The Federal Bureau of Investigation issued a new warning Monday about cyber criminals exploiting vulnerabilities in the smart contracts that govern decentralized finance (DeFi) platforms.
"Between January and March 2022, cybercriminals stole $1.3 billion in cryptocurrencies, nearly 97 percent of which were stolen from DeFi platforms," the agency claims, citing an April 2022 report by blockchain analysis firm Chainalysis.
The agency cites three attack methods used by cybercriminals:
- Initiating a flash loan that triggers an exploit in the platform's smart contracts, as in the November 2021 attack on the Ethereum DeFi project bZx, in which thieves stole $55 million in digital assets.
- Exploiting a vulnerability in the platform's token bridge, as was seen earlier this month with the Nomad token bridge.
- Manipulating cryptocurrency prices by exploiting a series of vulnerabilities, including the platform's reliance on a single price oracle, as in the April 2022 Deus Finance exploit, which resulted in the theft of $13.4 million.
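The first and third methods above are usually one and the same trade: the flash loan supplies the capital needed to move a thin AMM pool, and a lending contract that reads its collateral price from that single pool believes the move. The simulation below is an added illustration, not code from the FBI advisory or from any of the projects named; the pool, the lending protocol, the fee and every balance are hypothetical stand-ins chosen to make the arithmetic visible. It runs the same atomic attack against a lender that trusts the spot price of one pool and against a lender whose oracle only uses prices observed at the start of earlier blocks (a simplified TWAP), which is the standard first mitigation auditors look for.

```python
"""Flash-loan manipulation of a single AMM spot-price oracle, simulated.

Added example with hypothetical numbers; it is not code from the FBI
advisory or from bZx, Nomad, Deus Finance or any other named project.
"""
from dataclasses import dataclass

FLASH_LOAN_FEE = 0.0009  # 9 bps per flash loan; assumed, not a real quote


@dataclass
class ConstantProductPool:
    """Minimal x*y=k AMM holding TOKEN and USDC (swap fee omitted)."""
    token: float
    usdc: float

    def spot_price(self) -> float:
        """USDC per TOKEN: exactly what a naive on-chain oracle reads."""
        return self.usdc / self.token

    def buy_token(self, usdc_in: float) -> float:
        """Sell usdc_in into the pool; return the TOKEN received."""
        k = self.token * self.usdc
        new_usdc = self.usdc + usdc_in
        new_token = k / new_usdc
        out = self.token - new_token
        self.token, self.usdc = new_token, new_usdc
        return out


class SpotOracle:
    """Single-source oracle: the current reserve ratio of one pool."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Averages prices observed at the start of earlier blocks, so a swap
    inside the attacker's own transaction cannot change the answer."""
    def __init__(self, pool: ConstantProductPool, window: int = 3):
        self.pool, self.window, self.history = pool, window, []

    def observe(self) -> None:
        """Called once per block, before any user transaction runs."""
        self.history = (self.history + [self.pool.spot_price()])[-self.window:]

    def price(self) -> float:
        return sum(self.history) / len(self.history)


@dataclass
class LendingProtocol:
    """Lends USDC against TOKEN collateral valued by `oracle`."""
    oracle: object
    usdc_liquidity: float
    ltv: float = 0.75  # maximum loan-to-value ratio

    def borrow(self, collateral_token: float) -> float:
        value = collateral_token * self.oracle.price()
        amount = min(value * self.ltv, self.usdc_liquidity)
        self.usdc_liquidity -= amount
        return amount


def run_attack(pool: ConstantProductPool, lender: LendingProtocol,
               flash_amount: float) -> float:
    """One atomic transaction: flash-borrow USDC, pump the pool, post the
    bought TOKEN as collateral, borrow USDC, repay the flash loan and walk
    away from the collateral. Returns attacker profit in USDC, or 0.0 when
    the attacker reverts because the flash loan could not be repaid."""
    snapshot = (pool.token, pool.usdc, lender.usdc_liquidity)
    bought = pool.buy_token(flash_amount)   # moves the spot price
    borrowed = lender.borrow(bought)        # collateral valued by the oracle
    repay = flash_amount * (1 + FLASH_LOAN_FEE)
    profit = borrowed - repay
    if profit <= 0:
        pool.token, pool.usdc, lender.usdc_liquidity = snapshot  # revert
        return 0.0
    return profit


def simulate(use_twap: bool) -> dict:
    """Same pool, lender and attacker; only the oracle design differs."""
    pool = ConstantProductPool(token=100_000.0, usdc=100_000.0)  # $1/TOKEN
    if use_twap:
        oracle = TwapOracle(pool)
        for _ in range(3):  # three earlier blocks of honest $1 prices
            oracle.observe()
    else:
        oracle = SpotOracle(pool)
    lender = LendingProtocol(oracle=oracle, usdc_liquidity=5_000_000.0)
    profit = run_attack(pool, lender, flash_amount=900_000.0)
    return {
        "oracle_price_after_tx": oracle.price(),
        "attacker_profit_usdc": profit,
        "lender_usdc_left": lender.usdc_liquidity,
    }


if __name__ == "__main__":
    for twap in (False, True):
        print("TWAP oracle" if twap else "spot oracle", simulate(twap))
```

With the spot oracle, 900,000 USDC pushed into a 100,000/100,000 pool moves the reported price from $1 to $100; 90,000 TOKEN worth about $90,000 is accepted as $9 million of collateral, the lender's entire 5 million USDC is borrowed, and the attacker clears roughly 4.1 million after repaying the flash loan. With the TWAP oracle the same collateral is valued at the pre-attack price, the borrow cannot cover the flash loan, and the transaction reverts with no state change. A TWAP raises the cost of the attack rather than eliminating it (a thin pool can still be pushed across several blocks), which is why an audit also checks for multiple independent price sources and deviation limits.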
"Cybercriminals seek to exploit investors' growing interest in cryptocurrencies, as well as the complexity of cross-chain capabilities and the open source nature of DeFi platforms," according to the agency.
Blockchain security companies have long tracked the most common vectors cyber criminals use to compromise smart contracts.
Exploits at this level are especially damaging because "smart contract code is typically not changeable to patch security flaws, assets robbed from smart contracts are irreversible, and stolen assets are exceedingly difficult to track," according to the Ethereum Foundation.
Cybercriminals are not only interested in DeFi platforms. Elliptic, a blockchain analysis firm, released its "NFTs and Financial Crime" report last week. According to the report, over $100 million worth of NFTs were stolen between July 2021 and July 2022.
The FBI, for its part, recommends thoroughly researching DeFi platforms, protocols, and smart contracts before investing, and being aware of the specific risks involved.
For example, the agency advises consumers to check to see whether the platform has undergone one or more code audits by independent auditors.
Furthermore, the FBI advises caution regarding DeFi investment pools with extremely short timeframes to join and rapidly deployed smart contracts, especially when the recommended code audit has not been performed. Do your own research, in other words.