FBI warns about cyber criminals exploiting DeFi vulnerabilities
Vulnerabilities in decentralized finance (DeFi) platforms are being exploited by cybercriminals to steal cryptocurrency, the Federal Bureau of Investigation warned Monday.
DeFi platforms generally rely on smart contracts, which are automated agreements that lack an intermediary, like a broker.
However, that has left many platforms, and the assets investors entrust to them, at risk.
“Cyber criminals seek to take advantage of investors’ increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms,” the agency warned in a public service announcement.
In March, Ronin Network announced attackers stole cryptocurrency worth hundreds of millions of dollars in a DeFi hack later attributed to North Korean hackers. Other DeFi platforms, including Deus Finance, Rari Capital, Saddle Finance, and Inverse Finance, have also suffered thefts.
The FBI said it has observed attackers use a number of different tactics, including exploiting vulnerabilities related to signature verification and flash loans — smart contracts that enable conditional instant lending.
The agency included advice for investors:
Research DeFi platforms, protocols, and smart contracts before investing and be aware of the specific risks involved in DeFi investments.
Ensure the DeFi investment platform has conducted one or more code audits performed by independent auditors. A code audit typically involves a thorough review and analysis of the platform’s underlying code to identify vulnerabilities or weaknesses in the code that could negatively impact the platform’s performance.
Be alert to DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.
Be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching. Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.
The FBI also recommended DeFi developers adopt real-time analytics, monitoring, and rigorous code-testing as well as response plans in the event of exploitation or other suspicious activity.
Andrea Peterson
(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.