DeFi Hacks Have Decreased — Don’t Celebrate Just Yet

Thesis Defense Team, published in Thesis Defense, Mar 14, 2024 (5 min read)

By Shane Farrell
Marketing Lead

Chainalysis’ Crypto Crime Report always makes for an interesting read — and the 2024 edition doesn’t disappoint.

The headline finding was that “2023 saw a significant drop in value received by illicit cryptocurrency addresses, to a total of $24.2 billion” from $39.6 billion.

Source: Chainalysis Crypto Crime Report 2024

While that is undoubtedly good news, there are a few caveats to bear in mind. First, the lower figure is an estimate that is likely to increase as more data becomes available. Second, 2022 seems to have been an outlier year — a high point in crypto crime. 2023 is more in line with 2021 and significantly larger than previous years. Third, crypto markets were bullish for the first part of 2022. And as the authors note, there is a likely correlation between bullish prices and illicit activity in crypto: both savvy investors and conniving criminals delight in a bull market.

While the Chainalysis report covers a spectrum of illicit activity in crypto, the focus of this blog — and that of Thesis Defense more generally — is on-chain security. In other words, security issues that stem not from user behaviour but rather are linked to how code is written. Within these parameters, three observations stood out:

1 Some Chains Are More Susceptible To Hacks Than Others

Halborn, a security company specializing in web3 and blockchain solutions that is cited in the Chainalysis report, reports that Ethereum Virtual Machine (EVM)-based chains and Solana are among the most targeted chains.

The company doesn’t have public data for 2023, but their 2022 findings are indicative. In that year, Ethereum accounted for approximately half of all attacks in DeFi, followed by Binance Smart Chain (now known as BNB Smart Chain) at 22%, Polygon at 10% and Solana at 6%.

So what accounts for this targeting of EVM-based chains? Two reasons cited in the Chainalysis report are: the popularity of the EVM-based chains and their capacity to execute smart contracts.

It’s true. The overwhelming majority of total value locked (TVL) in DeFi is on EVM-based chains. DeFi would hardly exist without smart contracts. But smart contracts, which automatically execute the terms of a contract without the involvement of third parties, need to be very well written and rigorously audited, as they can be susceptible to hacks.

But there is another factor. “Attacks that are successful on one EVM-based chain are likely to work on another EVM chain since they are similar under the hood,” according to Thesis Defense’s Senior Project Manager Bashir Abu Amr. From an attacker’s perspective, it makes sense to target multiple chains with a similar methodology and see what works.

2 Prioritize Growth Over Security At Your Peril

The Crypto Crime Report’s second observation resonates strongly with our experiences at Thesis Defense: a recurring issue where protocol operators prioritize growth over the crucial implementation and maintenance of robust security systems.

There is no doubt that building projects that offer real value to customers and could bring you tremendous personal success is exciting. But these ambitions must be balanced with a solid security foundation. That is why we strongly encourage projects to take a ‘security by design’ mindset, where security is baked into the design of a project rather than a nice add-on once the project is close to completion. Like a house built on a poor foundation, solving the problem at the end can be more time-consuming and costly than at the beginning.

Besides adopting a security mindset, projects can undergo security audits from expert auditors in line with security best practices. However, the reality is that only a fraction of projects do so. Indeed, in their 2023 Security Report, security auditing firm Hacken reveals that “In 2023, only 10% of exploited contracts underwent any form of audit, and merely half of these were relevant, matching the deployed blockchain code.”

Source: Hacken Security Report 2023
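The Hacken figure above makes a point that is easy to overlook: an audit is only useful if the audited code is what actually runs on-chain. The following is an added example, not code from the original post or from Thesis Defense or Hacken, that shows the kind of check a team can run before (or after) deployment. It assumes you can obtain the deployed contract’s runtime bytecode (for example, from an `eth_getCode` call) and the runtime bytecode compiled from the audited commit; both are constructed hex strings here so the check runs offline. Solidity appends a CBOR metadata trailer to runtime bytecode whose hash changes with source paths and compiler settings even when the logic is identical, so the trailer is stripped before comparing.

```python
"""Check whether an audited build matches the deployed runtime bytecode.

Added example (not part of the original post). Inputs are constructed
byte strings standing in for (a) the runtime bytecode compiled from the
audited commit and (b) the runtime bytecode fetched from the chain.
"""
import hashlib


def strip_cbor_metadata(runtime: bytes) -> bytes:
    """Remove the Solidity CBOR metadata trailer, if one is present.

    Solidity ends runtime bytecode with a CBOR-encoded metadata map
    followed by a 2-byte big-endian length of that map. The map header
    is 0xa1..0xa3 (one to three keys such as "ipfs"/"bzzr1" and "solc").
    The trailer is excluded from comparison because it differs between
    otherwise identical builds.
    """
    if len(runtime) < 2:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        return runtime  # no plausible trailer
    trailer = runtime[-(meta_len + 2):-2]
    if trailer[:1] not in (b"\xa1", b"\xa2", b"\xa3"):
        return runtime  # last two bytes are not a metadata length
    return runtime[:-(meta_len + 2)]


def fingerprint(runtime_hex: str) -> str:
    """SHA-256 of the runtime bytecode with the metadata trailer removed."""
    code = bytes.fromhex(runtime_hex.lower().removeprefix("0x"))
    return hashlib.sha256(strip_cbor_metadata(code)).hexdigest()


def audit_matches_deployment(audited_hex: str, deployed_hex: str) -> bool:
    """True when the audited build and the deployed code agree byte-for-byte
    once compiler metadata is ignored."""
    return fingerprint(audited_hex) == fingerprint(deployed_hex)


# --- constructed sample data (not real contracts) -------------------------

def constructed_trailer(ipfs_digest: bytes) -> bytes:
    """Build a CBOR map {"ipfs": <34-byte digest>, "solc": 0x000813}
    plus its 2-byte length, mimicking the Solidity trailer layout."""
    body = (b"\xa2"
            + b"\x64ipfs" + b"\x58\x22" + ipfs_digest
            + b"\x64solc" + b"\x43\x00\x08\x13")
    return body + len(body).to_bytes(2, "big")


# A short constructed EVM prologue standing in for the contract logic.
CORE = bytes.fromhex("6080604052348015600f57600080fd5b50")

# Audited build and deployed code: identical logic, different metadata.
AUDITED_HEX = "0x" + (CORE + constructed_trailer(b"\x12\x20" + bytes(range(32)))).hex()
DEPLOYED_SAME_HEX = "0x" + (CORE + constructed_trailer(b"\x12\x20" + bytes(range(32, 64)))).hex()

# Deployed code with one extra opcode inserted after the audit (constructed).
DEPLOYED_CHANGED_HEX = "0x" + (CORE + b"\x5b" + constructed_trailer(b"\x12\x20" + bytes(range(32, 64)))).hex()


if __name__ == "__main__":
    print("unchanged deployment matches audit:",
          audit_matches_deployment(AUDITED_HEX, DEPLOYED_SAME_HEX))
    print("modified deployment matches audit:",
          audit_matches_deployment(AUDITED_HEX, DEPLOYED_CHANGED_HEX))
```

Running the block prints `True` for the deployment that only differs in metadata and `False` for the one whose logic was changed after the audit. In practice the same comparison should be repeated for every upgradeable proxy’s current implementation, since an audit of the original implementation says nothing about a later upgrade.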

Clearly, there is a long way to go before security is prioritized to the levels it should be in crypto. But as I’ll explain in the next section, things are moving in the right direction, and that should be acknowledged.

3 DeFi Hacks Have Dropped — But It’s Too Soon To Say Why

Despite the challenges, the recent data offers grounds for optimism.

As the Chainalysis report notes, “Both the drop in raw value stolen from DeFi, and the relative decline in on-chain vulnerability-driven hacking over the course of 2023 suggests that DeFi operators may be getting better at smart contract security.”

The reason for this cautious framing is that, as stated previously, the drop in the number and value of hacks in 2023 is no doubt influenced by the relative drop in the value of crypto in that year. To put things in perspective, Crypto’s market cap started 2022 at $2.31 trillion and ended the year at just $829 billion.

From Abu-Amr’s vantage point, the bear market in 2023 definitely contributed to a drop in on-chain hacks. However, he believes the improvement in DeFi security standards is possibly the more convincing explanation: “I think that the main reason is that we know now how to better deal with and safeguard against DeFi vulnerabilities, at least the ones we know.”

Conclusion: 2024 Will Be a Telling Year

As it stands, there simply isn’t enough data to determine the extent to which security standards are improving. No doubt, Chainalysis’ 2025 report will go some way towards answering that question. Save for a massive correction, we have now entered a crypto bull market — and we fully expect a bump in the number of crypto hacks. But will it be below 2022? Well, that’s the hope.

But regardless of the numbers, crypto as an industry still has a long way to go before security best practices are adopted across projects. As well as designing projects from a security perspective and keeping alert to new threat vectors, the number of projects seeking expert security audits is still shockingly low. Moreover, the motivation for projects seeking audits is not always security-driven. In fact, the unspoken reality is that many — but thankfully not all — projects seek audits more to satisfy funders and investors, than because they are security-minded. This is changing. But there is still a lot of work to be done.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors has carried out hundreds of security audits for decentralized systems across a number of technologies including smart contracts, wallets and browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems including Bitcoin, Ethereum and EVMs, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us at defense@thesis.co. For more information about Thesis Defense, visit us on our website, blog and X (Twitter).
