Crypto is crumbling, and DeFi hacks are getting worse

The amount of crypto stolen in the first four months of 2022 has already surpassed criminal hackers’ entire 2021 haul. There aren’t any easy fixes.


Illustration: Christopher T. Fong/Protocol

Until recently, DeFi seemed to be on an exponential upward trajectory. With the collective value of crypto peaking near $3 trillion, hackers saw a big opportunity. The only thing that may slow them down is the precipitous drop in the value of the tokens they’re going after.

DeFi hacks have been getting worse, with no clear solutions in sight. According to a recent report by blockchain security firm PeckShield, the amount stolen in DeFi hacks in the first four months of 2022, $1.57 billion, has already surpassed the amount stolen in all of 2021, $1.55 billion. A report by Chainalysis found the same trend: the haul in the first three months of 2022 exceeded the previous quarterly record, set in the third quarter of 2021.

The biggest contributors to the worst quarter the industry has seen — or the best, if you’re a criminal — were Axie Infinity’s Ronin bridge exploit ($650 million), the Wormhole network exploit ($320 million) and the Beanstalk Farms governance attack ($180 million).

A thread connects all three: The biggest hacks of 2022 were carried out by attackers spotting vulnerabilities in smart contracts and protocols, especially in cross-chain bridges and flash loan protocols. The rising tide of digital theft threatens to undermine confidence in cryptocurrency broadly and bring down regulators’ wrath on a still-nascent industry.

Erin Plante, senior director of Investigations at Chainalysis, told Protocol that because blockchain code is typically public, hackers can view it easily to spot vulnerabilities and manipulate the protocol to exploit it.

Plante added that there was a “dramatic shift to exploiting DeFi protocols” in 2022, due to “code exploits and flash loans,” as opposed to the social engineering attacks that typified previous years’ hacks. This could explain why DeFi hacks have become so massive in 2022: a phishing campaign scales only with the number of victims who fall for it, whereas a single code exploit or flash-loan attack can drain a protocol’s pooled funds in one transaction.
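To make the flash-loan mechanism concrete, here is an added example that is not code from Beanstalk or any other protocol the article names. It models, in Python, a minimal governance contract whose votes are weighed either by live token balances or at a snapshot block with a voting delay, the checkpointing idea behind ERC20Votes-style tokens. The holder names, token amounts and treasury size are constructed; the attacker holds a single token but borrows a majority within one block.

```python
"""Flash-loan governance attack against a toy governor, and the snapshot defence.

Constructed example; not code from any protocol named in the article. Holders,
token amounts and the treasury are invented. The attacker borrows a majority of
the governance token inside one block, passes a proposal paying out the
treasury and repays the loan before the block closes. That only works when
votes are weighed by live balances.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Token:
    """Governance token that checkpoints each holder's balance at block close."""
    balances: Dict[str, int]
    history: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot transfer {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def end_block(self, block: int) -> None:
        """Record every balance as it stands when the block closes."""
        for holder, bal in self.balances.items():
            self.history.setdefault(holder, []).append((block, bal))

    def past_balance(self, holder: str, block: int) -> int:
        """Balance at the close of `block`; a loan repaid within the block leaves no trace."""
        bal = 0
        for blk, b in self.history.get(holder, []):
            if blk <= block:
                bal = b
        return bal

    def supply(self) -> int:
        return sum(self.balances.values())


@dataclass
class Governor:
    """voting_delay=0 weighs votes by live balance (vulnerable). voting_delay>0
    weighs them at a snapshot block that must be closed before voting opens."""
    token: Token
    treasury: int
    voting_delay: int
    quorum_pct: int = 50
    proposals: Dict[int, dict] = field(default_factory=dict)

    def propose(self, block: int, recipient: str, amount: int) -> int:
        pid = len(self.proposals)
        self.proposals[pid] = {"recipient": recipient, "amount": amount,
                               "snapshot": block + self.voting_delay,
                               "votes": 0, "voters": set(), "executed": False}
        return pid

    def vote(self, block: int, pid: int, voter: str) -> int:
        p = self.proposals[pid]
        if voter in p["voters"]:
            raise ValueError("already voted")
        if self.voting_delay == 0:
            weight = self.token.balances.get(voter, 0)               # borrowed tokens count
        else:
            if block <= p["snapshot"]:
                raise ValueError("voting has not opened")
            weight = self.token.past_balance(voter, p["snapshot"])   # borrowed tokens are gone
        p["votes"] += weight
        p["voters"].add(voter)
        return weight

    def execute(self, pid: int) -> None:
        p = self.proposals[pid]
        if p["executed"] or p["votes"] * 100 < self.quorum_pct * self.token.supply():
            raise ValueError("proposal has not passed")
        p["executed"] = True
        self.treasury -= p["amount"]        # payout to p["recipient"], modelled as a debit


def run_attack(voting_delay: int) -> dict:
    """Replay the same attack against a governor configured with `voting_delay` blocks."""
    token = Token({"lender_pool": 1000, "whale": 500, "community": 400, "attacker": 1})
    gov = Governor(token, treasury=1_000_000, voting_delay=voting_delay)
    token.end_block(0)

    # Block 1, one transaction: borrow 1000, propose, try to vote and execute, repay.
    token.transfer("lender_pool", "attacker", 1000)
    pid = gov.propose(1, recipient="attacker", amount=gov.treasury)
    try:
        gov.vote(1, pid, "attacker")
        gov.execute(pid)
    except ValueError:
        pass
    token.transfer("attacker", "lender_pool", 1000)   # the flash loan must be repaid before block 1 closes
    token.end_block(1)
    token.end_block(2)

    # Block 3: the attacker can vote only with what it really held when block 2 closed.
    if not gov.proposals[pid]["executed"]:
        try:
            gov.vote(3, pid, "attacker")
            gov.execute(pid)
        except ValueError:
            pass
    return {"treasury": gov.treasury, "attacker_votes": gov.proposals[pid]["votes"]}


if __name__ == "__main__":
    print("live balances:", run_attack(voting_delay=0))     # treasury drained
    print("snapshot + delay:", run_attack(voting_delay=1))  # treasury intact
```

The snapshot delay is the one defence modelled here; production governors also put a timelock between a proposal passing and its execution, which gives token holders time to react even if a vote is somehow captured.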

Cross-chain bridges have become a target for attackers mainly because they hold assets on one chain while acting on messages about events on another, which exposes more attack surface than exists on a single blockchain. Bridges also usually have a smaller community behind them, which tends to mean a smaller set of validator nodes must sign off before a transaction is recognized. In the Axie Ronin bridge attack, a withdrawal needed signatures from only five of the nine validator nodes, a threshold the attacker set out to reach.

There is perhaps another alarming statistic for regulators. 2022 has also been the biggest year for North Korean-affiliated hacking groups so far, according to the Chainalysis report. Last month, the U.S. Treasury linked the Ronin bridge hack to North Korea’s Lazarus hacking group, listing its wallet address in the Specially Designated Nationals List and sanctioning the funds.

This is especially worrying given a recent United Nations report that found crypto laundered by North Korean hackers was used to fund nuclear and missile programs, making the issue a matter of international security.

As the wheels of government enforcers and regulators churn slowly, DeFi companies need to move quickly to ensure that open-source code isn’t taken advantage of by attackers. Ronghui Gu, CEO of blockchain security firm CertiK, said projects need to take a proactive, end-to-end approach with their security.

“This means having smart contract audits of every line of code, both before launch and any time the code is changed,” Gu said.

Other security measures include on-chain monitoring tools to protect smart contracts after deployment, as well as avoiding centralization, another big attack vector in 2021. Centralization played a key role in the Axie hack: four of the nine Ronin validator nodes were under one operator’s control, so the attacker took them in one go through social engineering, then gained access to a fifth through a bug and met the five-signature threshold.
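The two Ronin passages above, the five-of-nine signing threshold and the four-plus-one key compromise, come down to one quorum check. Here is an added example, not code from Ronin or any other bridge, that models that check in Python and shows why raising the threshold is only half the fix. Validator names, operators, keys and the withdrawal are constructed; signatures are HMAC-SHA256 over the withdrawal message with each validator’s secret, a stand-in for the ECDSA signatures a real bridge contract verifies.

```python
"""m-of-n bridge withdrawal approval, and why the threshold alone is not enough.

Constructed example; not code from any bridge named in the article. Validators,
operators, keys and the withdrawal are invented. HMAC-SHA256 stands in for the
ECDSA signatures a real bridge verifies on-chain; the quorum logic is the point.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str   # organisation that holds this node's signing key
    key: bytes


def sign(validator: Validator, message: bytes) -> bytes:
    return hmac.new(validator.key, message, hashlib.sha256).digest()


class Bridge:
    """Releases funds when a quorum of validators signs the same withdrawal.

    threshold:     valid signatures required (5 of 9 in the weak setup)
    min_operators: distinct key holders that must be among the signers, so one
                   compromised organisation cannot supply the whole quorum
    """

    def __init__(self, validators: List[Validator], threshold: int, min_operators: int = 1):
        self.validators = validators
        self.threshold = threshold
        self.min_operators = min_operators

    def approve(self, withdrawal: dict, signatures: Dict[str, bytes]) -> bool:
        message = json.dumps(withdrawal, sort_keys=True).encode()
        signers = [v for v in self.validators
                   if v.name in signatures
                   and hmac.compare_digest(signatures[v.name], sign(v, message))]
        if len(signers) < self.threshold:
            return False
        return len({v.operator for v in signers}) >= self.min_operators


def make_validators() -> List[Validator]:
    """Constructed nine-node set in which one organisation runs four nodes."""
    layout = [("studio", 4), ("dao", 1), ("op_a", 1), ("op_b", 1), ("op_c", 1), ("op_d", 1)]
    return [Validator(f"{op}-{i}", op, secrets.token_bytes(32))
            for op, count in layout for i in range(count)]


def submit_withdrawal(bridge: Bridge, signers: Iterable[Validator]) -> bool:
    """Whoever holds the listed keys signs a withdrawal and submits it."""
    withdrawal = {"asset": "ETH", "amount": 1_000, "to": "0xrecipient", "nonce": 1}  # constructed
    message = json.dumps(withdrawal, sort_keys=True).encode()
    return bridge.approve(withdrawal, {v.name: sign(v, message) for v in signers})


def scenarios() -> Dict[str, bool]:
    validators = make_validators()

    def by_op(op: str) -> List[Validator]:
        return [v for v in validators if v.operator == op]

    # Attacker: all four keys of the big operator (one social-engineering win) plus one via a bug.
    stolen = by_op("studio") + by_op("dao")                      # 5 keys from 2 organisations
    honest = by_op("studio")[:3] + by_op("op_a") + by_op("op_b") + by_op("op_c") + by_op("op_d")

    weak = Bridge(validators, threshold=5)                       # the 5-of-9 setup
    diverse = Bridge(validators, threshold=5, min_operators=3)   # same threshold, spread across operators
    hardened = Bridge(validators, threshold=7, min_operators=4)
    return {
        "weak_forged": submit_withdrawal(weak, stolen),          # True: 5 keys suffice
        "diverse_forged": submit_withdrawal(diverse, stolen),    # False: only 2 operators among signers
        "hardened_forged": submit_withdrawal(hardened, stolen),  # False: 5 < 7
        "hardened_honest": submit_withdrawal(hardened, honest),  # True: 7 signers from 5 operators
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'approved' if ok else 'rejected'}")
```

The `diverse` case is the one worth noting: it keeps the original five-signature threshold and still rejects the forged withdrawal, because the five stolen keys belong to only two organisations. A threshold counts keys; it says nothing about how many independent parties must fail before funds move.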

Gu suggested that project owners could also submit themselves to background checks, a controversial measure. Some “undoxxed” crypto figures pride themselves on operating under pseudonyms, while others advertise themselves as “doxxed,” disclosing their real, verified identities to build trust with token buyers and software developers.

While Plante echoed the same sentiments, she added that there is also “a need for the community to come together and support each other and protect each other and attempt to ward off these attackers,” leveraging Web3’s community ethos. It will take collective effort to secure the blockchain — and if the industry doesn’t provide it, Washington might just step in.

