$2 Billion Self-Hack Highlights DeFi’s Slow Crisis Reaction Problem

Decentralized finance has a control problem it must solve if it is to become the economic force supporters believe — and opponents fear — that it can become.

And fear they do.

In March, Deloitte wrote that in DeFi “traditional financial services face a potentially existential moment that may challenge traditional business models,” adding that it “represents the most significant disruptive force on the global financial system.”

Not to be outdone, the International Monetary Fund in April added that the “absence of governing entities means DeFi is a challenge for effective regulation and supervision.”

That said, DeFi appears to have developed an Achille’s heel, of sorts, in the form of slow reaction time, and solving the weakness may be something of a Catch-22.

While many, if not most, DeFi projects are still not truly and fully decentralized, with developers having what amount to backdoor master keys, the ostensible goal is for them all to be fully run by self-executing smart contracts. Which would make reacting quickly to problems virtually impossible, as that requires centralized control.

Which is a problem in any business, but especially finance. And particularly in a segment with the vulnerability to hackers, DeFi has shown, with more than $3 billion stolen in 2022 alone, according to Chainalysis.

Leaving aside security holes, consider court orders, money laundering responses, a sudden crash in exchange rates — any number of issues that require a fast response.

Not a Game

That problem was on full display again Thursday night (Nov. 3), when play-to-earn blockchain game developer Gala Games revealed that it had effectively hacked its own project, “stealing” more than $2 billion to prevent actual thieves from using a potential exploit it found in its code.

It began at 4:54 p.m. when blockchain security firm PeckShield noticed a huge outflow of funds occurring on a liquidity pool supporting the firm’s cross-chain bridge, which allows users to trade crypto quickly and cheaply for the GALA tokens.

A few minutes later, pNetwork, a blockchain infrastructure provider for Gala, tweeted out: “we noticed pGALA wasn’t to be considered safe anymore and coordinated the white hat attack to prevent pGALA from being maliciously exploited. Funds are safe.”



Unpack that for a minute. They found a “misconfiguration of the @pNetworkDeFi bridge” and instead of turning off the service, the only way to fix it — or at least the fastest way — was to steal it themselves.

And that’s leaving aside that the thought of a $2 billion hack was not shocking. Of course, $718 million was stolen last month in what Chainalysis dubbed “hacktober.”

Way Too Slow

Leaving aside the specifics of Gala Games’ issue, the problem is with how DeFi is governed by the decentralized autonomous organizations, or DAOs, that are at the core of decentralized finance.

DAOs are at their core smart contracts that act independently of human control. But in order to let users update them in any way, from coding upgrades to interest rate changes, there is a voting procedure using governance tokens, a type of cryptocurrency that generally does little more than give holders a say in DAO updates.

The problem is those changes are generally managed in slow-moving a two-stage procedure. First, a change is proposed by someone who writes up its specifics and then tries to raise support for it, generally on social media like project-specific Discord channels.

After a set number of days, a preliminary vote is held — often over several more days — that is essentially a primary election. If the proposal gets enough support, another election is held to pass or reject it. The discussion periods last between days and weeks, as do the polling periods.

Until then, nothing can be done. Which makes robbing yourself sound like a reasonable course of action.

Whether it is a reasonable way to do business is another question entirely.


For all PYMNTS crypto coverage, subscribe to the daily Crypto Newsletter.