The world of decentralised finance (DeFi) is defined by interesting projects, varied cryptocurrencies, blockchains, financial innovations and promises of wealth and digital freedom. It is also populated by the type of people and organisations that usually hang around outside money-making endeavours not yet regulated enough. The snake oil salesmen, the wonder cure tonic charlatans, the money grabbers – both legal and illegal – and, of course, the cybercriminal elite. DeFi promises a lot, but currently it is spending more time under-delivering and having billions of dollars stolen.
As Anna Collard, SVP of Content Strategy and Evangelist of KnowBe4 Africa points out, DeFi is Web3’s attempt at a more transparent financial system with financial instruments designed to make life easier, but needs more rigorous security and regulations to bring this potential into reality.
“The innovation in Web3 and DeFi offer up opportunities to both new and traditional financial institutions,” she adds. “However, they bring with them cyber-risks, scams and very little consumer protection. Apart from not being able to get your money back when DeFi institutions go bankrupt or struggle during crypto downturns, there is the risk of falling for social engineering attacks such as phishing or fake investments or succumbing to malware written to target people who play in this space.”
One such malware is Clipper. It targets cryptocurrency wallet owners during a transaction and when the user applies copy and paste, Clipper replaces the address with the one belonging to the attacker. As a result, the user ends up sending funds to a criminal and not to the person or business they intended.
Another challenge is that the code that is written for distributed apps and smart contracts is written by people, and people make mistakes and accidently embed bugs into the code. According to Immunefi, the total loss experienced by DeFi hacks in 2021 was $10 billion with a 137% rise in attacks compared with 2020. And this is only going to get worse…
“One of the leading ways in which attackers and malware gain access to a system is through social engineering,” says Collard. “This is responsible for a significant percentage of attacks. People are the most popular attack vector because they trust, they make mistakes, and they fall victim to fear and emotion-based attacks. Social engineering was one of the techniques used in the US$ 615 million Ronin heist, which has been linked to the North Korean Lazarus cybercrime group.”
Exploiting system or smart contract vulnerabilities or business logic vulnerabilities are another popular attack vector.
“One of the primary issues with DeFi is that many of the new protocols being launched have code vulnerabilities that hackers can exploit,” says Collard. “Cyber-attacks not only steal assets, but also undermine the reputation of the platform which results in withdrawals by investors and can cause a cataclysmic chain of failure. There are also business logic loopholes such as the $182 million flash loan attack against Beanstalk which is a credit-based stable coin protocol based on Ethereum.”
The opportunity for fraud is what makes this space so exciting for the cybercriminal syndicates. One of the alleged leaders of the Conti Ransomware as a Service gang asked his team to search for crypto schemes and sponsored $100,000 for a writing competition in the crypto space to identify local talent. It is a highly lucrative space with limited regulations which makes it so attractive to the criminals.
“Organisations interested in this space need to assess what is at stake, unpack the vulnerabilities, and ensure their developers are well trained with any smart contracts extensively audited before they go live,” concludes Collard. “This ecosystem is rapidly changing and there has to be more cooperation between stakeholders from protocols to security practitioners to regulators to solve these challenges.”