DeFi is plagued by flagrant bugs leading to $10 million in losses over the past week
- Three DeFi protocols lost nearly $10 million of user funds in a week.
- The industry is still immature and vulnerable to exploits.
The past week brought a lot of excitement and a lot of grief at the same time. While Bitcoin traders celebrated the two-year high reached by the pioneer cryptocurrency and harboured aspirations for new records by the end of the year, DeFi players had to grapple with numerous hacks and exploits.
FXStreet previously reported that hackers stole $100 million from the DeFi sector since the start of the year; however, nearly $10 million were lost within the last seven days.
Percent, Akropolis and Value betray users' trust
On November 12, someone hacked the DeFi yield farming project Akropolis through an exploit that involved Curve and siphoned off about $2 million of users' funds in DAI tokens. Notably, the project developers claimed that their smart contracts had been audited twice, but the attacker still managed to use a flash loan scheme to drain Akropolis's YCurve and USD pools.
Akropolis (AKRO) dropped by 25% in a matter of hours and continued sliding down. At the time of writing, the token's price has settled at $0.009, down from $0.014 registered before the hack. The asset is ranked 365th, with a current market capitalization of $18 million.
Two days later, Value DeFi, another yield farming protocol, lost $6 million to hackers via the flash loan technique. Ironically, the team claimed that it had improved its vaults' security to withstand this type of attack.
According to Emiliano Bonassi, a so-called whitehat hacker and the co-founder of DeFi Italy, the hacker launched a complicated, multi-stage exploit using two flash loans taken from different lending protocols. Namely, they took 80,000 ETH on Aave and 116 million DAI on Uniswap, deposited them into Value DeFi's multi-stablecoin vault, and performed numerous swaps between USDT, USDC and DAI, exploiting a vulnerability in the vault's withdrawal method.
— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020
Before running away with the loot, the thief sent $2 million back to the protocol. Later on, a crypto trader, aka @CryptoDeFi137, noticed that the protocol creators were in talks with the hacker, asking them to return $5 million of user funds.
Value DeFi transaction details
The governance token of the project, VALUE, lost 25% immediately after the hack to trade at $2. At the time of writing, VALUE is changing hands at $2.15, having recovered 5% on a day-to-day basis. Based on the data provided on the project's official website, less than $1.5 million remains locked in the hacked Multistables Vault, down from $3 million right after the incident.
Percent Finance was not actually hacked. However, the protocol's users also lost nearly $1 million in USDC, WBTC and ETH. Their tokens were irretrievably frozen in smart contracts following an interest rate model update. The users were not able to do anything with their coins while the team was working on solutions to return the funds or compensate users for losses.
The price of the Percent Finance token (PCT) crashed by nearly 90% after the incident. At the time of writing, PCT is trading at $0.02, down from $0.14 on November 4.
Three lessons to be learned from the week of DeFi hacks
1. DeFi is an opportunity and a considerable risk at the same time
The skyrocketing popularity of the DeFi industry has exposed critical vulnerabilities in the DeFi ecosystem. Despite the explosive growth of the projects involved in decentralized finance, most of them are highly insecure and vulnerable to attacks.
Speaking in an interview with Laura Shin, host of the Unchained Podcast, Ethereum co-founder Vitalik Buterin noted that the interest rates in DeFi protocols are significantly higher than in traditional banks, and that people tend to underestimate the risks related to smart contracts. He also added that even audited and well-known platforms were not immune to hacks and errors.
2. DeFi tokens are vulnerable to losses
DeFi tokens earned by yield farmers can become useless in a matter of minutes. The experts drew parallels with the ICO boom in 2017 when the assets bought during the token sale underwent a standard boom-and-bust cycle. Most of them have zero value now, while their investors went broke.
Something similar is happening now in the DeFi industry, where even the tokens of well-established projects like Compound and Uniswap experienced a sharp price decrease from the levels registered at the launch.
3. The industry is a Wild West territory
DeFi is often touted as the future of the global financial system that will replace the legacy system with its clumsy and costly institutions. However, the industry is still at an early stage of its evolution. Being mostly unregulated, it offers scope for manipulation and wrongdoing. Meanwhile, users are not protected by anyone, meaning that they will be left alone with their losses in case of a hack, exit scam or code error. This is something to consider before rushing into a new red-hot project.