Elliptic’s report “DeFi: Regulation, Compliance and the Growth of DeCrime” describes how, as of November 2021, some US$12B equivalent in losses have been suffered by DeFi users and investors. The principal explanation: malicious exploitation of flaws in decentralised applications (DApps) such as decentralised exchanges (DEXs), lending protocols and asset management offerings.
Such losses include direct loss of funds stolen from DApps, as well as losses suffered by holders of tokens associated with those protocols. (Elliptic is a provider of cryptoasset risk management solutions, like Discovery.)
Tom Robinson, Elliptic’s Chief Scientist: “The DeFi ecosystem is an incredibly exciting and fast-moving space, with financial services innovation happening at light speed. This is attracting large amounts of capital to projects that are not always robust or well-tested. Criminal actors have seen the opportunity to exploit this.
“Decentralised apps are designed to be trustless in that they eliminate any third-party control of users’ funds. But you must still trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds.”
Elliptic’s definition of DeFi
If you need to borrow money for a house, obtain insurance for your car or send money to your family overseas, you generally do so through intermediaries. It could be a bank, money remittance company or insurance broker. These intermediaries provide efficiency and convenience.
Arguably, it is in their economic interest to stifle innovation and restrict access to those who need financial services the most. For example, banks earn more than half of their revenues by acting as intermediaries in credit markets. They take assets from those willing to lend and, in turn, lend them to those wanting to borrow them.
Decentralised Finance (DeFi) lending and borrowing allows centralised intermediaries such as banks to be replaced with automated, decentralised, non-custodial DApps. Here DeFi refers to the use of platforms – such as Ethereum – which:
- offer an alternative financial system that is open for anyone to use
- allow centralised intermediaries to be replaced by decentralised applications (DApps).
Over the past two years, the DeFi ecosystem has flourished. DApps offering decentralised lending, exchange, asset management and derivatives have gained significant traction. The ‘total value locked’ (or TVL), a measure of the liquidity of DeFi services, has increased from $500M in November 2019 to just over $247B at the end of 2021.
Theft and problems in DeFi
Wherever there are concentrations of value, there will be crime. DeFi is no exception. With >$247B stored in DeFi protocols, this represents a tempting target for hackers. Equally, the deep pool of liquidity attracts money launderers.
One of the main motivations behind DeFi is the removal of third-party control of users’ assets. Instead of a service provider taking custody of your funds in order to provide financial services, a smart contract holds them. The funds only move according to the rules set out in the contract’s code (which is auditable by the DApp’s users).
Nevertheless, billions of dollars in cryptoassets are still disappearing from DApps. According to the Elliptic research, many DApps have bugs or design flaws. These are then exploitable by third parties.
In parallel, some DApps are fraudulent by design – having backdoors with the hidden purpose of stealing users’ funds. Indeed, it is possible to categorise the types of theft as falling into two principal ‘classes’:
- direct losses – funds stolen from a DApp, resulting in losses for its users
- protocol losses – losses in the value of tokens linked to a DApp (for example, governance tokens) as a result of the fraud.
There are, then, two main types of exploit according to the report:
- code exploits
- economic exploits.
The first type of bug is a coding error in one of the smart contracts that make up a DApp. As with other types of software, a single character out of place can have huge consequences — and in the case of DeFi, loss of users’ funds. Losses of cryptoassets due to exploitation of these bugs are ‘code exploits’ – see the example (from the report) below.
Economic exploits involve errors in the design of a DeFi service rather than the actual code. By exploiting ‘loopholes’ in the way a DApp operates, users can secure profits when using it (hence ‘economic exploits’). Because many DApps are ‘composable’ by design, they combine with other DApps (the ‘money lego’ concept). Such combinations can create new loopholes that did not exist for the individual DApps. This makes economic exploits complex as well as difficult to diagnose.
According to Elliptic, “one of the most common types of economic exploit involves manipulating asset prices in order to take advantage of arbitrage opportunities on DeFi services that would not otherwise have existed. The arbitrage is often conducted using assets obtained through large ‘flash loans’ — unsecured crypto loans that can be borrowed and repaid very quickly — over the course of a single transaction.”
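As an added illustration (constructed here, not taken from the Elliptic report), the following Python model shows why a lending DApp that values collateral from a DEX spot price can be fooled inside one transaction, and how checking that quote against a slower reference price (a TWAP or an external oracle) rejects the manipulated reading; the pool, token names and numbers are all made up.

```python
"""Toy single-transaction price manipulation (constructed example, not from
the Elliptic report) and the reference-price check that defends against it."""
from dataclasses import dataclass

@dataclass
class ConstantProductPool:
    """Minimal Uniswap-v2 style DEX pool: reserve_a * reserve_b is invariant."""
    reserve_a: float
    reserve_b: float

    def spot_price_b_in_a(self) -> float:
        """Marginal price of one unit of B, denominated in A."""
        return self.reserve_a / self.reserve_b

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns the B paid out (fees ignored)."""
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        out_b = self.reserve_b - k / self.reserve_a
        self.reserve_b -= out_b
        return out_b

def naive_collateral_value(pool: ConstantProductPool, collateral_b: float) -> float:
    """Flawed design: value collateral at whatever the DEX quotes right now."""
    return collateral_b * pool.spot_price_b_in_a()

def guarded_collateral_value(pool: ConstantProductPool, collateral_b: float,
                             reference_price: float, max_deviation: float = 0.05) -> float:
    """Hardened design: refuse a spot quote that strays from a slow reference
    price (a TWAP or an external oracle) by more than max_deviation."""
    spot = pool.spot_price_b_in_a()
    if abs(spot - reference_price) / reference_price > max_deviation:
        raise ValueError(f"spot {spot:.2f} deviates from reference {reference_price:.2f}")
    return collateral_b * spot

def simulate_flash_loan_manipulation(collateral_b: float = 10_000.0) -> dict:
    """Replay the pattern the report describes inside one 'transaction'."""
    pool = ConstantProductPool(1_000_000.0, 1_000_000.0)  # constructed: 1 B = 1 A
    reference = pool.spot_price_b_in_a()  # price a TWAP/oracle saw before this tx
    # Flash-loaned A is dumped into the pool, so B looks 4x dearer for a moment.
    pool.swap_a_for_b(1_000_000.0)  # reserves: 2_000_000 A, 500_000 B
    naive = naive_collateral_value(pool, collateral_b)  # inflated to 40_000 A
    try:
        guarded_collateral_value(pool, collateral_b, reference)
        rejected = False
    except ValueError:
        rejected = True  # the loan is repaid at tx end, but the check already fired
    return {"reference_price": reference, "manipulated_spot": pool.spot_price_b_in_a(),
            "naive_value": naive, "guarded_rejected": rejected}
```

The same swap reversed at the end of the transaction restores the pool, which is why a price read only from the pool at that instant is worthless as collateral valuation while a reference taken outside the transaction still flags it.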
Enterprise Times: what does this mean
The Elliptic report on DeFi is an intelligible and valuable read. For those not in the know, it provides a broad base of information and understanding.
Built on an open infrastructure, the attraction of DeFi is that it is usable by anyone with an internet connection. This promises far broader access to the financial services currently enjoyed by a privileged few. It also means that anyone is free to innovate, to build their own financial services for a global market. In principle, this should increase choice and competition.
What should, however, alarm almost everybody is the following Elliptic statement: “Much of the code used in DeFi is open source, and many DApps use code that has been forked from that used by a single DApp. This means that a bug in the code of the original DApp can cascade and lead to losses from a number of different DeFi services.”