The rise of decentralized finance, or DeFi, could be paving the way toward a fully decentralized financial ecosystem. Yet, given the innovative nature of DeFi, the sector remains in constant development and is therefore prone to a number of vulnerabilities.
Unsurprisingly, one of the biggest challenges currently facing the DeFi sector is security threats. This has become apparent as more DeFi hacks continue to wreak havoc across the crypto community. Most recently, the largest DeFi hack within the crypto industry took place. The Poly Network hack resulted in over $600 million dollars removed, and then returned, from Binance Chain, Ethereum and the Polygon Network.
To further put this in perspective, crypto intelligence firm CipherTrace revealed in their latest “Cryptocurrency Crime and Anti-Money Laundering” report that DeFi hacks totaled $361 million by July 2021, accounting for three-quarters of the total hack volume of the entire crypto industry for this year. This represents a 2.7 times increase from 2020. Moreover, DeFi-related fraud accounted for 54% of major crypto fraud volume at the time CipherTrace’s report was published. This is considerably higher compared to last year’s total, which was only 3%.
DeFi hacks necessary to help sector mature
While unfortunate, some in the crypto industry believe that DeFi-related crime will actually advance decentralized finance moving forward.
For instance, chief financial analyst of CipherTrace John Jefferies told Cointelegraph that the recent hacks and fraud will help DeFi in the short term: “If an anonymous hacker can steal millions of dollars from unnamable victims, then it’s clear this sector needs more effective security controls."
Specifically speaking, Jefferies explained that DeFi crimes will spark an acceleration of Know Your Customer, or KYC, legislation in respect to decentralized exchanges, or DEXs. This is extremely important to regulators given the fact that DeFi protocols are accessible without KYC processes.
A recent report from Merkle Science — a predictive risk and intelligence platform — elaborates on the dangers of no KYC, noting, “anyone sitting in any country may access DeFi protocols without the need to go through KYC — unintentionally providing bad actors access to financial services for illicit activity.” The report further states that “the lack of KYC also means that users often need to over-collateralize to access services such as loans.”
Given the “decentralized” nature of DeFi, KYC and Anti-Money Laundering (AML), regulations are not enabled. Unlike centralized exchanges (CEXs), DeFi protocols aspire to create an alternative to traditional financial systems by replacing intermediaries with smart contracts, or self-sufficient code embedded in blockchain networks. As such, DEXs do not have ownership over users’ funds at any point, potentially eliminating the need for KYC or AML.
Although this is the case, some would argue that DeFi protocols are not actually decentralized. Lior Lamesh, co-Founder and CEO of GK8 — a cybersecurity company — told Cointelegraph that although DeFi is supposed to be decentralized, it’s not because the smart contract owner (the individual who uploaded the DeFi protocol to the blockchain) has control over the network. According to Lamesh, this creates even bigger security issues: “By compromising the smart contract owner's private key, the whole economy of the protocol can be destroyed right away. It is worse than hacking a single DeFi user, as this means hacking all DeFi users at once.”
Jefferies further stated that most DEXs are only decentralized in name, pointing out that many are centralized in nature. He believes this will facilitate the eventual cleanup of DEXs with KYC and AML policies:
“I believe regulators are supportive of DeFi and the goals of DeFi and the ability to have this new programmable money created with code. There are lots of people in the U.S Government that see DeFi as true innovation and I hope the industry gets to a point where we have the on and off ramps cleaned up so DeFi can thrive.”
However, this may be easier said than done. According to DappRadar, the total value locked in DeFi over the past year exceeds $108 billion. The rise of DeFi is forcing regulatory bodies to implement guidance against money laundering, terrorism financing and other illicit activity. The best example of this can be seen in the latest Financial Action Task Force, or FATF, updated guidance for virtual assets and virtual asset service providers (VASPs).
Yet, Merkle Science’s latest report notes that the way in which DeFi platforms are structured, making it improbable for these ecosystems to identify intermediaries who would be responsible for AML and KYC compliance. The document further states that the challenges faced by centralized VASPs in regards to the updated Travel Rule will be even more difficult for the DeFi ecosystem to comply with since this guidance wasn’t created with DeFi in mind. Jefferies explained that the FATF has been discussing ways of classifying DEXs as VASPs, but this consultation will not be finalized until October this year, so the Travel Rule may or may not apply to DEXs.
Given the long-term challenges related to implementing DeFi regulations, others in the industry believe that the rise of DeFi hacks will serve as an immediate wake-up call for better security protocols.
Mitchell Amador, CEO and founder of Immunefi — a bug bounty platform for DeFi protocols — told Cointelegraph that regulations will have no impact on the future of DeFi. Rather, better security procedures will be necessary for reducing DeFi-related crime. “You will still see hacks occur, but these will become much more difficult,” Amador said.
According to Amador, the latest Poly Network hack demonstrates that DeFi is still a new and experimental technology, one that comes with great risks in managing financial assets. As such, Amador noted that it shouldn’t come as a surprise that there are bugs in the smart contract's code, yet, these vulnerabilities must be prevented moving forward:
“One key lesson here is that bug bounties are a must-have, otherwise hackers will continue hacking into these systems. We saw that the Poly Network hacker gave the stolen funds back, but why wasn’t there an incentive for him in the first place?”
Amador added that the DeFi hacks happening now are stimulating for security: “The number of people finding vulnerabilities in code is increasing and new security projects are developing. This is really the silver lining here. I’m optimistic that crypto and DeFi will be much safer in 12 months from now.”
DeFi must slow down development cycles?
While DeFi hacks may be impossible to prevent, it’s clear that these vulnerabilities will result in a stronger crypto ecosystem moving forward. This may come in the form of better regulations, tighter security protocols, or both.
In the meantime, Amador believes that one thing is certain — DeFi builders must slow down development cycles: “Code bases are nascent or not well reviewed and therefore rushed to market." As a result, he believes there is very little time for DeFi projects to run tests, get code reviewed or even think like an actual hacker: “Once we slow down development cycles to review code, we should see a dramatic drop in hacks, especially in new protocols.”
A lack of regulation, developing security audit processes and speed of innovation are challenges that the DeFi space must overcome moving forward. In particular, the speed of innovation is important since the DeFi space is still maturing and the risks associated with these protocols must be accessed carefully.
While these factors must be taken into serious consideration, Amador pointed out that the fast-paced nature of the cryptocurrency sector may create challenges when it comes to slowing down development: “Crypto moves so fast, so I’m not sure how realistic this is. But if you have a great team, you can oftentimes resist pressure and take time to build things correctly. This will ultimately save time with security hassles down the road.”