New York and London – Billions of dollars have been stolen from decentralised finance (DeFi) protocols, a flourishing alternative financial system that replaces traditional intermediaries with software running on blockchains, according to new research by Elliptic.
Elliptic’s report DeFi: Regulation, Compliance and the Growth of DeCrime reveals that as of November 2021 just over $12 billion in losses have been suffered by DeFi users and investors, due to the malicious exploitation of flaws in decentralised applications (DApps) such as decentralised exchanges (DEXs), lending protocols and asset management offerings. These losses include direct loss of funds stolen from DApps, as well as losses suffered by holders of tokens associated with these protocols.
DeFi platforms have become increasingly popular in recent years, fuelling a boom in cryptoasset use. The “total value locked” (TVL), a measure of the liquidity of DeFi services, increased by a factor of nearly 500, from $500 million in November 2019 to just over $247 billion today.
This rise in popularity of DeFi has attracted a significant increase in associated DeCrime, a term coined by Elliptic to denote financial crime that involves decentralised financial tools such as DApps. Losses due to theft and crime across DeFi platforms have increased by 600% from 2020, with $10.5 billion being stolen since the beginning of 2021 compared with $1.5 billion last year. More than $12 billion in total has been lost due to malicious exploitation of DeFi.
Tom Robinson, Chief Scientist at Elliptic, said: “The DeFi ecosystem is an incredibly exciting and fast-moving space, with financial services innovation happening at light speed. This is attracting large amounts of capital to projects that are not always robust or well-tested. Criminal actors have seen the opportunity to exploit this.”
According to the report, the prevalence of DeFi theft and crime is largely due to the untested and immature nature of the technology available. Mistakes in the design and development of decentralised apps are the most common cause, giving rise to bugs which hackers can exploit, accounting for $10.8 billion of all losses. Another $1 billion in losses are the result of exit scams (where a DApp creator intentionally leaves a ‘backdoor’ in the code that allows them to steal users’ funds) and the theft of “admin keys”.
“Decentralised apps are designed to be trustless in that they eliminate any third-party control of users’ funds”, said Robinson. “But you must still trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds.”
Robinson said: “DeFi looks set to become an increasingly important part of our financial system, making financial services more accessible, efficient and competitive. But we are still at the experimental stage and DeFi users face significant risks. As the technology matures and becomes better-regulated, losses will fall and DeFi will become a practical alternative to the banks, asset managers and exchanges that we currently rely upon.”