Why DeFi should expect more hacks this year: Blockchain security execs

Published at: Jan. 9, 2023

Decentralized finance (DeFi) investors should buckle themselves up for another big year of exploits and attacks as new projects enter the market and hackers become more sophisticated.

Executives from blockchain security and auditing firms HashEx, Beosin and Apostro were interviewed for Drofa’s An Overview of DeFi Security In 2022 report shared exclusively with Cointelegraph.

The executives were asked about the reason behind a significant increase in DeFi hacks last year, and were asked whether this will continue through 2023.

Tommy Deng, managing director of blockchain security firm Beosin, said while DeFi protocols will continue to strengthen and improve security, he also admitted that “there is no absolute security,” stating:

“As long as there is interest in the crypto market, the number of hackers will not decrease.”

Deng added that many new DeFi projects “don’t go through complete security testing before going live."

Additionally, a significant amount of projects are now exploring the use of cross-chain bridges, which were a prime target for exploiters last year, leading to $1.4 billion stolen across six exploits in 2022.

The comments mirror those of blockchain security firm CertiK, who told Cointelegraph on Jan. 3 that it doesn’t “anticipate a respite in exploits, flash loans or exit scams” in the coming year.

In particular, CertiK noted the likelihood of “further attempts from hackers targeting bridges in 2023” citing the historically high returns from attacks in 2022.

Crypto auditing firm HashEx founder and CEO, Dmitry Mishunin, said “hackers have gotten smarter, gained more experience, and learned how to look for bugs.”

“The crypto industry is still relatively new, and everyone is growing with each other, so it’s difficult to get too far ahead of bad actors.”

He added the amount of value in some DeFi projects made the industry “very attractive” to malicious actors, and that the number of hacks “is only going to grow going forward.”

Mishuin said these attacks may even spread outside of DeFi, with attackers setting their sights on “crypto exchanges and banks” that enter the market offering “more secure solutions for storing digital assets.”

Related: Crypto’s recovery requires more aggressive solutions to fraud

Smart contract security and auditing firm Apostro co-founder, Tim Ismiliaev gave a more hopeful take, however, as he expects the space to “mature over the next five years, and new best practices for securing decentralized finance protocols will emerge.”

Too long; didn’t read

Interestingly, both Mishunin and Deng noted that many of the post-incident reports provided by blockchain security firms often fail to reach their target audience — blockchain developers.

“The people that read such analyses are average investors that are concerned about their money. Actual blockchain developers are too busy coding; they don’t have time to read stuff like that,” said Mishunin.

Meanwhile, Deng said the reports are usually about “event-based vulnerabilities and related recommendations,” so doesn’t often help other developers as they might still be vulnerable to other exploits.

He admitted, however, that reports on “general vulnerabilities” in DeFi “tend to do a good job of ramping up protection.”

“The reentrancy vulnerabilities are now not as common as they used to be.”
Tags
Related Posts
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021
Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct
In a rare comedic bungle among decentralized finance (DeFi) exploits, an attacker has fumbled their heist at the finish line leaving behind over $1 million in stolen crypto. Just after 8:00 am UTC on Thursday, blockchain security and analytics firm BlockSec shared it had detected an attack on a little-known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem.” The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens, which were then sold, crashing the price to zero, but netting just over $1 million for the exploiter. Blockchain …
Defi / April 22, 2022
Wintermute inside job theory 'not convincing enough' —BlockSec
Blockchain security firm BlockSec has debunked a conspiracy theory alleging the $160 million Wintermute hack was an inside job, noting that the evidence used for allegations is “not convincing enough." Earlier this week cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular. BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author …
Blockchain / Sept. 28, 2022
Projects would rather get hacked than pay bounties, Web3 developer claims
As hacks and exploits continue to go rampant within the crypto industry, the importance of finding vulnerabilities to prevent potential losses becomes of utmost importance. However, a Web3 developer highlighted that it’s not rewarding to do so. In a tweet, a Web3 developer claimed that he found a vulnerability in a Solana smart contract that would have affected several projects and around $30 million in funds. According to the dev, he reported and helped patch the vulnerabilities. However, when it was time to ask for a reward, the projects just started to ignore him. The developer noted that this sends …
Blockchain / Dec. 20, 2022
DeFi to be examined at inaugural CFTC tech advisory meeting: Finance Redefined
Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you significant developments over the last week. DeFi will be in focus during the inaugural Commodity Futures Trading Commission (CFTC) tech advisory meeting, where a panel will “explore issues in decentralized finance.” Polygon, a layer-2 scaling protocol for Ethereum, has launched a zero-knowledge decentralized identity solution to the public nearly a year after announcing its development. The cryptocurrency phishing scammer behind some of the most high-profile and high-value Web3 thefts claims to have packed up shop, saying it was “time to …
Adoption / March 3, 2023