Cointelegraph Consulting: Recounting 2021’s biggest DeFi hacking incidents

Compound Finance is just one of the latest victims of DeFi hacking incidents in 2021. On Sept. 30, an errant token distribution bug introduced by Proposal 062 exposed a flaw through which $70 million–$85 million in excess COMP tokens were wrongly distributed to users.

A few days later, an extra $65 million was placed in a vulnerable vault, putting at least $150 million in COMP tokens at risk. Compound was ultimately able to remedy the situation, but the episode shows how vulnerable the decentralized finance (DeFi) sector can be at times because of its nascency.

Last year, the total value locked (TVL) in DeFi was a mere 5% of its current value of $255 billion, an explosive 1686% growth. Even with the Compound debacle, and most recently the draining of $139 million from decentralized trading platform BXH in an attack enabled by a leaked admin key, TVL actually increased over the last month, appreciating by 14.27%.

One reason investors have flocked to DeFi protocols is the search for higher returns. The rock-bottom interest rates of 2020, with no clear framework for an increase, caused investors to look for other avenues to park their cash. Locking crypto assets into DeFi protocols to supply liquidity for such services became an attractive option, as it offers more attractive returns. What ensued was a yield farming boom in 2020 that has prevailed up to this year.

Counting the incidents

The rising popularity of DeFi is a double-edged sword for the young sector and for the cryptocurrency space as a whole. Since 2012, 534 blockchain hacking incidents have taken place, with 169 of them in 2021 alone, according to Chinese cybersecurity firm Slow Mist. Hacks are growing in sophistication and target various areas of the space.

Nevertheless, the biggest hack to ever take place occurred in 2021 and was carried out by an unknown hacker on cross-chain protocol Poly Network. The result was an equivalent of $610 million in tokens stolen, topping MtGox and Coincheck. The attack pocketed about $273 million from the Ethereum network, $85 million in USD Coin (USDC) from the Polygon network and $253 million from Binance Smart Chain. It also removed sizable amounts of renBTC, wrapped Bitcoin (wBTC) and wrapped Ether (wETH).

The incident with Poly Network is one of many DeFi hacking instances in 2021. Poly Network was fortunate to recover all of the funds. Cream Finance, on the other hand, was not so lucky. The decentralized lending protocol comes in at a distant second: it was attacked twice this year, had nearly $150 million wiped out, and is still trying hard to recover. Overall, the total amount of money lost to blockchain hacking this year is nearly $7 billion, a $2.5 billion increase from last year.

Calls for audit

Poly Network, Compound and Cream Finance make up the top three by the amount of funds affected (totaling $906 million). Like Cream Finance, other notable protocols were exploited more than once in the same year, among them THORChain and Value DeFi.

Also, albeit negligible at $1.5 million in contrast to the funds affected at the other victims, Merlin Labs, a yield optimizer built on BSC, was attacked thrice: twice in the same week and once more a month later. What is more surprising is that it had been audited by Hacken 11 days before the attack.

Security experts recommend that smart contracts undergo an audit, usually by independent auditors. An audit can help detect, and possibly rectify, vulnerabilities in the smart contract's code and check the reliability of the contract's interactions.

Kava Labs CEO Brian Kerr told Cointelegraph in May 2020 how critical it is for anyone who wants to use a DeFi protocol to first check audits and peer reviews. But even then, he warned of associated technical and market risks, since the sector is still new.

Download the 34th issue of the Cointelegraph Consulting Bi-weekly Newsletter in full, complete with charts and market signals, as well as news and overviews of fundraising events.

Among the projects that fell victim to attacks this year, only about 15 of the 40 affected DeFi protocols had been audited. But it is worth noting that the funds affected at the audited protocols were significantly less than at those that were not audited: for each audited protocol, the loss was almost 60% less than for an unaudited one. As a whole, 20.3% of the funds affected across all the protocols hacked this year were from audited protocols, while 79.67%, or about $1.3 billion, were from unaudited ones.

The four major reasons DeFi protocols get hacked are coding mistakes, developer incompetence, misuse of third-party protocols, and business logic errors. The most common of these, and possibly the most dangerous, is developer incompetence, which is also a direct consequence of coding mistakes. Inadequately qualified developers rushing to launch a project without a rigorous third-party check are more susceptible to exploits.

This is why there is an ongoing push for extra measures to improve security practices in the industry. Audits, particularly smart contract security audits and secondary auditing, are just two ways to achieve this. As Kerr said, an investor's own technical diligence is also warranted when scrutinizing a DeFi protocol before investing.

Still, the light at the end of the tunnel is that these hacks could be essential in advancing the DeFi sector. CipherTrace Chief Financial Analyst John Jefferies told Cointelegraph back in August that such crimes will accelerate the acceptance of know-your-customer, or KYC, procedures, particularly at decentralized exchanges, or DEXs, which can be critical in getting regulatory approval.

As DeFi matures, especially with the advent of layer-one blockchains competing against Ethereum, the hacking events as of late are perhaps just the tip of the iceberg, and the poorly designed and unaudited protocols could be in a whole heap of trouble.
