London-based cryptocurrency market maker Wintermute saw cyber attackers make off with about $160 million this week, most likely because of a vulnerability in a third-party tool the firm had used to generate wallet addresses. The incident highlights deep concerns about how security is implemented in this corner of the financial sector, researchers say.
Wintermute founder and CEO Evgeny Gaevoy took to Twitter to say that the robbery targeted the company’s decentralized finance (DeFi) arm, and that while the incident could disrupt some operations “for a few days,” the company is not existentially affected.
“We are solvent with twice as much equity left,” he tweeted. “If you have one [money-management] deal with Wintermute, your money is safe. There will be an interruption in our services today and potentially for the next few days and will return to normal after.”
He also said around 90 assets were affected and appealed to the culprit: “We are (still) open to treating this as a white hat [incident] so if you are the attacker – get in touch.”
Meanwhile, he explained to Forbes that the “white hat” comment means that Wintermute is offering a “bug bounty” of $16 million if the cyber attacker returns the remaining $144 million.
Filled with profanity
He also told the outlet that the theft likely traces back to a bug in Profanity, an open-source tool that generates Ethereum “vanity” addresses: addresses that begin with a prefix the user chooses, rather than the usual random-looking string of hexadecimal characters. The vulnerability, disclosed last week, stems from Profanity seeding its random number generator with only 32 bits of entropy. Every key it ever produced therefore comes from a space of at most about 4.3 billion candidates, small enough for an attacker to enumerate and recover the private key behind any Profanity-generated address.
Wintermute used 10 Profanity-generated addresses to make fast trades as part of its DeFi business, according to Forbes. DeFi protocols use smart contracts on public blockchains to offer lending, trading and other financial services without a traditional intermediary. When news of the bug broke, the firm moved to retire the addresses, but due to “human error” one of the 10 was left in place and remained vulnerable, giving the attacker a way in, Gaevoy said.
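To make the failure mode concrete, the following is an added example, written for this page, and not Profanity’s code or anything Wintermute ran. It models a key generator driven by a small integer seed: `key_from_seed` and `address_of` are toy stand-ins (SHA-256 based) for the tool’s PRNG and for Ethereum’s secp256k1/keccak address derivation, the function names are hypothetical, the wallet inventory is constructed, and the seed space is shrunk from 32 to 16 bits so the search finishes in a moment. The same loop serves both sides described above: an attacker runs it to recover keys, and a defender runs it over their own address list to learn which wallets must be retired before an attacker gets there.

```python
"""Toy model of a key generator seeded with too few bits (added example, not
Profanity's code). The key and address derivations are stand-ins, not
secp256k1/keccak; the entropy argument does not depend on them."""
import hashlib
import secrets

PROFANITY_SEED_BITS = 32   # entropy the real tool fed its generator, per the 2022 disclosure
DEMO_SEED_BITS = 16        # shrunk so the brute force below finishes in well under a second


def key_from_seed(seed: int) -> bytes:
    """Deterministically expand a small integer seed into a 256-bit 'private key'.

    Stand-in for a PRNG seeded with `seed`. The exact expansion is irrelevant:
    a deterministic function of an n-bit input yields at most 2**n distinct
    outputs, however wide those outputs look.
    """
    return hashlib.sha256(b"toy-prng|" + seed.to_bytes(8, "big")).digest()


def address_of(private_key: bytes) -> str:
    """Toy address: 20 bytes derived from the key.

    Real Ethereum addresses are keccak256(secp256k1 public key)[-20:]; that step
    is replaced here so the example needs no elliptic-curve library.
    """
    return "0x" + hashlib.sha256(b"toy-addr|" + private_key).digest()[-20:].hex()


def recover_keys(targets: set[str], seed_bits: int) -> dict[str, tuple[int, bytes]]:
    """Enumerate every seed in a 2**seed_bits space and report which targets fall out.

    Returns {address: (seed, private_key)} for each target that was generated
    from a seed in that space. Addresses from a full-entropy key never match.
    """
    found: dict[str, tuple[int, bytes]] = {}
    for seed in range(1 << seed_bits):
        key = key_from_seed(seed)
        addr = address_of(key)
        if addr in targets:
            found[addr] = (seed, key)
            if len(found) == len(targets):
                break          # nothing left to look for
    return found


def safe_private_key() -> bytes:
    """256 bits straight from the OS CSPRNG: the search space is 2**256, not 2**32."""
    return secrets.token_bytes(32)


def work_factor(seed_bits: int) -> int:
    """Number of candidate keys an attacker must try in the worst case."""
    return 1 << seed_bits


if __name__ == "__main__":
    # Constructed inventory: two wallets made with the weak generator (demo seeds
    # 0xBEEF and 0x1234) and one made with a proper CSPRNG.
    weak_wallets = {address_of(key_from_seed(0xBEEF)), address_of(key_from_seed(0x1234))}
    strong_wallet = address_of(safe_private_key())
    inventory = weak_wallets | {strong_wallet}

    exposed = recover_keys(inventory, DEMO_SEED_BITS)
    print(f"wallets checked: {len(inventory)}, recoverable: {len(exposed)}")
    for addr, (seed, key) in exposed.items():
        print(f"  {addr} <- seed {seed:#x}, key {key.hex()[:16]}...")
    print(f"candidates for a real {PROFANITY_SEED_BITS}-bit seed: "
          f"{work_factor(PROFANITY_SEED_BITS):,}")
```

The audit use is the practical takeaway: if you ever generated addresses with a tool whose seeding you did not verify, enumerate its seed space yourself (or rely on a published enumeration) and move funds and admin rights off every address that turns up, rather than trusting a manual list of “the ten we made” that one slip can leave incomplete.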
“Some of these [DeFi] technologies also involve third-party integrations and connections where the company may not have the ability to control the source code, which leads to additional risk for the company,” Karl Steinkamp, director at Coalfire, told Dark Reading. “In this case, a vanity address provider for digital assets, Profanity, was exploited in the attack … An expensive and preventable mistake for Wintermute.”
DeFi exchanges will grow as a target
Analysts with Bishop Fox found earlier this year that DeFi platforms lost $1.8 billion to cyber attacks in 2021 alone. Across the 65 incidents observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the difficulty of locking down a sector that depends on automated transactions.
And just last month, the FBI issued a warning that cybercriminals are increasingly exploiting vulnerabilities in DeFi platforms to steal cryptocurrency, with $1.3 billion worth stolen between January and March 2022 alone.
Researchers note that growing adoption and price appreciation of digital assets have attracted, and will continue to attract, the attention of malicious actors, as will the lax security posture in the DeFi space.
“Many of these companies are growing at such a rapid pace that customer acquisition is their primary focus,” says Mike Puterbaugh, CMO at Pathlock. “If internal security and access control are secondary to ‘growth at any cost’, there will be gaps in application security that will be exploited.”
The obstacles to strengthening DeFi security are numerous; Wintermute’s CEO noted that finding suitable tooling is difficult.
“You need to sign transactions instantly within seconds,” Gaevoy told Forbes, adding that Wintermute had to build its own security protocols because off-the-shelf tools do not exist. He also admitted that Profanity did not offer multi-factor authentication, but the company decided to use the tool anyway. “At the end of the day, that’s the risk we took. It was calculated,” he added.
Steinkamp notes, “Depending on the architecture of the DeFi platform, there can be several challenges to securing them. These can range from risk from third parties, to crypto-bridge failures, human errors and the lack of secure software development, just to name a few.”
And Puterbaugh points out that even with out-of-the-box controls and configurations enabled, customizations and integrations can introduce weaknesses into the overall security posture.
Best practices for improving DeFi security
Despite the challenges, there are nonetheless best-practice approaches that DeFi platforms should implement.
For example, Puterbaugh recommends implementing access controls with each new app deployment, along with ongoing checks for access conflicts and application vulnerabilities, as key measures, especially when dealing with easily portable digital currency.
Also, “companies in the DeFi space must routinely conduct internal and external testing of their platforms to continuously ensure they are proactively mitigating threats,” according to Steinkamp. He adds that companies should also implement additional enhanced security measures as part of transaction security, including multi-factor authentication and alert triggers for suspicious and/or malicious transactions.
Every layer helps, he adds. “Which would you rather try to gain access to: a house with an open door or a castle with a moat and a drawbridge?” he says. “DeFi companies will continue to be prime targets for cyberthieves until they implement sufficient security and process controls to make attacks on their platforms less attractive.”