Diving into DeFi — Crypto Crime in DeFi
Merkle Science
Decentralized Finance (DeFi), widely touted as the next frontier of fintech innovation, has grown exponentially over the past year. The DeFi market cap has risen 382% since the beginning of the year, setting a new all-time high at $95.7 billion. However, the surge in the DeFi industry’s growth has also drawn the interest of bad actors, leading to a rise in attacks in the DeFi space.
With DeFi quickly gaining traction, it is essential for the industry players — from crypto businesses and financial institutions to regulators and law enforcement agencies — to understand the lay of the land and how the DeFi ecosystem works. Merkle Science recently published “Diving into DeFi: Fundamentals from the Financial Frontier” — a comprehensive primer highlighting some of the DeFi risks that individuals and businesses should be aware of when engaging with the DeFi ecosystem.
The U.S. Regulators Signal Intensified DeFi Focus
With an increase in DeFi-related attacks, regulatory scrutiny around DeFi is also increasing. To ensure investor protection and maintain market integrity, regulators are closely monitoring the DeFi space and enacting new regulations to mitigate the risks originating from different DeFi use cases. Therefore, financial institutions and platforms engaging in DeFi activities should put compliance at the forefront and adopt a risk-based approach.
Chairman of the U.S. Securities and Exchange Commission (SEC), Gary Gensler, in an interview discussed the possibility of bringing DeFi under the purview of the SEC, stating that “these peer-to-peer networks, so far completely unregulated in the U.S., may not be immune from oversight. Some decentralized finance projects have features that make them look like the types of entities the SEC oversees.” Further, in his speech at the Aspen Security Forum, Gensler also requested greater support and resources from Congress, highlighting that legislative priority should center on crypto transactions, crypto trading, and DeFi platforms as regulators try to pave the way for crypto to exist in a regulated, consumer-protected way.
On 6 August 2021, the U.S. Securities and Exchange Commission brought its first enforcement action involving DeFi technology, alleging that the Cayman Islands-based company Blockchain Credit Partners and two of its top executives illicitly issued unregistered securities and misled investors from February 2020 to February 2021.
Representative Beyer’s Digital Asset Market Structure and Investor Protection Act places an obligation on the Federal Reserve, SEC, CFTC, Office of the Comptroller of the Currency, and the Treasury to submit a report summarizing DeFi in the U.S. and (among other things) provide recommendations regarding appropriate DeFi regulation and investor protection, and various legal obligations with regard to DeFi hacks, fraud, and manipulation.
Crypto Crime in DeFi
As DeFi gained popularity in the last two years, DeFi scams have not only increased in frequency but also in size. Below are some of the most notable DeFi hacks and scams that have occurred in 2021.
Rug pulls
Rug pulls are exit scams that happen when cryptocurrency promoters disappear with investors' money during or after an initial coin offering (ICO). DeFi rug pulls are the new iteration of this type of scam, whereby crypto developers abandon a project and run away with investors' funds by draining the liquidity pool into their own private wallets. On 4 March 2021, Meerkat Finance — a yield farming project launched on the Binance Smart Chain — fell victim to a rug pull.
Meerkat Finance, within 48 hours of its inception, informed its users through its official Telegram channel that its smart contract vault had been compromised by malicious actors. According to the Meerkat developer team, $31 million was siphoned from the account and supposedly moved to several new blockchain addresses that might have been created for this sole purpose. However, on-chain data showed that the supposed hacker(s) drained the funds by altering Meerkat's smart contract, which contains the project's vault business logic, using the original Meerkat deployer's account. This means that either the private key of the Meerkat deployer was stolen or the move was initiated by the project itself.
Flash Loan Attacks
Flash loans are a new type of uncollateralized loan enforced by smart contracts, which let a borrower obtain the required amount without putting up any capital, provided the loan is repaid within the same transaction. Flash loan attacks are smart contract exploits wherein an attacker takes out a flash loan from a DeFi protocol to manipulate the market and exploit software vulnerabilities within the code.
On 13 February 2021, Alpha Homora, a leveraged liquidity protocol, fell victim to a flash loan attack. The attackers stole $37 million from Alpha Homora by exploiting C.R.E.A.M. Finance’s Iron Bank service, which gives out uncollateralized loans to smart contracts. Since Alpha Homora V2 was integrated with Iron Bank only for protocol lending, the debt was created only between the two protocols, not the users.
The attackers used the Alpha Homora dApp to borrow sUSD (a USD-pegged token enabled by the Synthetix protocol) from Iron Bank. Each time, they borrowed almost twice as much as in the previous loan.
The attacker then lent the borrowed sUSD back to Iron Bank, receiving Yearn Synth sUSD (cySUSD) in return. At some point, the attacker borrowed 1.8 million USDC (a stablecoin pegged to the US dollar) from Aave using a flash loan, and swapped the USDC for sUSD using Curve.
The attacker lent this sUSD back to Iron Bank, continuing the lending and borrowing cycle and receiving cySUSD in return each time. Some sUSD was spent on repaying the flash loan from Aave. This enabled the attacker to keep borrowing and lending more sUSD and receiving cySUSD in return. Basically, the hackers rinsed and repeated this process many times, which allowed them to accumulate massive amounts of cySUSD that they in turn used to borrow other cryptocurrencies from Iron Bank.
Users were not affected by the flash loan attack, as the debt was between Alpha Homora V2 and Iron Bank. To mitigate the negative impact on Alpha Finance's users, the Alpha team partnered with Yearn Finance’s founder Andre Cronje and the C.R.E.A.M. Finance team to resolve the debt.
Reentrancy Attack
In a reentrancy attack, a bug in the smart contract allows an attacker to call back into the contract and withdraw funds repeatedly, in a loop, before the contract has finished processing the original transaction and recorded that the funds have already been paid out. On 31 August 2021, C.R.E.A.M. Finance once again suffered a serious exploit, wherein the attacker stole nearly $35 million in ETH and AMP from the platform.
According to the C.R.E.A.M. Finance post mortem on the AMP exploit, the exploit took place through two transactions: one main exploit and a smaller copycat. The main exploit was executed in just one transaction “by way of reentrancy on the AMP token contract.” The attacker used a “reentrancy attack” against the protocol’s “flash loan” feature to steal 462,079,976 AMP tokens and 2,804.96 ETH. Amp is an Ethereum token that aims to collateralize payments on the Flexa Network, making them instant and secure. The root cause of the exploit was the erroneous integration of AMP into the C.R.E.A.M. Finance protocol.
After the attack, C.R.E.A.M. Finance paused its AMP supply and borrow functions, promising to re-enable the AMP market once a patch could be safely deployed. Further, C.R.E.A.M. Finance also promised to replace the stolen ETH and AMP to prevent any liquidity issues for its users. It also committed to allocating 20% of all protocol fees toward repayment until the user debt was fully paid.
C.R.E.A.M. Finance invited the main exploiter to send back the stolen funds in return for keeping 10% as a bug bounty. Additionally, it stated that it would provide a 50% share of the total funds returned as a bounty reward to anyone who identified the attacker or provided information leading to their successful arrest.