Synopsis
In 2021 cryptocurrency surpassed $1 trillion in total market value for the first time (1). Along with that legitimate growth, the raw value of illicit transaction volume reportedly reached its highest level ever (2). Threat actors are homing in on Decentralized Finance (DeFi) as a source of profit. In this report, EclecticIQ analysts identify the attack patterns emerging in cyberattacks that have produced the highest returns. The analysis identifies areas subject to repeating attack patterns, where security resource development will be most effective.
In 2021, cyberattacks produced approximately $3.2 billion USD in stolen cryptocurrency assets. The current total estimated value of stolen funds sitting in wallet addresses is over $10 billion (2, 3). The total stolen in cryptocurrency assets during 2021 increased 1330% from 2020, when an estimated $160 million worth of cryptocurrency was stolen, and the 2020 total in turn represents a 335% increase over the 2019 total. Many of the largest attacks have taken place since the start of the COVID-19 pandemic, when users began adopting cryptocurrency at much higher rates; 2021 saw a 912% jump in DeFi transaction volume (1, 4). As DeFi systems accumulate assets, the risk and impact of these attack vectors increase. An analysis of the largest cyberattacks against decentralized finance platforms provides strategic value by describing the Tactics, Techniques, and Procedures (TTPs) that are the most impactful and popular attack vectors. Directing IT security resource development towards the weak areas of the DeFi ecosystem that enable the patterns described here will have the greatest impact on future large-scale cyberattacks.
Record-setting attacks against DeFi systems between 2020 and 2022 (5, 6)

| DeFi Organization | Amount at Attack | Date |
|---|---|---|
| Poly Network | $611,000,000 | 08.10.2021 |
| Ronin Bridge | $540,000,000 | 03.23.2022 |
| Wormhole Bridge | $325,000,000 | 01.13.2022 |
| BitMart | $196,000,000 | 12.04.2021 |
| Compound | $147,000,000 | 09.29.2021 |
| Vulcan Forged | $140,000,000 | 12.13.2021 |
| Cream Finance | $130,000,000 | 10.27.2021 |
| BadgerDao | $120,000,000 | 12.02.2021 |
| Ascendex | $77,000,000 | 12.12.2021 |
| EasyFi | $59,000,000 | 04.19.2021 |
| Uranium Finance | $57,000,000 | 04.28.2021 |
| bZx | $55,000,000 | 11.05.2021 |
| PancakeBunny | $45,000,000 | 05.19.2021 |
| Kucoin | $45,000,000 | 09.29.2020 |

Other notable large-scale attacks prior to 2020

| DeFi Organization | Amount at Attack | Date |
|---|---|---|
| Coincheck | $532,000,000 | 01.2018 |
| MT GOX | $470,000,000 | 06.2011 |
| BitGrail | $150,000,000 | 02.2010 |
Strategic Primary Goals for DeFi Attacks: Price Manipulation and Key Exposure
Attacking DeFi systems to manipulate pricing for malicious outcomes, also known as price boosting, remains the most common goal for threat actors in large heists. Price manipulation can occur in many ways; several of the most common methods are described below. The other strategic focus is the discovery and exploitation of systems that provide privileged access, either to important infrastructure or to the keys that control wallets.
Four Attack Patterns Support Strategic Goals of DeFi Cyberattacks
The primary TTPs successfully leveraged by threat actors in major heists against DeFi include smart contract exploitation, flash loan exploitation, and compromise of critical systems. Fraud attacks that rely on social engineering and more familiar cyberattack components are also highly impactful.
SMART CONTRACT EXPLOITATION
Smart contract exploitation involves a programmatic weakness or vulnerability in one or more smart contracts that allows data to be modified in a way that is not congruous with the smart contract’s intent. Smart contracts are composed of code and function as programs. Smart contract exploitation can involve one or more vulnerabilities that affect a complex chain of smart contracts tied together to produce a malicious outcome. In large-scale DeFi attacks, this attack vector has led to the greatest losses.
Tools Called Oracles Are Very Often Involved in Smart Contract And Flash Loan Attacks
Oracle attacks involve manipulating services that supply external data inputs to DeFi environments. Oracles are legitimate third-party automated services that retrieve information from outside the blockchain to be incorporated as further data inputs for DeFi systems. Providing pricing data for external assets tied to the value of a particular cryptocurrency is one common oracle role among many (10). If oracles are incorporated as centralized, single points of failure, their manipulation may affect other variables inside smart contracts that rely on oracle data fetching, producing a waterfall effect or a positive feedback loop within a transaction.
The Largest Hack to Date Leveraged Smart Contracts
Poly Network was exploited through a coding error in the EthCrossChainManager smart contract. The contract contained a vulnerable function (verifyHeaderAndExecuteTx) that could be executed by a non-privileged user. Within the protocol, the function call executeCrossChainTx calls the target contract EthCrossChainManager, which in turn calls the EthCrossChainData contract. EthCrossChainData only used the first four hash bytes in a passed call to identify the calling contract, and it accepted user input for the ‘ID data’ section. A threat actor reverse engineered the embedded vulnerable function in EthCrossChainData and exploited the related contracts to exfiltrate a large volume of assets to an attacker-controlled wallet. The hacker, claiming to be an individual, returned up to $600 million worth of crypto assets after a negotiation initiated by the threat actor (12).
Simple Numerical Errors Present in Code Allow Threat Actors to Exploit Math-Based Vulnerabilities
Uranium Finance was exploited through smart contract code that reused source code (known as a fork) from another DeFi project. Forked code is a copy of an existing open-source code base that has been modified into a new project. In this case, the reused or shared code was not properly tested and checked. The fork, based on Uniswap v2 code, introduced a loophole that went unnoticed for 10 days. The bug allowed threat actors to exploit a computational error caused by changing two numerical values inside a smart contract. This allowed them to swap one input token for 98% of the total balance of the output token within the smart contract and cash out, performing fraud against the token value (13).
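The kind of numerical mismatch described above can be caught by a property test on the pair's invariant check. The following is an added example, not Uranium's or Uniswap's code: it re-implements the Uniswap v2 constant-product check in Python and tests that a negligible input can only buy a negligible output. The report does not name the two changed values; the pairing assumed here (fee scale 1000 in the adjusted balances versus 1000**2 in the K comparison, with the fork raising the first to 10000 and a 16-unit fee but not the second) is taken from Uniswap v2's published swap() check and public post-mortems, not from this page.

```python
# Added example: property test for a Uniswap v2-style constant-product check.
# Assumption: Uniswap v2 scales post-swap balances by 1000, subtracts a 3/1000
# fee, and compares against K scaled by 1000**2. Any fork that changes one
# scale factor without the other weakens the check by the ratio of the two.

UNISWAP_V2 = dict(fee_scale=1000, fee_num=3, k_scale=1000)
# Assumed (not stated on the page): fork raised the fee scale to 10000 with a
# 16/10000 fee but left the K comparison at 1000**2.
MISMATCHED_FORK = dict(fee_scale=10000, fee_num=16, k_scale=1000)


def k_check(reserve0, reserve1, amount0_in, amount1_in, amount0_out, amount1_out,
            fee_scale=1000, fee_num=3, k_scale=1000):
    """Return True if the swap passes the constant-product invariant.

    reserve0/reserve1: pair reserves before the swap (integers, smallest unit).
    amount*_in / amount*_out: tokens sent to / taken from the pair.
    fee_scale: multiplier applied to post-swap balances before the fee is deducted.
    k_scale: multiplier applied to the pre-swap product; must equal fee_scale.
    """
    balance0 = reserve0 + amount0_in - amount0_out
    balance1 = reserve1 + amount1_in - amount1_out
    if balance0 < 0 or balance1 < 0:
        return False
    adjusted0 = balance0 * fee_scale - amount0_in * fee_num
    adjusted1 = balance1 * fee_scale - amount1_in * fee_num
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * k_scale ** 2


def max_output_fraction(reserve0, reserve1, amount0_in, **params):
    """Largest fraction of reserve1 that a single swap paying amount0_in of
    token0 can withdraw while k_check still passes. Binary search over the
    integer output; a sound check returns ~0 for a negligible input."""
    lo, hi = 0, reserve1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if k_check(reserve0, reserve1, amount0_in, 0, 0, mid, **params):
            lo = mid
        else:
            hi = mid - 1
    return lo / reserve1


def scales_consistent(fee_scale, k_scale, **_ignored):
    """Static audit check: the two scale factors must be identical."""
    return fee_scale == k_scale


if __name__ == "__main__":
    reserves = 10**24  # constructed: 1,000,000 tokens with 18 decimals on each side
    for name, params in (("uniswap_v2", UNISWAP_V2), ("mismatched_fork", MISMATCHED_FORK)):
        frac = max_output_fraction(reserves, reserves, 1, **params)
        print(f"{name}: scales consistent={scales_consistent(**params)}, "
              f"1 wei in buys {frac:.2%} of the output reserve")
```

With matched scales a one-unit input buys nothing; with the mismatched scales the same input passes the check while taking about 99% of the output reserve, which is the property an audit test for a fork should assert on.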
FLASH LOAN EXPLOITS
Flash loan exploits involve misconfigurations in banking features of DeFi platforms. A flash loan is a transaction where a loan and repayment occur instantaneously. Flash loans are another integral feature of DeFi platforms. They allow users to operate without collateral, enabling further decentralization and flexibility for transactions. Flash loan exploitation can involve complex nested transfers between multiple different cryptocurrency coins. Flash loan exploits have been leveraged in conjunction with all other TTPs listed here.
Mathematical and Logical Programmatic Weaknesses in Core Components of DeFi Systems Enable Attacks on Many DEXs
Threat actors exploited Cream Finance using flash loans and the yUSDVault token. The price of yUSDVault tokens was manipulated using flash loans between two wallets. A vulnerability in Cream’s internal PriceOracleProxy for yUSDVault tokens created a self-referencing, positive feedback loop, which the attacker exploited using flash loans between their wallets. The vulnerability allowed threat actors to accumulate overvalued collateral, which was finally leveraged against Cream lending vaults to drain as many assets as possible. This was the third attack Cream Finance had suffered in a year; the root causes of the other two attacks were smart contract related (14, 15). The developers behind the Cream Finance DEX platform, Yearn Finance, have developed many other DEXs (16), at least nine of which have been attacked. Eight of these attacks netted between $2 million and $20 million each, and one attack (targeting Alpha Finance) netted $37.5 million.
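The self-referencing oracle described here, and the single-point-of-failure oracle risk described under the oracle heading above, reduce to one pattern: the price of a vault share is read straight from the vault's own balance, which anyone holding flash-loaned funds can inflate. The following Python model is an added example, not Cream's or Yearn's contract code; the vault, oracle and lending-market classes, the deviation guard, and all figures are constructed assumptions used to show the feedback loop and one mitigation.

```python
# Added example (constructed model, not Cream Finance code): a share-token vault
# priced by its own accounting, a lending market that trusts that price, and a
# guarded oracle that refuses a single-update price jump.
from fractions import Fraction


class OracleDeviation(Exception):
    """Raised when a price update moves more than the allowed step at once."""


class Vault:
    """yUSDVault-like share token: one share is worth assets / shares."""

    def __init__(self, assets, shares):
        self.assets = Fraction(assets)
        self.shares = Fraction(shares)

    def price_per_share(self):
        return self.assets / self.shares

    def donate(self, amount):
        # Anyone can transfer underlying into the vault without minting shares,
        # so price_per_share is controlled by whoever holds the most capital.
        self.assets += Fraction(amount)


class SpotOracle:
    """PriceOracleProxy-style oracle: prices the share token from the vault's
    own balance, so the price refers back to a manipulable quantity."""

    def __init__(self, vault, underlying_price):
        self.vault = vault
        self.underlying_price = Fraction(underlying_price)

    def price(self):
        return self.vault.price_per_share() * self.underlying_price


class GuardedOracle(SpotOracle):
    """Same source, but rejects any update that moves the price by more than
    max_step relative to the last accepted value. A production deployment would
    pair this with a time-weighted average or an independent reference feed."""

    def __init__(self, vault, underlying_price, max_step=Fraction(5, 100)):
        super().__init__(vault, underlying_price)
        self.max_step = max_step
        self.last = super().price()

    def price(self):
        spot = super().price()
        if abs(spot - self.last) > self.last * self.max_step:
            raise OracleDeviation(f"share price moved from {self.last} to {spot}")
        self.last = spot
        return spot


class LendingMarket:
    """Values posted share-token collateral with the oracle and lends against it."""

    def __init__(self, oracle, collateral_factor=Fraction(9, 10)):
        self.oracle = oracle
        self.collateral_factor = collateral_factor

    def borrow_limit(self, collateral_shares):
        return Fraction(collateral_shares) * self.oracle.price() * self.collateral_factor


def run_scenario(oracle_cls):
    """Post collateral, inflate the vault with a flash-loaned donation, re-read
    the borrow limit. Returns (limit_before, limit_after); limit_after is None
    when the oracle refused the manipulated price."""
    vault = Vault(assets=1_000_000, shares=1_000_000)   # constructed: 1 share = 1 unit
    market = LendingMarket(oracle_cls(vault, underlying_price=1))
    collateral_shares = 100_000                          # attacker's posted shares
    before = market.borrow_limit(collateral_shares)
    vault.donate(1_000_000)   # flash-loaned underlying pushed in: share price doubles
    try:
        after = market.borrow_limit(collateral_shares)
    except OracleDeviation:
        after = None
    return before, after


if __name__ == "__main__":
    print("spot oracle   :", run_scenario(SpotOracle))     # borrow limit doubles
    print("guarded oracle:", run_scenario(GuardedOracle))  # update rejected
```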
Inherent Features of DeFi Are Exploited to Produce Banking Errors
PancakeBunny was exploited using a complex system of flash loans. A bug in the protocol component that uses the “PancakeSwap” function to retrieve the prices of PancakeSwap liquidity providers was leveraged using eight flash loans, executed in a specific order, to manipulate the price on various PancakeSwap asset pools and create a skewed calculation of BUNNY tokens from the VaultFliptoFlip vault using two external cryptocurrency coins. This enabled the threat actor to mint 697,000 BUNNY tokens, which were then sold at an inflated value, causing the price of BUNNY tokens to drop from $146 to $6 per token (17).
CRITICAL SYSTEM COMPROMISE
Critical system compromise involves illegitimate access to a specialized system or software within cryptocurrency networks. A successful critical system compromise produces elevated permissions and/or access to special functions. Attacks of this category most often result in exposure of private keys to wallets and API keys used to control cryptocurrency transactions. Keys may be exposed inadvertently in public files, by a web application, or via malware.
Mismanagement Across Third-Party Systems Enhances Risk of High Losses
Ronin Bridge is a DEX and bridge focused on the Ronin token, NFTs, and a cryptocurrency-based play-to-pay game. A fundamental design choice of the Ronin chain is the use of central validator nodes for consensus approval of transactions: of nine validator nodes, five must sign to approve a given transaction on the Ronin blockchain (18, 19). Sometime prior to March 23, threat actors gained access to part of the Ronin administration system through unidentified means. Using that initial access, they compromised the keys of four Ronin validator nodes without raising any alarms. The fifth key came from a further third-party attack on the Axie DAO, which managed a node that had been approved as Ronin’s ninth validator on November 21, 2021 to meet increased transaction demand; that node was compromised through a misconfigured RPC (remote procedure call) node in the Axie network. The November-to-March timeline suggests the threat actor may have dwelled within the Ronin network for several months in order to quietly compromise the four Ronin approval nodes. Holding a majority of approval keys, the threat actor executed fraudulent approvals for two transactions totaling $540 million on March 23 (20). Ronin developers did not become aware of the attack until March 29, when another user reported issues with a transaction (21).
Kucoin Represents the Largest Attack on DeFi Systems Linked to an APT Group
The U.N. Security Council accuses the DPRK of using assets stolen from cryptocurrency cyberattacks to support its nuclear and ballistic missile programs and to circumvent sanctions (22). The attack against the Kucoin exchange involved exploiting 185 different tokens and coins across the DEX (23). The initial vector for the attack was multiple private keys leaked through an unknown channel, providing unauthorized access to cryptocurrency wallets (20). The CEO stated that the APT group had access to the internal network for “a long time”. Kucoin was able to freeze some of the stolen assets, but the APT group successfully exfiltrated at least $13 million (24, 25).
One notable feature of this attack was the exfiltration method. After consolidating five different tokens, the APT used at least four different DEXs to exchange and obfuscate the funds so they could be withdrawn more anonymously. The amount originally stolen in the attack was reported to be as high as $281 million, but Kucoin was able to recover up to 80% of the stolen funds by issuing a special update that invalidated the part of the blockchain pertaining to the stolen assets. The update allowed Kucoin’s pricing to recover and effectively blacklisted the stolen cryptocurrency from interacting with the legitimate DeFi environment. North Korea is accused of stealing at least $110 million in additional crypto assets via other attacks (26).
Access to Privileged Systems Amplifies DEX Cyberattack Impact
One of the earliest large-scale attacks on DeFi exchanges occurred on 19 June 2011, which was a year after the first cryptocurrency retail transaction (27). The MT Gox bitcoin exchange was hacked using a compromised machine owned by a recent auditor of MT Gox. It is not known how the threat actor obtained the auditor’s access. The auditor’s system had privileged access to the MT Gox DEX, which enabled the threat actor to steal private keys to a hot wallet and transfer Bitcoin to their wallet at a special nominal value. MT Gox remains one of the largest hacks of a DeFi exchange to date, resulting in approximately $470 million stolen (28).
Mismanagement of Automated Services Paired with Third-Party Systems Creates Single Points of Compromise
Vulcan Forged is a DeFi platform composed of a diverse portfolio of blockchain-based services operating under one organizational umbrella. To manage all the offerings, the platform relied on different automated and third-party services to help users manage their cryptocurrency accounts. Vulcan Forged set up automated accounts for users and relied on custodial wallets hosted on the platform’s infrastructure to facilitate transactions. A threat actor was able to exploit and compromise a publicly exposed server and obtain credentials to a third-party service provider, “Venely”, that managed credentials for custodial wallets. The attacker pivoted to further weaknesses in Vulcan’s “MyForge” GUI module, used to display wallet holdings, and stole a large number of private keys. The attackers targeted 96 high-value “whale” accounts with an average holding of $1.46 million (29). Stolen funds were consolidated into a single wallet and then exfiltrated through another DEX before much of the damage could be mitigated (30).
Attacks Are Enabled Through Private Key Compromise of Publicly Exposed Hot Wallets
A security breach at the BitMart exchange was caused by compromised private keys to at least one ETH hot wallet and one BSC hot wallet. BitMart did not disclose how the private keys were obtained (31). EclecticIQ analysts strongly posit that the private key exposure was the result of poorly configured wallets that were exposed to the internet, based on assessments of similar attacks and the specific wallets targeted. Attack patterns analyzed in similar large cryptocurrency heists indicate the most likely exposure vectors include private keys that were not stored in accordance with information security best practices. A mix of more than 20 tokens was stolen. Key exposure remains the most popular attack vector for stealing funds.
CRITICAL SYSTEM COMPROMISE MOST OFTEN RESULTS IN EXPOSURE OF PRIVATE KEYS
EasyFi is a multichain DEX operating on three blockchain networks. Threat actors initiated the attack by discovering and exploiting a machine used by a founder of EasyFi (32). The compromised machine contained an EasyFi module used exclusively for official transfers across the exchange. The threat actor went further and discovered an EASY token smart contract vulnerability affecting two other related smart contracts. The vulnerability and access allowed the threat actor to use these two further smart contracts to direct assets into a dark pool, from where they were later exfiltrated over a separate, obfuscated C2 connection. A dark pool is a separate order book on a particular DEX that is not visible to the rest of the market.
Ascendex was hacked by exploiting a primary hot wallet that was part of the exchange’s main infrastructure and not accessible to regular users. The hot wallet was configured contrary to many best practices. A threat actor was able to gain access to the hot wallet via undisclosed means, steal the private key, and exfiltrate funds in a very short time (33).
Access Control Configuration in Decentralized Networks is Crucial to Prevent Compromise
Compound is a DEX that also promotes its own token. An access control error was present in a special function of a vault that was poorly configured and open to any user to call if discovered. The function controlled a central vault used by the exchange to hold its own tokens and was not monitored. Cryptocurrency vaults are a form of cryptocurrency storage solution that applies a transaction approval process and does not allow funds to be withdrawn immediately, similar to escrow. Vaults are supposed to provide increased security compared to crypto wallets held by end users. EclecticIQ analysts evaluate it most likely that either multiple users were able to discover the open vault and leverage the weak function to steal tokens, or an insider threat actor leveraged the weakness to steal tokens. Funds were drained from the vault in at least two separate attacks, resulting in approximately $80 million and $60 million in assets stolen over several days before a full remediation was completed (34).
Threat Actors Monitor Public Code to Reverse Engineer DeFi Systems for Compromise
Wormhole Bridge is a specialized fintech company that provides a service for facilitating transactions across blockchains. On January 13, 2021, the company posted a software update to their GitHub repository. Within hours of the upload a threat actor reverse engineered part of the update, allowing them to craft a valid approval signature to exploit transactions across the bridge (35). The attack resulted in a loss of approximately $325 million in two forms of ETH cryptocurrency. EclecticIQ analysts evaluate it as likely that the threat actor was actively monitoring the Wormhole GitHub page, flagged the update, and quickly reverse engineered part of it to discover the vulnerability before systems in the network applied the update.
Absence of Standard IT Security Best Practices Enables Complex DeFi Cyberattacks
The BadgerDAO attack began with an unsecured Cloudflare API that had been configured without documentation. The attacker then obtained an API key, which allowed them to create new accounts with access to cloud management services. The attackers maintained persistent access between November and December 2, 2021, increasing permissions to slowly lay the groundwork for their attack, and eventually allowing them to upload their own malicious smart contracts. The threat actor specifically targeted wallets on certain DEXs whose contents exceeded an unspecified amount. They rotated unique malicious scripts during each attack under short attack windows, producing unique hash signatures each time and making the attack much harder to detect and trace. With the new accounts, the threat actors exploited a security hole in approvals tied to smart contracts that allowed them to use their malicious smart contracts to redirect assets to threat actor-controlled accounts (36, 37). In the final phase of the attack, at least 200 accounts were targeted over a ten-hour window until the organization stopped the attack by suspending the DEX (38). EclecticIQ analysts propose with high confidence, based on the TTPs used throughout the kill chain, that this attack was performed by another APT group.
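The approval abuse described above leaves a distinctive trace on-chain: many distinct wallets granting an allowance to the same spender contract that is not part of the protocol's deployment, inside a short block window. The following detection logic is an added example and not BadgerDAO's tooling; it runs over constructed, already-decoded ERC-20 Approval events (one JSON object per line), and the allowlist and all addresses are placeholder values, not real contract addresses.

```python
# Added example: flag ERC-20 approvals to unknown spenders and detect the
# mass-approval pattern (many owners -> one unknown spender in a short window).
import json
from collections import defaultdict

UNLIMITED = 2**256 - 1  # uint256 max, the "infinite allowance" value

# Constructed placeholder addresses standing in for the protocol's verified
# spender contracts; a real monitor would load these from the deployment list.
KNOWN_SPENDERS = {
    "0x" + "aa" * 20: "protocol-vault",
    "0x" + "bb" * 20: "protocol-router",
}
ATTACKER = "0x" + "cc" * 20  # constructed: a spender absent from the allowlist


def _ev(block, owner_byte, spender, value):
    """Build one constructed decoded Approval(owner, spender, value) event."""
    return json.dumps({"block": block, "owner": "0x" + owner_byte * 20,
                       "spender": spender, "value": str(value)})


# Constructed sample log: two benign approvals, then six approvals from six
# different owners to the same unknown spender; the last one is far outside
# the correlation window and should not count towards the burst.
SAMPLE_LOGS = "\n".join([
    _ev(13700000, "01", "0x" + "aa" * 20, 500 * 10**18),
    _ev(13700010, "02", "0x" + "bb" * 20, UNLIMITED),   # unlimited, but to a known router
    _ev(13700020, "03", ATTACKER, UNLIMITED),
    _ev(13700035, "04", ATTACKER, UNLIMITED),
    _ev(13700050, "05", ATTACKER, UNLIMITED),
    _ev(13700060, "06", ATTACKER, UNLIMITED),
    _ev(13700075, "07", ATTACKER, 10**21),
    _ev(13705000, "08", ATTACKER, UNLIMITED),           # outside the window
])


def parse_approvals(text):
    """Parse JSON-lines of decoded Approval events into normalised dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["owner"] = ev["owner"].lower()
        ev["spender"] = ev["spender"].lower()
        ev["value"] = int(ev["value"])   # indexers emit uint256 as decimal strings
        events.append(ev)
    return events


def classify(ev):
    """Per-event findings. Unlimited allowances to known protocol contracts are
    routine and not flagged; the same allowance to an unknown spender is."""
    findings = []
    if ev["spender"] not in KNOWN_SPENDERS:
        findings.append("unknown_spender")
        if ev["value"] == UNLIMITED:
            findings.append("unlimited_to_unknown")
    return findings


def detect(events, window_blocks=300, min_owners=4):
    """Per-event alerts plus one mass_approval alert per unknown spender that
    collects approvals from >= min_owners distinct owners within window_blocks."""
    alerts, by_spender = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["block"]):
        for kind in classify(ev):
            alerts.append({"type": kind, "block": ev["block"],
                           "owner": ev["owner"], "spender": ev["spender"]})
        if ev["spender"] not in KNOWN_SPENDERS:
            by_spender[ev["spender"]].append(ev)
    for spender, evs in by_spender.items():
        start = 0
        for end in range(len(evs)):            # sliding window over block numbers
            while evs[end]["block"] - evs[start]["block"] > window_blocks:
                start += 1
            owners = {e["owner"] for e in evs[start:end + 1]}
            if len(owners) >= min_owners:
                alerts.append({"type": "mass_approval", "spender": spender,
                               "first_block": evs[start]["block"],
                               "last_block": evs[end]["block"], "owners": len(owners)})
                break                          # one burst alert per spender
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_approvals(SAMPLE_LOGS)):
        print(alert)
```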
Common Traditional Attack Vectors Afflict DeFi Environments
DEX bZx was hacked in late 2021 when threat actors sent a simple but successful phishing email to one of the developers of bZx. The malicious email introduced a payload that enabled the compromise of a developer private key inside an Externally Owned Account (EOA) wallet. The private key in the EOA gave attackers access to two different chains, from which they drained millions of dollars. This was the fourth time bZx had been attacked in over two years (39, 40).
FRAUD ATTACK VECTORS
Fraud attack vectors remain the most popular attack type by volume of all DeFi attacks (2). Though fraud-based attacks do not fit with the other attack patterns discussed here, which leverage technical TTPs unique to DeFi, fraud continues to pervade the DeFi space, primarily impacting end users in two forms: individual threat actors performing fraud against individual victims, and rug pull scams initiated by individuals or very small groups that impact many victims at once. Fraud against fiat currency remains a much larger issue, primarily due to the predominant use of fiat currency, with a low estimate of approximately $2 trillion in laundered fiat currency globally last year (11).
Fraud Attacks Against Individual Victims Remain a Prominent Attack Vector
Fraud-based cryptocurrency theft targeting individuals was more commonplace prior to 2020, when fewer high-value DeFi systems existed. Since 2020, the emergence of myriad DeFi products has drawn threat actor attention away from individual fraud. Major cyberattacks against DeFi organizations increased more than 200% in the past year, and the appeal of big attacks contributed to lower rates of less lucrative fraud against individuals (41, 42, 47). EclecticIQ analysts expect fraud aimed at individuals to retain the highest number of attacks relative to all other attack types because of the lower barrier to entry for this type of attack. The rise of malware-as-a-service adapted to cryptocurrency targets, coupled with the near absence of law enforcement operations addressing attacks on individual victims, will create a double incentive, allowing attacks in this category to grow at the greatest rate relative to all others.
Rug Pull Attacks Represented About a Third of Malicious Activity Against Cryptocurrency and DeFi Platforms in 2021
Rug pull scams are attacks triggered when a key cryptocurrency organization figure, usually a founder or developer, convinces users to engage with a new DeFi platform and then abruptly disappears with part or all of the deposited value. This fraud attack vector is highly impactful, affecting many victims at once. Some estimates peg the total netted from rug pull scams at $7.7 billion through 2021 (43). Rug pull scams are most often abetted by smart contracts designed with intentional weaknesses, most often in transfer functions and in the absence of timelocks (also called liquidity locks). Timelocks limit the spending of part of a crypto asset until a future block has been added to the blockchain or until a future time (44).
Reputable reporting states rug pull scams represent the fastest-growing attack category, as measured by total stolen asset value in 2021 (45). It is very likely that rug pull scam frequency is related to and influenced by cycles of increased cryptocurrency adoption. Increased cryptocurrency adoption means these types of scams net more money. This type of attack preys on new users, who may transition to cryptocurrency increasingly during times of higher valuation or crisis.
CONCLUSION
EclecticIQ Analysts Assess With High Confidence That The Number of Threat Actors Flocking to DeFi Will Grow And Increase Risk From Cyberattacks
Illicit cryptocurrency transaction volume in 2021 reportedly represented only 0.15% of all cryptocurrency transactions (2). Security frameworks and common effective information security practices are lacking in DeFi systems, as is enforcement of standards to minimize risk. This produces large security gaps that allow threat actors to flourish. A large degree of the damage and risk from cyberattacks thus far has been offset by DeFi organizations’ ability to claw back assets and reimburse users. This is not a financially sustainable approach and will not last.
Effective Mitigation of TTPs Described Here Will Illuminate Details of Further Vulnerabilities And Weaknesses And Provide a Future Strategic Roadmap to Best Practices for DeFi
A review of recent cyberattacks netting the highest returns shows patterns in how threat actors are exploiting the decentralized finance industry. Many attacks described here take advantage of mutual and interdependent vulnerabilities and weaknesses that form attack patterns. Features inherent and built in to DeFi systems often play into these attack patterns. More traditional information security weaknesses integral to other technologies also play a large role in DeFi cyberattacks. The attack patterns identified above are ultimately the result of immature information security practices within an industry that is still taking shape. Targeting these attack patterns with further security resources developed from threat intelligence is key to closing the primary gaps discussed here.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
References
- coin360.com/charts
- blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/
- go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
- comparitech.com/crypto/biggest-cryptocurrency-heists/
- reuters.com/markets/us/cryptocurrency-crime-2021-hits-all-time-high-value-chainalysis-2022-01-06/
- rekt.news/leaderboard/
- comparitech.com/crypto/biggest-cryptocurrency-heists/
- ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021
- htxt.co.za/2021/08/poly-network-invites-hacker-to-be-its-chief-security-officer/
- slowmist.medium.com/slowmist-tracking-possible-identification-clues-related-to-poly-network-attackers-b330d4d710f
- insights.glassnode.com/defi-attacks-flash-loans-centralized-price-oracles/
- unodc.org/unodc/en/money-laundering/overview.html
- coinmarketcap.com/alexandria/article/coincheck-hack-one-of-the-biggest-crypto-hacks-in-history
- slowmist.medium.com/slowmist-analysis-of-uranium-finances-hacked-event-9c9d11af7b2b
- alfacash.medium.com/new-defi-hack-alpha-and-cream-finance-got-robbed-by-over-37m-b96fbbd54751
- coindesk.com/business/2021/08/30/defi-protocol-cream-finance-hacked/
- https://cointelegraph.com/news/pancakebunny-tanks-96-following-200m-flash-loan-exploit
- https://cointelegraph.com/news/axie-infinity-s-ronin-bridge-hacked-for-over-600m
- https://blockworks.co/sky-mavis-ronin-network-bridge-exploited-for-over-600m/
- https://www.elliptic.co/blog/540-million-stolen-from-the-ronin-defi-bridge
- https://blockworks.co/sky-mavis-ronin-network-bridge-exploited-for-over-600m/
- rekt.news/cream-rekt-2/
- reuters.com/article/us-northkorea-sanctions-cyber-idUSKBN2AA00Q
- decrypt.co/56425/the-kucoin-hackers-successfully-took-45-million-in-crypto-says-ceo
- blog.chainalysis.com/reports/kucoin-hack-2020-defi-uniswap/
- decrypt.co/43806/kucoin-has-found-the-hackers-who-stole-281-million
- decrypt.co/56425/the-kucoin-hackers-successfully-took-45-million-in-crypto-says-ceo
- justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and/
- news.bitcoin.com/eight-historic-bitcoin-transactions
- comparitech.com/crypto/biggest-cryptocurrency-heists/
- forkast.news/headlines/vulcan-forged-replaces-token-stolen-hack/
- coinlive.me/by-revealing-the-users-private-key-the-vulcan-forged-platform-was-hacked-for-over-145-million-11139.html
- https://cointelegraph.com/news/ascendex-loses-80m-following-erc-20-bsc-polygon-hot-wallet-compromise
- support.bmx.fund/hc/en-us/articles/4411998987419
- medium.com/easify-network/easyfi-security-incident-66c02a277a91
- rekt.news/compound-rekt/
- theverge.com/2022/2/3/22916111/wormhole-hack-github-error-325-million-theft-ethereum-solana
- badger.com/technical-post-mortem
- techtarget.com/searchsecurity/news/252510627/BadgerDAO-users-cryptocurrency-stolen-in-cyber-attack
- microsoft.com/security/blog/2022/02/16/ice-phishing-on-the-blockchain/
- decrypt.co/85360/ethereum-defi-project-bzx-hacked-again-reported-55-million
- quantstamp.com/blog/10-quick-and-dirty-facts-about-the-bzx-hacks
- ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021/
- ciphertrace.com/cryptocurrency-crime-and-anti-money-laundering-report-august-2021/
- cointelegraph.com/explained/crypto-rug-pulls-what-is-a-rug-pull-in-crypto-and-6-ways-to-spot-it
- en.bitcoin.it/wiki
- blog.chainalysis.com/reports/2021-crypto-scam-revenues/