The FBI has issued a Public Service Announcement (PSA) about increasingly concentrated cybercriminal activity in the DeFi (Decentralized Finance) landscape. The FBI cautions investors to do their due diligence when choosing which DeFi protocols to engage with, pointing to vulnerabilities that stem from the (frequently) open-source nature of these platforms. Open source is transparent, but it also opens the book on any security vulnerabilities for cybercriminals to find and exploit. With Decentralized Exchanges (DEX) moving around $1 trillion in 2021, there is a huge appetite for exploits.
The FBI's numbers are staggering. According to the service, an estimated $1.3 billion has already been stolen from the cryptocurrency market, with 97% of that value taken from the DeFi sector between January and March this year. The FBI estimates this to be a 72% increase over the same period last year, and a 30% increase over 2020. According to public data, over $4 billion was siphoned from the crypto space over the whole of 2021. The service also explicitly points to wormholes, bridge services that link disparate blockchains together, as preferred points of attack. Recently, one such service, Ronin, was hacked for $625 million.
"The #FBI warns that cyber criminals are increasingly exploiting vulnerabilities in decentralized finance (DeFi) platforms to steal investors' cryptocurrency. If you think you are the victim of this, contact your local FBI field office or IC3. Learn more: https://t.co/fboL1N17JN" (FBI tweet, August 29, 2022)
Within the cryptocurrency world, DeFi has several tiers of decentralization, from truly decentralized services (where no single institution controls funds or private keys) to less decentralized versions (recall the events surrounding the Celsius DEX). All of them operate through smart contracts, pieces of code that define the rules for swaps, purchases, transfers of ownership, and essentially everything that happens in the blockchain space.
Because of the complexity of the programming involved, however, bugs sometimes slip through into the code, and poor code audits and validation let them stay there. The FBI has thus included in its recommendations that investors make sure the DeFi service they are considering has been through independent code audits. This isn't a guarantee that the service can't or won't be hacked, but it does, in theory, raise the bar that attackers have to clear to reach users' funds.
Poor code typically has bugs that bad actors can leverage to siphon funds from exchanges. The siphoning can happen through an actual transfer of funds from the DEX to criminal-controlled wallets, or by minting (creating) apparently legitimate tokens out of thin air. (These are not the "real" tokens, such as a unit of Ethereum (ETH) or Bitcoin (BTC), but exchange-specific representations of them that are valued the same as their original counterparts.) Once minted, these tokens are recognized as valid and are thus worth exactly as much as legitimately issued ones, even though they are in fact worthless.
This raises two tiers of concern. First, the value of every equivalent token in circulation drops, because there are now more of them circulating. Second, the minted tokens can be exchanged for the actual cryptocurrencies they represent (such as BTC or ETH), which investors have usually deposited into the exchange as collateral for their DEX activities.
Once those funds are exchanged and moved to a criminal wallet, the game is mostly over: because the blockchain is irreversible, all trades are final. Such attacks can bring exchanges to their knees. They no longer hold the cryptocurrency assets their investors deposited and so can't return them on request, which triggers liquidity crises and "bank runs" and leaves investors' funds stranded.
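To make the mechanism in the three paragraphs above concrete, here is a small Python model of a wrapped-token bridge. It is an added illustration, not code from the FBI's PSA or from any real exchange or bridge; the `Bridge` class, its method names and the balances are constructed for the example. The invariant it enforces is that wrapped supply never exceeds locked collateral. The unchecked mint shows how unbacked tokens drain the collateral until honest depositors can no longer redeem, and the checked mint shows the two controls (caller authorization and a matching verified deposit) that close that path.

```python
"""Toy model of a wrapped-token bridge (added illustration, not code from the
FBI PSA or from any real bridge or exchange).

A bridge locks a "real" asset on one chain and mints an equal amount of a
wrapped token on another. Its safety invariant is that wrapped supply never
exceeds locked collateral. ``mint_unchecked`` is a hypothetical bug of the
kind the article describes; ``mint_checked`` is the hardened path.
"""
from dataclasses import dataclass, field


class BridgeError(Exception):
    """Raised when a bridge operation is rejected."""


@dataclass
class Bridge:
    locked_collateral: int = 0                       # asset locked on chain A
    wrapped: dict = field(default_factory=dict)      # wrapped balances on chain B
    pending: dict = field(default_factory=dict)      # deposits not yet minted
    authorized_minters: set = field(default_factory=set)

    def total_wrapped(self) -> int:
        return sum(self.wrapped.values())

    def backed(self) -> bool:
        """Invariant: every wrapped unit is backed by locked collateral."""
        return self.total_wrapped() <= self.locked_collateral

    def lock(self, user: str, amount: int) -> None:
        """Chain A side: a user deposits collateral to be bridged."""
        if amount <= 0:
            raise BridgeError("amount must be positive")
        self.locked_collateral += amount
        self.pending[user] = self.pending.get(user, 0) + amount

    def mint_unchecked(self, caller: str, to: str, amount: int) -> None:
        """Hypothetical bug: anyone can mint, and no deposit is required."""
        self.wrapped[to] = self.wrapped.get(to, 0) + amount

    def mint_checked(self, caller: str, to: str, amount: int) -> None:
        """Hardened mint: authorized relayer, matching deposit, invariant kept."""
        if caller not in self.authorized_minters:
            raise BridgeError(f"{caller} is not an authorized minter")
        if self.pending.get(to, 0) < amount:
            raise BridgeError(f"no verified deposit of {amount} for {to}")
        if self.total_wrapped() + amount > self.locked_collateral:
            raise BridgeError("mint would exceed locked collateral")
        self.pending[to] -= amount
        self.wrapped[to] = self.wrapped.get(to, 0) + amount

    def redeem(self, user: str, amount: int) -> int:
        """Burn wrapped tokens and release collateral; fails once the pool is drained."""
        if self.wrapped.get(user, 0) < amount:
            raise BridgeError("insufficient wrapped balance")
        if self.locked_collateral < amount:
            raise BridgeError("bridge is illiquid: collateral already withdrawn")
        self.wrapped[user] -= amount
        self.locked_collateral -= amount
        return amount


def simulate_unbacked_mint() -> dict:
    """Replay the article's scenario with constructed values."""
    b = Bridge(authorized_minters={"relayer"})
    for user, amt in (("alice", 100), ("bob", 50)):
        b.lock(user, amt)
        b.mint_checked("relayer", user, amt)       # legitimate, backed mints
    assert b.backed()
    # 1. The bug lets an attacker mint 120 wrapped units with no deposit.
    b.mint_unchecked("attacker", "attacker", 120)
    backed_after_mint = b.backed()                 # False: 270 wrapped vs 150 locked
    # 2. The fake tokens are redeemed for real collateral first.
    drained = b.redeem("attacker", 120)
    # 3. Honest depositors can no longer all redeem: 30 collateral remains.
    try:
        b.redeem("alice", 100)
        alice_can_redeem = True
    except BridgeError:
        alice_can_redeem = False
    # 4. The hardened path rejects both an unauthorized caller and an
    #    authorized relayer minting against a deposit that never happened.
    h = Bridge(authorized_minters={"relayer"})
    h.lock("alice", 100)
    h.mint_checked("relayer", "alice", 100)
    rejections = 0
    for caller in ("attacker", "relayer"):
        try:
            h.mint_checked(caller, "attacker", 120)
        except BridgeError:
            rejections += 1
    return {
        "backed_after_mint": backed_after_mint,
        "collateral_drained": drained,
        "remaining_collateral": b.locked_collateral,
        "alice_can_redeem": alice_can_redeem,
        "hardened_rejections": rejections,
        "hardened_backed": h.backed(),
    }


if __name__ == "__main__":
    for key, value in simulate_unbacked_mint().items():
        print(f"{key}: {value}")
```

Run it directly to print the outcome of each step. The point a code auditor looks for is the same in real contracts: every mint path must be tied to an authorization check and to evidence of a corresponding deposit, and the supply-versus-collateral invariant should be asserted in code rather than assumed.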
Cybercriminals take a number of steps to hide their activity, including tumblers (smart contracts that erase cryptocurrency trails by pooling the funds sent to them, obscuring provenance and the general traceability of cryptocurrency transactions). The Tornado.cash service was one of them (its coder has since been arrested). Another, more ingenious (and destructive) method is for hackers to simply paste their exploit code into an open database. Others, who generally wouldn't have the know-how to exploit vulnerabilities themselves, can then copy and paste that code and take part in the looting. Here, chaos serves as cover.
The FBI clearly considers the cryptocurrency space a source of concern, with each successful extraction of funds by bad actors hitting a large number of users (i.e. investors). It falls to users to do their due diligence in choosing which exchanges to interact with and where to deposit their investments. Looking for exchanges that offer adequate transparency, that are actually decentralized, that have undergone independent code audits, and that have a history of strong coding and incident response is paramount if investors are to gauge accurately how risky their investment is. Easier said than done.
At the same time, the responsibility doesn't lie solely with investors. The FBI urges exchanges to take the same steps it is asking users to look for: perform independent code audits, run real-time on-chain analytics, and have timely incident response plans that communicate effectively with investors.
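The "real-time on-chain analytics" the FBI asks exchanges to run can be as simple as a stream monitor over the events a bridge or exchange contract emits. The following Python is an added example, not from the FBI's PSA or from any exchange's actual tooling; its event names, fields, sample stream and thresholds are constructed assumptions. It flags the two signals the scenario in this article produces: a mint with no deposit behind it, and a burst of withdrawals that removes a large fraction of the pool within a few blocks.

```python
"""Constructed on-chain event monitor (added example, not from the FBI PSA or
from any real exchange's tooling).

It consumes a block-ordered stream of bridge events, as an indexer would emit
them, and raises two alerts that the article's scenario produces: a Mint with
no matching prior Deposit (unbacked tokens), and a burst of Withdraw volume in
a short window that removes a large share of the pool (a drain in progress).
Event names, fields, and thresholds are this example's own assumptions.
"""
from collections import deque

# Constructed sample stream: (block_number, event, account, amount)
SAMPLE_EVENTS = [
    (100, "Deposit", "alice", 100),
    (101, "Mint", "alice", 100),
    (102, "Deposit", "bob", 50),
    (103, "Mint", "bob", 50),
    (110, "Mint", "mallory", 120),     # no deposit behind it
    (111, "Withdraw", "mallory", 70),
    (111, "Withdraw", "mallory", 50),
    (130, "Withdraw", "alice", 10),    # ordinary activity, outside the window
]


def monitor(events, window_blocks=5, drain_fraction=0.5):
    """Return a list of (block, alert_type, detail) tuples.

    Tracks deposits not yet matched by a mint, the collateral pool, and a
    sliding window of recent withdrawals measured against the pool as it
    stood before that window's outflow.
    """
    alerts = []
    pending = {}        # account -> deposited but not yet minted
    pool = 0            # collateral currently held by the bridge
    recent = deque()    # (block, amount) withdrawals inside the window
    for block, kind, account, amount in sorted(events, key=lambda e: e[0]):
        if kind == "Deposit":
            pending[account] = pending.get(account, 0) + amount
            pool += amount
        elif kind == "Mint":
            backing = pending.get(account, 0)
            if amount > backing:
                alerts.append((block, "UNBACKED_MINT",
                               f"{account} minted {amount} with {backing} deposited"))
            pending[account] = max(0, backing - amount)
        elif kind == "Withdraw":
            while recent and block - recent[0][0] > window_blocks:
                recent.popleft()               # expire withdrawals outside the window
            recent.append((block, amount))
            pool -= amount
            outflow = sum(a for _, a in recent)
            pool_before_window = pool + outflow
            if pool_before_window > 0 and outflow >= drain_fraction * pool_before_window:
                alerts.append((block, "DRAIN_BURST",
                               f"{outflow} of {pool_before_window} withdrawn within "
                               f"{window_blocks} blocks"))
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(*alert)
```

In a real deployment the stream would come from an indexer or node subscription, the window and fraction would be tuned to the pool's normal turnover, and an alert would feed the response plan the FBI mentions, so that the team can investigate and communicate with investors before the pool is empty rather than after.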
Ultimately, users also vote with their wallets on which DeFi platforms rise to prominence. The better informed their decisions, the smarter their investment allocation and the lower the risk.