Until recently, DeFi seemed like it was on an exponential trajectory upwards. With the collective value of crypto peaking near $3 trillion, hackers saw a big opportunity. The only thing that may slow them down is the precipitous drop in the value of the tokens they’re going after.
DeFi hacks have been getting worse and worse, with no clear solutions in sight. According to a recent report by blockchain security firm PeckShield, the amount of money netted from DeFi hacks in the first four months of 2022, $1.57 billion, has already surpassed the amount netted in all of 2021, $1.55 billion. A report by Chainalysis found a similar trend, with the hacker haul in the first three months of 2022 exceeding a record set in the third quarter of 2021.
The biggest contributors to the worst quarter the industry has seen — or the best, if you’re a criminal — were Axie Infinity’s Ronin bridge exploit ($650 million), the Wormhole network exploit ($320 million) and the Beanstalk Farms governance attack ($180 million).
A thread connects all three: The biggest hacks of 2022 were carried out by attackers spotting vulnerabilities in smart contracts and protocols, especially in cross-chain bridges and flash loan protocols. The rising tide of digital theft threatens to undermine confidence in cryptocurrency broadly and bring down regulators’ wrath on a still-nascent industry.
Erin Plante, senior director of Investigations at Chainalysis, told Protocol that because blockchain code is typically public, hackers can view it easily to spot vulnerabilities and manipulate the protocol to exploit it.
Plante added that there was a “dramatic shift to exploiting DeFi protocols” in 2022, due to “code exploits and flash loans,” as opposed to the social engineering attacks that typified previous years’ hacks. This could explain why DeFi hacks have become so massive in 2022: Attackers no longer rely on a large number of people falling for phishing scams, but are instead able to attack the DeFi protocols directly.
Cross-chain bridges have become a target for attackers mainly because they expose a larger attack surface, with more attack vectors than typically exist on a single blockchain. Bridges also usually have a smaller developer community, which means a smaller number of validator nodes must sign off before a transaction is recognized. In the Axie Ronin bridge attack, only five of nine validator nodes needed to sign off on a withdrawal, a low threshold the attacker targeted.
There is perhaps another alarming statistic for regulators. 2022 has also been the biggest year for North Korean-affiliated hacking groups so far, according to the Chainalysis report. Last month, the U.S. Treasury linked the Ronin bridge hack to North Korea’s Lazarus hacking group, listing its wallet address in the Specially Designated Nationals List and sanctioning the funds.
This is especially worrying given a recent United Nations report that found crypto laundered by North Korean hackers was used to fund nuclear and missile programs, making the issue a matter of international security.
As the wheels of government enforcers and regulators churn slowly, DeFi companies need to move quickly to ensure that open-source code isn’t taken advantage of by attackers. Ronghui Gu, CEO of blockchain security firm CertiK, said projects need to take a proactive, end-to-end approach with their security.
“This means having smart contract audits of every line of code, both before launch and any time the code is changed,” Gu said.
Other security measures include on-chain monitoring tools to protect smart contracts after deployment, as well as avoiding centralization, which was another big attack vector in 2021. Centralization played a key role in the Axie hack: The attacker gained control of four Ronin validator nodes in one go through social engineering and gained access to a fifth through a bug, reaching the five-signature threshold.
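The quorum mechanism the two passages above describe (five of nine Ronin validators, four keys obtained through social engineering plus one through a bug) can be modelled in a few lines. This is an added Python example, not code from the article or from any bridge project: the validator names and keys are constructed, and HMAC-SHA256 stands in for the public-key signatures a real bridge would use so the example runs without extra libraries. It shows why counting distinct signers (not raw signatures) and raising the quorum both matter.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a bridge's validator set (assumption: nine validators,
# each holding a secret signing key). HMAC is used only so this runs offline;
# a real bridge would verify ECDSA/EdDSA signatures against validator public keys.
VALIDATOR_KEYS = {f"validator-{i}": f"secret-key-{i}".encode() for i in range(1, 10)}
QUORUM = 5  # Ronin-style threshold: 5 of 9 signatures release funds


def canonical(withdrawal: dict) -> bytes:
    """Serialize a withdrawal request deterministically before signing."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def sign(validator: str, withdrawal: dict) -> tuple:
    """Produce (validator_id, signature) for a withdrawal request."""
    mac = hmac.new(VALIDATOR_KEYS[validator], canonical(withdrawal), hashlib.sha256)
    return validator, mac.hexdigest()


def approved(withdrawal: dict, signatures: list, quorum: int = QUORUM) -> bool:
    """True only if at least `quorum` DISTINCT known validators signed correctly.

    Deduplicating by signer is essential: a verifier that merely counts
    signatures could be satisfied by one compromised key submitted five times.
    """
    msg = canonical(withdrawal)
    valid_signers = set()
    for validator, sig in signatures:
        key = VALIDATOR_KEYS.get(validator)
        if key is None:
            continue  # signature from an unknown validator is ignored
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            valid_signers.add(validator)
    return len(valid_signers) >= quorum


def attacker_meets_quorum(compromised: set, quorum: int = QUORUM) -> bool:
    """Whether holding the keys in `compromised` is enough to approve a withdrawal alone."""
    withdrawal = {"to": "0xCONSTRUCTED-ATTACKER-ADDRESS", "amount": 1, "nonce": 1}
    sigs = [sign(v, withdrawal) for v in compromised if v in VALIDATOR_KEYS]
    return approved(withdrawal, sigs, quorum)


def replayed_single_signer_passes(quorum: int = QUORUM) -> bool:
    """Whether one validator's signature, repeated `quorum` times, is accepted."""
    withdrawal = {"to": "0xCONSTRUCTED-ADDRESS", "amount": 1, "nonce": 2}
    return approved(withdrawal, [sign("validator-1", withdrawal)] * quorum, quorum)
```

With the Ronin-style split (four keys plus one), the attacker's own signatures satisfy a 5-of-9 quorum, while the same five keys fall short of a 7-of-9 quorum and a single replayed signature is rejected by the distinct-signer check.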
Gu suggested that project owners could also submit themselves to background checks, a controversial measure. Some “undoxxed” crypto figures pride themselves on operating under pseudonyms, while others advertise themselves as “doxxed,” disclosing their real, verified identities to build trust with token buyers and software developers.
While Plante echoed the same sentiments, she added that there is also “a need for the community to come together and support each other and protect each other and attempt to ward off these attackers,” leveraging Web3’s community ethos. It will take collective effort to secure the blockchain — and if the industry doesn’t provide it, Washington might just step in.