
There are many ways to make money in decentralized finance (DeFi), and there are just as many ways to lose it. Beyond buying the wrong token at the wrong time or ending up holding an illiquid non-fungible token (NFT), users also face scams and hacks, both of which are common.
Over the past three years, the tools we use to interact with DeFi, including web wallets, platforms, and protocols, have become more user-friendly. But at the same time, there has been an increase in phishing attempts, hacks, and fraud. An arms race is underway, with defenders of DeFi working to harden their protocols against attackers. It's a high-stakes battle over the future of DeFi.
Hackers Will Continue to Hack
There’s a common misconception that only new users fall prey to hackers. They make mistakes, click on phishing links, or respond to scam messages. While beginners are easy prey, the truth is that anyone can be a target. Even DeFi veterans can fall; all it takes is a moment of inattention.
Web3 platforms that prompt users to sign transactions to confirm wallet ownership are one such weakness. In many cases, it’s unclear what you’re signing or why you’re signing it. All a hacker needs is a compromised Twitter account or front-end code injection to turn a reputable web3 platform into a honeypot.
Defenders Will Continue to Defend
DeFi supporters, including white hats, security researchers, and interface designers, have been fighting back by providing users with tools to detect threats. Browser extensions have been developed that remind users of the permissions they grant each time they sign a transaction, and these can effectively detect malicious signing requests. However, the pop-ups caused by these extra steps run the risk of causing notification fatigue.
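As an added illustration (not code from any extension or vendor mentioned here), the sketch below shows the kind of check such an extension can run before a user signs: decode the calldata and state what permission it grants. It assumes the standard ERC-20 `approve` and NFT `setApprovalForAll` calls are the permissions of interest; the function name `describeSigningRequest`, the risk labels, and the "unlimited" threshold are hypothetical.

```javascript
// Added example: classify the permission a transaction's calldata would grant.
// Selectors are the standard ERC-20 / ERC-721 ones; risk labels are illustrative.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address spender, uint256 amount)
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address operator, bool approved)
};
const UNLIMITED_THRESHOLD = 1n << 255n; // assumption: anything this large is "unlimited"

// Return the i-th 32-byte ABI word that follows the 4-byte selector.
function word(hex, i) {
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}

function describeSigningRequest(tx) {
  const hex = (tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length % 2 !== 0) {
    return { risk: "unknown", summary: "calldata is not valid hex" };
  }
  if (hex.length === 0) return { risk: "low", summary: "no contract call data" };
  const name = SELECTORS[hex.slice(0, 8)];
  if (!name) return { risk: "unknown", summary: "unrecognised function 0x" + hex.slice(0, 8) };
  // Both calls take exactly two 32-byte arguments; anything else is not trusted.
  if (hex.length !== 8 + 2 * 64) {
    return { risk: "unknown", summary: name + " with malformed arguments" };
  }
  const grantee = "0x" + word(hex, 0).slice(24); // address is the low 20 bytes
  const value = BigInt("0x" + word(hex, 1));
  if (name === "approve") {
    if (value === 0n) return { risk: "low", grantee, summary: "revokes token allowance" };
    const unlimited = value >= UNLIMITED_THRESHOLD;
    return {
      risk: unlimited ? "high" : "medium",
      grantee,
      summary: unlimited ? "unlimited token allowance" : "allowance of " + value + " base units",
    };
  }
  // setApprovalForAll: the second word is a boolean.
  return value === 0n
    ? { risk: "low", grantee, summary: "revokes operator access to all NFTs" }
    : { risk: "high", grantee, summary: "operator can move every NFT in this collection" };
}
```

Surfacing only the "high" results is one way to limit the notification fatigue described above.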
Other solutions seek to gain insight into the smart contracts that DeFi users interact with to determine if they contain malicious code. Blockfence has developed an interface that warns web3 users of any dangers they may have inadvertently come into contact with. Its layers of protection combine sophisticated analytics, machine learning algorithms, and accumulated community data to build a larger picture of systemic risk. It recently rescued unsuspecting users from the ETH Denver phishing site.
These solutions must be complemented by tools that can protect against other attack vectors. Bridges, an important conduit for moving funds between blockchains, are a weak link. Last year, $2 billion was lost in bridge attacks, and the industry needs more robust solutions to move assets across chains and identify attacks before millions of dollars are stolen.
From white hat hackers fighting back to more powerful forensic tools for tracking and potentially freezing stolen funds, DeFi users are prepared. But until the amount of cryptocurrency stolen each year starts to decline, it's hard to say the good guys are winning the battle. Despite all the progress, DeFi remains vulnerable.

