  • Claudia Campisano

How can DeFi facilitate malicious operations?

Updated: Sep 6



DeFi is revolutionizing the concept of finance and opening flourishing opportunities for everyone who is crypto-savvy. But, as always happens with good things, it has its downsides. DeFi has a dark side that increasingly favors malicious operations, going against the purpose for which it was first created: to democratize finance.



Decentralization and the lack of regulation



We’ve already spoken about DeFi and its related benefits, downsides, and solutions. But today, due to the sanctions imposed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on the virtual currency mixer Tornado Cash, it’s become essential to talk about the lack of regulation that distinguishes the world of Decentralized Finance, and how to recognize all DeFi’s red flags.


DeFi protocol security and malicious operations



Decentralized lending and trading platforms are released daily because of the high interest-earning opportunities they offer. As the number of interesting crypto projects grows, so do the chances of scams. For these reasons, it is important to examine a project before investing money in it. Always read the whitepaper and understand how the project intends to solve its problem, but also read the code, because many mistakes are hidden in the lines of code, and they could be used to cheat you. The most common are function permissions (modifiers), typos, an incorrect number of digits, or variable value assignments. Keep in mind that if you aren't able to read and understand the code of a smart contract (because you're not a developer but only smitten with crypto and blockchain), there are useful tools like Token Sniffer for Ethereum or PooCoin for Binance Smart Chain (BSC), KuChain (KCC) and Polygon (Matic) that run automated audits of contracts to check whether they contain any malicious code. They should never be missing from your tool belt: they can also identify the trending and newest tokens as well as the latest scams.
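As an added illustration of the "function permission (modifier)" mistake mentioned above (this is not code from the original article, and it is not how Token Sniffer or PooCoin work), the Python sketch below applies a simple heuristic to Solidity source: it flags externally callable, state-changing functions with privileged-sounding names that have neither a custom modifier nor an inline `msg.sender` check. The `DemoToken` contract and the list of sensitive name prefixes are constructed assumptions.

```python
import re

# Constructed Solidity sample (not a real project): mint() lacks the onlyOwner
# modifier that setFee() carries, so any address could call it.
SAMPLE_CONTRACT = """
contract DemoToken {
    address public owner;
    uint256 public fee;
    mapping(address => uint256) public balanceOf;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function setFee(uint256 newFee) external onlyOwner { fee = newFee; }
    function mint(address to, uint256 amount) public {
        balanceOf[to] += amount;
    }
    function withdraw() external {
        require(msg.sender == owner, "not owner");
        payable(owner).transfer(address(this).balance);
    }
    function totalFee() public view returns (uint256) { return fee; }
}
"""

# Assumption: name prefixes that usually mark privileged operations.
SENSITIVE = re.compile(r"(mint|burn|set|withdraw|pause|upgrade)", re.I)
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
KEYWORDS = {"public", "external", "internal", "private", "view", "pure",
            "payable", "virtual", "override", "returns"}
INLINE_CHECK = re.compile(r"(require|if)\s*\([^;]*msg\.sender")

def body_of(src, open_idx):  # text between the '{' at open_idx and its matching '}'
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unguarded_functions(src):
    """Sensitive-named, externally callable, state-changing functions with no access check."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    findings = []
    for m in FUNC.finditer(src):
        # Words of the function header after the parameter list, minus any "(...)" groups.
        words = set(re.findall(r"[A-Za-z_]\w*", re.sub(r"\([^)]*\)", "", m.group(2))))
        exposed = words & {"public", "external"} and not words & {"view", "pure"}
        modifiers = words - KEYWORDS  # whatever is left is a custom modifier, e.g. onlyOwner
        guarded = modifiers or INLINE_CHECK.search(body_of(src, m.end() - 1))
        if SENSITIVE.match(m.group(1)) and exposed and not guarded:
            findings.append(m.group(1))
    return findings
```

Calling `unguarded_functions(SAMPLE_CONTRACT)` reports only `mint`; `setFee` is covered by its modifier, `withdraw` by its inline `require`, and `totalFee` is read-only.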


There are many significant DeFi security issues that you need to take into account. Among them are:

  • Wrong liquidity pool estimates;

  • Frontrunning attacks;

  • Rug pulls;

  • Inefficient access control;

  • 51% attacks;

  • Compromised private keys.


Identifying security vulnerabilities in the industry of DeFi protocols will provide enough protection for your investments.


An interesting article about top 10 DeFi security best practices.


A much-discussed case in the world of decentralized protocols is Tornado Cash, a dApp that uses zk-SNARK proofs to obscure transactions. Let’s see what it is and why the U.S. Department of the Treasury has sanctioned it.



What is Tornado Cash relayer?



“Tornado Cash is a virtual currency mixer or a cryptocurrency tumbler that operates on the Ethereum blockchain and facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin. Tornado Cash receives various transactions and mixes them before transmitting them to their recipients. While the purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors for money laundering.”

U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)


Here, you can read the official 2022 national money laundering risk assessment of the U.S. Department of the Treasury.


Tornado Cash is also a DAO (Decentralized Autonomous Organization) with its own project governance token called TORN, an ERC-20 token. It has been shuttered due to the sanctions and lost more than half its value this week. Several DeFi protocols, such as Aave, dYdX, and Uniswap, have banned some users from interacting with Tornado Cash.

In a few words, Tornado Cash is a crypto mixing service that mixes potentially identifiable funds with others to obscure the trail back to the fund’s source. The U.S. Treasury has banned it for suspected illicit cyber activities, including facilitation of heists, ransomware schemes, fraud, and other cybercrimes. Also, its developer Alexey Pertsev has been arrested in the Netherlands for malicious use of the code.



Is Tornado Cash untraceable? U.S. Government investigation and bans on the suspected virtual currency mixers Tornado Cash and Blender.io


“In August 2022, the OFAC sanctioned the virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group sanctioned by the U.S. in 2019, in the largest known virtual currency heist.

Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors’ funds derived from June 24, 2022, Harmony Bridge Heist, and at least $7.8 million from August 2, 2022, Nomad Heist. As amended, today’s action is being taken under Executive Order (E.O.) 13694 and follows OFAC’s May 6, 2022, designation of virtual currency mixer Blender.io.”

So reads the official statement on the website of the U.S. Department of the Treasury.

A full article about the U.S. Treasury sanctions on a DeFi protocol is here.

A deep dive into Tornado Cash sanctions.


What have we learned about Tornado Cash and DeFi's unregulated platforms?



This case has shown us that a regulatory plan for the world of DeFi is crucial. Small steps have been made, and regulation is “almost” occurring. In this historical period, it could be wise and far-sighted to think about developing your project using HyFi. To learn more about this concept, read our article on hybrid finance, an innovative way to merge CeFi and DeFi.

