The figures are in: October was the busiest month for crypto protocol exploits this year, with some $760 million stolen. The cumulative total for crypto hacks in 2022 is now at least $2.98 billion, already more than double the amount stolen through exploits in 2021, according to blockchain security firm Peckshield.
Peckshield released those figures on Halloween night, giving credence to the term “Hacktober” some industry participants have taken to using. Not a week has gone by without some exploit in crypto making the news. Peckshield estimated there were at least 44 exploits involving some 53 protocols in October.
November, too, is already off to a rocky start. On Wednesday, Deribit halted customer withdrawals from its derivatives exchange so it could patch a bug in its hot wallet that led to a loss of $28 million in bitcoin (BTC), ether (ETH) and the stablecoin USDC. Then the Solana-based decentralized finance (DeFi) protocol Solend announced a $1 million exploit. Meanwhile, a new Lightning Network bug has been discovered that can cause transactions to fail on the Bitcoin scaling and payments layer.
That some $100 million of the funds stolen in October have so far been returned is cold comfort. Crypto has become a den of liars, thieves and exploiters – in a way that may have permanently stained the industry’s reputation. Also of little relief is the fact that crypto, once thought to be the den of illicit dark-net behavior, accounts for just a fraction of global crime. That may be because open, verifiable blockchains are bad places to do bad things. But even with only a small percentage of total crypto transactions tied to criminal behavior, hacks will continue to tarnish the industry’s reputation.
Apart from scaring off potential participants, hacks have real consequences for how authorities will regulate the industry. The $625 million Ronin bridge exploit in March – the second-most lucrative month of 2022 for hackers – was thought to have been perpetrated by North Korean keyboard warriors, and it eventually led to the sanctioning of the Ethereum-based crypto mixer Tornado Cash by the U.S. Treasury Department.
Exploits come in all shapes and sizes. Bridges, the communication portals between different blockchains that often require users to park collateral before getting on, seem like particularly vulnerable targets. It’s clear today that crypto needs more resilient infrastructure if the “multi-chain” world will ever become a reality.
Some schemes exploit crypto and DeFi’s fundamental design rather than any bug. In 2020, amid the rise of DeFi, the industry saw the rise of the “flash loan” attack. Flash loans themselves are not buggy code but a financial mechanism that some consider desirable: they let people borrow significant amounts of crypto and repay the loan within a single block – and they are sometimes manipulated so that users can walk away with the money having paid no more than a few transaction fees.
Another growing area of concern is protocols that rely on blockchain oracles to feed them real-world data. Last month, a hacker manipulated price feeds to take out a $116 million loan on Mango Markets, draining the protocol’s liquidity. That attack, one of three that occurred on Oct. 12, seems to have been replicated in Wednesday’s Solend breach.
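To make the two preceding paragraphs concrete, here is an added simulation (not code from the article or from any protocol it names) of why a lending protocol that values collateral at a single in-block spot price is exposed, and how a time-weighted average price (TWAP) with a deviation bound blunts the move. The pool is a constant-product AMM, and every number, name and threshold is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product AMM (x * y = k) serving as the collateral price source."""
    token: float   # reserve of the collateral token
    usdc: float    # reserve of the quote asset

    def spot_price(self) -> float:
        return self.usdc / self.token

    def buy_token(self, usdc_in: float) -> float:
        """Swap usdc_in for token within one block; returns token received.
        A large single swap moves the spot price, which is what a price-feed
        manipulation relies on when the protocol reads the pool directly."""
        k = self.token * self.usdc
        new_usdc = self.usdc + usdc_in
        new_token = k / new_usdc
        received = self.token - new_token
        self.token, self.usdc = new_token, new_usdc
        return received


def twap(history: list[float]) -> float:
    """Time-weighted average price over prior blocks (one observation per block)."""
    return sum(history) / len(history)


def borrow_limit_spot(pool: Pool, collateral: float, ltv: float) -> float:
    """Weak design: collateral valued at the current in-block spot price."""
    return collateral * pool.spot_price() * ltv


def borrow_limit_guarded(pool, history, collateral, ltv, max_dev):
    """Hardened design: collateral valued at the lower of spot and TWAP,
    with a flag raised when spot deviates from TWAP by more than max_dev."""
    reference = twap(history)
    spot = pool.spot_price()
    deviation = abs(spot - reference) / reference
    return collateral * min(spot, reference) * ltv, deviation > max_dev


def scenario():
    """Constructed numbers: pool at $1, ten prior blocks at $1, one large
    buy, then a borrow against 100,000 tokens at 80% loan-to-value."""
    pool = Pool(token=1_000_000, usdc=1_000_000)
    history = [pool.spot_price()] * 10
    pool.buy_token(4_000_000)            # spot jumps from 1.0 to 25.0
    spot_limit = borrow_limit_spot(pool, 100_000, 0.8)
    guarded_limit, flagged = borrow_limit_guarded(pool, history, 100_000, 0.8, 0.10)
    return spot_limit, guarded_limit, flagged


if __name__ == "__main__":
    print(scenario())   # (2000000.0, 80000.0, True)
```

The spot-priced design lends $2 million against collateral the rest of the market values at $100,000; the guarded design lends $80,000 and flags the quote, leaving the manipulated swap with nothing to extract but its own fees.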
It’s hard to stop attacks that seem to rely on DeFi’s core functions and promise: permissionless transactions. This is an echo of crypto’s long-running problem with rug pulls, which at one time seemed to be the source of most stolen funds. According to a report by the Multidisciplinary Digital Publishing Institute initially published in early 2022 and recently updated, some 97% of token listings were connected to “malicious” activity.
Experts have criticized that data, which analyzed 27,000 tokens, saying that not every low-effort phishing or pyramid scheme has takers. Some, like Mark Zeller, vice president of the DeFi committee at L’Adan, a French digital asset industry group, said crypto users know the risks when they decide to get involved. That’s likely the case for people who know how to bridge crypto across blockchains or provision liquidity in decentralized money markets.
But that argument is less convincing for crypto platforms like the lenders Celsius Network and Voyager Digital, which advertised to the masses and offered user experiences similar to those of legitimate banking and trading apps. DeFi, too, is moving to professionalize and polish its on-ramps. Maybe it can clear out the bugs.