FBI Recommends Audits and Active Monitoring for DeFi Projects

The FBI issued a Public Service Announcement regarding the rise of cyber hacks on DeFi platforms. Here are the key takeaways from the announcement on how investors can better protect themselves when engaging with DeFi platforms.

The crypto community has recently witnessed a ramp-up in authorities’ regulatory and law enforcement efforts to go after Web3 hackers and scammers. This coordinated effort even led to the ban of Tornado Cash, followed by the arrest of smart contract developer Alexey Pertsev. In addition to this enforcement angle, authorities are also encouraging investors to take preventative measures to avoid losing money to Web3 hacks. On August 29, 2022, the FBI issued a Public Service Announcement warning of the threat of DeFi hacks and giving clear recommendations to reduce the risk.

Here are 5 tips shared by the FBI and how CertiK can help:

1 - Verify the Project has been Properly Audited

The FBI advises making sure a DeFi project has undergone one or more rigorous code audits performed by independent auditors, to verify that there are no identified vulnerabilities or weaknesses. It also explains that projects that rely on crowdsourced solutions to identify and patch vulnerabilities are more vulnerable to hackers. Since many fraudulent projects use cheap, unreliable audit services or fake audit certificates, CertiK recommends verifying projects’ audits and evaluations directly on CertiK’s Security Leaderboard.

2 - Verify the Project has Live Security Monitoring

According to the FBI, every project should allocate resources to an incident response plan. As part of this suggestion, projects should institute real-time analytics and monitoring in order to quickly identify vulnerabilities and respond to indicators of suspicious activity. Indeed, post-deployment on-chain security monitoring has become essential. DeFi users can verify whether a specific project has implemented the Skynet solution, which continuously scans the contract code, analyzes on-chain performance data, detects and identifies anomalies, and displays actionable security and data insights on CertiK’s Security Leaderboard.

3 - Do Your Own Research (DYOR)

The FBI cautions DeFi investors to thoroughly research platforms, protocols, and smart contracts before making their own investment decisions. To facilitate this preliminary research, DeFi users can access detailed evaluations and insights on 3,700 projects on CertiK’s Security Leaderboard. By navigating through a project’s leaderboard page and its security audit, Web3 investors can check that the project team has been fully verified and issued a KYC Badge, which is an indicator of transparency, credibility, and accountability.

4 - Avoid Projects that Urge You to Invest Quickly

The FBI suggests being wary of DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts. Retail investors should never rush to invest because of a deadline, and project developers should not expedite their deployment before setting up the highest level of security for their users. Building a robust and secure system requires time and resources, and in Web3, when an enterprise is trying to rush retail investors, it is often a red flag for a high-risk project.

5 - Report Crypto-Crimes

Victims of Web3 hacks and scams can report them directly to the FBI, via The report should include the victim’s details, complete information about the transaction(s), all known information about the perpetrator, a summary of how it happened, and any other relevant information that could support the complaint. In addition to reporting Web3 crimes to the authorities, users can also warn the community by reporting the incident on CertiK’s Security Leaderboard. To do so, they can navigate to the project’s Security Leaderboard profile, click on the warning icon at the top right, and complete and submit the reporting form. Community alerts are shared in real time via @CertiKAlert.