The FBI issued a new warning Monday about cybercriminals exploiting vulnerabilities in the smart contracts that govern decentralized finance (DeFi) platforms.
“Between January and March 2022, cybercriminals stole $1.3 billion in crypto, nearly 97 percent of which were stolen from DeFi platforms,” the agency claims, citing a Chainalysis report from April 2022.
The FBI cites three methods cybercriminals use to launch these attacks:
- Manipulating cryptocurrency prices by exploiting a series of vulnerabilities, including the use of a single price oracle, such as in the case of the April 2022 Deus Finance exploit, where thieves made off with $13.4 million.
- Initiating a flash loan, as in the November 2021 attack on the Ethereum DeFi project bZx, where thieves made off with $55 million in digital assets.
- Exploiting a vulnerability in a DeFi platform’s token bridge, as seen in the case of the Nomad token bridge earlier this month.
“Cybercriminals seek to exploit investors’ increased interest in crypto, as well as the complexity of cross-chain functionality and the open source nature of DeFi platforms,” according to the agency.
Blockchain security companies have long monitored the most common vectors used by cybercriminals to compromise smart contracts.
Exploits at this level are risky because “smart contract code is typically not changeable to patch security flaws, assets stolen from smart contracts are irrecoverable, and stolen assets are challenging to track,” according to the Ethereum Foundation.
Cybercriminals are not only interested in DeFi platforms.
Elliptic, a blockchain analysis firm, released its “NFTs and Financial Crime” report last week. According to the report, over $100 million in NFTs were stolen between July 2021 and July 2022.
The FBI, for its part, recommends conducting a thorough examination of DeFi platforms, protocols, and smart contracts before investing, as well as being aware of the specific risks involved. Consumers, for example, should check to see if the platform has had one or more code audits performed by independent auditors. Furthermore, the FBI advises caution regarding investment pools with extremely short timeframes to join and rapidly deploy smart contracts, especially without the recommended code audit.