Hacks of decentralized finance (DeFi) protocols have become a “full-time job” for professional attackers, according to the founder of blockchain security firm ImmuneFi.
Speaking to Decrypt at Web Summit 2024, ImmuneFi founder Mitchell Amador said that DeFi hacking has become “an infinitely sustainable and viable business”—though the crypto space is “unquestionably” getting safer.
DeFi hackers, he said, are “looking for more damage, more than ever—and their skills are also applicable in a number of different areas.” He explained that, “even if they're not getting sustainable hacks over the interim, they could be doing MEV, or other ways to monetize their very unique skillset.”
Despite that, Amador told Decrypt, the crypto space is “getting much safer, and at a very quick clip.” He pointed to the results of ImmuneFi’s Q3 2024 report, which found that losses from crypto hacks had dropped by 38% year-over-year, to just under $424 million.
In the year to date, Amador said, crypto losses from hacks have totaled “just over a billion dollars,” versus around $3 billion in 2022, and around $1.8 billion in 2023. “This is despite the increasing value of the industry as a whole, and the increasing value in on-chain assets as well. So on a per capita basis, the risk per dollar of value is going off a cliff.” While hacking incidents are up, he said, “we’re seeing very few of the large cases.”
He highlighted the October 2024 hack of Radiant Capital for $50 million as an example of the increasing sophistication of DeFi hacks, pointing the finger at North Korean hackers. “They went after the private keys by compromising the underlying machines and spoofing transactions in this funky kind of man-in-the-middle attack, which is very exotic.” Hackers are increasingly using social engineering to exploit vulnerabilities in DeFi protocols, he said, adding that “human beings are always the weakest link.”
In order to harden the world’s largest smart contract blockchain against attacks, ImmuneFi is hosting the Ethereum Protocol Attackathon, “the world’s largest code contest,” with a $1.5 million reward pool up for grabs.
“We’ve got hundreds and hundreds of hackers,” Amador said. “They’re all going to be throwing themselves at the Ethereum code base with $1.5 million on the line in order to show that they can find mission critical bugs and disclose them in time.”
“This is a new kind of procedure that the Ethereum Foundation has never done before,” he said, expressing his hope that the contest becomes a regular event, “hardening each and every new major iteration of the blockchain.”
While blockchain security is “the most picks-and-shovels, stable part of the crypto industry,” Amador expects the sector to be “indirect beneficiaries” of the incoming Trump administration and its crypto-friendly positioning.
Trump's proposed U.S. strategic Bitcoin reserve, Amador said, is “creating pressure” on European ministries to “begin adopting crypto more aggressively and to become much more friendly as a result,” adding, “I’ve seen this with my own eyes.”
“It does seem like it’s going to be a huge net benefit to the industry in terms of overall industry growth and friendliness,” he said, adding, “This is going to drive security activity in turn.”
For its part, ImmuneFi is planning to expand into “automated technologies,” including a “pretty big AI agent” that will coordinate the crowdsourcing of “proactive security measures,” Amador said.
“We’re taking the next logical step for bug bounties,” he added, “but they’re going to look completely different in two or three years than they do today—and it should be pretty wild.”
Edited by Andrew Hayward