Thinking Like a Hacker: The Threat of DeFi Hacks for Financial Institutions | Hacker Noon



Lior Lamesh

Co-Founder and CEO of GK8

The DeFi (decentralized finance) ecosystem burst out into the spotlight last year as the amount of money locked into the smart contracts, on-chain programs powering it, soared. This development was not lost on major financial institutions, which moved to explore the novel ecosystem, but hackers were paying attention too. It is thus hardly surprising that this year, DeFi-related theft, hacks, and scams hit an all-time high, already accounting for more than 54% of major crypto fraud compared to 3% this time last year. 

To put this in perspective, here is a list of DeFi hacks that cost investors approximately $1.2 billion this year alone.

  1. Saddle Finance: $275,000
  2. Yearn Finance (YFI): $11,000,000
  3. Growth DeFi (GRO): $1,300,000
  4. BT Finance (BT): $1,500,000
  5. Alpha Finance Lab (ALPHA) & Cream Finance (CREAM): $37,000,000
  6. Furucombo (COMBO): $14,000,000
  7. Meerkat Finance (MKAT): $31,000,000
  8. Paid Network (PAID): $160,000,000
  9. DODO (DODO): $1,910,000
  10. Roll: $5,700,000
  11. Iron Finance (IRON): $170,000
  12. TurtleDex (TTDX): $2,400,000
  13. Force DAO (FORCE): $376,000
  14. EasyFi (EZ): $80,000,000
  15. Uranium Finance: $50,000,000
  16. Spartan Protocol (SPARTA): $30,000,000
  17. Rari Capital (RGT): $15,000,000
  18. xToken (XTK): $24,500,000
  19. bEarn Fi (BFI): $11,000,000
  20. PancakeBunny (BUNNY): $200,000,000
  21. Venus Protocol (XVS): N/A
  22. AutoShark Finance (JAWS): $822,000
  23. Merlin Lab: $1,560,000
  24. Wild Credit (WILD): N/A
  25. BurgerSwap (BURGER): $7,200,000
  26. Belt Finance (BELT): $50,000,000
  27. Alchemix (ALCX): N/A
  28. Impossible Finance (IF): $500,000
  29. Eleven Finance (ELE): $4,600,000
  30. SafeDollar (SDO): $248,000
  31. ChainSwap (ASAP): $5,200,000
  32. Bondly Finance (BONDLY): N/A
  33. THORChain (RUNE): $18,039,000
  34. PancakeBunny (BUNNY): $2,400,000
  35. Levyathan (LEV): N/A
  36. Popsicle Finance (ICE): $25,000,000
  37. Punk Protocol (PUNK): $3,950,000
  38. Poly Network: $268,000,000
  39. Dao Maker: $11,000,000
  40. Cream Finance: $19,000,000
  41. Sushi: $3,100,000
  42. Cream Finance: $130,000,000
  43. bZx: $55,000,000

Hacking is about ROI. It is safe to assume that when it comes to new technologies, hackers will be motivated enough to invest millions into stealing billions. And while blockchain, the ultimate underlying technology of the cryptoverse, is considered highly secure, with DeFi, there is an additional layer to consider – a layer that consists of thousands of various services running on multiple blockchains and interacting with one another. This makes the ecosystem complex and dynamic, but it also opens up new attack vectors for savvy hackers, as not all of these services are equally secure, and some of their interactions can be exploited too.

Banks like Vast Bank, the first US-chartered bank to offer crypto as banking services, UBS, CitiBank, BNY Mellon, JP Morgan Chase, to name a few, and other major financial institutions like Mastercard, Visa, and Paypal, are all adopting and investing in a crypto future. The primary concern for such major players is how to keep assets safe while still keeping up with the speed of business – and this challenge must not be taken lightly. 

How are hackers finding their way in? Primarily through the vulnerabilities found in the private key management protocols and via vulnerabilities within the smart contract code. 

Private key management

To manage your digital assets, you need a private key. The ability to safely hold and transfer the assets themselves is only guaranteed as long as the private key is safe. Once that key is compromised, the funds can easily be transferred into the hacker’s own wallet. Therefore, preventing the theft of private keys is crucial to maintaining digital asset security.

A multi-party computation (MPC) solution is one of the best methods for securing a private key. It’s designed to distribute fragments (shards) of the private key across multiple computers instead of keeping all of those on one internet-connected computer. 

Many enterprises rely solely on an MPC to protect and manage digital assets. However, even though an MPC is more secure than a hot wallet, it is not enough by itself for banks or financial institutions managing tens or hundreds of millions of dollars worth of crypto. 

Since hacking is about return on investment, if a hacker knows that the account holds tens or hundreds of millions of dollars, they are willing to invest a few million into emptying it. The MPC adds to the price tag of an attack by making the hackers go after multiple targets instead of having to compromise just one internet-connected computer, but this increased entry barrier could still fail to deter the more incentivized groups that can afford to run a highly sophisticated plot, as the potential returns still outshine their initial investment.

A better approach is to divide your digital asset balance and use the MPC to manage only 2% or 3% of the assets, while the rest is held in a cold vault, where it is 100% safe since the vault is never connected to the internet.

With DeFi in the picture, though, things get more challenging, as every interaction with the smart contracts powering the ecosystem begins with initiating a transaction. This does not necessarily have to be a transaction in the regular sense of moving assets from account A to account B. In programming terms, it is more akin to a function call: invoking a specific script, or smart contract function, within a DeFi service and, if needed, giving it the required input. The transaction must be signed with the institution’s private key, which opens a window of opportunity for a hacker to intercept it. To make sure their systems are built to the highest security standards, institutions must only rely on solutions that allow them to sign transactions without having their vault go online at any point in the process.
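The point above, that a DeFi transaction is a function call with input which the institution's key then signs, as an added example (not code from the article or from GK8): a check run before signing that decodes the call data and rejects anything outside policy. The two selectors are the standard ERC-20 `transfer` and `approve`; the function names, addresses, cap and allowlists are constructed assumptions.

```python
# Added example. Selectors are the standard ERC-20 ones; every address,
# amount and limit below is constructed for illustration.
SELECTORS = {"a9059cbb": "transfer", "095ea7b3": "approve"}  # (address,uint256)
MAX_UINT256 = 2**256 - 1

def decode_call(calldata_hex):
    """Split ABI calldata into (function, address, amount); raise if unknown."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        raise ValueError("unknown function selector 0x" + data[:4].hex())
    if len(data) != 4 + 64:
        raise ValueError("calldata length does not match (address,uint256)")
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):
        raise ValueError("non-zero padding in address argument")
    return name, "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")

def review(tx, contracts, counterparties, cap):
    """Return policy violations for an unsigned tx; an empty list means sign."""
    problems = []
    if tx["to"].lower() not in contracts:
        problems.append("target contract not on allowlist")
    try:
        name, party, amount = decode_call(tx["data"])
    except ValueError as exc:
        return problems + ["undecodable call: %s" % exc]
    if party not in counterparties:
        problems.append("%s: counterparty not on allowlist" % name)
    if name == "approve" and amount == MAX_UINT256:
        problems.append("approve: unlimited allowance")
    elif amount > cap:
        problems.append("%s: amount exceeds cap" % name)
    return problems

# Constructed sample data: a token contract, a known pool, two unsigned calls.
TOKEN = "0x" + "11" * 20
POOL = "0x" + "22" * 20

def call(selector, addr, amount):
    return "0x" + selector + addr[2:].rjust(64, "0") + format(amount, "064x")

OK_TX = {"to": TOKEN, "data": call("095ea7b3", POOL, 5000)}
BAD_TX = {"to": TOKEN, "data": call("095ea7b3", "0x" + "33" * 20, MAX_UINT256)}

if __name__ == "__main__":
    for tx in (OK_TX, BAD_TX):
        print(review(tx, {TOKEN}, {POOL}, cap=10_000) or "OK to sign")
```

Because the check works only on the unsigned transaction bytes, it can run on the offline side of the signing flow, before the key is ever used.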

On the flip side, DeFi services must also make sure to get their private key management right, because DeFi is not nearly as decentralized as the name suggests. There is a bottleneck in the system here too: The smart contract owner (the one who uploaded the piece of software to the blockchain) has “superpowers,” special control which, depending on the project, can include freezing, updating the price, minting, and burning new assets. By compromising the smart contract owner’s private key, the whole economy of the protocol can be destroyed right away. It is worse than hacking a single DeFi user – it means hacking all DeFi users at once!

Smart Contracts

The other main way to hack a DeFi service is by utilizing a flaw in its code, which can boil down to the sequence in which specific functions are being called by the contract or how it handles its use of memory. Such vulnerabilities often play off the ways in which smart contracts interact with one another and call first and foremost for more robust smart contract auditing.

Such attacks can be expected to become more complex for hackers to pull off in the future, in part because the DeFi ecosystem is still in its nascent stages and, as such, has yet to work out a time-tested security ruleset. As it matures, developers will pick up best practices from one another, assisted by blockchain researchers, and will weed out the blunders that can enable devastating hacks. For now, though, vigilance and cautious smart contract auditing are the way to go when plugging into the DeFi ecosystem.

The Takeaways

The DeFi ecosystem has a lot to offer traditional financial institutions, too much for them to be deterred from exploring it by the threat of hackers, considerable as it is. Thankfully, by sticking to just two baseline security rules, banks and financial institutions tapping DeFi can greatly reduce their risks.

The first rule is for financial institutions to manage their own private keys in the most secure manner, in a way that keeps the majority of the assets in custody in cold storage, outside the hackers’ reach, while smaller amounts will be held in an MPC network for automatic high-frequency transactions when needed. 

The second rule is to vet and audit the services banks are looking to integrate with, both for flaws in smart contracts – and for adhering to security rule number one themselves.