New Crypto DeFi Crime Trends

Beinsure
Feb 15, 2023

Decentralized finance (DeFi) has had a challenging year — losing 75% of its total value locked over the last 11 months. However, while the crypto crash might have hit investors, it did not deter criminals. Bug exploits, logic faults, private key compromises and social engineering attacks broke records in 2022, stealing a record $2.7 billion from DeFi protocols.

Decentralized finance (DeFi) is an emerging financial technology that challenges the current centralized banking system. DeFi eliminates the fees that banks and other financial companies charge for using their services and promotes the use of peer-to-peer, or P2P, transactions (see DeFi Fundraising Review).

From North Korean heists to US sanctions against Tornado Cash, DeFi-related crime — or “DeCrime” — has displayed new trends and behaviors throughout 2022. In this blog, Elliptic analyzes these trends, and the top five crucial insights observed throughout the year that might shed light on the biggest security risks facing DeFi in 2023.

Thefts Netted $32.6 Million per Hack on Average — Almost Double 2021’s Figure

In 2020, the average DeFi theft earned its perpetrators around $6.4 million. In 2021, that figure rose to $17 million. In 2022, that figure almost doubled, with an average of $32.6 million stolen in each hack. The heaviest loss was sustained by the BSC Token Hub in October 2022, when it lost $569 million worth of cryptoassets.

In another, slightly consoling development, the number of DeFi hacks actually fell in 2022, with fewer than 90 occurring compared to more than 120 observed in 2021 (see How Much Are Crypto Criminals Laundering Using Blockchain Technology?). On average, one hack occurred every four days, down from one every three days last year.

However, given the heavy-hitting nature of many of these hacks, the daily average amount taken from DeFi protocols has exceeded a record-breaking $7.6 million (see Metaverse & NFT Market Trends).

The BSC Token Hub hack, the Ronin Bridge attack ($540 million stolen), the Wormhole Bridge hack ($325 million stolen) and the Wintermute exploit ($162 million stolen) have all entered the top ten scoreboard for largest-ever crypto thefts. BSC Token Hub and Ronin are second and third, respectively (see Investing in the Metaverse).

BSC Overtakes Ethereum as the Most Hacked Blockchain

Binance Smart Chain (BSC) has narrowly taken the lead, accounting for 25% of funds lost to single-chain hacks. Solana has also become a frequent target, accounting for 18.6% of stolen funds (see Insurance for Crypto Assets). As new blockchain ventures seek to challenge Ethereum’s dominance through faster transaction speeds and scalability, the number of DeFi projects testing out their capabilities rose sharply. In many cases, security and crime-proofing considerations were slow to catch up.

Cross-chain Bridges Were the Biggest Casualties of the Year

Perhaps one of the starkest and most clearly observed trends in 2022 was the plight of cross-chain bridges. These are services that allow users to exchange cryptoassets between blockchains, otherwise known as “chain hopping” (see NFT Thefts and Financial Crime. Types of Scams in Non-Fungible Tokens).

For criminals, a liquid smart contract is a lucrative one. Three of the four hacks described above (BSC Token Hub, Ronin and Wormhole) targeted cross-chain bridges. Significant hacks have also targeted the Qubit, Harmony and Nomad bridges. Over $1.85 billion has been stolen from these services in 2022, nearly 70% of all thefts this year. This is double the figure from 2021, when bridge attacks stole $640 million.

Another weakness of bridges is that, by the nature of their service, they exist on smaller blockchains with relatively untested security and audit cultures. On these chains, the smart contracts operated by these bridges may therefore be more vulnerable to attack than those on more mainstream blockchains such as Ethereum.

Subsequently, the popular decentralized mixer Tornado Cash announced that it would implement a smart contract sanctions screening tool to prevent Lazarus from using its tool to cash out the stolen funds.

To avoid these measures, the Lazarus Group generated new intermediary addresses to send funds through Tornado Cash indirectly — leading to fresh sanctions of those addresses by the United States in an attempt to stop them from reaching Tornado Cash.

According to Elliptic’s internal estimates, North Korean money laundering constituted 6.5% of ETH and USDC being processed by the mixer. Elliptic has also attributed the smaller $100 million Harmony Horizon Bridge hack in June 2022 to Lazarus — partially based on the similarity of its post-hack Tornado Cash laundering patterns.

Post-Tornado Money Laundering is Going Cross-chain and Cross-asset

Arguably the most significant sanctions development of 2022 with a nexus to DeFi — namely the sanctioning of Tornado Cash — did little to stop DeFi hacks.

These are services that allow users to convert between cryptoassets on the same blockchain. A further $2.7 million has been sent directly through cross-chain bridges to be laundered on different blockchains. Just $6.6 million, or 2.1% of the theft proceeds observed, has been sent through Tornado Cash.

………..

Full report: https://beinsure.com/decentralized-finance-hacks-crypto-defi-crime/
