London-based cryptocurrency trading platform Wintermute saw cyberattackers take off with $160 million this week, likely due to a security vulnerability found in a partner’s code. The incident highlights deep concerns about the implementation of security for this financial sector, according to the researchers.
Wintermute founder and CEO Evgeny Gaevoy took to Twitter to say the heist targeted the company’s decentralized finance (DeFi) arm, and that while the incident could disrupt some operations “for a few days”, the company is not existentially impacted.
“We are solvent with twice this amount in equity”, he tweeted. “If you have a [money-management] agreement with Wintermute, your funds are safe. There will be a disruption to our services today and potentially for the next few days and we will return to normal after.”
He also said around 90 assets were affected and appealed to the culprit: “We are (always) open to treating this as a white hat [incident] so if you are the aggressor, contact us.”
Meanwhile, he explained at Forbes that the “white hat” comment means Wintermute is offering a $16 million “bug bounty” if the cyberattacker returns the remaining $144 million.
Filled with profanity
He also told the outlet that the theft likely traces back to a bug in a service called Profanity, which allows users to assign a readable ID to their cryptocurrency accounts (normally, account addresses consist of long gibberish strings of letters and numbers). The vulnerability, revealed last week, allows attackers to recover the private keys that control Ethereum wallets generated with Profanity.
According to Forbes, Wintermute was using 10 Profanity-generated accounts to make quick trades in its DeFi business. DeFi networks connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions. When news of the bug broke, the crypto firm attempted to take the accounts offline, but due to “human error”, one of the 10 accounts remained vulnerable and allowed attackers to enter the system, Gaevoy said.
“Some of them [DeFi] also involve third-party integrations and connections where the business may not have the ability to control the source code, which introduces additional risk to the business,” Karl Steinkamp, director of Coalfire, told Dark Reading. “In this case, a vanity digital asset address provider, Profanity, was leveraged in the attack… A costly and preventable mistake for Wintermute.”
DeFi exchanges will become a target
Bishop Fox analysts earlier this year found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of losses came from unsophisticated attacks, according to the report, which points to the difficulty of locking down a sector that relies on automated transactions.
And, just last month, the FBI released a warning that cybercriminals are increasingly exploiting vulnerabilities in DeFi platforms to steal cryptocurrency, to the tune of $1.3 billion between January and March 2022 alone.
The researchers note that the increased adoption and appreciation of digital asset prices has attracted, and will continue to attract, the attention of malicious individuals, as will the lax state of security in the DeFi space.
“A lot of these companies are growing at such a rapid pace, customer acquisition is their primary focus,” says Mike Puterbaugh, CMO at Pathlock. “If internal security and access controls are secondary to ‘grow at all costs’, there will be gaps in application security that will be exploited.”
The obstacles to strengthening DeFi security are many; the Wintermute CEO noted that it was difficult to find suitable tools.
“You have to sign transactions on the fly, in seconds,” Gaevoy told Forbes, adding that Wintermute had to create its own security protocols because the tools are lacking. He also admitted that Profanity does not offer multi-factor authentication, but the company decided to use the service anyway. “At the end of the day, that’s the risk we took. It was calculated,” he added.
Steinkamp notes, “Depending on the architecture of the DeFi platform, there can be several challenges in securing them. These can range from third-party risk, crypto bridge bugs, to human error and lack of secure software development, to name a few.”
And Puterbaugh points out that even with out-of-the-box controls and configurations enabled, customizations and integrations could create weaknesses in overall security.
Best Practices for Strengthening DeFi Security
Despite the challenges, there are nevertheless best practice approaches that DeFi platforms should implement.
For example, Puterbaugh says that implementing access controls with every new application deployment, along with ongoing checks for access conflicts or application vulnerabilities, is key, especially when it comes to easily portable digital currency.
Additionally, “companies in the DeFi space need to perform regular internal and external testing of their platforms to continually ensure that they are proactively mitigating threats,” according to Steinkamp. He adds that companies should also implement additional strong security measures as part of transactional security, including multi-factor authentication and alert triggers on suspicious and/or malicious transactions.
Every layer helps, he adds. “Which would you rather try to gain access to: a house with the door open or a castle with a moat and a drawbridge?” he says. “DeFi companies will continue to be prime targets for cyber thieves until they put in place adequate security and process controls to make attacking their platforms less attractive.”