'Financial hacking' plagues DeFi in latest setback for crypto

Decentralized finance, the once red-hot slice of the crypto universe that was at the center of this year's collapse of the digital-asset world, is facing a rapidly increasing new challenge: financial hacking.

After hackers for years sought to exploit coding flaws to siphon funds from crypto projects, more assailants are now using the automated software programs that power DeFi platforms to manipulate transactions to gain control of the millions of dollars in assets locked in various protocols that allow users to borrow and lend without intermediaries.


Over the past weekend, the DeFi application Mango DAO agreed to let a self-proclaimed trader keep almost half of the $100 million in assets he seized in exchange for releasing the rest of the funds while promising no criminal prosecution. The technique used by the Mango exploiter has been tied to other high-profile attacks. Harvest Finance lost $34 million in 2020, while Beanstalk was hit for $182 million in April. On Tuesday, the decentralized credit platform Moola Market suffered a $9 million exploit.

The rising trend appears to fall into a gray area legally, putting the industry at a crossroads. Transgressors and other hardcore crypto enthusiasts consider these maneuvers, as the Mango exploiter wrote, "a profitable trading strategy." That's leading industry participants to call for greater regulatory clarity to quash the practice, which risks further eroding investor confidence as the blockchain sector contends with a steep market downturn. Others are calling it outright financial manipulation.

"We're sort of driving cars without seat belts right now," said Ken Deeter, a partner at Electric Capital, a venture-capital firm that has invested in companies like digital-asset exchange Kraken and the nonfungible token marketplace Magic Eden.

'Financial hacking'

The Mango attacker used two accounts funded with the stablecoin USD Coin to take large positions in Mango perpetual swaps, which are futures that allow traders to keep a position open. That helped to push up the token's spot price, which allowed the exploiter to use the now more valuable position as collateral for loans that drained roughly $100 million from the protocol, leaving depositors with nothing.

"This is different from the code exploits we've typically seen this year in hacks of DeFi services, and not something that increased security measures can simply prevent," said Erin Plante, vice president of investigations at the crypto-security firm Chainalysis.

The incident amounts to "financial hacking," a phenomenon unique to crypto, according to Steve Walbroehl, co-founder and chief information security officer of Halborn, a blockchain-security startup. In these scenarios, perpetrators are taking advantage of the interconnectedness of different DeFi platforms as well as the lack of credit checks and other safety controls used in traditional finance. They then subvert the market to their own benefit.
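A simplified model of the valuation step described in the Mango account above, added here as an example and not code from the article, Bloomberg or the Mango protocol: it shows how collateral valued at the latest spot print inflates borrowing power after a single-observation price spike, and how a time-weighted average, a deviation circuit breaker and a per-asset borrow cap (the kind of safety control the Halborn quote refers to) bound it. All prices, position sizes and thresholds are constructed.

```python
from collections import deque
from statistics import median

# Constructed scenario: a thinly traded token prints $0.03 for seven
# observations, then one observation prints $0.91 after a large leveraged
# buy. Illustrative numbers, not Mango's actual prices or position sizes.
CALM_PRICES = [0.03] * 7
SPIKE_PRICE = 0.91
COLLATERAL_UNITS = 100_000_000  # hypothetical collateral position

class CollateralValuer:
    """Values the same collateral three ways from a trailing price window."""
    def __init__(self, window=8, max_deviation=0.5):
        self.prices = deque(maxlen=window)
        self.max_deviation = max_deviation  # allowed move vs trailing median

    def observe(self, price):
        self.prices.append(price)

    def spot(self, units):
        # Naive: trust the latest print, however it was produced.
        return units * self.prices[-1]

    def twap(self, units):
        # Averaging over the window blunts a single-observation spike.
        return units * sum(self.prices) / len(self.prices)

    def guarded_spot(self, units):
        # Deviation circuit breaker: pause new borrows while the latest
        # print sits far from the trailing median.
        ref = median(self.prices)
        if abs(self.prices[-1] - ref) / ref > self.max_deviation:
            raise ValueError("spot deviates from reference; borrowing paused")
        return units * self.prices[-1]

def borrow_limits(valuer, units, ltv=0.75, borrow_cap=5_000_000):
    """Max loan under each valuation; borrow_cap is a credit control that holds
    regardless of what the price feed reports."""
    limits = {"spot": valuer.spot(units) * ltv, "twap": valuer.twap(units) * ltv}
    try:
        limits["guarded"] = valuer.guarded_spot(units) * ltv
    except ValueError:
        limits["guarded"] = 0.0  # borrowing paused, nothing can be drawn
    limits["capped"] = min(limits["spot"], borrow_cap)
    return limits

def run_scenario():
    v = CollateralValuer()
    for price in CALM_PRICES + [SPIKE_PRICE]:
        v.observe(price)
    return borrow_limits(v, COLLATERAL_UNITS)
```

Under the spike, spot valuation lets the position borrow about $68 million, the TWAP about $10.5 million, the guarded feed nothing, and the cap holds the spot case to $5 million.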

"This whole open financial system of democratized service and access to funding is great, but also opens up vulnerabilities for it to be used as a weapon against itself," Walbroehl said.

Mango's decision only seemed to embolden the self-declared alleged exploiter, who goes by Avraham Eisenberg on Twitter. Just days after Mango reached the agreement, he has begun to circulate similar strategies for use on the Aave lending platform. Eisenberg declined to confirm his identity when contacted by Bloomberg News.

Hypothetically, someone demonstrates a profitable trading strategy on Aave V2 in Minecraft chain. They show how you can turn $100M into $200M, and possibly into $500M. How much should Aave pay them? — Avraham Eisenberg (@avi_eisen) October 18, 2022

Chris Tarbell, co-founder of the cybersecurity firm NAXO, said Aave should take the tweet as a threat. "It's not an arrestable offense — no threat of bodily harm, but if I were internal to this company, I'd certainly be worried. This is using weaknesses in the system to his advantage."

Tarbell, who is also a former Federal Bureau of Investigation special agent and has helped arrest the notorious crypto hacker and darknet website operator Ross Ulbricht, said exploits like the Mango hack are illegal.

"Someone holds $150 million that's not their property and uses your own property against you — to me that's a crime," Tarbell said.

On Wednesday, the Eisenberg account claimed that they had been advised that Aave "is perfectly safe." They provided their trading strategy in a text-message screenshot, which laid out a playbook similar to the Mango attack.

I've been advised aave is perfectly safe so here's the potential trading strategy. Not financial or legal advice, but if you do make 9 figures on this feel free to send a tip

Note that starting with more initial capital increases success odds and profit percentage pic.twitter.com/HKAF7Y5ogM — Avraham Eisenberg (@avi_eisen) October 19, 2022

Tarbell said Eisenberg's tweets show that the exploiter perhaps craves admiration. "Someone comes in and commits a bank robbery, they rarely take the mask off," he said. "This guy takes off the mask."

— With assistance from Emily Nicolle and Philip Lagerkranser.

Bloomberg News