Published: August 13th, 2021
Decentralised finance (DeFi) has been on a year-long joyride with nearly USD 80 billion now locked up in its protocols. As money flows in, cybercriminals have the sector firmly in their crosshairs.
A report issued this week by blockchain forensics company CipherTrace says cyber theft and fraud have cost DeFi protocols and their users USD 475 million for the year to date up to 31st July.
While the firm says overall cryptocurrency fraud and crime have dropped considerably in the same period (CipherTrace pegged the sector-wide loss at around $4.5 billion in 2019), DeFi hacks have done 260 per cent more damage to DeFi firms and users than all of last year.
Decentralised finance technology uses protocols based on blockchains, Ethereum mainly, to facilitate payments, loans, financial trades, and other transactions without the need for an intermediary to take custody of them first. Instead of using people and institutions to move money, DeFi uses code, in the form of smart contracts that automate transactions and validate them.
Crypto advocates say the arrival of smart contracts enables individuals to make decisions more freely about how they use their assets while avoiding also sidestepping the fees that traditional intermediaries levy. On paper, it makes sense …
As the data from CipherTrace's details, outside attacks have drained protocols of close to USD 360 million in stolen coins and tokens. ‘Rug pulls’, where a fraudulent project tricks investors and disappears with their funds, cost users USD 110 million.
CipherTrace is most alarmed by the USD 360 million theft figure. DeFi tokens and Ethereum in particular, essentially DeFi’s reserve currency, are worth significantly more today than they were a year ago.
Ethereum's (ETH) price has climbed above USD 3,100, a rise of more than 200 per cent since the start of 2021, while UNI, Uniswap’s governance token, is up over 400 per cent.
From the cybercriminals’ perspective, it is easy to see why DeFi protocols have become an attractive target.
According to CipherTrace, decentralised finance attracted three-quarters of all cryptocurrency hacks for the year to date. DeFi-related fraud accounted for more than half of crypto fraud. Last year it only accounted for 3 per cent of the full-year total.
Most attempted hacks on DeFi protocols use ‘flash loans,' where the fraudster borrows a large sum of money, uses the capital to trade cryptos in an arbitrage opportunity, then pays back the loan, all in a single transaction.
‘Platforms giving out flash loans isn’t the real problem,’ says the CipherTrace report, ‘it’s the unaudited loans and the smart contracts used to validate them which are exploited."
The analytics firm listed the 30 attacks that have been made public since January 2021, including the largest, a USD 45 million grift from PancakeBunny that occurred in May.
The PancakeBunny fraud now looks like small potatoes compared to the exploit suffered by Interoperability protocol Poly Network this past Tuesday, where criminals made off with at least USD 600 million in stolen crypto.
A company press release said three addresses allegedly belonging to attackers had been identified, an Ethereum address holding USD 264.6 million in crypto), a Binance Smart Chain address holding USD 250.5 million, and a Polygon address holding USD 85 million.
Combined, that makes the haul the most significant cryptocurrency hack ever publicised. The previous record-holder being Coincheck, which lost more than USD 528 million to hackers in 2018.
Worryingly, since Poly Network is an interoperability protocol, it’s possible that one of the dozens of other projects using Poly Network has also been breached.
Shortly after the attack, O3 Swap, a Poly Network-based cross-chain pool, halted all its cross-chain functionality.
The company tweeted on Tuesday that it had ‘temporarily suspended cross-chain transactions while we assess the impact of the PolyNetwork breach. Please be patient while we work to return to full functionality.’
Tether also suspended some USD 30 million worth of stablecoins stolen by the hacker, who remains at large and the subject of frenzied speculation amongst crypto enthusiasts.
One pseudonymous crypto fan received 13.35 in ETH from the hacker, worth about USD 41,000 at this week’s prices, as thanks for tipping him off.
In a message attached to an Ethereum transaction, the fan appended the message ‘don’t try and use your USDT, your address is on a blocklist'. When others heard about the thief’s apparent generosity, they started sending messages as well.
In a bizarre twist, a day later, the Poly Network hacker started returning the USD 600 million in stolen crypto. They sent close to USD 5 million in coins and tokens back to the project.
Poly Network developers messaged the hacker using Ethereum transactions to say they are creating a multi-signature address for receiving back more stolen funds. They also listed three wallets for the hacker to use as a way to send back the money.
Around USD 2 million in crypto has been sent to two of the addresses; Poly Network told reporters that a payment of 1,000,100 stablecoins was received by a wallet on the Polygon blockchain. An hour later, a second wallet received a payment of 23.87 BTCB worth about USD 1 million at current prices. BTCB is a token on the Binance Smart Chain that’s pegged to the price of Bitcoin.
Since then, cybersecurity company Slowmist announced that it had captured the hacker’s email and addresses.
A press release on the company’s website said analysts had ‘discovered the attacker's device fingerprints, as well as IP and email addresses using the technique of on- and off-chain tracking.’ The firm is using the data to correlate for other potential identity clues and help bring the hacker to justice.
The strange tale underlines just how vulnerable and chaotic the crypto world can be for traditional investors and crypto bears.