Since 2019, hackers have raided DeFi protocols nearly 500 times, absconding with $6 billion, proving that the smart contracts upon which these platforms rely are no match for smarter miscreants.
These are trying times in the world of decentralized finance, a blockchain-based system of banking and investment that seeks to cut out traditional middlemen and avoid regulatory entanglements.
In just the last 4 weeks, Curve Finance, a popular cryptocurrency exchange, was hacked for over $70 million after a bug was discovered in its coding language; a crypto lender called Exactly lost $12 million in a security breach; and smaller projects Saddle Finance, Spirit Swap and Hundred Finance abruptly closed.
Hacks, once considered no more than sporadic disruptions, have plagued decentralized finance platforms. Between January and July, the crypto industry saw 145 major hacks -- 117 of them were DeFi-related and totaled approximately $700 million in losses, according to Kim Grauer, director of research at Chainalysis, a blockchain intelligence company. In 2022, 132 DeFi hacks occurred over the same period, resulting in losses collectively worth $1.8 billion.
The allure of automated financial systems and yields once as high as 20% has drawn legions of investors and developers to the DeFi fold over the past few years, yet the road to financial liberation has taken an ugly turn into what now looks like a dead end. The crooks have been attacking DeFi from all sides. The so-called smart contracts that are a hallmark of DeFi, designed to cut out the need for bankers and lawyers, have proven to be chock full of vulnerabilities and as a result these platforms have provided juicy targets for cybercriminals.
These issues have become existential in light of DeFi's rapidly declining market share. The total value locked, or TVL -- the dollar amount of crypto held in DeFi projects -- is now hovering around $37 billion, according to data aggregator DeFi Llama, a low not seen since February 2021. That puts assets in the entire category, which promised to eliminate the need for banks like JPMorgan, below that of a mid-sized regional bank. At its peak in November 2021, the TVL stood at approximately $178 billion.
The biggest deflator of the DeFi bubble has been lower cryptocurrency prices, according to Anders Helseth, vice president of research at K33, a digital assets research firm. With bitcoin and ether trading more than 60% lower than their all-time highs, the value of decentralized protocols holding the tokens has also plummeted.
In addition, rising interest rates on low-risk assets are making DeFi increasingly less attractive for investors, according to Mark Connors, head of research at 3iQ, a Canadian digital asset investment fund manager. One-month Treasury rates are yielding 5.56% -- higher than rates on the major stablecoins USDC and USDT, which range from 2.7% to 4.6% on popular decentralized lending protocols such as Aave, JustLend and Compound, according to DeFi Llama.
Many platforms have simply wound down operations in recent weeks. DappRadar, a decentralized applications tracker, has delisted a total of 105 DeFi applications so far this year.
Hacks aren't the only problem. In July, the team behind AlgoFi, a large lender on the Algorand blockchain, announced the platform's closure due to "a confluence of events." Although the developers did not name specific reasons, the designation of Algorand's ALGO token as a security by the U.S. Securities and Exchange Commission in April probably played a part. Following the SEC's labeling, trading platforms Bakkt and eToro delisted ALGO along with a handful of other tokens named by the regulator.
In addition to the SEC's crackdown, lawmakers are also calling for more oversight of the sector. In July, a bipartisan group of senators introduced a bill called the Crypto-Asset National Security Enhancement and Enforcement Act of 2023. If enacted, it would require DeFi platforms to maintain an anti-money-laundering program, keep tabs on customers, and report suspicious transactions to the Treasury Department's Financial Crimes Enforcement Network, i.e. abide by rules for financial intermediaries like banks and securities brokers -- the very middlemen DeFi is seeking to replace with software.
"DeFi and crypto ATMs are part of a largely unregulated technology that needs stronger oversight and guardrails to prevent rampant money laundering and sanctions evasion," said Senator Jack Reed (D-RI) in a statement. "This legislation bolsters the Treasury Department's tools to protect our national and economic security."
The message echoed an illicit finance risk assessment conducted on decentralized finance by the U.S. Department of the Treasury earlier in the year, which advanced the view that decentralized services should implement anti-money laundering compliance under the Bank Secrecy Act.
Regulation isn't as serious a threat to DeFi as the nearly continuous security breaches that erode investors' confidence. A recent attack on Curve, a major stablecoin exchange with $2.4 billion in deposits, sent shockwaves across the sector as vulnerabilities across multiple projects that use the same programming language were exposed, as were tens of millions of personal loans made by Curve's founder Michael Egorov, which were largely backed by Curve's token CRV.
The episode sparked a liquidation panic: a sharp selloff of CRV following the hack caused the token to drop in value. Had the price of CRV fallen by more than 33%, lending protocols would have automatically sold the collateral. The hacker eventually returned around $52.3 million of the $73.5 million in stolen funds, according to blockchain security firm PeckShield. Still, questions around risk management in DeFi have resurfaced.
"Imagine a system where banks failed like every other Tuesday. I don't think a lot of people would be leaving their money there," says Austin Campbell, an adjunct professor at Columbia Business School and managing partner of blockchain-focused Zero Knowledge Consulting. "It's going to be hard to get a significant number of people back using it because the reality is everybody's worried about being hacked all the time."
"We (and many builders in our industry) don't believe this is the end at all -- rather, a call for more responsibly designed protocols," argues Evan Kuo, founder of Fragments, the development company behind the Ampleforth and SPOT Protocols. "DeFi protocols ought to have been, and can be, designed to avoid systemic risks like cascading liquidations."
But hacks and breaches will continue to happen, says David Schwed, COO at blockchain security firm Halborn. "With a simple exploit or a social engineering tactic, I can walk away with $100 million. So the best hackers in the world, including state-sponsored attackers like North Korea's Lazarus Group, are focusing on this market."
The other challenge is it's a relatively nascent market where you are seeing projects that are not very well funded. "You know, a $3 to $5 million check sounds great, but it is not enough to stand up to what I call bank level security or enterprise level security," says Schwed. "By design, [DeFi protocols] are just they're not as slow as a large financial institution that has all the safeguards."
Many DeFi projects are developer-heavy, with very little to no security oversight. In many instances, they look at security, unfortunately, as an afterthought, adds Schwed. "You have heightened risks...I am not saying it's a recipe for disaster, but I'm not surprised that hacks are still happening in 2023."
In the meantime, "the DeFi market is searching for sticky narratives," says K33's Anders. "But mostly, that turns into short-lived hypes," he adds.
Take friend.tech, an app that lets users buy and sell "shares" (now called "keys") of their favorite X (formerly known as Twitter) personalities. Just last week it was hailed as crypto's new social media darling. Barely two weeks after its launch, friend.tech's trading fees grew as high as $1.7 million per day, enough to rival major decentralized protocols including Uniswap and MakerDAO. However, its fees have since plummeted, to around $215,000 per day recently, according to DefiLlama. Transactions also declined from nearly 525,000 per day two weeks ago to just over 51,000 per day, according to data from Dune Analytics.
As DeFi platforms struggle to remain viable, some former users are parking their digital money in another risky and dubious crypto invention known as "liquid" staking. So-called liquid staking protocols like Lido allow investors to pledge, or stake, tokens like ether and earn yield in exchange for another token they can put to work in other DeFi protocols and applications like Uniswap to earn even more money. Like DeFi, liquid staking relies on smart contracts and has many of the earmarks of a future bubble. These protocols have already collectively accumulated $20.3 billion -- nearly two thirds of DeFi's total TVL -- and, according to DefiLlama, Lido is now the top staking protocol with $14 billion of cryptocurrency locked inside its contracts.
DeFi be damned, in the world of crypto, hope springs eternal.