An unregulated corner of the cryptocurrency industry once touted as the future of finance is facing an investor exodus after two high-profile hacking incidents sparked concerns about the safety of “decentralised” projects.
Nearly $14bn has been pulled from the so-called decentralised finance space, according to data firm DefiLlama, after North Korean-linked hackers stole $290mn from Aave, the largest lender in the sector, triggering an industry bailout. That came just weeks after hackers stole $280mn from DeFi exchange Drift last month.
The episodes mark a big blow for DeFi, where automated contracts are used to replace traditional intermediaries, such as banks and brokers, and where the security of the underlying blockchains is seen as critical. It also comes as traditional financial institutions explore the adoption of blockchain technology.
“The fallout is severe,” said Lucas Tcheyan, research associate at crypto group Galaxy, adding that the hacks “undermine[s] arguments that crypto offers a safer and more transparent alternative to legacy financial rails”.
DeFi enjoyed explosive growth in 2020 during what insiders dubbed “DeFi summer” — a period of rapid development that saw the market’s estimated size grow from less than $1bn to about $180bn by 2021. The sector, which aims to make finance accessible, has expanded into an interconnected network of financial applications.
But those connections have been exposed as a liability after hackers targeted a weak link, almost leading to Aave’s collapse. The market has shrunk to about $86bn since then, close to its lowest point in a year.
On April 18, North Korean-linked hackers stole roughly $290mn worth of a token linked to a coin called ethereum from KelpDAO, a venue that allows users to earn higher rewards by lending their tokens without locking them up. Thieves used that as collateral to borrow from Aave.
The ploy left Aave with up to $230mn in bad debts and led high-profile crypto figures, including the co-founder of Ethereum Joseph Lubin and crypto billionaire Justin Sun, as well as infrastructure companies LayerZero and Mantle, to orchestrate a recovery in order to prevent a cascading crisis.
Stani Kulechov, founder and chief executive of Aave, said the sector suffered “a substantial stress test”, adding that the bailout “was about restoring the whole state of DeFi, avoid[ing] contagion and ensuring that the whole ecosystem overcome[s] this incident, not solely Aave”.
Many see the bailout as antithetical to the spirit of DeFi and the disillusionment with traditional finance that fuelled its growth. Supporters have often cited government bailouts of big banks during the 2008 global financial crisis as evidence of the failures of mainstream finance and a reason for their belief in the decentralised sector.
The bailout revealed these companies are “feigning decentralisation”, said Adam Morgan McCarthy, senior research analyst at crypto analytics company Kaiko.
“It’s realistically 12 to 20 men who have been in crypto for 20 years who have a vested interest in keeping each other’s thing alive so the price of theirs doesn’t go down,” he added.
Most DeFi projects have seen the prices of their tokens — a sign of how traders and the wider sector value their projects — decline recently. Aave’s token is down 20 per cent since April 18 and 50 per cent over the past year, while exchange Uniswap’s token is down about 34 per cent on a year ago.
The falls cast doubt over the future of a sector that so far has birthed few successful business models. Among those to have bucked the trend are Hyperliquid — a trading platform that has seen users flock to its oil derivatives in the wake of the war in Iran — and prediction markets platform Polymarket.
Polymarket operated in the unregulated DeFi space for years but is facing increased scrutiny over alleged insider trading and a number of suspiciously well-timed bets. US authorities recently charged a soldier for placing bets on the platform related to information about the capture of Venezuela’s leader.
In a sign of the pressure on Polymarket to move away from its decentralised roots, it has since announced a partnership with an analytics firm to provide more oversight on the platform.
The latest hacks are likely to add to scepticism of the sector among lawmakers and regulators. US senators, including Elizabeth Warren and Bernie Sanders, had already introduced legislation opposing government bailouts for crypto companies in the event the industry suffered a crash.
The head of the world’s biggest crypto tracing company, Chainalysis, last year told the FT that DeFi groups faced serious risk of cyber attacks as they had not prioritised ensuring their platforms were secure.
Senators are now advancing a sweeping bill that sets out a market structure for the entire crypto industry. Protections for developers in DeFi have been a sticking point in negotiations over the legislation, which would establish rules for centralised players who interact with the DeFi space.
Some commentators also warn that recent advances in AI and quantum computing pose further threats to DeFi.
Hackers had become far better at spotting vulnerabilities in the sector, said Friederike Ernst, co-founder of Gnosis, a decentralised technology firm, adding that the latest hack may have been aided by AI.
“People in the ecosystem need to understand: we’re easy targets,” she said. “The guardrails aren’t yet in place. It’s a dangerous time to be in DeFi.”








