Scams in a DeFi World and How to Defend Against Them

By Roger A. Grimes, Data-Driven Defence Evangelist at KnowBe4


The Decentralised Finance (DeFi) world is full of projects, cryptocurrencies, blockchains, financial innovation, and promises. Clearly, DeFi will change the world around us for the better in ways we can’t all imagine right now. It’s also full of hackers, scammers, charlatans, and money grabbers (both legal and illegal). DeFi is currently over-promising, under-delivering, and stealing billions from early believers.

I’ve been following how attackers and malware programs successfully compromise victim resources, what we call “initial access” in the cybersecurity industry, for over two decades. Regardless of an attacker’s intent, there are basically only 12 ways they gain initial access:

  • Social Engineering
  • Programming Bug (patch available or not available)
  • Malicious Instructions/Scripting
  • Human Error/Misconfiguration
  • Eavesdropping/MitM
  • Side Channel/Information Leak
  • Brute Force/Computational
  • Data Malformation
  • Network Traffic Malformation
  • Insider Attack
  • 3rd Party Reliance Issue (supply chain/vendor/partner/etc.)
  • Physical Attack

By far, social engineering is the number one way that attackers and malware gain access to victims’ computers. It’s responsible for somewhere between 50% and 92% of all attacks, depending on whose report or data you believe. Nothing else comes close, and it’s been this way for over three decades. Vulnerabilities in software are the second most popular threat and are involved in about 20% to 40% of attacks. All the other initial access methods, added together, are involved in about 1% to 10% of total attacks.

This holds true even more so in the DeFi world. The vast majority of attacks happen because of social engineering of one type or another. By far the most common type of scam in the DeFi world is malicious individuals and groups posing as a legitimate entity, product, offering, or service, who then steal value (usually cryptocurrency or NFTs) from unsuspecting victims. Over $7.8 billion was stolen from cryptocurrency and DeFi projects in 2021 alone (https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf).


Summary of Cryptocurrency, DeFi, and NFT Attacks

Here are the relevant facts and methods of theft in the DeFi world:

  • Most involve social engineering scams
  • Value stolen (from individual, project, bridge, or exchange)
  • Many outright project scams (i.e., rug pulls)
  • Many fraudulent cryptocurrencies, initial coin offerings (ICOs), and NFTs
  • Many fraudulent trades
  • Many fraudulent exchanges (rug pulls)
  • Many fraudulent mining operations
  • Many fraudulent DeFi projects
  • Buggy contracts
  • Bridge and exchange attacks
  • Stolen resources (malicious miners)

If I had to narrow the above down to just the two most damaging types of initial access methods, it would be social engineering and buggy software. Social engineering usually involves enticing a potential buyer or investor into unintentionally giving a malicious attacker or their malware access to the victim’s cryptocurrency wallet, or into buying fake things. Just as serious, an attacker social engineers an employee of a legitimate project, which allows the attacker to compromise the project and further social engineer its members. One of the most common scams is for an attacker who has gained access to a legitimate project to post fraudulent links to fake offers promising “airdrops” of cryptocurrencies or tokens, or the ability to buy sought-after NFTs early and cheaply. Members read these claims thinking they are legitimate and then spend cryptocurrency or grant access to their cryptocurrency wallets, which the attackers then use to steal value.
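The “allow access to their cryptocurrency wallets” step above is, in practice, usually a signed token approval that lets a third-party address spend the victim’s tokens. The following is an added example (not from the article or from KnowBe4) showing how a wallet owner or a project’s support team can audit such approvals defensively: it flags approvals granted to spenders that are not on the owner’s own allowlist and approvals with an unlimited allowance, and produces a revocation plan. The approval records, token symbols and spender addresses are constructed sample data, and the allowlist is an assumption for illustration.

```python
"""Defensive audit of ERC-20 style token approvals for one wallet.

Added example, not part of the original article. The approvals below are
constructed sample data (no real chain, token or address is referenced).
"""
from dataclasses import dataclass

# Largest value an ERC-20 allowance can hold; phishing pages commonly request it.
MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class Approval:
    token: str      # token symbol (constructed)
    spender: str    # address allowed to move the owner's tokens (constructed)
    allowance: int  # approved amount in the token's smallest unit


# Hypothetical allowlist: spenders this wallet owner knowingly uses.
KNOWN_SPENDERS = {"0xKNOWN-DEX-ROUTER", "0xKNOWN-NFT-MARKET"}


def classify(approval: Approval, known_spenders=KNOWN_SPENDERS) -> list:
    """Return the list of risk findings for one approval (empty = no concern)."""
    findings = []
    if approval.allowance == 0:
        return findings  # already revoked, nothing to flag
    if approval.spender not in known_spenders:
        findings.append("unknown-spender")
    if approval.allowance == MAX_UINT256:
        findings.append("unlimited-allowance")
    return findings


def audit(approvals, known_spenders=KNOWN_SPENDERS) -> dict:
    """Map 'TOKEN:spender' -> findings for every approval that raised a finding."""
    report = {}
    for a in approvals:
        findings = classify(a, known_spenders)
        if findings:
            report[f"{a.token}:{a.spender}"] = findings
    return report


def revoke_plan(approvals, known_spenders=KNOWN_SPENDERS) -> list:
    """Approvals that should be reset to 0 first: those to unknown spenders."""
    return sorted(
        f"{a.token}:{a.spender}"
        for a in approvals
        if "unknown-spender" in classify(a, known_spenders)
    )


# Constructed sample approvals, as a wallet explorer or RPC query might list them.
SAMPLE_APPROVALS = [
    Approval("USDC", "0xKNOWN-DEX-ROUTER", 1_000_000_000),        # bounded, known
    Approval("USDC", "0xKNOWN-NFT-MARKET", MAX_UINT256),          # unlimited, known
    Approval("WETH", "0xUNKNOWN-AIRDROP-CLAIMER", MAX_UINT256),   # the phishing pattern
    Approval("DAI", "0xUNKNOWN-AIRDROP-CLAIMER", 0),              # already revoked
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_APPROVALS).items():
        print(f"{key}: {', '.join(findings)}")
    print("revoke first:", revoke_plan(SAMPLE_APPROVALS))
```

An approval to an address the owner does not recognise, combined with an unlimited allowance, is the signature of the fake-airdrop scam the paragraph describes; setting that allowance back to zero is the mitigation, and it only costs a normal transaction fee if done before the attacker drains the wallet.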


Buggy Contracts and Bridges

In the non-DeFi world, software vulnerabilities, both zero-days and those with available patches, are the number two reason why victims are compromised. This is just as true in the DeFi world, but the type of code that is attacked is different. Just like in the non-DeFi world, any software run by a victim is fair game, but some of the most exploited code is in “smart contracts” and in the software used by cryptocurrency “bridges” and “exchanges”.

In the DeFi world, many, if not almost all, transactions are accomplished using smart contracts. Smart contracts are scripts and software code that run within a blockchain, usually Ethereum, which are sent inputs and produce predefined outputs. Typically, the inputs are some sort of buying, selling, or exchange transaction, and the output is the completion of the transaction and whatever the predefined results are. For example, someone buys an NFT: the seller gains the agreed-upon cryptocurrency value, the buyer gives up the agreed-upon value to pay for the NFT and transaction fees, and all the involved parties get whatever transaction fees and actions the smart contract defines. The transaction and all the involved inputs and outputs are stored permanently on the involved blockchain.

Cryptocurrency exchanges allow members to buy, sell, and trade cryptocurrencies and NFTs. Cryptocurrency bridges allow different cryptocurrencies and blockchains (which normally cannot directly interact with each other) to transact with each other. A simple example might be someone buying an NFT using the Ether cryptocurrency, which ends up giving the seller bitcoin in exchange, at an agreed-upon exchange price.

Hackers frequently look for bugs in smart contracts, exchanges, and bridges, find them, and then exploit the vulnerabilities to steal value. This often results in the theft of cryptocurrencies or NFTs. Sometimes, bugs in DeFi sites and projects are exploited to allow the hacker to post new fraudulent claims, links, and NFTs. Other times bugs allow an attacker to directly take someone’s cryptocurrency or NFTs. In short, hackers look for code bugs and steal things of value.

In the non-DeFi world, say a regular banking web site, an attacker who finds an exploitable bug must then figure out how to turn that exploit into the theft of value. There are usually many steps from the first exploit to the stealing of value. In the DeFi world, the original vulnerability exploit usually results directly in the immediate theft of value, or at least does so far more quickly and easily. Worse, the illegal transaction is usually “locked” to the blockchain, and difficult or impossible to reverse even if everyone knows it happened illegally. Compare that to the non-DeFi world, where an illegal transaction can often be reversed and the injured parties are made whole.
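To make concrete why a single contract bug turns straight into theft, here is an added example (not from the article) that simulates, in plain Python, the best-known class of smart-contract bug: a withdraw function that sends value to the caller before it records that the caller’s balance is now zero. In a real contract the “send” can execute code belonging to the receiver, so a malicious receiver re-enters withdraw while its balance is still unchanged. The simulation runs the same scenario against a vault that applies the effect (zeroing the balance) before the interaction (the send). The Vault and Attacker classes, addresses and amounts are all constructed for illustration; no real chain or contract is involved.

```python
"""Simulation of a re-entrant withdraw bug versus the checks-effects-interactions fix.

Added example, not part of the original article. Everything here is a plain
Python model with constructed addresses and amounts, not real contract code.
"""


class Vault:
    """Toy contract holding deposits; `safe` selects the hardened withdraw()."""

    def __init__(self, safe: bool):
        self.safe = safe
        self.balances = {}   # address -> recorded balance
        self.funds = 0       # total value actually held by the contract
        self.callbacks = {}  # address -> code run when that address receives value

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def _send(self, who: str, amount: int) -> None:
        # Models an external value transfer: the receiver's code runs here.
        self.funds -= amount
        callback = self.callbacks.get(who)
        if callback is not None:
            callback(amount)

    def withdraw(self, who: str) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0 or self.funds < amount:   # check
            return
        if self.safe:
            self.balances[who] = 0               # effect first...
            self._send(who, amount)              # ...then interaction
        else:
            self._send(who, amount)              # interaction first (the bug)
            self.balances[who] = 0               # effect too late


class Attacker:
    """Receiver whose 'on receive' code re-enters withdraw() while funds remain."""

    def __init__(self, vault: Vault, address: str = "0xATTACKER"):
        self.vault = vault
        self.address = address
        self.received = 0
        vault.callbacks[address] = self.on_receive

    def on_receive(self, amount: int) -> None:
        self.received += amount
        # In a real contract this would be a receive()/fallback function.
        if self.vault.funds >= amount:
            self.vault.withdraw(self.address)


def run_scenario(safe: bool) -> dict:
    """Honest user deposits 3, attacker deposits 1, attacker withdraws once."""
    vault = Vault(safe=safe)
    vault.deposit("0xHONEST", 3)
    attacker = Attacker(vault)
    vault.deposit(attacker.address, 1)
    vault.withdraw(attacker.address)
    return {
        "attacker_received": attacker.received,
        "vault_funds": vault.funds,
        "honest_balance": vault.balances["0xHONEST"],
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(safe=False))
    print("hardened:  ", run_scenario(safe=True))
```

In the vulnerable run the attacker deposited 1 and walks away with all 4 units while the honest user’s recorded balance still says 3, which is exactly the “immediate theft of value” the paragraph describes; once that transaction is in a block there is no bank to reverse it. Ordering the balance update before the external call is the standard mitigation, and the kind of defect that the automated and manual code reviews recommended later in the article are meant to catch.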


Defences

The defences in the DeFi world are the same as in the non-DeFi world. All DeFi stakeholders (i.e., project leaders, participants, developers, exchanges, bridges, services, etc.) need to enable controls to stop all the possible attack types (as listed at the top of this article). But all participants need to pay special attention to social engineering attacks and code exploits, because these two attack methods are responsible for the vast majority of attacks.

To defeat all possible threats, defenders need to implement the best defence-in-depth they can: a combination of policies, technical defences, and education to mitigate those threats. It is especially important that all participants be made highly aware of the most common types of social engineering attacks and how to recognise and avoid them. Nothing will do more to defeat the vast majority of DeFi attacks than a well-educated stakeholder. All developers need to be trained in secure development lifecycle techniques, use more secure programming languages (if they can), do automated and manual code reviews, conduct penetration tests, and educate everyone involved in how to mitigate project vulnerabilities.

The vast majority of DeFi attacks and theft would be prevented by all stakeholders shutting down just two threats: social engineering and software vulnerabilities. How well a DeFi project or stakeholder does at preventing these two types of attacks very much determines how well they will do at reducing the risk of a successful attack. The DeFi projects and stakeholders that understand their overall importance and concentrate on defeating them will reduce their cybersecurity risk far better than the projects and stakeholders that do not.
