As the U.S. financial community increasingly embraces (and legitimizes) cryptocurrency, it is also embracing new forms of operation — specifically decentralized finance, or DeFi, where there is no central intermediary as is typical in conventional financial systems.
In some ways, proponents have argued, this may spread potential threat risk. But, as a recent pair of major cyberattacks on crypto platforms could attest, it is more likely that these DeFi platforms present more risk, at least in the short term.
Earlier this week, cryptocurrency trading platform BitMart confirmed Dec. 4 that cyber-thieves had made off with $150 million; and hackers stole $120 million from the BadgerDAO crypto network, another DeFi platform, on Dec. 1. In the BitMart case, the company said in a prepared release that the hack was caused by a stolen private key, linked to at least two active wallets. It appears that the BadgerDAO theft is likely also due to a compromised key in the network’s user interface, not in the core protocol contracts on blockchain.
For Dominic Williams, founder and chief scientist at Dfinity, a Swiss nonprofit organization that develops the Internet Computer, a decentalized open-source blockchain, these recent attacks “couldn’t be a more clear-cut example of why DeFi services need to move away from Web2 interfaces.”
“The legacy services are still susceptible to legacy exploitation,” Williams said. “If you need this API to interact with a blockchain, you lose the benefits of a trustless, decentralized service. For DeFi to truly 'work,' it needs to be done wholly on-chain.” The problem, he contended, is that most currently deployed chains lack the “scaling and versatility needed to make this a reality.”
DeFi lending protocols have become popular of late because speculators typically see far higher yield opportunities on platforms like BadgerDAO, as compared with centralized cryptocurrency platforms like BlockFi and Celsius. (That said, Celsius confirmed it also lost millions in the BadgerDAO hack, as these platforms often work together.) And, as always, cybercriminals follow the money.
In the case of both attacks, critics point out that this underscores the overwhelming need for these networks to utilize multi-factor authentication, to better protect against these old-school attacks BadgerDAO and BitMart are among the top cryptocurrency attacks in the past year, but they’re far from the only ones — or even the largest. In early August, cybercrooks stole more than $600 million in cryptocurrency from Poly Network, making it the largest theft so far in the DeFi financial sphere, according to Saket Modi, CEO and co-founder or Safe Security, adding that “attacks on decentralized finance platforms are rising sharply.”
“Financial services organizations implementing decentralized finance must be cautious of IT security concerns, especially in the absence of regulations, which are otherwise extremely stringent in the space,” Modi said, adding that FSIs can benefit from adopting platforms that use data science and risk quantification models to monitor the severity of vulnerabilities in real-time. “Financial services organizations also need to understand their top risks and potential impacts to make data-driven decisions to mitigate such risks.”
Paul Bischoff, privacy advocate with Comparitech, said that the BitMart hack ranks as only the sixth largest cryptocurrency heist, and BadgerDAO as the ninth largest, in terms of the amount of funds lost. “Although blockchains are reasonably secure and reliable, the same isn't always true for the exchanges where people buy, sell, and trade crypto,” Bischoff pointed out.
“Exchanges, even though they function like banks, are not insured by the FDIC or other agencies,” Bischoff said. “If the exchange loses assets that belong to its customers via an external hack or inside job, customers might have no recourse to recover their funds.”
Indeed, black-hat hackers have reportedly stolen at least $10.5 billion this year from DeFi-based platforms worldwide — with overall losses tallied at well over $12 billion in total — seven times as much as last year, according to Elliptic, a London-based firm that tracks digital ledgers and cryptocurrencies. (And, it’s important to note: That estimate was released in mid-November, before the BadgerDAO and BitMart heists were even announced.)
In the end, industry experts say, the world of decentralized finance is a trade-off: In exchange for freedom from government regulation, monitoring and the potential for greater competition and upside, these platforms are quite a bit riskier than most conventional financial instruments. But, according to Beyond Protocol CEO Jonathan Manzi, the “emergence of DeFi represents a paradigm shift in the world of finance.” And it is a sea change which is likely to affect the financial industry in general.
“One one hand, it’s given millions access to flexible loans, high-yield savings, and other sophisticated investment products without the regulatory barriers associated with traditional finance,” Manzi said, pointing out that factors such as credit score, employment verification and other forms of financial scrutiny are “irrelevant in DeFi, viewed as oppressive and obsolete by crypto maximalists.”
“Opportunity is not without cost, however , and with freedom and upside comes significant responsibility and risk,” Manzi said. “The aforementioned regulatory vacuum in DeFi has created what many term as an ‘anything goes, wild west’ atmosphere. And they’re not wrong.”