Assessing the Shortfalls of DeFi Platforms

Author: Vimal Mani, CISA, CISM, Six Sigma Black Belt
Date Published: 27 September 2023

Decentralized finance (DeFi) is an emerging trend in the world of financial services. Most DeFi platforms are built on public blockchains, principally Ethereum, and transact in cryptocurrencies such as ether (ETH) and the tokens issued on those chains. DeFi platforms provide services such as lending, borrowing, trading and insurance against losses incurred on assets in the DeFi ecosystem. These capabilities have created an innovative banking ecosystem and made it possible to access various financial instruments with limited input from customers. DeFi platforms experienced significant growth in 2020 and 2021, receiving investments of more than US$100 billion.1 The global DeFi-driven financial market is expected to grow at an annual rate of 42.5 percent from 2022 to 2030 to reach US$231.19 billion by 2030.2 However, financial institutions should be mindful of the increase in cybercrimes and scams targeting DeFi platforms, and of the arrival of new international regulations designed to curb these attacks.

How DeFi Platforms Differ From Traditional Banks

In the financial services sector, new DeFi platforms are becoming the alternative to traditional banks for peer-to-peer digital exchanges. The salient features of DeFi platforms compared to traditional banks are:

  • Unlike conventional banks, noncustodial DeFi platforms generally do not enforce restrictions (e.g., daily withdrawal limits) on their customers.
  • Most DeFi platforms perform no know-your-customer (KYC) verification at all, and where it exists it is far lighter than the background checks banks run on new customers, which involve cumbersome lists of checks and balances. This is convenient for users, but it is also one of the features regulators are now targeting.
  • DeFi platforms can yield higher interest rates than traditional banks.
  • On DeFi platforms, individuals hold their own private keys and are the only ones who control their funds. Because a noncustodial DeFi protocol is not a company holding customer deposits, the failure of a centralized intermediary does not take those deposits with it.3 This does not eliminate the risk of loss: the risk shifts to smart contract defects, protocol insolvency (bad debt) and the user's own key management, and nothing comparable to deposit insurance applies.
  • Traditional banks are staffed with officers, whereas DeFi is digitally driven, with a very limited number of staff assigned to front- and back-office operations. This reduces operating costs in terms of people management. However, a smaller staff means direct interaction with staff is negligible, which may weaken the customer relationship and leaves users with little recourse when something goes wrong.
  • Using DeFi platforms, money can be transferred as digital currency from one wallet to another in seconds or minutes, whereas traditional bank transfers can take days. Part of that speed comes from skipping mandatory customer due diligence such as antimoney laundering (AML) screening: most DeFi platforms perform none, which creates the risk that the same rails are used to launder money or finance terrorism. Proposals exist to mitigate this with blockchain-based shared KYC, in which customer information received and validated once is stored on the chain's nodes and reused for later checks, so that AML screening done by one bank or DeFi platform can be leveraged by another connected to the same blockchain. Until such schemes are widely deployed, the practical difference from traditional banking is that AML screening on DeFi platforms is usually absent.
  • DeFi platforms are built on public blockchains such as Ethereum, and their smart contracts are usually open source. Every transaction is publicly recorded and deployed contract code can be verified against its published source, which gives a degree of transparency traditional banks do not offer: an auditor can inspect a platform's on-chain activity and balances directly and reconcile them against the other platforms it interacts with on the same chain. Transparency of data is not the same as correctness of code, however; auditing the contract logic itself requires specialist review (see Cybersecurity Mitigation).
  • DeFi eliminates the fees banks charge for their services, but every on-chain operation, including a DeFi swap, incurs a network transaction (gas) fee paid to the blockchain rather than to the platform. A swap is the exchange of one token for another through a decentralized exchange's liquidity pool. Individuals using digital wallets can complete such transfers through DeFi platforms in minutes over an Internet connection.

The Threat Landscape

As with any financial services platform, DeFi platforms are exposed to financial scams and cybersecurity risk. The most prevalent threats faced by DeFi platforms and their users are crypto rug pull scams, honeypot scams and cybersecurity attacks.

Crypto Rug Pull Scams
A crypto rug pull is a well-known scam in the cryptocurrency world wherein cryptocurrency developers abandon a project midway and abscond with investors' funds.

The main types of crypto rug pull scams are:4

  • Liquidity stealing—Token creators withdraw the funds that they and investors placed in the token's liquidity pool, leaving the remaining tokens effectively unsellable.
  • Limiting sell orders—Developers code the token contract so that only their own wallets are able to sell (the same mechanism underlies the honeypot scams described below).
  • Dumping (pump and dump scheme)—Developers promote a token, then quickly sell off their large holdings, which crashes the price.

There have been significant crypto rug pull scams in recent years,5 and the collapse of FTX is often described in the same terms.6 Prior to its collapse, FTX was the third-largest cryptocurrency exchange and had more than one million customers. The collapse was triggered by a liquidity crisis centered on its own token, FTT, combined with mismanagement of customer funds, followed by a large volume of withdrawals from a large pool of investors. Strictly speaking, FTX was a centralized exchange rather than a DeFi protocol; its failure illustrates the counterparty risk of a custodian, which is exactly the risk noncustodial DeFi claims to remove, rather than a smart contract rug pull.

Rug pulls took more than US$2.8 billion from investors in 2021, according to the research firm Chainalysis.7,8 To avoid becoming victims of such scams, investors should limit their trading to regulated crypto marketplaces and established tokens, and before buying a new token should check whether its liquidity is locked and whether its contract gives the owner control over who may transfer.

Honeypot Scams
A honeypot scam is a token whose price only ever rises because nobody except the scammer is able to sell it. Scammers insert malicious logic into the token's smart contract, a program that executes financial transactions automatically when predefined conditions are met: the contract allows purchases from anyone but permits sales only from wallets controlled by the scammers. Investors are lured in by the ever-increasing value and discover only when they try to sell that their tokens are locked.9
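The mechanism behind both the "limiting sell orders" rug pull above and the honeypot scam is a token contract whose transfer path treats sales differently from purchases. The following Solidity contract is an added illustration written for this article, not the code of any real token; the contract name, the hidden whitelist and the pair address are hypothetical. It shows the pattern an auditor or a prospective buyer should look for:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of a honeypot / "only insiders can sell" token. Not the code of any
// real token; the contract name, the hidden whitelist and the pair address are hypothetical.
// The ledger is a minimal ERC-20 subset, enough to show the transfer-path trick.
contract HoneypotToken {
    string public constant name = "HYPOTHETICAL";
    uint8 public constant decimals = 18;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    event Transfer(address indexed from, address indexed to, uint256 value);

    address public immutable owner;
    address public dexPair;                    // liquidity pool; set after the pool is created
    mapping(address => bool) private canSell;  // undisclosed whitelist of insider wallets

    constructor() {
        owner = msg.sender;
        canSell[msg.sender] = true;
        balanceOf[msg.sender] = 1_000_000 ether; // 1,000,000 tokens at 18 decimals
    }

    // Owner-only setters that change who is allowed to transfer are the first red flag.
    function setPair(address pair) external {
        require(msg.sender == owner, "owner only");
        dexPair = pair;
    }

    function setCanSell(address who, bool ok) external {
        require(msg.sender == owner, "owner only");
        canSell[who] = ok;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        // Buys (pair -> buyer) always succeed, so volume and price climb on the chart.
        // Sells (holder -> pair) require membership in the hidden whitelist; the generic
        // revert reason hides why an ordinary holder's sale fails.
        if (to == dexPair && !canSell[from]) revert("transfer failed");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Path taken by a DEX router when a holder tries to sell; it hits the same check.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;  // checked math: reverts if not approved
        _transfer(from, to, amount);
        return true;
    }
}
```

The tells are a private or owner-settable whitelist consulted only when the destination is the liquidity pair, owner-only setters that change who may transfer, and a deliberately generic revert reason. A practical pre-purchase check is to simulate a sell (an `eth_call` of `transfer` or `transferFrom` toward the pair from an ordinary holder's address) and confirm it does not revert; a reverting simulated sell, or a transfer tax the owner can raise to 100 percent, is the same scam in a different coat. Honeypot contracts are also frequently left unverified on block explorers, which is itself a warning sign.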

Some DeFi platforms, or parts of them, may fall within regulated activities governed by well-defined crypto asset regulations10,11 aimed at preserving financial stability, protecting investors and consumers, promoting market integrity and mitigating illicit finance risk. DeFi platforms are expected to improve in the future.12 Investors can protect their investments by performing due diligence on cryptocurrency projects before committing funds, which may include:

  • Reviewing, or obtaining an independent review of, the token contract's code, the token distribution method, the liquidity conditions and the project's market reputation.
  • Treating any cryptocurrency project promising very high returns with suspicion. Staking rewards and yield farming are two common features of DeFi ecosystems that scammers use to make false promises of very high returns.13

Cybersecurity Attacks
As of September 2022, approximately US$53.73 billion worth of assets were locked in DeFi platforms worldwide, and DeFi platforms had lost US$2.32 billion to exploitation by hackers.14,15,16 Cryptocurrency-targeted cyberattacks are rising globally.17 DeFi platforms are exposed to hacking because:

  • Most DeFi platforms are open source and their contracts run on public chains, so anyone, including attackers, can study the exact code that holds the funds and rehearse an exploit against a local copy before sending it. Hiding the source would not help, since the deployed bytecode is public anyway; the consequence is that defects are found by whoever looks first, and attackers are motivated to look.
  • Developers do not perform sufficient security reviews of DeFi platforms before they are released for wider use.
  • DeFi platforms are highly interconnected: a lending protocol may price collateral from a decentralized exchange, which may in turn hold tokens issued by other protocols. A flaw, or a manipulated price, in one contract propagates to every platform that depends on it.
  • Cryptocurrency markets run on smart contracts. Logic errors such as typographical mistakes, misinterpreted specifications and plain coding errors introduced during development make smart contracts exploitable, and because deployed contract code is normally immutable, such defects cannot be patched quietly after the fact. A compromised smart contract lets hackers divert cryptocurrency to themselves.18
  • DeFi platforms and their users are also exposed to ransomware, distributed denial of service (DDoS), phishing and cryptojacking attacks.19 A recent report from security solution provider Sophos predicts that, along with ransomware, cryptojacking will be one of the most prominent ways criminals extract cryptocurrency payments from victims.20
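Two of the coding mistakes behind the "logic errors" bullet above (and listed again under Cybersecurity Mitigation as overflows and underflows and nonlimited loops) are easiest to recognize side by side with their fixes. The staking pool below is an added example written for this article, not code from the article or from any real protocol; the contract, function and constant names, and the staker cap, are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the article or any real protocol: a staking pool
// written twice, once with two of the coding mistakes named in the text (wrapping
// arithmetic and an unbounded loop) and once corrected. All names are hypothetical.

contract RewardPoolVulnerable {
    address[] public stakers;                  // grows every time a new address deposits
    mapping(address => bool) private registered;
    mapping(address => uint256) public stake;

    function deposit() external payable {
        if (!registered[msg.sender]) {
            registered[msg.sender] = true;
            stakers.push(msg.sender);
        }
        stake[msg.sender] += msg.value;
    }

    // Mistake 1: `unchecked` (or any compiler before 0.8.0) lets the subtraction wrap.
    // Withdrawing more than one's stake underflows to ~2**256 instead of reverting,
    // and the caller walks away with the pool's ether.
    function withdraw(uint256 amount) external {
        unchecked { stake[msg.sender] -= amount; }
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }

    // Mistake 2: a loop over an array anyone can grow. Each iteration costs gas; once the
    // loop exceeds the block gas limit, distribute() can never complete and rewards are
    // frozen for everyone. A single staker whose receive() reverts blocks it the same way.
    function distribute() external payable {
        uint256 share = msg.value / stakers.length;
        for (uint256 i = 0; i < stakers.length; i++) {
            payable(stakers[i]).transfer(share);
        }
    }
}

contract RewardPoolFixed {
    address[] public stakers;
    mapping(address => bool) private registered;
    mapping(address => uint256) public stake;
    mapping(address => uint256) public owed;
    uint256 public constant MAX_STAKERS = 1_000; // hypothetical cap keeps the loop bounded

    function deposit() external payable {
        if (!registered[msg.sender]) {
            require(stakers.length < MAX_STAKERS, "pool full");
            registered[msg.sender] = true;
            stakers.push(msg.sender);
        }
        stake[msg.sender] += msg.value;
    }

    // Checked arithmetic (the 0.8.x default): amount > stake reverts instead of wrapping.
    function withdraw(uint256 amount) external {
        stake[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }

    // Pull over push: record what each staker is owed and let them claim individually,
    // so no single transaction's success depends on every recipient accepting ether.
    function distribute() external payable {
        require(stakers.length > 0, "no stakers");
        uint256 share = msg.value / stakers.length;
        for (uint256 i = 0; i < stakers.length; i++) {
            owed[stakers[i]] += share;
        }
    }

    function claim() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;                   // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

The review points are the ones an auditor looks for: any `unchecked` block or pre-0.8 compiler pragma around balance arithmetic, and any loop whose bound is a storage array that users can grow. The corrected version caps the array, relies on the compiler's checked arithmetic, and replaces pushing ether to every staker with a claim function each staker calls for themselves.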

DeFi ecosystems can facilitate money laundering and other internal and external financial crimes.


Cybersecurity Mitigation

Because DeFi platforms are so vulnerable, it is critical for developers to ensure the safety and security of the platforms they develop and bring to market. Critical cybersecurity best practices for developers to improve the security posture of DeFi platforms include:

  • Careful review of a prospective DeFi development partner's track record and of the user experience of platforms it has already shipped before engaging it. A partner with proven technical skills, domain knowledge and a record of launching complex DeFi platforms is more likely to deliver one that is secure, reliable and user-friendly.
  • Open-source tools such as Codefi Inspect can be used to aggregate critical security information about DeFi platforms.21
  • Open vulnerabilities identified in decentralized applications (DApps), the blockchain-based, smart contract-powered applications through which users interact with DeFi, must be reviewed carefully and remediated diligently.22
  • Static analysis tools (for Solidity, Slither and Mythril are widely used) should be run over DApps and smart contracts to identify potential vulnerabilities before deployment.
  • Common coding vulnerabilities such as integer overflows and underflows, unbounded loops, proxy storage collisions and improper data removal should be avoided. These are implementation mistakes that cause the DeFi protocol to malfunction and leave it open to exploitation. Developers should adopt secure coding standards and complete periodic secure code reviews of the platform, and a third-party external audit should be commissioned to identify security loopholes. The codebase should include comments and documentation where appropriate so that the audit team can understand it.
  • Developers should guard against re-entrancy attacks, in which an external call made before the contract's state has been updated allows the callee to call back in and repeat the operation; the checks-effects-interactions pattern and re-entrancy guards are the standard defenses.23
  • A decentralized oracle network should be used for external data such as asset prices. An oracle is a service, typically fronted by a smart contract, that bridges the DeFi platform and the external world; a single-source oracle, or a price read from one on-chain pool, can be manipulated within a single transaction (for example, with a flash loan) to trigger mispriced trades or liquidations.
  • Well-defined preventive measures against transaction ordering abuse (front-running), such as fair sequencing services, should be enforced.
  • Detailed third-party security reviews, focused audits and risk assessments should be commissioned before deploying the DeFi platform to production.
  • Training and awareness education should be provided to new users so that they can detect and understand cryptojacking attacks targeting DeFi platforms.
  • A fully tested disaster recovery plan (DRP) should be in place.

Security best practices that are critical for DeFi platform users include:

  • Trading should happen only in established cryptocurrencies and tokens with a verifiable track record.
  • Accessing DeFi platforms from untrusted networks, or from shared or unpatched devices (including smartphones), should be avoided.
  • Anticryptomining browser extensions such as No Coin, minerBlock and Anti Miner can be used to block cryptojacking scripts.
  • Traders should avoid tokens in which one or a few wallets hold the majority of the supply; concentrated holdings are a marker of honeypots and rug pulls, since the insiders can dump the token or lock the market at will.
  • Advertisement blockers should be used to detect and block malicious cryptomining scripts embedded in web-based advertisements.
  • Users should refrain from clicking links in suspicious emails or messages and from providing any sensitive information, such as a seed phrase or private key; legitimate DeFi projects never ask for this by email. Users should also read what a wallet transaction actually approves before signing it, since an unlimited token approval granted to a malicious contract lets it drain the wallet as surely as a leaked key.
  • Hardware wallets should be used to maximize the security of users' holdings. A hardware wallet keeps private keys on a dedicated physical device that signs transactions without exposing the key to the connected computer, and it can be disconnected entirely when not in use.

Conclusion

Although global financial markets have evolved due to the emergence of digitized decentralized services such as DeFi, those services have also attracted tech-savvy cybercriminals who devise various scams targeting the financial services ecosystem. As the global use of DeFi platforms continues to grow quickly, the financial transactions they enable are prone to greater inherent risk that can impact the entire financial ecosystem. According to a recent industry report, DeFi platforms have incurred more than US$12 billion in losses due to fraud and cyberattacks. These losses are only accelerating, with losses totaling US$10.5 billion in 2021, which was up from US$1.5 billion in 2020.24

Between January and March 2022, hackers stole US$1.3 billion worth of cryptocurrencies, and 97 percent of them were stolen from DeFi platforms, according to the US blockchain analysis firm Chainalysis.25 Recently, the US Federal Bureau of Investigation (FBI) issued an alert regarding cybercriminals targeting DeFi platforms through robust cyberattacks.26

Considering the significantly increasing crimes and scams targeting DeFi platforms, financial services regulators such as central banks should begin enforcing financial crime prevention controls and coding standards specific to these platforms. Improved KYC and AML screening, focused third-party audits, secure code reviews and risk assessments are critical measures that should be considered as part of these controls.27 Financial institutions should be mindful of the arrival of new international regulations that are attempting to curb the cybercriminals targeting decentralized platforms such as DeFi.28

Endnotes

1 Dale, B.; “DeFi Is Now a $100B Sector,” CoinDesk, 29 April 2021, https://www.coindesk.com/markets/2021/04/29/defi-is-now-a-100b-sector/
2 MarketWatch, “Decentralized Identifiers Market Size 2030,” 8 April 2023, https://www.marketwatch.com/
3 Nani, J.; “If a Crypto Exchange Goes Bankrupt, What Happens? Explained,” Bloomberg Law, 19 May 2022, https://news.bloomberglaw.com/bankruptcy-law/if-a-crypto-exchange-goes-bankrupt-what-happens-explained
4 CryptoVantage, “What Are the Biggest Crypto Rug Pulls in History?” 23 September 2022, https://www.cryptovantage.com/news/what-are-the-biggest-crypto-rug-pulls-in-history/
5 Zipmex, “Rug Pull Meaning in Crypto—Six Pulled Projects to Learn From,” 9 August 2022, https://zipmex.com/learn/rug-pull/
6 Southurst, J.; “FTX Bankruptcy: Hacked, Regulated or Rug-Pulled as Traders Despair,” CoinGeek, 12 November 2022, https://coingeek.com/ftx-bankruptcy-hacked-regulated-rug-pulled-as-traders-despair/
7 Chainalysis, “The Biggest Threat to Trust in Cryptocurrency: Rug Pulls Put 2021 Cryptocurrency Scam Revenue Close to All-Time Highs,” 16 December 2021, https://www.chainalysis.com/blog/2021-crypto-scam-revenues/
8 Makwa, S.; “DeFi ‘Rug Pull’ Scams Pulled In $2.8B This Year: Chainalysis,” CoinDesk, 17 December 2021, https://www.coindesk.com/markets/2021/12/17/defi-rug-pull-scams-pulled-in-28b-this-year-chainalysis/
9 Singh, J.; “What Is a Honeypot Crypto Scam and How to Spot It,” CoinTelegraph, 26 December 2021, https://cointelegraph.com/news/what-is-a-honeypot-crypto-scam-and-how-to-spot-it
10 Li, B.; “Some Key Elements of Crypto Regulation,” International Monetary Fund, 9 December 2022, https://www.imf.org/en/News/Articles/2022/12/16/sp120922-some-key-elements-of-crypto-regulation
11 Abu Dhabi Global Market (ADGM) eServices, “Virtual Asset Activities,” https://www.adgm.com/setting-up/virtual-asset-activities/overview
12 Securities and Exchange Commission, “Statement on DeFi Risks, Regulations, and Opportunities,” USA, 9 November 2021, https://www.sec.gov/news/statement/crenshaw-defi-20211109
13 Waldman, A.; “Cryptocurrency Targeted Cyber Attacks on the Rise as Industry Expands,” TechTarget, March 2022, https://www.techtarget.com/searchsecurity/feature/Cryptocurrency-cyber-attacks-on-the-rise-as-industry-expands
14 Howell, J.; “Top 10 DeFi Hacks You Should Know,” 101 Blockchains, 29 December 2022, https://101blockchains.com/top-defi-hacks/
15 Rowden, S.; “What Is Defi Hack? And Top 5 DeFi Hacks of 2022,” BitKan, 21 October 2022, https://bitkan.com/learn/what-is-defi-hack-and-top-5-defi-hacks-of-2022-6270
16 Gogo, J.; “Top 10 DeFi Hacks of 2022: Hackers Get More Daring,” BeInCrypto, 23 September 2022, https://beincrypto.com/top-ten-defi-hacks-2022-hackers-daring/
17 Op cit Waldman
18 ImmuneBytes, “Ten Key Smart Contract Vulnerabilities: That Can Lock Your Crypto Assets,” 29 July 2022, https://www.immunebytes.com/blog/smart-contract-vulnerabilities/
19 Barney, N.; “Cryptojacking,” TechTarget, September 2022, https://www.techtarget.com/whatis/definition/cryptojacking
20 Sophos, Sophos 2022 Threat Report: Interrelated Threats Target an Interdependent World, United Kingdom, November 2021, https://assets.sophos.com/X24WTUEQ/at/b739xqx5jg5w9w7p2bpzxg/sophos-2022-threat-report.pdf
21 ConsenSys Codefi, “ConsenSys Launches Codefi Inspect,” Medium, 5 April 2020, https://consensyscodefi.medium.com/consensys-launches-codefi-inspect-consensys-codefi-5efa8c162025
22 ConsenSys, “Thoughts on DeFi Security,” Medium, 11 May 2020, https://medium.statuspage.io/
23 Soliditylang.org, “Security Considerations,” https://docs.soliditylang.org/en/latest/security-considerations.html#re-entrancy
24 Elliptic, DeFi: Risk, Regulation, and the Rise of DeCrime, United Kingdom, 2021, https://www.elliptic.co/resources/defi-risk-regulation-and-the-rise-of-decrime
25 Chainalysis, “Hackers Are Stealing More Cryptocurrency From DeFi Platforms Than Ever Before,” 14 April 2022, https://blog.chainalysis.com/reports/2022-defi-hacks/
26 Katte, S.; “FBI Issues Alert Over Cybercriminal Exploits Targeting DeFi,” CoinTelegraph, 30 August 2022, https://cointelegraph.com/news/fbi-issues-alert-over-cybercriminal-exploits-targeting-defi
27 Marley, R.; “Money Laundering and Cybercrime on DeFi Platforms—Ensuring KYC/AML Compliance,” ShuftiPro, 7 November 2022, https://shuftipro.com/blog/money-laundering-cybercrime-on-defi-platforms-ensuring-kyc-aml-compliance/
28 Shumba, C.; “Global Standard Setters Will Team Up to Tackle DeFi Regulation: FSB,” CoinDesk, 16 February 2023, https://www.coindesk.com/policy/2023/02/16/global-standard-setters-will-team-up-to-tackle-defi-regulation-fsb/

VIMAL MANI | CISA, CISM, SIX SIGMA BLACK BELT

Is head of the Information Security Department of the Bank of Sharjah. He is responsible for the bank’s end-to-end cybersecurity program, coordinating its cybersecurity efforts across the Middle East; implementing its cybersecurity strategy and standards; leading periodic security risk assessments, incident investigations and resolution efforts; and coordinating the bank’s security awareness and training programs. He is an active member of the ISACA® Dubai Chapter (United Arab Emirates). He can be reached at vimal.consultant@gmail.com.