What Makes DeFi Platforms Vulnerable to Attacks?

In 2020, more than $520 million worth of cryptocurrency was stolen from services and individuals through hacks and non-technical attacks such as social engineering or phishing. Among these recent attacks, a new popular target emerged that fell victim to almost half of them: DeFi, or decentralized finance, platforms.

13 May 2021

One of the most notable trends among cybercriminals these days seems to be the attempt to steal cryptocurrency from DeFi platforms. The use of DeFi platforms skyrocketed in 2020, which has given hackers a unique and vulnerable new target. As revealed in The 2021 Crypto Crime Report, although DeFi accounts for only 6% of all cryptocurrency activity, these platforms lost approximately 33% of all cryptocurrency stolen in 2020. DeFi platforms also figure prominently as a convenient place for cybercriminals to launder stolen cryptocurrency and convert it into cash.

DeFi Platforms, a story of success and caution

DeFi’s extraordinary rise has been one of the most striking cryptocurrency stories of 2020. DeFi stands for decentralized finance; the decentralization comes from the fact that DeFi platforms can, in theory at least, operate autonomously without the support of a central company, group or individual. DeFi platforms are built on blockchain smart contracts – primarily on the Ethereum network – and perform the financial functions determined by their underlying code, executing transactions such as trades and loans automatically when certain conditions are met.

Without the need for centralized infrastructure or human resource management, DeFi platforms can let users execute financial transactions with lower fees than other fintech apps or financial institutions. In total, DeFi platforms received $86.5 billion worth of cryptocurrency in 2020, 67 times more than in 2019.

However, these benefits come with evident dangers. Their decentralized nature makes DeFi platforms more attractive as a money laundering mechanism: since these platforms never directly take custody of deposited funds, many do not perform know-your-customer (KYC) checks and do not collect or report transaction activity as required by the Bank Secrecy Act (BSA) and other financial regulations. How is it possible that in 2020 cybercriminals stole more than $170 million from DeFi platforms, a figure quite disproportionate to DeFi’s share of total cryptocurrency activity? The main reason is that DeFi platforms are uniquely vulnerable to price manipulation attacks.

A new playground for cybercriminals?

Price manipulation has been key to nearly every notable attack on DeFi platforms in 2020. DeFi transactions are almost instantaneous, with very few mechanisms in place to prevent shadow transactions, so attackers can make huge profits by manipulating the price of a cryptocurrency on one or more DeFi platforms.

DeFi platforms rely on tools called price oracles to obtain the price of a specific asset from external sources – usually other exchanges, services or data providers; sometimes assets are priced against the rest of the market. However, most DeFi platforms use centralized price oracles that rely on a single node to feed data to the rest of the platform, and often on a single source of price data, which makes them vulnerable to attack.

Price manipulation may seem an unlikely attack method for cybercriminals, since driving up the price of any crypto asset requires initial capital, right? Because of flash loans, this is not the case in DeFi.

Flash loans and their role in DeFi platforms

Flash loans allow DeFi users to borrow instantly without collateral, use the funds to transact elsewhere and repay the loan within the same transaction. If the loan is not repaid, the entire transaction is rolled back instantly, which means the lender gets back the original capital as if the loan had never happened. In essence, this means little or no risk for either party: if the transaction the borrower wants to make with the borrowed funds fails and the loan cannot be repaid, neither the borrower nor the lender loses anything.

This also means that lenders can charge very low interest rates on flash loans. Traders often use flash loans to obtain the funds needed to exploit an arbitrage opportunity, using the borrowed funds to profit from price differences across platforms and keeping a small profit after the loan is paid off.

In 2020, cybercriminals used flash loans as a weapon: they used the borrowed funds to buy crypto assets, driving up their price, and sold them at a large profit, which made it easy to pay off the original loan and pocket the remaining funds.

We saw such a scheme in action during two hacks in February of bZx, a DeFi protocol that allows users to build apps for decentralized lending, margin trading and other financial transactions. In the first hack, cybercriminals borrowed a large amount of ether from bZx as a flash loan and used it to buy wrapped bitcoin on Uniswap, driving up its price – at one point, the price of wrapped bitcoin on Uniswap reached 109.8 ETH, up from 38 on the market as a whole. The attacker then exchanged their bitcoin for a huge ether profit, some of which was used to pay off the initial flash loan. In total, the attacker received $350,000 worth of ether. The second attack, which mimicked the first, brought in $633,000. The identities of the hackers are unknown, and it is unclear whether the same person or group was responsible for both incidents.

The source of an issue

These attacks on bZx worked because the platform code contained no safeguards to track large price spikes on other DeFi platforms, which could have caught the cybercriminals manipulating the bitcoin price on Uniswap. The bZx repository on GitHub shows that the issue has since been fixed. But this highlights another reason DeFi platforms are vulnerable to attack: their use of open source. DeFi platforms move user funds solely according to their underlying code, without human intervention, so users need to be able to validate that code to trust the platform, making open source a must.
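The two weaknesses described above (a single-source spot-price oracle, and the absence of a check for sudden price spikes) can be seen together in a small constant-product pool model. This is an added example written for this article, not code from bZx or Uniswap; the pool reserves, the reference prices and the 10% tolerance are constructed values.

```python
from statistics import median


class ConstantProductPool:
    """Minimal constant-product AMM (x * y = k), the model behind Uniswap-style pools.
    Constructed for illustration only; it is not Uniswap's or bZx's code."""

    def __init__(self, reserve_token: float, reserve_eth: float):
        self.reserve_token = reserve_token  # e.g. WBTC held by the pool (constructed)
        self.reserve_eth = reserve_eth      # ETH held by the pool (constructed)

    def spot_price(self) -> float:
        """Price of one token in ETH, exactly what a single-source spot oracle would read."""
        return self.reserve_eth / self.reserve_token

    def buy_token_with_eth(self, eth_in: float) -> float:
        """Swap ETH for tokens. k stays constant, so a large buy moves the spot price sharply."""
        k = self.reserve_token * self.reserve_eth
        self.reserve_eth += eth_in
        token_out = self.reserve_token - k / self.reserve_eth
        self.reserve_token -= token_out
        return token_out


def price_is_plausible(observed: float, references: list, max_deviation: float = 0.10) -> bool:
    """Safeguard a platform should run before acting on an oracle price: compare the
    single-source reading with the median of independent reference prices and refuse
    to proceed when it deviates by more than max_deviation (10% by default)."""
    reference = median(references)
    return abs(observed - reference) / reference <= max_deviation


def simulate_spike() -> dict:
    """Reproduce the shape of the bZx incident in the toy model: a pool quoting 38 ETH
    per token, one large ETH-funded buy, and the guard's verdict before and after."""
    pool = ConstantProductPool(reserve_token=100.0, reserve_eth=3800.0)  # constructed reserves
    other_venues = [38.1, 37.9, 38.2]  # constructed prices from independent sources
    before = pool.spot_price()
    pool.buy_token_with_eth(2700.0)    # one large buy, the kind a flash loan can fund
    after = pool.spot_price()
    return {
        "spot_before": before,
        "spot_after": after,
        "accepted_before": price_is_plausible(before, other_venues),
        "accepted_after": price_is_plausible(after, other_venues),
    }


if __name__ == "__main__":
    print(simulate_spike())
```

In the run, the pool's spot price jumps from 38 to roughly 111 ETH while the other venues still quote about 38, so the median-deviation guard accepts the first reading and rejects the second.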

However, this also means that cybercriminals can analyze the code for vulnerabilities and plan the perfect attack, as they apparently did in the case of the bZx attacks. In fact, bZx was hacked again later that year for $8.1 million, all because one faulty line of code allowed users to manipulate their own balances under certain circumstances, creating new coins for themselves at will.

These attacks show how important it is for DeFi platforms to adopt the latest security measures.