Report: DeFi Fraud, Theft Exceeds $10 Billion in 2021DeFi Market Size Has Exploded, Although Cybersecurity Concerns Abound
More than $12 billion has been lost in decentralized finance, or DeFi, applications in 2021 - $10.8 billion of which is attributed to fraud and theft, a 600% increase from 2020, according to a new report from blockchain analytics firm Elliptic. This comes as DeFi platforms surge in popularity and fuel wider cryptocurrency adoption.
Blockchain-based DeFi projects do not rely on central financial intermediaries to provide traditional financial services. Instead, smart contracts on blockchains allow users to lend or borrow funds, trade cryptocurrencies, earn interest and more. DeFi projects typically rely on open-source software, and at the time of publication, there was some $104.2 billion in total value locked in these DApps, according to tracker site DeFi Pulse. Additionally, over the past year, trading volume on decentralized exchanges, or DEXs, has surged from $18 billion to more than $300 billion each month, according to Elliptic.
The firm's 48-page report, which cites the growth of "DeCrime," says billions have been lost due to "malicious exploitation of flaws" across DEXs, lending protocols and asset management offerings.
"The DeFi ecosystem is an incredibly exciting and fast-moving space, with financial services innovation happening at light speed," says Tom Robinson, chief scientist at Elliptic. "This is attracting large amounts of capital to projects that are not always robust or well-trusted. Criminal actors have seen the opportunity to exploit this."
Robinson and report co-author Chris DePow, Elliptic's senior adviser for financial institution regulation and compliance, say that malicious activity associated with DeFi relates largely to its "untested" and "immature" technology. Some $1 billion in losses relate to exit scams - in which DApp creators craft backdoors in the code to siphon users' funds - and the theft of admin keys, they say.
"Decentralized apps are designed to be trustless in that they eliminate any third-party control of users' funds," adds Robinson. "But you must still trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds."
DApps on Ethereum, the primary DeFi blockchain, saw the highest theft/fraud losses, at $8.6 billion, according to Elliptic. DApps targets most frequently include lending apps, at 34%; DEXs at 17.1%; asset management apps at 16.4%; and cross-chain bridges, which allow tokens to be exchanged on different blockchains, at 13.5%.
"Wherever there are concentrations of value, there will be crime - and DeFi is no exception," the report states, noting that DeFi protocols become a "tempting honeypot for hackers and a deep pool of liquidity" for money launderers.
Users "must [also] trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds," the authors write, saying the platforms - often startups - become targets for both lone hackers and nation-states.
In addition to code exploits - which have amounted to $5.5 billion in losses - the researchers also sound the alarm on economic exploits, or loopholes with the service that can be used to secure steep proceeds. This totaled $5.3 billion in losses.
The blockchain experts say the risk of hacking on DApps remains a top concern - as a single character out of place in the code "can have huge consequences - and in the case of DeFi, loss of funds."
"Much of the code used in DeFi is open source, and many DApps use code that has been forked from that used by a single DApp," Robinson and DePow write. "This means that a bug in the code of the original DApp can cascade and lead to losses from a number of different DeFi services."
The researchers also point to a rise in the use of DApps for money laundering purposes - including proceeds from attacks on centralized exchanges.
"Criminals have turned to DEXs to convert tokens to native assets such as ether," Robinson and DePow write. "Most DEXs do not impose any restrictions on who can use them, keep records of user identities or check deposits for proceeds of crime - making them an attractive tool for criminals."
With heightened visibility on the blockchain, however, law enforcement agencies are now better able to track this activity - or "follow the money" - until the tokens are obfuscated by services such as mixers, which combine users' funds, typically enabling thieves to move and off-ramp their ill-gotten gains.
Emerging risks in DeFi have also left regulators and lawmakers questioning appropriate guardrails.
The Elliptic researchers contend that the resulting "panoply" of regulators claiming responsibility over DeFi protocols "creates a significant problem" - that is, the type and level of regulation to be applied to an inherently decentralized space.
"What is clear, however, is that the current 'caveat emptor' system of self-regulation is not sustainable," they say.
And registration with FinCEN, the U.S. Department of the Treasury's financial enforcement bureau, "is not adequate in meeting regulatory obligations for virtual asset service providers operating within the U.S.," they say. "The implementation of an adequate anti-money laundering program and the collection of required know-your-customer information is vital to meeting the minimum standards set by U.S. federal functional regulators."
Robinson and DePow say that as regulatory pressure mounts, it will become clear that although the system may be decentralized, there is "typically some relevant third party" who can bring the virtual asset in line with the "financial crime expectations of the fiat world."
"So long as there are consequences that may be brought to bear on entities and individuals with the power to change or modify how people use a given DeFi protocol implementation," the report states, "one can be sure that such power will, in fact, be used to avoid those consequences."
Future enforcement actions, then, will likely focus on those behind these "opaque operational models," the researchers say.
This aligns with revised cryptocurrency guidance from the Financial Action Task Force, an anti-money laundering watchdog that advises countries to identify individuals with "control or sufficient influence" over DeFi platforms.
The researchers say such controls are "inevitable" and "will ultimately benefit the sector," especially in rooting out instances of child abuse, terrorism and other crimes.