EclecticIQ Threat Research Team
March 17, 2022

Understanding Features and Vulnerabilities of The Decentralized Finance Attack Surface is Key to Protecting Against Cyber Attacks

Synopsis

The estimated value of greater Decentralized Finance and cryptocurrencies surpassed half a trillion dollars in market capitalization in 2018, and then one trillion for the first time in 2021 (1). Since then, cryptocurrency values reached new records during the pandemic. New systems of finance are consolidating under significant momentum, and threat actors are adapting to this landscape. Decentralized Finance and the information security protocols protecting it remain in their early stages of development, as does the adaptation of new cyberattack techniques. The way these two forces compete with one another is very likely to shape the DeFi landscape in the coming years. An analysis of the key features, systems, and services of Decentralized Finance supports a more complete picture of this unique evolving attack surface and provides orientation for threat intelligence applications.

Cryptocurrencies Are Established Via Blockchain Security.

Just as Euros, Pounds, and Dollars are exchanged via fiat banking systems, cryptocurrencies are exchanged over Decentralized Finance (DeFi) protocols. “DeFi” refers generally to financial products and services built on blockchain-based software technology. A blockchain is a distributed database shared among distributed networked computers. Blockchain-based cryptocurrency is an encrypted list arranged in chronological order providing a record of all addresses that hold assets. Numerous different blockchains exist, but the blockchain technology underpinning them is the same. Blockchains can exist as private or public; public blockchains allow anyone to freely create and attach a new node to the network, while private blockchains require each new node to be approved by the network.

Blockchains Contain Records of All Previous Data.

One of the primary features of blockchains is that they hold sets of structured data in groupings called blocks. Different blockchains have different storage capacity, data fields, and algorithms within their blocks. When a new block is created and filled with data, it is linked to the block that directly preceded it and to other blocks via a proprietary algorithm. New information is added to an existing block in a way that changes the data it contains yet preserves all previous changed data values (2).

Blockchains have many applications outside finance, but cryptocurrency is currently the most common use of blockchain. Transaction data are stored in data fields of other blocks. In the specific case of DeFi, blockchains are used to build special immutable ledgers that cannot be destroyed, which means cryptocurrency movement can be tracked through all transactions across time. Each coin is represented in transaction data within blocks of its respective blockchain. New coins are released into circulation as reward for mining, a process discussed further below.
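
The block linking described above, shown as an added example that is not part of the original article: a minimal hash-linked ledger that detects edits to an old block and replays transactions to track coin movement. SHA-256 over JSON, the field names and the sample addresses are assumptions made for illustration; each real blockchain defines its own block format and hashing.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, transactions):
    """Hash the block contents together with the hash of the preceding block."""
    payload = json.dumps({"index": index, "prev": prev_hash, "txs": transactions},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def append_block(chain, transactions):
    """Link a new block to the block that directly precedes it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    chain.append({"index": index, "prev": prev_hash, "txs": transactions,
                  "hash": block_hash(index, prev_hash, transactions)})

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev_hash:
            return i  # link to the preceding block is broken
        if block_hash(i, block["prev"], block["txs"]) != block["hash"]:
            return i  # contents no longer match the recorded hash
        prev_hash = block["hash"]
    return None

def balances(chain):
    """Replay every transaction in order to derive per-address holdings."""
    totals = {}
    for block in chain:
        for tx in block["txs"]:
            totals[tx["from"]] = totals.get(tx["from"], 0) - tx["amount"]
            totals[tx["to"]] = totals.get(tx["to"], 0) + tx["amount"]
    return totals

def build_sample_chain():
    """Constructed sample data: three blocks with one transaction each."""
    chain = []
    append_block(chain, [{"from": "mint", "to": "alice", "amount": 50}])
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 20}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 5}])
    return chain

if __name__ == "__main__":
    ledger = build_sample_chain()
    print(first_invalid_block(ledger), balances(ledger))
```

Changing a transaction in an old block makes that block fail verification, and recomputing its hash only moves the failure to the next block, so every later block would have to be rewritten as well.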

DeFi Aims to Provide an Alternative to Centralized Fiat Currency Markets Around the Globe.

To be relevant to users, DeFi systems must provide decentralized control and flow of data in a way that yields a level of currency liquidity similar to traditional financial markets. In the DeFi environment, a transaction is first initiated by a system or a user. A transaction is simply a request to exchange cryptocurrency assets in a way that alters at least two variables within the network and blocks. The transaction is sent to the distributed network of peer systems comprising that blockchain. The computers on the blockchain network validate the transaction, and the new information generated by the transaction is clustered into blocks. Within the blockchain, hash tables are used to associate blocks and reference them. When the clustered blocks are further confirmed to have legitimate configurations, they are chained together in the requisite order, known as “mining”, creating a permanent ledger visible to all users on that blockchain. New information is added on top of older information in a way that preserves all past data transparently. Mining is also the process by which new cryptocurrency blocks are released gradually into circulation in accordance with the blockchain’s algorithm, each time an individual user solves a particular algorithm associated with the blockchain (3). A small fee known as ‘gas’ is taken from almost every transaction and is implemented like a tax. Gas provides a reward, in the form of new ‘coins’, to node-owners that participate in validating transactions using their own systems (nodes).

A Growing Number of Different Cryptocurrencies Lend to an Expanding Attack Surface.

Bitcoin was the first cryptocurrency and was released for public use as open-source software in 2009. Users typically transact with cryptocurrencies in the form of tokens and coins, using Decentralized Finance (DeFi) exchanges (DEX) that act as banking software platforms. DEXs enable transactions on specific blockchains. Altcoins generally refer to cryptocurrency other than bitcoin. Coins, a generic term, have no intrinsic value, while Stablecoins peg their value to an external tangible asset, and Tokens can stand for physical assets or deeds. Cryptocurrency is accounted for in wallets. Coins and Altcoins may be hosted on their own proprietary (private) blockchain, or they may be hosted on another (public) blockchain. Find the outline of how DeFi systems compare to traditional finance here.

Software and Code Developed by DeFi Organizations Remain Vulnerable to Attack.

One misconception about cryptocurrency is that threat actors hack cryptocurrencies or blockchains themselves – this is not true. Threat actors attack software and code developed by DeFi organizations to control digital cryptocurrency flows. Fintech organizations as well as individuals who accumulate cryptocurrency assets are victims. Organizations with DeFi systems that achieve higher valuation face greater risk because they are the more attractive targets with the most to lose relative to peers. According to estimates of value transferred/received and individual deposits, the United States currently leads DeFi adoption, closely followed by Vietnam, Thailand, China, and the UK (5). EclecticIQ analysts identified a number of common vulnerabilities and weaknesses that arise out of various features present in the DeFi ecosystem.

Threat Actors Attempt Authentication to Victim Wallets Using Stolen Cryptographic Keys.

One of the concepts central to the security of a cryptocurrency wallet is the ‘private key’. Private keys are integral to cryptocurrency wallets for two main reasons. First, and like passwords, they provide a method of authentication and establish ownership over wallets and assets. Second, the private key allows funds to be withdrawn and the public key allows funds to be deposited.

Private keys can be stored as alphanumeric characters - like passwords - or within hardware wallets, such as USB keys, that store private keys offline (“Cold Wallets”). Private keys can also be stored online in software containers (“Hot Wallets”). Private keys typically carry low risk of attack if security best practices are followed, but their compromise means full access to the contents of the wallet. Wallets may be custodial, residing on a trading platform or DEX, or non-custodial, controlled exclusively by the wallet owner. Hardware wallets are third-party physical devices that store private keys in an air-gapped offline device, such as a USB key (2).

Misconfigured Vaults Carry Elevated Risk of Attack to Wallets.

Cryptocurrency Vaults are a form of cryptocurrency storage solution that applies a transaction approval process and does not allow funds to be withdrawn immediately, similar to escrow (2). Vaults are system controlled and operate under some level of automation, without manual operation. Vaults, in theory, provide a higher level of security than hot or cold wallets, except external hardware wallets held by end users. Vaults are attractive attack targets because they are more likely to have assets passing through them than a user wallet, which may be empty or abandoned. Threat actors gain access to vaults by exploiting misconfigurations in the vault or by stealing private keys.

Ledgers Without Transparency Are Exploited by Threat Actors to Exfiltrate Assets.

A Dark Pool is a separate DeFi order book not visible to the rest of the market that exists on a particular DEX. Dark pools are privately organized exchanges for trading cryptocurrencies. Dark Pools were born from fiat markets to help absorb the impact of large trade volumes. There are 59 US-SEC registered Dark Pools currently active in fiat markets as of 2021 (6). Currently Dark Pools have a minor presence in DeFi, but they are important because the lack of normal transparency opens Dark Pools up to predatory trading that seeks to obtain an unfair pricing advantage, and potential conflicts of interest between owners and investors.

Smart Contracts Carry Vulnerabilities Similar to Programs of Standard Operating Systems.

Smart Contracts are an integral piece of the DeFi environment. Essentially, smart contracts are code, typically written in object-oriented programming languages, that resides at specific addresses on a particular blockchain. They live inside their own wallet addresses. Smart contracts act as agreements that facilitate cryptocurrency transactions on DEXs. They can call further smart contracts to tie together in complex layers and pass variables to one another or trigger when specific conditions are met. Smart contracts often contain unchecked coding errors that can be reverse engineered to discover new vulnerabilities that enable the diversion of assets.

Flexibility Built Into DEXs is Abused to Produce Malicious Outcomes.

Flash loans are another integral component of DeFi systems. Flash loans are used to facilitate transactions by enabling temporary liquidity. Flash loans are prominently featured within Smart Contracts as a way to temporarily allocate assets to provide additional flexibility to transactions over a blockchain. Flash loans are typically exploited to manipulate negative balances, or to create a window, by way of a temporary transfer of assets, through which the threat actor can exploit a further smart contract vulnerability.

Certain Features of Blockchains Help Reduce Risk and Fraud.

Timelocks are smart contract primitives that limit spending part of a crypto-asset until a future block has been added to the blockchain or until a given time in the future (3). Timelocks serve as a type of escrow for transactions. They facilitate trust in assets that are invested under blockchains by guaranteeing funds until a certain time has passed, similar to a trust. An absence of timelocks within certain smart contracts can be an indication of a possible exploitation opportunity or it could signal the potential for coordinated fraud.
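
The delayed-withdrawal behaviour of vaults and the block-height timelock described above, combined in one added example that is not part of the original article and is not any project's own code: a simplified Python model of a vault whose withdrawals only pay out after a configured number of blocks. The class, its method names, the addresses and the block heights are assumptions made for illustration.

```python
class TimelockError(Exception):
    """A withdrawal is not (or is no longer) allowed to execute."""

class TimelockedVault:
    def __init__(self, balance, delay_blocks):
        if delay_blocks < 0:
            raise ValueError("delay_blocks must be >= 0")
        self.balance = balance
        self.delay_blocks = delay_blocks  # 0 = no timelock (the misconfiguration)
        self.pending = {}                 # request id -> queued withdrawal
        self._next_id = 1

    def request(self, to, amount, height):
        """Queue a withdrawal; nothing leaves the vault before release_height."""
        reserved = sum(r["amount"] for r in self.pending.values())
        if amount <= 0 or amount > self.balance - reserved:
            raise TimelockError("amount not available")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = {"to": to, "amount": amount,
                             "release_height": height + self.delay_blocks}
        return rid

    def cancel(self, rid):
        """Owner veto during the delay window."""
        if self.pending.pop(rid, None) is None:
            raise TimelockError("unknown or already settled request")

    def execute(self, rid, height):
        """Pay out only once the chain has reached release_height."""
        req = self.pending.get(rid)
        if req is None:
            raise TimelockError("unknown, cancelled or already executed")
        if height < req["release_height"]:
            raise TimelockError("still locked")
        del self.pending[rid]
        self.balance -= req["amount"]
        return req["amount"]

def funds_lost(delay_blocks, detect_after_blocks, start=1000):
    """Constructed scenario: a request made with a stolen key at block `start`,
    noticed by the owner `detect_after_blocks` later. Returns the amount paid out."""
    vault = TimelockedVault(balance=100, delay_blocks=delay_blocks)
    rid = vault.request("addr-not-owned-by-owner", 100, start)
    release = start + delay_blocks
    if start + detect_after_blocks < release:
        vault.cancel(rid)                 # veto lands inside the window
    try:
        return vault.execute(rid, release)
    except TimelockError:
        return 0
```

With no delay the full balance is paid out before the owner can react; with a delay longer than the detection time the request is cancelled and nothing leaves the vault.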

Bridges Enable Threat Actors to Pivot Across Different Blockchains During Exploitation.

Some third-party services, known as ‘bridges’ in DeFi, facilitate transactions across different blockchains. A blockchain bridge is software that functions as escrow between more than one blockchain. Bridges help users gain flexibility with transactions across DeFi by providing a central point to initiate transactions spanning multiple blockchains. Bridges allow threat actors to pivot between blockchains, either moving funds, or searching for further vulnerabilities that enable lateral movement to further chains. Bridges enact special forms of smart contracts and are subject to similar coding errors that can be exploited by threat actors.

Outlook

New Cryptocurrency Services Will Expand the DeFi Attack Surface in the Short Term.

The features and services described here represent a current snapshot of DeFi systems in the Fintech industry. The momentum recently enjoyed by cryptocurrency will continue to attract not only threat actors but also developers of additional services, for example online payment Software-as-a-Service for cryptocurrencies offered to webstores. New services adopted and adapted into a landscape lacking in information security controls and standardization will almost certainly introduce new and further vulnerabilities to Fintech and cryptocurrency users. DeFi is very likely to remain unstable in the next few years, in terms of risk of cyberattack.

A Study of Emerging Cryptocurrency Threat Intelligence Provides the Building Blocks for Stronger Security.

Decentralized Finance (DeFi) products and services, the platforms that build on and facilitate cryptocurrency usage, have created rising valuation across DeFi exchanges. This new source of financial gain is undoubtedly attracting the attention of many threat actors developing new attacks against this space. Vulnerable and immature cybersecurity practices in cryptocurrency enable many threat actors to rapidly drive increased risk. Understanding and analyzing the central features of the DeFi environment is the best way to apply threat intelligence that can help prepare for attacks against DeFi and reduce risk. EclecticIQ analysts expect DeFi and Fintech to become central topics of threat intelligence over the next two years.

References:

  1. https://www.morningbrew.com/daily/stories/2021/08/09/seven-charts-explain-current-state-crypto
  2. https://www.investopedia.com/terms/
  3. https://en.bitcoin.it/wiki
  4. https://wifpr.wharton.upenn.edu/wp-content/uploads/2021/05/DeFi-Beyond-the-Hype.pdf
  5. https://www.yahoo.com/now/most-active-defi-platforms-2021-130052995.html
     https://blog.chainalysis.com/reports/2021-global-defi-adoption-index
  6. https://www.investopedia.com/articles/markets/050614/introduction-dark-pools.asp
