Think your crypto is safer on a decentralized platform than on one of the more centralized exchanges? Well, the FBI is here to tell you that, no, the vulnerabilities on DeFi platforms are real, and they account for the vast majority of the $1.3 billion in crypto stolen in just the first three months of this year.
In a public notice posted late Monday, the FBI warned investors about the increase in the number of exploited DeFi platforms since the start of 2022. The bureau said cyber criminals are exploiting vulnerabilities in the smart contracts governing DeFi platforms, particularly “the complexity of cross-chain functionality and open source nature of DeFi platforms.”
The FBI said 97% of that $1.3 billion in stolen crypto was taken from DeFi platforms, citing figures from crypto security firm Chainalysis. While the agency did not name any particular hacks, it described three: the $3 million flash loan attacks that manipulated contracts on the multi-chain protocol Deus Finance, the $325 million Wormhole protocol exploit, and another hack that exploited a lack of security checks to steal $35 million in digital currency.
The FBI said investors should be cautious about investing, do their research, and confirm that the DeFi platform has had one or more code audits performed by independent security auditors to assess any weaknesses. Though the FBI has recently warned about fake apps and other crypto scams, the agency also warned about the dangers of “crowdsourced” projects, namely that “open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.”
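To make the notice's phrase “a lack of security checks” concrete, here is an added illustration in Solidity; it is not code from the FBI notice, from Chainalysis, or from any project named in this article. Both contracts, their names, and the relayer model are hypothetical. The first vault lets anyone release funds with no check at all; the second adds the checks an independent auditor would expect to see: caller authorization, a per-user ledger the release is checked against, one-time message ids so a release cannot be replayed, and state updates before the external transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustrative example (not code from the FBI notice or any named project).
// Hypothetical vault contracts showing the "missing security check" class of
// defect: an unchecked version beside a hardened one.

// UNCHECKED: anyone can call release() for any recipient and any amount.
// Nothing ties the call to a prior deposit, to an authorized caller, or to a
// one-time message, so the whole pool is exposed to a single call.
contract UncheckedVault {
    mapping(address => uint256) public deposits;

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    // No access control, no balance check, no replay protection.
    function release(address payable to, uint256 amount) external {
        to.transfer(amount);
    }
}

// HARDENED: the checks an audit would look for before funds leave the contract.
contract CheckedVault {
    address public immutable owner;
    mapping(address => bool) public relayers;          // who may authorize releases
    mapping(address => uint256) public deposits;       // per-user ledger
    mapping(bytes32 => bool) public consumedMessages;  // replay protection

    event Released(bytes32 indexed messageId, address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyRelayer() {
        require(relayers[msg.sender], "not an authorized relayer");
        _;
    }

    // Only the owner can change who is allowed to trigger releases.
    function setRelayer(address relayer, bool allowed) external onlyOwner {
        relayers[relayer] = allowed;
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: validate, update state, then transfer.
    function release(bytes32 messageId, address payable to, uint256 amount)
        external
        onlyRelayer
    {
        require(!consumedMessages[messageId], "message already consumed");
        require(deposits[to] >= amount, "release exceeds deposit");

        consumedMessages[messageId] = true;   // effects before the interaction
        deposits[to] -= amount;

        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");

        emit Released(messageId, to, amount);
    }
}
```

The point for a reader evaluating a platform is that each `require` line corresponds to a question an auditor asks of any function that moves value: who may call it, what ledger entry authorizes the amount, what stops the same authorization being used twice, and whether state is updated before any external call. A project that cannot point to these checks, or to an independent review of them, is what the notice is warning about.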
First, it’s important to note just what the FBI is referring to with the term “DeFi.” It’s a very broad and often misused term that denotes any financial technology (though mostly blockchain protocols) that tries to eliminate centralized institutions like banks from the equation. Money, AKA your crypto, is stored in a digital wallet the user controls. So unlike an exchange, which is purposefully centralized (but don’t you dare call it a bank, even though it does much of what regular banks already do), DeFi projects try to eliminate any intermediaries through peer-to-peer networks built on community-developed security protocols.
Proponents say these blockchains and their attached security protocols are more secure than older systems; the two are often referred to as Web3 and Web2, respectively. Though these blockchain systems are resistant to man-in-the-middle attacks, where data is intercepted and manipulated midstream, scammers are still making off with billions in stolen funds, often through phishing schemes or through security holes found in connected Web2 platforms.
The total $1.3 billion the FBI cites also includes the $625 million stolen in late March from the Ronin Bridge, used by the play-to-earn game Axie Infinity. And of course there have been other major exploits since March. In early August, the Nomad DeFi project was drained of $190 million thanks to a security hole left by a routine upgrade, while users on the Solana blockchain network initially experienced a loss of well over $5 million from thousands of individual crypto wallets. That latter exploit saw hundreds of internet users pick up the exploit to drain funds from their fellow crypto users, and the people who operate Solana have essentially begged those hackers to return their ill-gotten gains.
Though the FBI recommended that DeFi platforms analyze and test their code for any security holes, the open nature of these “decentralized” projects is a main selling point. Many of these kinds of projects operate as decentralized autonomous organizations, otherwise known as DAOs. Ostensibly, all decision making is done by consensus vote of the community; however, the code writers (most often the founders of the project) still control how any changes are coded and implemented.
In April, after the DeFi platform Rari Capital and the Fei protocol were hacked for $80 million across several pools, the Tribe DAO running the system came together to decide whether to reimburse members. According to Decrypt, the vast majority of 34 million member votes wanted to make affected users whole. Despite the community consensus, a second vote went ahead and vetoed that original decision. “Key” members said the original vote left it unclear how those users would get their funds back. A third vote nixed the idea of reimbursement entirely.