One of the biggest bridge hacks in 2022 manifested after a project published a code update that exposed a critical vulnerability that had not yet been remediated. The vulnerability allowed a hacker to mint approximately $325 million worth of derivative cryptoassets on a particular blockchain without depositing the requisite collateral. Such exploits, which can quickly deplete large amounts of liquidity from a given bridge, may leave founders and project backers scrambling to replenish stolen assets to prevent potential cascading effects, such as severe downward market volatility, eradication of traders’ positions, and other contagion-like effects.
Another major bridge hack in 2022 resulted in the theft of approximately $625 million worth of cryptoassets from an Ethereum sidechain bridge. Details of the event unfolded over the course of a year, exposing a complex criminal scheme the U.S. government eventually tied to a North Korean-sponsored threat group. The hack, a result of a sophisticated “spear-phishing” scheme that targeted developers with access to core infrastructure associated with the DeFi bridge, is demonstrative of several serious risks DeFi platforms pose to both consumers and national security.
The scheme involved the hackers presenting a seemingly legitimate and lucrative employment offer to the developer, who downloaded materials about the “offer.” The content contained a trojan horse that granted the hackers access to the developer’s device, which held credentials the hackers stole and used to gain unauthorized access to a crypto wallet holding significant value.
Hacks have exposed various flaws in the DeFi ecosystem. One key vulnerability appears to be when purportedly “decentralized” projects use substandard protocols that result in a centralized attack vector. As demonstrated above, this can expose DeFi projects to the same types of risks faced by centralized entities.
DeFi “Flash Loan” Hacks
DeFi “flash loans” are uncollateralized digital asset lending programs deployed on a blockchain. They provide instant liquidity to borrowers and execute instant trades on their behalf. If the borrowed digital assets are not repaid, or if the executed trade is unprofitable, the underlying code of the flash loan considers the terms of the loan unsatisfied, reverses the transaction and returns the borrowed digital assets to the lender. While DeFi flash loans present a theoretically low risk of financial loss to lenders and borrowers who use them as intended, their reliance on code and underlying network governance mechanisms may present significant hacking risks.
One such risk relates to coding or design flaws in the voting mechanisms used by DeFi network participants to make collective decisions concerning network upgrades or treasury allocations. In one example, the exploitation of a majority governance system implemented by one DeFi protocol led to the loss of $182 million of the protocol’s native governance token and left the rightful owners of those tokens holding the bag. The vulnerability was exploited through use of a flash loan, which allowed the hacker to borrow nearly $1 billion in digital assets and exchange them for 67% of the DeFi protocol’s voting stake in the project. Having acquired more than the two-thirds control required to unilaterally approve code executions, the hacker was able to access the project’s wallet and steal the funds. The theft left the project devastated for several months.
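The design flaw described above is that voting weight is read from whatever balance a voter holds at the moment of the vote, so tokens borrowed and repaid within one transaction count in full. The following is a constructed Python model added here (not the protocol’s code; the account names, token figures and the single-block flash loan are assumptions) that goes slightly beyond the one case on the page: it runs the same borrow-vote-execute transaction against a live-balance tally and against the two standard mitigations, checkpointed voting weight and a timelock on execution.

```python
from dataclasses import dataclass, field

@dataclass
class Chain:  # constructed toy ledger: balances plus a checkpoint of them at each finalized block
    balances: dict
    block: int = 1
    checkpoints: dict = field(default_factory=dict)
    def end_block(self):
        self.checkpoints[self.block] = dict(self.balances)
        self.block += 1

@dataclass
class Governance:
    chain: Chain
    snapshot_votes: bool  # mitigation 1: weigh votes by a finalized checkpoint, not live balance
    timelock: bool        # mitigation 2: never execute in the block that created the proposal
    proposal: dict = field(default_factory=dict)
    def propose(self):
        self.proposal = {"block": self.chain.block, "votes": 0}
    def vote(self, voter):
        if self.snapshot_votes:  # tokens borrowed and repaid in one tx never reach a checkpoint
            weight = self.chain.checkpoints[self.proposal["block"] - 1].get(voter, 0)
        else:                    # live balance: whatever the voter holds right now counts
            weight = self.chain.balances.get(voter, 0)
        self.proposal["votes"] += weight
    def execute(self):
        supply = sum(self.chain.balances.values())
        if 3 * self.proposal["votes"] <= 2 * supply:  # two-thirds supermajority, as on the page
            return False
        return not (self.timelock and self.chain.block == self.proposal["block"])

def flash_loan_vote(gov, attacker, pool, amount):
    """One atomic transaction: borrow from `pool`, propose, vote, try to execute, repay.
    The swap of borrowed assets into governance tokens is collapsed into a direct borrow."""
    bal = gov.chain.balances
    bal[pool] -= amount
    bal[attacker] = bal.get(attacker, 0) + amount
    gov.propose()
    gov.vote(attacker)
    executed = gov.execute()
    bal[attacker] -= amount
    bal[pool] += amount  # repaid within the transaction, so the loan does not revert
    return executed

def run(snapshot_votes, timelock):
    """Returns True if a flash-loan-backed proposal executes inside its own transaction."""
    chain = Chain({"pool": 700_000, "holders": 300_000})  # constructed figures, not the real ones
    chain.end_block()  # the honest distribution is finalized before the attack transaction
    return flash_loan_vote(Governance(chain, snapshot_votes, timelock), "attacker", "pool", 700_000)
```

Only the live-balance, no-timelock configuration lets the borrowed stake both pass and execute the proposal; a checkpoint taken before the proposal gives the borrowed tokens zero weight, and a timelock alone still blocks in-transaction execution, leaving time for holders to respond.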
Phishing and Romance Scams
While reports indicate that crypto scam revenue fell nearly 46% in 2022, phishing scams continued to make headlines. For example, in May 2022, scammers stole approximately $4.3 million of cryptoassets by using social engineering tactics to lure victims to a fraudulent website designed to trick them into granting access to their crypto wallets. Romance scams also continued in 2022. In a crypto “romance scam,” the attacker establishes a close relationship with their victim, sometimes over the course of months. Once the victim’s trust is gained, the attacker manipulates the victim into sending them large sums of cryptoassets.