Hacktober’s $718M Losses Are an Existential Threat to DeFi

October hasn’t been kind to crypto, with $730 million lost to 18 hacks this month alone, driving the 2022 total loss to $3 billion.

With decentralized finance, or DeFi, as the prime target, it’s becoming a serious enough problem that calling 2021 The Year of the Hack may have been premature on the part of blockchain data firm Chainalysis, which specializes in tracking cryptocurrencies.

“What is unique that’s happening lately in the crypto space is the rate at which hacking is growing,” Kim Grauer, head of research for Chainalysis, told PYMNTS’ Karen Webster. “It was the fastest growing subtype of crime out there of any type of crime we track — and we track many — and we had predicted that that was going to subside in the short term to medium term because it simply had to, to build trust in the industry.”

But, she added, “that’s not what we’ve been seeing.”

Instead, 2022 is just $220 million away from surpassing 2021’s record $3.2 billion in stolen funds.

And, Grauer added, DeFi itself is in jeopardy.

“The reputational risk is huge,” she said. “I can’t emphasize that enough. Having a hack happen every day makes it so that every trader, everyone involved in DeFi has an awareness that they could be the victim of a hack. And that’s not healthy for sustainable long-term growth. That’s not healthy for the industry. That is, in fact, a major reason why people are likely not getting into DeFi, not testing the waters.”

If the problem can’t be overcome, she added, “I don’t see a way DeFi can continue to grow and bring in more users.”

The More Things Change

At the same time, Grauer pointed out, the problem is not insurmountable, as the scarcity of hacks against centralized exchanges today shows.

That wasn’t the case “just a few years ago in 2019,” when centralized exchanges were being cracked at an alarming pace.

“It felt insurmountable at that time,” Grauer said. “But we are now in a totally different place where people recognize the security of centralized exchanges. And so, the hope is that DeFi and decentralized services follow that same trajectory.”

Among the lessons DeFi is learning is the need for strong and ongoing code audits, as well as other technical solutions, she said. Another is that companies — and DeFi developers — cannot afford to wait to launch code audits and use other tools to protect their projects. However, that can be harder for DeFi projects, which, despite being decentralized, often have voting procedures that require some degree of consensus.

That said, hacking is not unique to the cryptocurrency world, Grauer said, pointing to hacks, phishing scams and even old-fashioned bank robberies that traditional finance, or TradFi, has wrestled with since its inception.

More and Less

One major difference is scale, she added.

“It’s an outlier-dependent problem in the sense that it just takes one big hack and then suddenly you have a $600 million loss,” Grauer said. In TradFi, by contrast, multi-billion-dollar scams do happen, but they generally take months if not years to unfold and involve huge numbers of victims.

“It’s really a different ball game when you’re dealing with the potential of one major incident versus millions of small incidents and scamming,” she said.

From a reputational standpoint alone, Grauer argued, it’s an industry-wide problem.

But if companies and DeFi developers prioritize bringing in code audits and bug bounties, “it’s something that could be implemented relatively quickly,” she said. “But it’s a question of getting industry-wide practices adopted, and getting those to be standards.”

One good place to start, she said, is by building code monitoring projects so that code libraries are updated when bugs are found. Keeping shared libraries current matters because many blockchain projects are built with a good deal of copy-paste development, so a bug in one codebase is often present in many others.

That means that if there’s an exploitable bug, “it kind of cascades.”

Transparency’s Silver Lining

The silver lining, Grauer said, is that because it all happens on an immutable blockchain, everything is transparent.

That means Chainalysis’ 24-hour incident response team can track stolen funds quickly, working with exchanges and other money services businesses to freeze them at the exchanges where stolen funds have to be off-ramped into fiat. That’s why a lot of stolen funds have been left stranded for years — once the eyes of the industry are on them, they become much harder to cash out.

It’s something of a double-edged sword, Grauer said. “With hacking, we can tell you everything that’s happening and that kind of puts a magnifying glass on the negatives, on the seedy underbelly of cryptocurrency.”

But, she added, it’s also a positive.

“You can’t do this in traditional finance,” Grauer added. “You just call us up and we are on the case tracking the funds, the best investigators in the industry. So, even if you are hacked, there’s forever a footprint of where your funds went, and it’s just a matter of getting it investigated.”