Hacktober’s $718M Losses Threaten DeFi

October hasn't been kind to crypto, with $730 million lost to 18 hacks this month alone, driving the 2022 total loss to $3 billion.

With decentralized finance, or DeFi, as the prime target, it's becoming a serious enough problem that calling 2021 "The Year of the Hack" may have been premature on the part of blockchain data firm Chainalysis, which specializes in tracking cryptocurrencies.

"What is unique that's happening lately in the crypto space is the rate at which hacking is growing," Kim Grauer, head of research for Chainalysis, told PYMNTS' Karen Webster. "It was the fastest growing subtype of crime out there of any type of crime we track, and we track many, and we had predicted that that was going to subside in the short term to medium term because it simply had to, to build trust in the industry."

But, she added, "that's not what we've been seeing."

Instead, 2022 is just $220 million away from surpassing 2021's record $3.2 billion in stolen funds.

And, Grauer added, DeFi itself is in jeopardy.

"The reputational risk is huge," she said. "I can't emphasize that enough. Having a hack happen every day makes it so that every trader, everyone involved in DeFi, has an awareness that they could be the victim of a hack. And that's not healthy for sustainable long-term growth. That's not healthy for the industry. That is, in fact, a major reason why people are likely not getting into DeFi, not testing the waters."

If the problem can't be overcome, she added, "I don't see a way DeFi can continue to grow and bring in more users."

The More Things Change

At the same time, Grauer pointed out, the problem is not insurmountable, as the sparsity of hacks against centralized exchanges shows.

That wasn't the case just a few years ago in 2019, when centralized exchanges were being cracked at an alarming pace.

"It felt insurmountable at that time," Grauer said. "But we are now in a totally different place where people recognize the security of centralized exchanges. And so, the hope is that DeFi and decentralized services follow that same trajectory."

Among the lessons DeFi is learning is the need for strong and ongoing code audits, as well as other technical solutions, she said. Another is that companies and DeFi developers cannot afford to wait to launch code audits and use other tools to protect their projects. However, that can be harder for DeFi projects, which, despite being decentralized, often have voting procedures that require some degree of consensus.

That said, hacking is not unique to the cryptocurrency world, Grauer said, pointing to hacks, phishing scams and even old-fashioned bank robberies that traditional finance, or TradFi, has wrestled with since its inception.

More and Less

One major difference is scale, she added.

"It's an outlier-dependent problem in the sense that it just takes one big hack and then suddenly you have a $600 million loss," Grauer said. "Whereas in TradFi, multi-billion-dollar scams happen, but they generally take months if not years and have huge numbers of victims."

"It's really a different ball game when you're dealing with the potential of one major incident versus millions of small incidents and scamming," she said.

From a reputational standpoint alone, Grauer argued, it's an industry-wide problem.

But if companies and DeFi developers prioritize bringing in code audits and bug bounties, "it's something that could be implemented relatively quickly," she said. "But it's a question of getting industry-wide practices adopted, and getting those to be standards."

One good place to start, she said, is by building code monitoring projects so that code libraries are updated when bugs are found. That matters because many blockchains are built with a good deal of copy-paste development.

"That means that if there's an exploitable bug, it kind of cascades."

Transparency's Silver Lining

The silver lining, Grauer said, is that because it all happens on an immutable blockchain, everything is transparent.

That means Chainalysis' 24-hour incident response team can track stolen funds quickly, working with exchanges and other money services businesses to freeze them at the exchanges where stolen funds have to be off-ramped into fiat. That's why a lot of stolen funds have been left stranded for years: once the eyes of the industry are on them, they become more difficult to cash out.

It's something of a double-edged sword, Grauer said. "With hacking, we can tell you everything that's happening, and that kind of puts a magnifying glass on the negatives, on the seedy underbelly of cryptocurrency."

But, she added, it's also a positive.

"You can't do this in traditional finance," Grauer added. "You just call us up and we are on the case tracking the funds, the best investigators in the industry. So, even if you are hacked, there's forever a footprint of where your funds went, and it's just a matter of getting it investigated."
