The FBI is warning crypto investors that cybercriminals are increasingly exploiting vulnerabilities in decentralized finance (DeFi) platforms to pilfer funds from unsuspecting victims.
In a public service announcement, the Bureau says the thieves are leveraging vulnerabilities in the smart contracts governing DeFi platforms to steal cryptocurrency. Investors who suspect they’ve been a victim are instructed to contact the FBI via the Internet Crime Complaint Center or their local FBI field office.
Cybercriminals are apparently taking advantage of the complexity of cross-chain functionality and the open source nature of DeFi platforms to find vulnerabilities to exploit.
Citing data from Chainalysis, the agency reports that hackers stole $1.3 billion in cryptocurrencies between January and March 2022. Around 97% of that was stolen from DeFi platforms, an increase from 72% in 2021 and 30% in 2020.
According to the FBI, threat actors’ methods include:
- Initiating a flash loan that triggered an exploit in the DeFi platform’s smart contracts, costing investors and the project’s developers approximately $3 million in cryptocurrency.
- Exploiting a signature verification vulnerability in the DeFi platform’s token bridge and withdrawing all of the platform’s investments, inflicting some $320 million in losses.
- Manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities, including the DeFi platform’s use of a single price oracle, then conducting leveraged trades that bypassed slippage checks and benefited from price calculation errors, stealing approximately $35 million in cryptocurrencies.
If in any doubt, investors are told to seek advice from a licensed financial adviser. They should also research DeFi platforms, protocols and smart contracts before reaching for their wallet, and make sure they are fully aware of the risks specific to DeFi investments.
A good rule of thumb is to ensure the DeFi investment platform has conducted one or more code audits performed by independent auditors, so that any vulnerabilities or weaknesses in the code have been identified and fixed.
Stakeholders would be smart to steer clear of DeFi investment pools with extremely limited timeframes, especially without the recommended code audit.
Also important is to be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching, as “open source code repositories allow unfettered access to all individuals,” including malicious actors, the FBI notes.
As for DeFi platform providers, the agency recommends instituting real-time analytics, monitoring and rigorous testing of code to be able to quickly combat any vulnerabilities or indicators of suspicious activity.
Finally, DeFi vendors should develop and implement an incident response plan that includes alerting investors when smart contract exploitation, vulnerabilities or other suspicious activity is detected.
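As an added illustration of the real-time monitoring the FBI recommends (example code written for this summary, not from the FBI or any DeFi project), the following checker runs over a constructed stream of on-chain events and raises alerts on the two patterns described above: a single-source oracle quote jumping away from its recent trailing average, and one withdrawal removing a large share of a pool's reserves. The thresholds, event shape and sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    block: int
    kind: str     # "price": one oracle quote; "withdraw": funds leaving the pool
    value: float  # quoted price, or amount withdrawn

def check_events(events, reserve, window=5, max_dev=0.10, max_drain=0.25):
    """Return (alerts, remaining_reserve) for a stream of events.

    Two checks modelled on the incidents summarised in the PSA:
    - an oracle quote moving more than max_dev (10%) from the average of the
      last `window` quotes, which a single price oracle cannot notice by itself;
    - a withdrawal taking more than max_drain (25%) of the pool in a single
      transaction, the shape of a drain-everything bridge exploit.
    Thresholds are illustrative assumptions, not recommended production values.
    """
    alerts = []
    history = []  # trailing oracle quotes
    for ev in events:
        if ev.kind == "price":
            if len(history) >= window:
                baseline = sum(history[-window:]) / window
                dev = abs(ev.value - baseline) / baseline
                if dev > max_dev:
                    alerts.append((ev.block, f"oracle quote deviates {dev:.0%} from trailing average"))
            history.append(ev.value)
        elif ev.kind == "withdraw":
            frac = ev.value / reserve if reserve > 0 else 1.0
            if frac > max_drain:
                alerts.append((ev.block, f"single withdrawal removes {frac:.0%} of pool"))
            reserve -= ev.value
    return alerts, reserve

# Constructed sample: five normal quotes, one manipulated quote, then two withdrawals
SAMPLE_EVENTS = [
    Event(1, "price", 100.0), Event(2, "price", 101.0), Event(3, "price", 99.0),
    Event(4, "price", 100.0), Event(5, "price", 102.0),
    Event(6, "price", 150.0),      # ~49% above the trailing average
    Event(7, "withdraw", 300.0),   # 30% of a 1000-unit pool in one transaction
    Event(8, "withdraw", 50.0),    # routine withdrawal, no alert
]

if __name__ == "__main__":
    for block, reason in check_events(SAMPLE_EVENTS, reserve=1000.0)[0]:
        print(f"block {block}: {reason}")
```

A production monitor would compare against an independent reference price rather than the same oracle's own history, since a trailing average computed from a manipulated feed drifts with it.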