital assets.

The agency's alert follows a series of cyber thefts against platforms of this kind, including a $100 million attack on Harmony (purportedly carried out by North Korea), an estimated $200 million theft from BitMart, and a $130 million theft from Cream Finance.

According to Chainalysis, North Korea's cryptocurrency heists are the largest ever, with at least $840 million stolen so far in 2022.

"The data shows that toughening DeFi protocols against hackers is not just about building trust with users so that DeFi can continue to grow," Chainalysis argues. "Given that cryptocurrencies stolen by North Korean hacking groups are used to support North Korea's development of weapons of mass destruction, this is also a matter of international security." The firm points to a 2019 UN document [PDF] in support of that argument.

The FBI alert opens with a general warning to investors about conducting due diligence before investing, and then suggests:

  • Research DeFi platforms, protocols, and smart contracts before investing, and be aware of the specific risks associated with DeFi investments.
  • Ensure that the DeFi investment platform has had at least one code audit performed by an independent auditor. A code audit typically includes a thorough review and analysis of the platform's underlying code to identify vulnerabilities and weaknesses that could negatively impact the platform's operation.
  • Be alert to DeFi investment pools with extremely short timeframes to join and rapidly deployed smart contracts, especially those that have not had the recommended code audit.
  • Be aware of the potential risks of relying on crowdsourced solutions to identify and patch security vulnerabilities. Open source code repositories are freely accessible to everyone, including malicious actors.

Most DeFi platforms are relatively new and attract investors large and small. They may offer more than the basic exchange of tokens: for example, many of these websites and apps allow users to create and use smart contracts. A smart contract is essentially code that executes on the blockchain to carry out a transaction, which means user-written bugs are in the mix that thieves can exploit to steal coins or make assets vanish. Then there are the APIs for accessing collectibles and sending tokens, which can also go wrong. The combination of poorly tested or poorly implemented technology and large sums of money makes this landscape an attractive target for cybercriminals.

"People put their trust in encryption algorithms and protocols, and time will tell if they are right," Jeff Williams, co-founder and chief technology officer of cybersecurity firm Contrast Security, told The Register.

"But even when it's perfect, DeFi platforms are more than just cryptocurrencies. These platforms are pure software, with all the required security around authentication, access control, input handling, attack detection and response, open source use, and IaC [infrastructure-as-code]."

Even the largest established financial institutions suffer from software vulnerabilities, with an average of more than 30 serious problems per application, Williams claims.

The FBI said cyber gangs appear to be targeting smart contracts. The agency describes a smart contract as a self-executing contract in which the terms agreed upon by buyer and seller are written directly into lines of code. These contracts execute when the contract terms are met and are replicated across distributed, decentralized blockchain networks.

Authorities have already identified several methods cybercriminals use to defraud DeFi platforms, including combining smart contracts with flash loans to steal millions of dollars in seconds. A DeFi platform called Beanstalk Farms lost $180 million in one such attack in April. The agency also noted that Wormhole, a protocol for bridging blockchains, lost $320 million in Ether in February due to a signature verification vulnerability.

According to Michael Oglesby, executive vice president of security services at cybersecurity firm Cerberus Sentinel, investors should scrutinize the cybersecurity practices of DeFi platforms as closely as their financial returns, and confirm that those practices have been independently vetted and tested.

"The explosive growth and high returns of the DeFi ecosystem have attracted many early adopters of blockchain technology such as smart contracts," Oglesby told The Register. "Early investors need to be vigilant, but most DeFi systems have little protection and few safety nets in place to prevent catastrophic losses from unauthorized attacks."

According to the FBI, operators of DeFi platforms should conduct real-time analytics, monitoring, and rigorous testing of their code, and develop incident response plans that include notifying investors.

The FBI's warnings are good, Williams said, but netizens "really need more transparency in terms of the security protections these companies provide," pointing to the [US President's] Cyber Security Executive Order.
