This is the first piece in an ongoing series that decodes the U.S. Department of Treasury’s assessment of DeFi Services. In this piece, the Merkle Science team will be breaking down cyber-related vulnerabilities highlighted in the assessment.
To learn more about Blockchain Analytics and how it can help you move forward with safety and security in a decentralized world, watch out for our next piece.
Earlier today, the U.S. Department of Treasury published an assessment titled “Illicit Finance Risk Assessment of Decentralized Finance” (the assessment). The assessment explores how illicit actors are abusing DeFi services and the vulnerabilities that are unique to such services.
The assessment finds that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (DPRK) cyber actors, are using DeFi services in the process of transferring and laundering their illicit proceeds.
With the state of crypto crime constantly evolving and illicit actors becoming increasingly sophisticated, it is more important than ever to remain vigilant against emerging threats. Across all the hacks in 2022, attackers mainly targeted DeFi platforms and services: more than 81% of the total amount lost in crypto-related attacks was taken from DeFi platforms, amounting to a loss of more than $3.9 billion.
As noted in Merkle Science’s Hackhub Report, across thousands of DeFi services the majority of attacks centered on cross-chain bridges. Of the $3.9 billion stolen by illicit actors, more than 60% was taken from cross-chain bridges alone.
The assessment suggests that these platforms are vulnerable to theft and fraud due to cybersecurity gaps, putting their operations at risk, along with the virtual asset industry and consumers. Cross-chain bridges are particularly susceptible to hacking attacks. These bridges often have a central storage point that backs the bridged assets on the receiving blockchain, making them an attractive target for illicit actors. The treasuries and liquidity pools of DeFi services are also commonly targeted for similar reasons.
Hack Hub Finds:
Per our analysis, bridges have come onto the radar of cybercriminals for a number of reasons. Cross-chain bridges are used to port large volumes of virtual assets from one network to another. They usually rely on complex workflows, which often introduce technical weak points that developers may not be aware of.
For instance, bridges depend heavily on smart contracts to carry out day-to-day network operations. Inaccuracies, errors, and security gaps in smart contracts can be missed even after stringent auditing and checks. Once such contracts are deployed on a network, they give cybercriminals an opening to exploit the vulnerabilities and drain large amounts of users’ funds.
Involvement of DPRK and the Lazarus Group
With the rise of virtual assets, it’s no surprise that cybercriminals are looking for new avenues to exploit. According to the analysis, DPRK cyber actors are targeting various organizations operating in the crypto industry including DeFi protocols.
Hack Hub Finds:
As highlighted in the Hackhub Report, DPRK is one of the most frequently cited attackers. Attacks by North Korea were typically accomplished through Lazarus Group, its cybercrime group. The rise of the Lazarus Group as a global cybercrime force in 2022 owes as much to political as to technical reasons.
Take the case of the Axie Infinity hack, an attack for which the Lazarus Group was heavily implicated. An email was sent to an engineer at Sky Mavis, the developer behind Axie Infinity, purporting to be from another firm that wanted to poach him with a much more lucrative offer.
These communications were actually spear phishing attacks from the Lazarus Group. What was novel about this attack was that the Lazarus Group did not send the malicious files immediately, but waited until after an interview with the developer. After gaining his trust, the Lazarus Group then sent over a fake job description, which the developer opened, compromising his computer and giving the attackers access to the organization’s network. Through this entryway, the Lazarus Group eventually made off with US$600 million.
Major Vulnerabilities that lead to losses
The assessment explains that when it comes to hacks and exploits, cybercriminals are taking advantage of the complexity of cross-chain functionality and the open-source nature of DeFi services. The three types of threats highlighted by the Treasury are security breaches, code exploits, and flash loan attacks.
Cybercriminals are increasingly using emerging technologies like DeFi to launder illicit funds, and are exploiting weaknesses in these systems such as re-entrancy, flash loans, price oracle manipulation, arithmetic vulnerabilities, and access control vulnerabilities. The assessment groups these vulnerabilities into the three major categories named above: security breaches, code exploits, and flash loan attacks.
A security breach is an incident that results in unauthorized intervention in, or access to, confidential or personal data, applications, or networks. Per our findings, in 2022 more than $66 million of users' funds were stolen through security breaches.
Flash Loan Exploits
Flash loan attacks are a type of smart contract security breach and an emerging threat in the decentralized finance (DeFi) space. In this type of exploit, the attacker first borrows a hefty sum without collateral, executes a malicious transaction, and then repays the loan before that same transaction completes. These attacks are the most common of all DeFi attacks since they require fewer monetary resources and are the easiest to get away with. In fact, all an attacker needs to carry out a flash loan attack is a computer, an internet connection, and ingenuity. For attackers, these are low-risk, low-cost, high-reward schemes, which they use repeatedly to launder millions of dollars of funds online.
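The atomicity described above is what makes these attacks cheap: the lender only checks, at the end of the same call, that principal plus fee came back, and a failed attempt simply reverts. The toy lender below is an added example (not code from the assessment or from Merkle Science); the fee, pool balance and borrower callbacks are constructed values.

```python
"""Toy model of a flash-loan lender's atomicity rule (added example, not code from
the Treasury assessment or Merkle Science). The pool lends with no collateral, runs
the borrower's callback, and requires principal plus fee back before the call ends;
otherwise the transaction reverts and the balance is restored, so failure costs only gas."""
from dataclasses import dataclass
FEE_BPS = 9  # constructed 0.09% flash-loan fee, in basis points


class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is undone."""


@dataclass
class Pool:
    balance: int  # token units held by the pool

    def flash_loan(self, amount, borrower):
        """Lend `amount`, run `borrower(pool, amount)`, return the fee earned.
        Raises Revert (restoring the balance) unless principal plus fee is back."""
        if amount > self.balance:
            raise Revert("insufficient liquidity")
        fee = amount * FEE_BPS // 10_000
        snapshot = self.balance     # pool state before the loan
        self.balance -= amount      # funds leave with no collateral posted
        try:
            borrower(self, amount)  # arbitrary borrower logic runs here
            if self.balance < snapshot + fee:
                raise Revert("loan not repaid within the same transaction")
        except Revert:
            self.balance = snapshot  # rollback: the failed attempt leaves no trace
            raise
        return fee


def honest_borrower(pool, amount):
    # Uses the funds, then returns principal plus fee before the call ends.
    pool.balance += amount + amount * FEE_BPS // 10_000


def run_scenarios():
    """Return (balance after an honest loan, balance after a failed attempt)."""
    pool = Pool(balance=1_000_000)
    pool.flash_loan(500_000, honest_borrower)
    after_honest = pool.balance
    try:  # this borrower keeps the funds, so the lender's check reverts
        pool.flash_loan(500_000, lambda pool, amount: None)
    except Revert:
        pass
    return after_honest, pool.balance
```

Whatever the borrower does between the two checks (the "malicious transaction" in the text) is invisible to the lender, which is why the defence has to sit in the protocols the borrowed funds touch, not in the lender alone.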
According to the assessment, the lack of a standardized auditing strategy is a major point of failure that leaves platforms open to exploitation even after regular audits.
Writing accurate, error-free code is not an easy job. As noted in Merkle Science’s Hack Hub Report, code exploits have led to a loss of more than $2 billion of users' funds. Contracts need to be validated and verified through multiple auditing practices, including both manual and tool-based code analysis, before being put into use on a network. Furthermore, decentralized platforms can leverage the services of third-party auditors as well to improve the efficiency and security of deployed smart contracts. To ensure robust verification and validation of smart contracts, it is recommended to combine semantic, syntactic, and run-time monitoring auditing techniques with industry best practices. For example, semantic and syntactic audits catch defects before deployment and so avoid having to redeploy the smart contract at a different address, while run-time validation helps ensure the deployed code executes the correct logic.
In A Nutshell:
- Decentralized platforms face new vectors for attacks from hackers that raise concerns about the need for secure smart contracts.
- Smart contracts need to undergo due diligence and stringent validation and verification through multiple auditing practices including manual and tool-based code analysis.
- Third-party auditors can be utilized by decentralized platforms to improve the efficiency and security of the deployed smart contracts.
- To ensure robust verification and validation of smart contract audits, semantic, syntactic, and run-time monitoring auditing techniques should be combined with industry best practices.
- Static analysis using tools like Mythril can be used to identify potential vulnerabilities, bugs, or security issues that might exist in the code of smart contracts.
- Open-source code is critical to the DeFi service, but it is essential to identify and address vulnerabilities and potential exploits.
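Run-time monitoring, mentioned above alongside semantic and syntactic audits, means watching a deployed contract's activity for the patterns this piece describes. The monitor below is an added example, not code from the assessment or Merkle Science: it reads a constructed event log and flags a flash loan (borrow and repay of one asset inside a single transaction) and a treasury or liquidity pool losing a large share of its reserves in one transaction. The log format, pool names, reserve snapshot and 50% threshold are all assumptions.

```python
"""Run-time monitor over constructed pool event logs. Added example, not code from
the Treasury assessment or Merkle Science: it flags a flash loan (borrow and repay
of one asset inside a single transaction) and a pool losing more than a set share
of its reserves in one transaction. Log format, names and thresholds are assumed."""
from collections import defaultdict
# Constructed sample log, one event per line: tx_hash,block,event,pool,asset,amount
SAMPLE_LOG = """\
0xaaa1,100,Withdraw,PoolA,USDC,2000
0xbbb2,101,FlashBorrow,PoolA,USDC,900000
0xbbb2,101,FlashRepay,PoolA,USDC,900810
0xccc3,102,Withdraw,PoolB,WETH,650
0xddd4,103,Deposit,PoolA,USDC,5000
"""
# Constructed reserve snapshot per (pool, asset) at the start of the window
RESERVES = {("PoolA", "USDC"): 1_000_000, ("PoolB", "WETH"): 1_000}
DRAIN_THRESHOLD = 0.5  # alert when one tx removes more than 50% of a reserve

def parse_log(text):
    """Parse one CSV-style event per line into (tx, event, pool, asset, amount)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            tx, _block, event, pool, asset, amount = line.split(",")
            rows.append((tx, event, pool, asset, int(amount)))
    return rows

def find_alerts(rows, reserves, drain_threshold=DRAIN_THRESHOLD):
    """Return (tx, alert_type, pool, asset) tuples, evaluated per transaction."""
    by_tx = defaultdict(list)
    for row in rows:
        by_tx[row[0]].append(row)
    alerts = []
    for tx, events in by_tx.items():
        borrowed = {(p, a) for _, ev, p, a, _ in events if ev == "FlashBorrow"}
        repaid = {(p, a) for _, ev, p, a, _ in events if ev == "FlashRepay"}
        for pool, asset in sorted(borrowed & repaid):
            alerts.append((tx, "flash_loan", pool, asset))
        # Net outflow per reserve inside the tx: a repaid flash loan nets out, a drain does not
        net = defaultdict(int)
        for _, event, pool, asset, amount in events:
            if event in ("Withdraw", "FlashBorrow"):
                net[(pool, asset)] += amount
            elif event in ("Deposit", "FlashRepay"):
                net[(pool, asset)] -= amount
        for (pool, asset), amount in sorted(net.items()):
            reserve = reserves.get((pool, asset))
            if reserve and amount / reserve > drain_threshold:
                alerts.append((tx, "drain", pool, asset))
    return alerts
```

Grouping by transaction rather than by block is deliberate: a flash loan only exists inside one transaction, and a single-transaction reserve drop is the signal a pause or circuit-breaker mechanism would act on.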
Smart contract security is critical for decentralized platforms, and the use of various auditing practices and techniques can improve the efficiency and security of deployed smart contracts. Static analysis using tools and third-party services can identify potential vulnerabilities, and it is essential to identify and address vulnerabilities and potential exploits in open-source code.
As the blockchain ecosystem continues to grow, it's imperative that steps are taken to protect against crypto crime. Mitigation techniques are one way to achieve this, according to experts in the field. These techniques can help improve security and ensure the continued development of the industry.
However, it's important to note that these techniques are not infallible and must be used in combination with other best practices. These include secure coding, ongoing monitoring, and due diligence. By implementing these measures, the industry can stay ahead of the curve and protect against potential threats.
Discover the story behind the biggest heists of 2022 and the evolved techniques that helped criminals sneak in in spite of existing security measures. Decode the best auditing strategies, mitigation techniques, and lessons to be learned from the worst mistakes of the year with our HackHub Report.