Some attacks on decentralized finance (DeFi) platforms are financial in nature: the manipulation of token prices in the Mango Markets attack, for example. Many others, however, are far more mundane, and they carry an important lesson: cybersecurity best practices are always relevant.
Code Vulnerabilities
The widespread use of open-source code is a potential weak point for decentralized crypto exchanges. Open-source libraries, and any vulnerabilities in them, are visible to anyone who chooses to look, malicious or not. The Wormhole hack in February 2022 exploited a bug for which a fix had already been committed to GitHub but had not yet been deployed by Wormhole. The perpetrators made off with $325M. A public fix is also a public disclosure: the window between a patch landing in the repository and its deployment in production is precisely the window an attacker watches for.
In August 2022, Nomad suffered an attack that caused a $190M loss and was traced to a code error, one that might well have been caught by application security testing. Whether or not a DeFi platform uses open-source code, code audits and attention to software supply chain attacks should be a high priority.
API Security
API security was central to the 2020 hack of IOTA, where API access to the crypto wallet through a third-party payment service was targeted and successfully exploited. The damage was compounded by delayed communication between IOTA and the payment service, which allowed the network to be exploited for a full five days before coordinated action was taken.
BadgerDAO was another victim of a compromised API key, with $120 million stolen. The attackers created an unauthorized API key without the knowledge of BadgerDAO's engineers, which gave them the means to inject malicious code. Credentials such as API keys therefore need the same lifecycle controls as user accounts: an inventory of which keys exist, alerts when new ones appear, and regular review of what each key can reach. Since APIs are among the foundations of modern digital business, protecting and securing them against vulnerabilities is a must.
MFA
Multifactor authentication (MFA) is a security best practice that is not followed as often as it should be. One of its benefits is an additional layer of protection against phishing. In the Crypto.com attack, compromised credentials were used to obtain account reset tokens that were not protected by MFA.
Implementing MFA should be a top preventive measure that organizations take against attacks, but they should also be aware that MFA fatigue (also called push bombing) is an increasingly used attack technique. When the second factor is a push notification that the user simply approves or denies, attackers with stolen credentials can wear the user down by running a script that repeatedly attempts to log in. Each attempt sends another push notification to the user's phone, and the user keeps rejecting requests until they make a mistake, or simply give up, and approve one. Implementing MFA properly is important, but keeping the implementation current against techniques like MFA fatigue is just as important: rate-limit push prompts, alert on bursts of prompts for one account, and prefer number matching or phishing-resistant factors such as FIDO2 authenticators over plain approve/deny prompts.
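To make the attack pattern concrete, here is an added example (not code from the original article or from any vendor named in it) that does two things a defender would want: it runs detection logic over constructed push-authentication log lines to flag an account that is being push-bombed, and it shows the preventive check an identity provider can apply before issuing yet another prompt. The log format, event names, thresholds and window sizes are assumptions chosen for illustration, not any product's schema.

```python
"""Detecting and throttling MFA fatigue (push bombing).

Added example, not from the original article or any vendor: the log format,
event names and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <user> <event> <source IP>".
# "alice" is being push-bombed from one address and eventually approves a
# prompt; "bob" is a normal login with a single prompt.
SAMPLE_LOG = """\
2022-10-03T09:00:01Z alice push_sent 203.0.113.7
2022-10-03T09:00:02Z alice push_denied 203.0.113.7
2022-10-03T09:00:20Z alice push_sent 203.0.113.7
2022-10-03T09:00:25Z alice push_denied 203.0.113.7
2022-10-03T09:00:41Z alice push_sent 203.0.113.7
2022-10-03T09:00:50Z alice push_timeout 203.0.113.7
2022-10-03T09:01:10Z alice push_sent 203.0.113.7
2022-10-03T09:01:12Z alice push_denied 203.0.113.7
2022-10-03T09:01:30Z alice push_sent 203.0.113.7
2022-10-03T09:01:33Z alice push_approved 203.0.113.7
2022-10-03T09:05:00Z bob push_sent 198.51.100.4
2022-10-03T09:05:03Z bob push_approved 198.51.100.4
"""

PUSH_EVENTS = {"push_sent", "push_denied", "push_timeout", "push_approved"}


def parse_events(text):
    """Parse the constructed log lines into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        if event not in PUSH_EVENTS:
            raise ValueError(f"unknown event type: {event}")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Detection logic: flag any user who received `threshold` or more push
    prompts inside a sliding `window`, and record whether a prompt was
    approved after the burst began (the attacker's success condition).

    Returns {user: {"prompts": int, "approved_after_burst": bool, "sources": set}}.
    """
    findings = {}
    recent = defaultdict(deque)  # user -> timestamps of push_sent inside the window
    for ts, user, event, ip in events:
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop prompts that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    user, {"prompts": 0, "approved_after_burst": False, "sources": set()})
                f["prompts"] = max(f["prompts"], len(q))
                f["sources"].add(ip)
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
    return findings


def push_allowed(sent_times, now, limit=3, window=timedelta(minutes=10)):
    """Preventive control the identity provider applies before issuing another
    push prompt: once `limit` prompts have gone out within `window`, refuse to
    send more and fall back to a challenge the attacker cannot pass by
    persistence alone (number matching, a typed OTP, or a FIDO2 authenticator).
    """
    in_window = [t for t in sent_times if now - t <= window]
    return len(in_window) < limit


if __name__ == "__main__":
    for user, f in detect_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {f['prompts']} prompts in window, "
              f"approved_after_burst={f['approved_after_burst']}, "
              f"sources={sorted(f['sources'])}")
```

Run against the sample, `detect_fatigue` flags only `alice` (five prompts in under two minutes, followed by an approval), while `bob`'s single prompt is ignored. The `approved_after_burst` flag is the one worth paging on: a burst that ends in a denial is an attempt, a burst that ends in an approval is a probable compromise and the session should be revoked. `push_allowed` is the matching control on the sending side; with the assumed limit of three prompts per ten minutes, an attacker's login script stops generating notifications after the third attempt instead of wearing the user down.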
Key Lesson: Best Practices Must be Followed
Attacks on crypto exchanges, bridges, and services directly affect individuals and their accounts, and they contribute to the volatility of cryptocurrencies in general. The weaknesses listed above are not the only ones leading to attacks on DeFi platforms, but they occur often enough to show that proper cyber hygiene is necessary no matter how cutting-edge the technology is. Care for the software supply chain and due-diligence measures such as code audits, API security, and MFA are established best practice, but they only protect your organization if they are actually in place.
With Cybersecurity Awareness Month in mind, take these concrete examples of software supply chain security, API security, and MFA to heart. Properly implemented, these security measures help protect your organization against attack, whether it operates on premises with legacy systems or is pioneering Web3. Attend the Cybersecurity Leadership Summit or check out research on the security topic of your choice with KuppingerCole Analysts.