Over 50% of Attacks on DeFi Ecosystems Use This Vector: Researcher
Kofi Kufuor proposed his own classification of attacks on decentralized finance (DeFi) protocols and indicated core vulnerabilities this turbulent segment is exposed to.
Four major types of attacks in DeFi
According to his detailed post, all attacks that resulted in money being stolen from crypto protocols can be divided into four types based on "vulnerability stack."
1/ I collected data on over $4B of crypto application hacks
In this piece, I break down how the hacks were executed, the tools we have to stop history from repeating itself, and predictions for the future of crypto securityhttps://t.co/W2A9lPz69O— Kofi (@0xKofi) October 6, 2022
That said, all recent attacks are executed either against the ecosystem, protocol, smart contract language, or infrastructure. Infrastructure attacks target weaknesses of consensus, Internet systems behind DeFis, private keys and so on.
Smart contract language attacks exploit design flaws of programming languages used for smart contract creation. Protocol logic attacks are executed under bad business logic and tokenomical weaknesses.
Last but not least, ecosystem attacks target the interactions between various DeFi protocols: to initiate an attack (or amplify it), malefactors borrow money from one protocol and inject it into the liquidity pools of another DeFi.
Multi-chain apps and bridges under fire
Ecosystem attacks are the most frequent: over 41% of all DeFi hacks belong to this group. At the same time, should we exclude the three most devastating hacks from the analysis (Ronin Bridge, Poly Network, BNB Chain bridge), infrastructure attacks resulted in the largest losses.
Out of ecosystem hacks, flash loan attacks with price oracles are the most frequent; various attacks on private keys (phishing, brute force, compromised keys and so on) are dominant in anti-infrastructure hacks.
Ethereum-based apps witnessed $2 billion in stolen funds. More than one half of attacks in 2020-2022 targeted cross-network bridges and multi-blockchain apps.