FBI warns investors after $1.3 billion in crypto stolen in Q1 of 2022


The FBI warned crypto investors after data from Chainalysis showed that cybercriminals stole $1.3 billion in crypto in Q1 of 2022. The report added that 97 percent of the stolen funds were obtained from decentralized finance (DeFi).

The agency has investigated the issue and provided several suggestions to investors based on the results. The FBI encouraged investors to research platforms, smart contracts and protocols before placing their money there. It also warned people about certain risks that DeFi investments carry.

The agency highlighted that cybercriminals tend to target smart contracts, which are central to the DeFi system. Smart contracts are “self-executing contracts that have the terms of a transaction” and are activated and distributed across the network once those terms are met. The criminals exploited a vulnerability in the contracts' signature verification procedure to steal all assets in a DeFi platform.

Wormhole, a connection protocol among networks, lost $320 million worth of Ether (ETH) in February this year due to signature verification issues. Later in April, Beanstalk Farms reported that scammers stole $180 million using a similar method.

The FBI added that investors must make sure that the DeFi platform they want to invest in has been audited by independent auditors. The required audits for a DeFi platform typically include a review of the platform’s code protocol to detect vulnerabilities that may hinder its performance.

The FBI also warned of the potential risk of crowdsourcing solutions. According to the agency, crowdsourcing is susceptible to crimes due to weakness in identification and patching. There was a recent case where investors and developers of a DeFi project lost $3 million after cybercriminals initiated a “flash mortgage.”

The FBI demanded DeFi platforms “to institute real-time analytics, monitoring and testing of code, and develop incident response plans that include alerting investors.”

Perceptions of DeFi’s risks

Several figures in the cyber industry also warned of the risks of participating in DeFi. Michael Oglesby of Cerberus Sentinel said that early investors needed to be “wary” of their funds. According to Oglesby, most DeFi platforms do not offer adequate protection to prevent consumers’ “catastrophic loss” in the event of a fraudulent attack.

Jeff Williams of cybersecurity firm Contrast Security also commented on the recent surge of DeFi investors, saying these investors were “putting their faith” in the crypto mechanisms.

“But even if they are perfect, there is a lot more to DeFi platforms than just crypto,” Williams said.

“These platforms are just software and they require high-security authentication, access control, input handling, attack detection and response, use of open source, IaC [infrastructure-as-code] security, and much more.”

Williams said that DeFi platforms must be transparent with investors about the security measures they put in place to protect their patrons.

He added, “This would be a great use case for the new consumer software security label scheme created by NIST per the [US President's] cybersecurity executive order.”

In the U.K., the Bank of England recently announced that crypto assets and the DeFi system did not affect the stability of the U.K.’s financial system at the moment. Nonetheless, the central bank said if the current growth rate prevailed in the upcoming years, there would be some risks to the country’s finances in the future.