Navigating the Landscape of DeFi Exploits: Insights from our New Dashboard

A Closer Look at DeFi’s Breaches Through IntoTheBlock’s Interactive Dashboard

Juan Pellicer
IntoTheBlock
7 min read · Dec 14, 2023

Dashboard Link

The decentralized finance (DeFi) ecosystem is a labyrinth of innovation and complexity, presenting both novel opportunities and tough challenges at the same time. As part of our ongoing effort to demystify this domain, our Research team is proud to introduce a new dashboard in our suite of Perspectives focused on key metrics for analyzing DeFi exploits.

This tool, conceived from extensive analysis by the ITB Research team, offers a clear and detailed view of the various vulnerabilities plaguing the DeFi ecosystem.

Since 2016, the DeFi ecosystem has witnessed 123 incidents, leading to staggering losses totaling $58.78 billion. A breakdown of the value lost year by year paints a telling picture:

  • In 2016, the nascent stage of DeFi saw losses amounting to $60 million related to The DAO hack, an early indicator of the vulnerabilities in this emerging field.
  • By 2020, as DeFi started gaining more traction, losses escalated to $157.20 million, underscoring the growing pains of a rapidly expanding industry.
  • The following year, 2021, marked a significant surge, with losses mounting to $3.96 billion. This spike reflected both the increasing adoption of DeFi and the sophistication of exploits.
  • The year 2022 witnessed the most dramatic increase, with an alarming $53.58 billion lost, led by Terra’s collapse.
  • In 2023, though still significant, losses decreased to $1.02 billion, possibly indicating a maturation in security protocols and a better understanding of risk management in DeFi.

Dashboard Link

The Terra Collapse: A Case Study in Systemic Risk

The Terra/Luna crisis serves as a reminder of the fragility still inherent in certain aspects of DeFi. The loss of over $50 billion was unprecedented and on par with some of the largest financial debacles in history. It was precipitated by the depegging of the TerraUSD (UST) stablecoin, which not only affected individual and institutional investors but also induced a liquidity crisis across the entire cryptocurrency landscape. This incident put in focus the need for greater diligence and risk management in novel DeFi mechanisms.

Here is a breakdown of the value lost per quarter, in which the Terra loss stands out in particular. Since then the trend has remained variable, with the amount lost per quarter oscillating within a six-figure band:

Dashboard Link

Technical Vulnerabilities: The Predominant Threat

DeFi protocols face two principal categories of attacks: economic and technical. Economic exploits manipulate protocol parameters for undue gains, while technical exploits target the programmatic functions of protocols, often leading to unauthorized fund withdrawals. Our dashboard provides an in-depth look at these vulnerabilities, helping users understand and navigate these risks.

Our findings underscore that technical vulnerabilities are the major source of DeFi exploits. Most of these vulnerabilities arise from issues within smart contracts, a large portion of which are written in Solidity. The intricacies of Solidity contracts, especially the complex interactions between them, often give rise to unforeseen edge cases or security oversights. Predominant among these are reentrancy attacks and integer arithmetic issues like overflow and underflow. It has been so far quite common to see up to 10 different technical security issues per quarter:

Dashboard Link

Private Key Compromises: A Common Attack Vector

Another critical vector in DeFi exploits is the compromise of private keys. Key management matters because private keys act as cryptographic ‘passwords’ that control the funds deposited in smart contracts. Concentrating that control in one or a few key holders creates a single point of failure susceptible to human error, phishing, or security breaches.

The Ronin hack, executed in March 2022, stands as one of the most substantial key compromises in the sector. Attackers infiltrated the Ronin Network, crucial for the game Axie Infinity, by exploiting private key vulnerabilities, leading to an unauthorized withdrawal of around $624 million.

The loss or unauthorized use of these keys is not just a security breach but also contradicts the very ethos of DeFi’s decentralization. Our dashboard highlights in dark yellow the recurrence of large losses incurred through such compromises, emphasizing the need for better key management practices among many DeFi protocols.

Dashboard Link
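The single-point-of-failure problem described above has a standard structural mitigation: require approvals from a threshold of independent signers before funds can move, so that one compromised key is not enough. The following is an added Solidity sketch of that pattern, written for this page rather than taken from the article or from any protocol it mentions; the contract name and the proposal/approval API are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; hypothetical contract, not from the article or any named protocol.
// A treasury whose withdrawals need `threshold` distinct signer approvals instead of
// a single owner key, so the compromise of one key cannot move funds on its own.
contract ThresholdTreasury {
    address[] public signers;
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;

    struct Proposal {
        address to;
        uint256 amount;
        uint256 approvals;
        bool executed;
        mapping(address => bool) approvedBy; // each signer counts at most once
    }

    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    event Proposed(uint256 indexed id, address indexed to, uint256 amount);
    event Approved(uint256 indexed id, address indexed signer, uint256 approvals);
    event Executed(uint256 indexed id);

    constructor(address[] memory _signers, uint256 _threshold) {
        // threshold > 1 is the whole point: a single key must never suffice
        require(_threshold > 1 && _threshold <= _signers.length, "bad threshold");
        for (uint256 i = 0; i < _signers.length; i++) {
            require(_signers[i] != address(0) && !isSigner[_signers[i]], "bad signer");
            isSigner[_signers[i]] = true;
            signers.push(_signers[i]);
        }
        threshold = _threshold;
    }

    receive() external payable {}

    modifier onlySigner() {
        require(isSigner[msg.sender], "not a signer");
        _;
    }

    function propose(address to, uint256 amount) external onlySigner returns (uint256 id) {
        require(to != address(0), "bad recipient");
        id = proposalCount++;
        Proposal storage p = proposals[id];
        p.to = to;
        p.amount = amount;
        emit Proposed(id, to, amount);
    }

    function approve(uint256 id) external onlySigner {
        require(id < proposalCount, "unknown proposal");
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!p.approvedBy[msg.sender], "already approved");
        p.approvedBy[msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender, p.approvals);

        if (p.approvals >= threshold) {
            p.executed = true; // mark executed before the external call
            (bool ok, ) = p.to.call{value: p.amount}("");
            require(ok, "transfer failed");
            emit Executed(id);
        }
    }
}
```

The design point is that the threshold, not the signer list, is the security parameter: a stolen key can propose and approve, but cannot reach `threshold` alone, and the per-signer `approvedBy` map prevents one key from counting twice. Production deployments typically add signer rotation and a timelock so that an approved withdrawal can still be observed and vetoed before it executes.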

Lending Protocols vs. DEXs: A Comparative Risk Analysis

Different protocols in DeFi are exposed to different risks. Lending DeFi protocols generally carry higher risks compared to decentralized exchanges (DEXs) due to their inherent operational complexities and exposure to multiple risk factors. Lending protocols are exposed to risks like liquidity crises, where a sudden market downturn can lead to mass loan defaults or an inability to withdraw deposits. Additionally, lending protocols are more susceptible to smart contract vulnerabilities and oracle failures, as they often rely on external price feeds for collateral valuation. In contrast, DEXs primarily facilitate asset swaps, with risks largely confined to impermanent loss and less complex smart contract vulnerabilities, making their risk profile generally lower than that of lending protocols.

Our analysis indicates that lending protocols in DeFi are more susceptible to risks than decentralized exchanges (DEXs), but not by much. Moreover, we have recently seen a surge in DEX vulnerabilities, led by the Curve Finance exploit, caused by a compiler bug in the Vyper programming language, and the KyberSwap exploit, caused by a flaw in its concentrated liquidity mechanism:

Dashboard Link

The Role of Auditors: One Line of Code at a Time

The meticulous work of DeFi auditors is crucial in safeguarding the DeFi ecosystem. By thoroughly reviewing and evaluating smart contracts, they play a pivotal role in preventing financial losses arising from vulnerabilities. Our dashboard acknowledges and highlights the importance of these professionals in the DeFi space.

For example, losses at audited protocols totaled $54.21 billion across 74 incidents, but only $2.95 billion of that fell within the scope of the audits, highlighting how common attack vectors often lie outside the scope of traditional smart contract technical reviews. Losses at unaudited protocols were lower at $4.57 billion from 49 incidents, suggesting smaller-scale exploits, or less secure systems that are simply not audited. Additionally, $51.26 billion in losses across 17 incidents were classified as ‘out of scope’. Although this might seem very odd at first, it can be explained by several key factors:

  • Non-Technical Issues: Auditors primarily focus on technical aspects like functional logic validation and smart contract vulnerabilities. Issues stemming from governance decisions, economic model flaws, or user errors are typically not within their scope.
  • Scope Limitation of Audits: Audits usually have a defined scope, focusing on specific aspects of a project. Vulnerabilities outside this scope, such as those in peripheral systems or integrations with other platforms, might not be detected.
  • Post-Audit Changes: Projects might introduce changes to their code or operations after an audit, which could introduce new vulnerabilities not covered in the original audit.
  • Protocol Decision: Ultimately, each protocol determines which parts of its codebase undergo auditing. Consequently, it may opt to exclude certain critical components from the audited code.

Dashboard Link

The relationship between DeFi incidents and auditor performance is a complex one. Our dashboard illustrates how certain auditing companies have higher incident counts than others, although one might argue that this does not necessarily prove a lack of quality. Often, these numbers simply reflect the volume of audits conducted. This insight urges a more nuanced approach to assessing auditor performance in DeFi, beyond the usual indicators such as the amount lost under their audits or the number of exploited protocols they had audited.

The ITB Research Team’s Methodology

This dashboard is designed to offer a clear and detailed view of the research conducted by the ITB Research team. For over a year, we have been deeply analyzing the DeFi ecosystem, focusing on identifying and understanding the nature of various exploits. Our methodology not only quantifies these security breaches but also provides a qualitative analysis, using Rekt News and DeFiLlama as primary data sources.

Our research is only focused on the DeFi ecosystem. As such, we intentionally exclude data related to attacks on centralized exchanges (CEXs), phishing incidents, or cases involving impermanent loss. This specificity ensures that our analysis remains relevant and targeted to the dynamics of DeFi protocols.

We are committed to maintaining the relevance and accuracy of this dashboard, and we plan to refresh our findings every quarter. Please be aware that the information we provide, while meticulously researched, should be used with an understanding of its limitations. The data provided is a critical tool for understanding risks in the DeFi space, but it should be part of a comprehensive risk assessment strategy. We caution against using this information as the sole basis for making investment or security decisions.
