'Financial hacking' plagues DeFi in latest setback for crypto

Decentralized finance, the once red-hot slice of the crypto universe that was at the center of this year's collapse of the digital-asset world, is facing a rapidly increasing new challenge: financial hacking.

After hackers for years sought to exploit coding flaws to siphon funds from crypto projects, more assailants are now using the automated software programs that power DeFi platforms to manipulate transactions to gain control of the millions of dollars in assets locked in various protocols that allow users to borrow and lend without intermediaries.

Relentless Hacking Is Turning All of Us Into Data Nihilists
Chris Ratcliffe/Bloomberg

Over the past weekend, the DeFi application Mango DAO agreed to let a self-proclaimed trader keep almost half of the $100 million in assets he seized in exchange for releasing the rest of the funds while promising no criminal prosecution. The technique used by the Mango exploiter has been tied to other high-profile attacks. Harvest Finance lost $34 million in 2020, while Beanstalk was hit for $182 million in April. On Tuesday, the decentralized credit platform Moola Market suffered a $9 million exploit.

The rising trend appears to fall into a gray area legally, putting the industry at a crossroads. Transgressors and other hardcore crypto enthusiasts consider these maneuvers, as the Mango exploiter wrote, "a profitable trading strategy." That's leading to industry participants to call for greater regulatory clarity to quash the practice, which risks further eroding investor confidence as the blockchain sector contends with a steep market downturn. Others are calling it outright financial manipulation.

"We're sort of driving cars without seat belts right now," said Ken Deeter, a partner at Electric Capital, a venture-capital firm that has invested in companies like digital-asset exchange Kraken and the nonfungible token marketplace Magic Eden.

'Financial hacking'

The Mango attacker used two accounts funded with the stablecoin USD Coin to take large positions in Mango perpetual swaps, which are futures that allow traders to keep a position open. That helped to push up the token's spot price, which allowed the exploiter to use the now more valuable position as collateral for loans that drained roughly $100 million from the protocol, leaving depositors with nothing.

"This is different from the code exploits we've typically seen this year in hacks of DeFi services, and not something that increased security measures can simply prevent," said Erin Plante, vice president of investigations at the crypto-security firm Chainalysis.

The incident amounts to "financial hacking," a phenomenon unique to crypto, according to Steve Walbroehl, co-founder and chief information security officer of Halborn, a blockchain-security startup. In these scenarios, perpetrators are taking advantage of the interconnectedness of different DeFi platforms as well as the lack of credit checks and other safety controls used in traditional finance. They then subvert the market to their own benefit.

"This whole open financial system of democratized service and access to funding is great, but also opens up vulnerabilities for it to be used as a weapon against itself," Walbroehl said.

Mango's decision only seemed to embolden the self-declared alleged exploiter, who goes by Avraham Eisenberg on Twitter. Just days after Mango reached the agreement, he has begun to circulate similar strategies for use on the Aave lending platform. Eisenberg declined to confirm his identify when contacted by Bloomberg News.

Hypothetically, someone demonstrates a profitable trading strategy on Aave V2 in Minecraft chain. They show how you can turn $100M into $200M, and possibly into $500M. How much should Aave pay them? — Avraham Eisenberg (@avi_eisen) October 18, 2022

Chris Tarbell, co-founder of the cybersecurity firm NAXO, said Aave should take the tweet as a threat. "It's not an arrestable offense — no threat of bodily harm, but if I were internal to this company, I'd certainly be worried. This is using weaknesses in the system to his advantage."

Tarbell, who is also a former Federal Bureau of Investigation special agent and has helped arrest the notorious crypto hacker and darknet website operator Ross Ulbricht, said exploits like the Mango hack are illegal.

"Someone holds $150 million that's not their property and uses your own property against you — to me that's a crime," Tarbell said.

On Wednesday, the Eisenberg account claimed that they had been advised that Aave "is perfectly safe." They provided their trading strategy in a text message screen-shot, which provided a playbook similar to the Mango attack.

I've been advised aave is perfectly safe so here's the potential trading strategy. Not financial or legal advice, but if you do make 9 figures on this feel free to send a tip

Note that starting with more initial capital increases success odds and profit percentage pic.twitter.com/HKAF7Y5ogM— Avraham Eisenberg (@avi_eisen) October 19, 2022

Tarbell said Eisenberg's tweets show that the exploiter perhaps crave admiration. "Someone comes in and commits a bank robbery, they rarely take the mask off," he said. "This guy takes off the mask."

— With assistance from Emily Nicolle and Philip Lagerkranser.

Bloomberg News
Cyber security Fraud Cryptocurrency
MORE FROM AMERICAN BANKER