Decentralized finance in the crosshairs of cybercriminals


Decentralized finance is inherently a risky bet. In recent months, several hacks targeting decentralized finance platforms have led to the theft of several million dollars in various cryptocurrencies. While in some cases the perpetrators of the attacks agreed to return the money, in other cases they preferred to keep the stolen funds, leaving it to the victim companies to arrange with their users to reimburse the sums.

In a blog post published at the beginning of April, the American company Chainalysis returned to the numerous hacks that have shaken the decentralized finance sector in recent months.

The trend shows no sign of weakening. “Nearly 97% of all cryptocurrencies stolen in the first three months of 2022 were taken from DeFi protocols, compared to 72% in 2021 and only 30% in 2020”, indicates Chainalysis, recalling in passing that, by its count, cryptocurrency thefts in 2021 totaled $3.2 billion.

Smart contracts aren’t always so smart

If players in the decentralized finance sector are such an attractive target for hackers, it is because they open up a new opportunity for cybercriminals who want to steal funds. At the heart of decentralized finance are applications that allow peer-to-peer financial operations to be carried out in a fully automated manner, an automation made possible in particular by the use of “smart contracts” running on the Ethereum blockchain.

But these smart contracts are just programs like any other: they are therefore not exempt from classic software bugs and security vulnerabilities.

The enthusiasm for these tools therefore opens up a new avenue for cybercriminals, who may seek to exploit the flaws of certain smart contracts to steal funds. “Code exploits happen for a number of reasons. On the one hand, open source development is a staple of DeFi applications. This is a generally positive trend: since DeFi protocols move funds without human intervention, users need to be able to audit the code in order to trust the protocol. But it also benefits cybercriminals, who can analyze scripts for vulnerabilities and plan exploits well in advance.”

Changing trends

This type of attack is notably the one identified in the hack of the Ronin network, used by the online game Axie Infinity, which allowed attackers to steal more than 625 million dollars in cryptocurrencies. Its share of thefts has remained at an equivalent level in recent years.

The Chainalysis report, however, notes that attackers’ reliance on “flash loan” attacks, a technique popular in 2020, is in gradual decline and accounts for only a tiny fraction of cryptocurrency theft in the first months of 2022. Unlike attacks exploiting a vulnerability within a smart contract, the flash loan technique involves abusing the automated lending capabilities of decentralized finance applications to manipulate the prices of certain securities on exchanges.

The last technique mentioned by the Chainalysis teams is the leak of private data, more precisely attackers obtaining the private keys for the addresses used to store cryptocurrencies. These private keys can be obtained through a variety of means, ranging from phishing to scamming to hacking into the devices storing them, and this approach does not seem to be losing steam. “From 2020 to the first quarter of 2022, 35% of stolen cryptocurrencies” were due to an attack of this type, indicates Chainalysis. The use of this type of attack against decentralized finance protocols even seems to be on the rise.

For Chainalysis, these numbers underscore the importance of developing secure protocols. “Code audits, decentralized oracle applications, and a more rigorous approach to platform security could be the ideal means to this end,” conclude the report’s authors.
