Image: Getty Images/Oscar Wong

After a run of thefts from Decentralized Finance (DeFI) platforms, the Federal Bureau of Investigations (FBI) has warned that criminals are increasingly exploiting bugs in these platforms to steal investors' cryptocurrency. 

The FBI has issued a warning to investors who pour money into DeFI platforms that they could be exposing themselves to financial losses due to vulnerabilities in the smart contracts governing the platforms. 

DeFi is an emerging digital financial infrastructure that theoretically eliminates the need for a central bank or government agency to approve financial transactions, and is deeply connected with the evolution of blockchain technologies.

But now the FBI warns that investors are getting burned by attackers exploiting vulnerabilities in smart contracts. 

Special Report

The Future of Money

From blockchain and bitcoin to NFTs and the metaverse, how fintech innovation is changing the future of money.

Read now

"A smart contract is a self-executing contract with the terms of the agreement between the buyer and seller written directly into lines of code that exist across a distributed, decentralized blockchain network. Cyber criminals seek to take advantage of investors' increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms," the FBI states.  

SEE: DeFi: Injective Protocol's 'CosmWasm' upgrade adds more functionality for developers and users

Researchers from US penetration testing firm Bishop Fox found that 51% of attacks on DeFI projects in 2021 exploited vulnerabilities in smart contracts, followed by platform protocol and design flaws at 18%. Most of the attacks were deemed unsophisticated. 

Hackers stole$80 million from DeFI project Qubit Finance earlier this year by exploiting a vulnerability in its QBridge protocol. Hackers also nabbed$30 million from Grim Finance in late 2021 by exploiting a flaw in its vault contract. 

US blockchain analysis firm Chainalysis reported that 97% of the$1.3 billion of cryptocurrency stolen in the first quarter of 2022 was from DeFI platforms. Thefts from DeFI platforms took off in 2021 when DeFI platform hacks made up 71% of financial losses, whereas previously most cryptocurrency theft targeted individual wallets or crypto exchanges. 

The FBI says it has observed cybercriminals defrauding DeFI platforms through individual vulnerabilities affecting smart contracts and signature verification elements, as well as chaining together several flaws to manipulate price pairs. These include:

• Initiating a flash loan that triggered an exploit in the DeFi platform's smart contracts, causing investors and the project's developers to lose approximately$3 million in cryptocurrency as a result of the theft.
• Exploiting a signature verification vulnerability in the DeFi platform's token bridge and withdraw all of the platform's investments, resulting in approximately$320 million in losses.
• Manipulating cryptocurrency price pairs by exploiting a series of vulnerabilities, including the DeFi platform's use of a single price oracle and then conducting leveraged trades that bypassed slippage checks and benefited from price calculation errors to steal approximately$35 million in cryptocurrencies.    

The FBI is urging investors to treat DeFI platforms with caution but also acknowledges that investment involves risk. Investors should research platforms, protocols and smart contracts before investing and ensure the platform has conducted a code audit. 

The FBI also warns investors to be watchful of "DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit."

And it warns projects to be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching."Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions," it notes.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next