Michaël van de Poppe - 23 March 2022
DeFi growth and hacks
By now most of you probably already know what DeFi is. For those that don’t; DeFi is short for Decentralized Finance. It comprises all types of financial services, instruments, and products built on blockchain technology. Some examples are borrowing and lending, payments, (option) trading, asset management, insurance, staking, liquidity providing, and much more. DeFi brings the traditional finance world to the blockchain by providing alternative solutions that empower communities. The key thing about DeFi products and platforms is that they do not rely on central financial intermediaries. Whilst replacing the middleman by code, another key aspect of DeFi is to enhance capital efficiency. Due to its decentralized and open source nature, DeFi projects and platforms can build on top of each other bringing interesting products to the crypto markets.
DeFi blew up in the summer of 2020 due to a combination of decentralized Automated Market Makers and other yield-offering projects. The crypto industry was presented with a new way of earning income and due to the profitability it quickly became popular. In the past year the DeFi industry has significantly grown, although it also has seen some significant drawdowns. This post highlights the growth of DeFi over the past year, while also touching on the risks of exploits and hacks it brings with it.
The growth in DeFi can best be demonstrated by the Total Value Locked in DeFi protocols and products on the Ethereum mainnet. The chart below displays Gross Value Locked (GVL) and Net Value Locked (NVL) with the NVL excluding assets that are double-counted in multiple protocols. Year to date the NVL has grown exponentially (although this chart may not show that), from $13bln to $62bln. More and more retail investors and institutions are recognizing the value of DeFi and the potential it has to change the financial landscape.
An example is Grayscale, the largest provider of crypto investment trusts to institutional investors with over $40bln Assets Under Management (AUM). The company recently launched their own DeFi fund offering their customers to be exposed to the most popular DeFi tokens without having to buy the tokens directly. It is interesting to note that Uniswap makes up for over 50% of their holdings in their new fund.
Another very good example that reflects the growth and popularity of DeFi is Convex Finance. This project only launched in May this year, but already has captured a TVL of $6bln. Convex is built on top of Curve. The platform simplifies the process of liquidity providing and staking on Curve, while also boosting the returns. Convex is a really good example of the composability of DeFi and the benefit of capital efficiency it can bring to the crypto space.
Unfortunately, it isn’t all fairy tales and good news from DeFi. Due to the profitability and popularity of yield farming, and the lock-up of huge sums of money in decentralized protocols, malicious actors entered the scene as they too saw opportunities to earn large sums of capital. One of the more popular ways to steal money from users is infamously known as ‘rug pulls’. The malicious actor creates a coin or a yield-farm. He then goes on popular platforms to promote the product, once enough people are lured in he then either withdraws the liquidity or mints an infinite amount of new tokens to drain the liquidity pool of capital. This phenomenon started on Ethereum, but really became a widespread issue on the Binance Smart Chain in its glory days earlier this year. ‘Rug pulls’ are a problem without a real solution and continue to be a problem on all chains.
‘Rug pulls’ are done by the developer, who intentionally scams his investors. It also happens that third parties come in and steal funds or liquidity from a project. As projects rely on people to code smart contracts, there is always the chance that the security fails or that there are bugs in the code. Third parties can exploit those bugs and security flaws to get access to funds locked in the project and, subsequently, drain them. These risks are amplified by protocols building on top of each other, utilitizing the composability of DeFi, but also putting more users and funds at risk. Recently, defiyield released a webpage with a database of all major hacks and exploits. Not only is the total value in $ of the lost funds tracked, but one can also find more detailed information of how and when the exploit happened. As of writing over $2bln funds are lost and currently Polynetwork is taking the “crown” with a loss of $600mln. Eventually, after pressuring the hacker, the funds were returned.
With the growth of DeFi and the increased rate of exploits and hacks, crypto users were looking to protect themselves against these risks. Enter insurance tokens. These are blockchain-based insurance solutions which dedicate themselves to covering smart contract risk. The largest insurance provider is Nexus Mutual (NXM) with a market cap of almost $1bln. Users can join the mutual to become members and buy cover to protect themselves against hacks in smart contract code. On their tracker page you can find various metrics including ‘Active Cover Amount’, displaying how much Ether is covered historically. Right now it sits at $500mln, which translates to just over 0.5% of the TVL in DeFi. These stats show that insurance tokens are not the most popular, but from the graph we learn that it has grown significantly over time.
Another simple way to protect users from smart contract risk is through audits. In the past year there has been a surge in audit companies that are specialized in reviewing smart contracts on possible flaws. Even then, some flaws still slip through the cracks and audits cannot be trusted completely.
Other insurance protocols:
And even those protocols are prone to smart contract risk. On December 29, 2020, it was reported that Cover was exploited by various actors. Attackers found a way to mint a huge amount of new tokens and dumped those on the market, causing the price to plummet. Cover got rid of the old token and has released a new coin.
The rise of DeFi brought a lot of new attention, tools, and money to the crypto industry. All kinds of financial products and services were brought to the blockchain in a decentralized manner. As more and more people were using these products and money flowed into DeFi projects, malicious actors found ways to exploit smart contracts and steal those funds. In total, over $2bln has already been stolen, but it is probably way higher. As DeFi is here to stay, sadly so are exploits and hacks. A reminder to always take care of your security.
Since the inception of DeFi, insurance tokens and solutions have grown in popularity as users sought ways to protect themselves against smart contract risks. At the time of writing, Nexus Mutual is the largest blockchain insurance project and covers about 0.5% of the TVL in DeFi.
Insurance tokens and audits do not protect you completely from smart contract risks. Always make up your own evaluation of projects you want to invest in and never invest more than you are willing to lose. This is especially true in DeFi which is still a crypto ‘Wild West’. It may seem that there is a huge amount of money to be made in DeFi, but your money is always at risk.