4 of the top DeFi cybersecurity risks

What is a cybersecurity risk?

Cybersecurity risk is the probability of exposure or loss resulting from a cyber-attack or data breach (e.g. direct loss of assets and sensitive information, or reputational harm).

DeFi projects

Cybersecurity risk can come from within a project (internal risk) or from external parties (external risk) and can be malicious or unintentional. Internal risks stem from the actions of employees inside a project, such as sabotage, fraud and theft (malicious); or coding mistakes and failure to update software (unintended).

External risks stem from outside a project, such as from hackers or business partners, including data breaches and a variety of specialised attacks (malicious), or outages and failures from a relied upon partner (unintended).

Crypto-theft

The most popular method of crypto theft is the infiltration of crypto-exchange security systems. Centralised cryptocurrency exchanges often act as custodians and hold the private keys on behalf of the users who purchase and trade tokens on the exchange. Even though users can access their exchange their own accounts using logins and passwords, what they see is a representation of the tokens held on their behalf – the exchange’s wallet actually holds the tokens and private keys.

This custodial structure has advantages such as speed of transactions, customer support, insurance and the ability to deposit and withdraw fiat currency. However, the central control over private keys and user accounts and passwords has proven to be a major cybersecurity risk.

Consequences of crypto-theft

As of December 2020, approximately US$2.9B had been stolen through security breaches in the internal security systems of cryptocurrency exchanges. The first major breach was the Mt Gox breach in 2014 when the bitcoin exchange lost almost 750,000 of its customers’ BTC as well as 100,000 of its own BTC. The total loss represented around 7% of the total BTC available and was worth around $473M at the time. The largest breach to date involved the Japanese exchange Coincheck in 2018 when hackers stole nearly $500M of NEM tokens.

Cybersecurity breaches at cryptocurrency exchanges continue to be a major concern at exchanges around the world. In response to the cybersecurity risks, cryptocurrency exchanges and custodians are taking various precautions including the use of cold wallets and buying insurance to protect customer accounts.

A list of these breaches as well as other fraud involving cryptocurrencies can be found at the Map of Security Breaches and Fraud Involving Crypto 2011-2021.

Key management compromises

The most common DeFi cybersecurity risks are “key management compromises” (e.g. by individual users or by admins/developers at projects and exchanges), coding mistakes, misuse of third-party protocols, and business logic errors. Exploits still happen frequently by hackers who take advantage of these vulnerabilities.

Consequences of key management compromises

With smart contracts, if an attacker compromises an admin key, they can have complete control over the smart contract and steal user funds. For example, in April 2021, the DeFi protocol EasyFi was hacked for $80M of EASY tokens due to a targeted attack on the founder’s Metamask wallet to access admin keys.

Sometimes a small coding mistake in smart contracts can turn into a major disaster that causes assets worth millions to be compromised. For example, in May 2021, Value DeFi was hacked for $20M due to a missing line of code that allowed a hacker to re-initialise a liquidity pool, set themself up as the operator, and drain the staked tokens.

While many DeFi projects run independently, some require users to interact with other third-party protocols (e.g. Yearn Finance) or borrow code from other projects (e.g. PancakeSwap references code from UniSwap, even though both run independently). If the source code of the third-party project is vulnerable or poorly understood, then the project that uses the code is also vulnerable.

For example, in May 2021, an attacker was able to drain $10M of ETH from the Rari Capital Ethereum Pool by exploiting a function from the Alpha Homora protocol, which was integrated into Rari.

Business logic errors

Business logic errors are another form of cybersecurity risk, where an exploitable opportunity is created in a project mostly because developers lack the necessary financial knowledge to foresee arbitrage loopholes. For example, in October 2020, a ‘hacker’ took advantage of an unchecked arbitrage opportunity on the Harvest Finance DeFi platform, using a $50M flash loan to manipulate liquidity pool prices in a series of trades that generate over US$24M in unchecked arbitrage profits.

Coding errors

There have been numerous cases where there have been coding errors or other problems with smart contracts and DeFi projects. One of the highest-profile cases was the 2016 DAO hack where US$50 million of DAO tokens were stolen by an unknown hacker who exploited a loophole in the smart contracts to drain investment funds.

There was an intense debate amongst the Ethereum community on how to respond to the hack. Many believed that since this wasn’t an error in the Ethereum blockchain, that the transactions should be accepted and the blockchain ledger left as it was.

Others believed that Ethereum should perform a ‘hard fork’ to reverse the theft, and this is what eventually happened. Read Understanding the DAO Attack to learn about the 2016 DAO hack and subsequent hard fork by Ethereum. Extraordinary measures such as this are not always available to remedy DeFi cybersecurity breaches, so it is important to understand the risks a project may pose before investing.