Crypto world on edge after string of hacks with $3.2 billion stolen from DeFi projects


NEW YORK - Not long after dropping out of college to pursue a career in cryptocurrencies, Mr Ben Weintraub woke up to some bad news.

Mr Weintraub and two classmates from the University of Chicago had spent the past few months working on a software platform called Beanstalk, which offered a stablecoin, a type of cryptocurrency with a fixed value of US$1. To their surprise, Beanstalk became an overnight sensation, attracting crypto speculators who viewed it as an exciting contribution to the experimental field of decentralised finance, or DeFi.

Then it collapsed. In April, a hacker exploited a flaw in Beanstalk's design to steal more than US$180 million (S$259 million) from users, one of a series of thefts this year targeting DeFi ventures.

Hackers have terrorised the crypto industry for years, stealing Bitcoin from online wallets and raiding the exchanges where investors buy and sell digital currencies. But the rapid proliferation of DeFi start-ups like Beanstalk has given rise to a new type of threat.

These loosely regulated ventures allow people to borrow, lend and conduct other transactions without banks or brokers, relying instead on a system governed by code. Using DeFi software, investors can take out loans without revealing their identities or even undergoing a credit check.

As the market surged last year, the emerging sector was hailed as the future of finance, a democratic alternative to Wall Street that would give amateur traders access to more capital. Crypto users entrusted roughly US$100 billion in virtual currency to hundreds of DeFi projects. But some of the software was built on faulty code.

This year, US$2.2 billion (S$3.2 billion) in cryptocurrency has been stolen from DeFi projects, according to crypto tracking firm Chainalysis, putting the overall industry on pace for its worst year of hacking losses.

Many of the thefts have stemmed from flaws in the computer programs - known as "smart contracts" - that power DeFi. The programs are often built hastily, and because smart contracts are usually open source and, once deployed, sit in public view on the blockchain, hackers can study the logic in advance and attack the protocol itself rather than simply infiltrating someone's account. It is the difference between robbing an individual and emptying an entire bank vault.

"DeFi has introduced a whole other level for hackers to be able to access a platform," said Ms Erin Plante, vice-president of investigations at Chainalysis. "It is putting a lot of pressure on the space and restricting the innovation that is possible."

The breaches have shaken faith in DeFi during a grim period for the crypto industry. An epic crash this spring erased nearly US$1 trillion and forced several high-profile companies into bankruptcy. In August, thieves exploited a coding issue to drain US$190 million from a company called Nomad. Last week, crypto firm Wintermute said its DeFi division had been hacked, leading to losses of US$160 million.

Tracking the movement of stolen crypto is fairly straightforward. Transactions are recorded on public ledgers called blockchains, which anyone can analyse to find patterns. But it is significantly harder to regain access to lost funds.
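To show what "analysing the public ledger" looks like in practice, here is an added example (not code from the original article or from any of the projects it names). It walks a constructed list of transfers from a theft transaction onward and propagates "taint" proportionally through each hop, the so-called haircut rule used in blockchain forensics, so that the share of stolen value reaching each destination can be read off. All addresses, block numbers and amounts are made up for illustration; the assumption that funds an address held before the first transfer seen are clean is also the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One on-chain value transfer (constructed sample data, not a real tx)."""
    block: int
    sender: str
    receiver: str
    amount: float


# Constructed sample ledger for illustration only. The exploiter drains a
# vault, splits the proceeds over two hops, one hop also receives unrelated
# clean money, and everything ends up at a single exchange deposit address.
SAMPLE_LEDGER = [
    Transfer(100, "protocol_vault", "exploiter", 1000.0),   # the theft
    Transfer(101, "exploiter", "hop_a", 600.0),
    Transfer(101, "exploiter", "hop_b", 400.0),
    Transfer(102, "clean_user", "hop_a", 400.0),            # dilutes hop_a
    Transfer(103, "hop_a", "exchange_deposit", 500.0),
    Transfer(103, "hop_a", "hop_c", 500.0),
    Transfer(104, "hop_b", "hop_c", 400.0),
    Transfer(105, "hop_c", "exchange_deposit", 900.0),
]


def trace_taint(ledger, victim, thief):
    """Propagate taint from the theft transfer through all later transfers.

    Haircut rule: when an address spends, the tainted share of the outgoing
    amount equals the tainted share of that address's tracked balance.
    Assumption: holdings an address had before the first transfer we see
    are clean. Returns (balances, tainted, trail); trail lists every
    transfer that carried tainted value, in ledger order.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    trail = []
    # sorted() is stable, so same-block transfers keep their ledger order.
    for tx in sorted(ledger, key=lambda t: t.block):
        if tx.amount <= 0:
            continue
        # Untracked prior holdings are treated as clean (stated assumption).
        if balance[tx.sender] < tx.amount:
            balance[tx.sender] = tx.amount
        if tx.sender == victim and tx.receiver == thief:
            dirty = tx.amount
            tainted[tx.sender] += dirty      # stolen value becomes tainted as it leaves
        else:
            # multiply before dividing to keep whole-number cases exact
            dirty = tainted[tx.sender] * tx.amount / balance[tx.sender]
        balance[tx.sender] -= tx.amount
        tainted[tx.sender] -= dirty
        balance[tx.receiver] += tx.amount
        tainted[tx.receiver] += dirty
        if dirty > 0:
            trail.append((tx.block, tx.sender, tx.receiver, tx.amount, dirty))
    return dict(balance), dict(tainted), trail


if __name__ == "__main__":
    balances, taint, trail = trace_taint(SAMPLE_LEDGER, "protocol_vault", "exploiter")
    for block, sender, receiver, amount, dirty in trail:
        print(f"block {block}: {sender} -> {receiver} {amount:.0f} ({dirty:.0f} tainted)")
    print(f"exchange_deposit holds {taint['exchange_deposit']:.0f} of 1000 stolen")
```

On the sample data the trail shows all 1,000 units of stolen value arriving at exchange_deposit, mixed with 400 units of clean money along the way, which is exactly the kind of pattern (a deposit address at a regulated exchange) that lets investigators ask for a freeze. The harder part the article points to, getting the funds back, starts only after this step and depends on the exchange's cooperation rather than on anything visible in the ledger.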

The hacks have prompted many DeFi start-ups to explore preventive measures, including recruiting auditors to examine their code for vulnerabilities. Even as other types of crypto firms cut costs during the downturn, security and auditing companies have seen a huge surge in business.

Since crypto's inception, companies have struggled with security. In 2014, the first major Bitcoin exchange, Mt. Gox, was breached in a damaging attack that eventually led to the company's bankruptcy and the loss of billions of dollars in digital currency.

At the time, the industry was relatively small and uncomplicated. Now, hackers can attack a wider ecosystem, including an experimental economy of crypto-based video games, decentralised lending projects and newfangled coins. Last year, a hacker stole US$600 million from DeFi platform Poly Network; the thief eventually returned the money after negotiations with the project's leaders.

This year's hacks have caused far more damage. In March, a group sponsored by the North Korean government stole US$620 million in digital currency from the Ronin Network, a DeFi platform that powers the video game Axie Infinity. Around the same time, a hacker exploited a software flaw in a DeFi project called Wormhole to abscond with US$320 million.

"Many people are putting up platforms with a known vulnerability," said Mr Chris Tarbell, a former Federal Bureau of Investigation agent who now runs cyber-security firm Naxo. "In a target-rich environment, criminals are going to be opportunistic." NYTIMES
