Rob Behnke
March 2nd, 2022
DeFi thefts have grown astronomically in recent years. According to Chainalysis’ Crypto Crime Report 2022, the number of DeFi hacks more than doubled between 2020 and 2021 from 117 to 250. These hacks were also much more valuable with about $3.2 billion in cryptocurrency stolen, compared to about $800 million the previous year, a 1,330% increase.
Many different drivers have contributed to the rise of DeFi hacks. Here are 5 reasons why these DeFi hacks are growing more common and more expensive.
One of the reasons why the number and value of DeFi hacks are going up is that there is simply more money to steal. At the end of 2020, DeFi protocols had a total value locked (TVL) of about $25 billion. A year later, DeFi projects held about $88 billion.
This 3.5x increase is only a little lower than the 4x growth in the value of DeFi hacks in the same period. This indicates that the amount of value stolen from DeFi projects is roughly keeping pace with the growth in the value of these projects.
DeFi is built around the open-source mindset, and most DeFi projects open source their code for analysis and for reuse by other projects. As a result, many DeFi projects are built using components forked or copied from existing projects.
This use of open-source code can bring significant benefits. For example, OpenZeppelin’s library contracts are high-quality and enable users to avoid common smart contract vulnerabilities.
However, open source also has its downsides. With the low barrier to entry, it is easier for scammers to roll out projects for rug pulls, enabling them to steal value invested by users.
Code reuse also can cause vulnerable code to pop up in multiple places or create a false sense of security if a DeFi project uses trusted libraries but tweaks them, as was the case in the Qubit hack.
Another impact of open source is that it makes it easier for attackers to identify the vulnerabilities that exist in smart contract code. With access to application source code, attackers can search for vulnerabilities and use static code analysis tools to find bugs.
Vulnerability exploitation is a growing attack vector in the DeFi space. Between 2020 and 2021, code exploits grew from accounting for about 40% to over 50% of attacks. In 2019, a code exploitation attack was relatively unknown in the DeFi space.
Smart contract platforms are already complex ecosystems. Smart contracts are programs that run on top of the blockchain and can interact with other blockchain-based programs. Increased complexity makes security more challenging.
As the DeFi space grows more mature, the complexity of these protocols and their interactions continues to increase. Today, DeFi protocols implement sophisticated functionality, and bridges enable interactions between smart contracts hosted on other blockchains. This increased complexity makes business logic errors more likely and makes it harder to identify and correct vulnerabilities in smart contract implementations.
Security audits are essential to the security of DeFi projects. These audits can help to identify smart contract vulnerabilities and business logic issues before they are deployed to the blockchain and put the project and its users at risk.
A lack of smart contract audits is one of the leading causes of the rise in DeFi hacks. Of the ten most expensive DeFi hacks in 2021, not a single one had undergone a security audit. This “test in prod” approach to DeFi security led to over $1 billion in losses from these ten projects alone.
DeFi is a promising and rapidly-growing application of blockchain technology. However, widespread hacks damage its reputation and can hinder growth and adoption.
In our Top 10 DeFi Hacks of 2021 article, we noticed a common trend: a lack of security audits. Slowing the rise of DeFi hacks requires auditing smart contracts before deployments. To learn more about how to improve the security of your DeFi project through smart contract auditing and advanced penetration testing, reach out to our blockchain security experts at halborn@protonmail.com.