Report: ‘Centralisation Issues’ Are Biggest Culprits of DeFi Attacks

A recent report by blockchain security firm CertiK has revealed that in its analysis of 1,737 decentralised finance (DeFi) projects, centralisation was the primary reason behind the vast majority of hacks, exploits and scams.

The amount of funds lost in DeFi in 2021 more than doubled the amount lost in 2020.

Security in this space has never been more important

— CertiK (@CertiK) January 11, 2022

DeFi in 2021: Losses vs Market Cap

According to the report, 2021 witnessed US$1.3 billion in crypto lost to 44 hacks, exploits or scams. This was approximately US$500 million more than 2020, however it is worth noting that 2021’s losses represent 0.05 percent of crypto’s total market capitalisation, compared to 2020 which was 17 percent.

While the percentage of total market capitalisation lost to hacks and exploits decreased in 2021, the rise in value locked meant the dollar value lost was greater than in 2020. This is a definite step forward, but it shows that the ecosystem still has progress to make before DeFi feels like a safe place in which to deploy capital.

CertiK Report

CertiK noted that the majority of DeFi platforms exploited in 2021 were unaudited, a fact it found “disappointing” and which “highlights the amount of work to be done before DeFi is seen as a secure place to invest and innovate in”.

Nonetheless, DeFi’s incredible growth, in excess of 1,000 percent, “reflected the persistent demand for security solutions in a rapidly expanding industry”.

DeFi by Name Only?

DeFi’s raison d’etre is to make financial products more readily accessible to a broader audience through distributed ledger technology. This suggests that it exists to specifically disintermediate middlemen such as brokerages, exchanges, or banks. However, as noted in the report, centralisation issues lay at the heart of most DeFi exploits:

By far the most common vulnerability found was centralisation risk. Single points of failure can be exploited by dedicated hackers and malicious insiders alike.

CertiK Report

To illustrate, as reported by Crypto News Australia, DeFi protocol bZx was exploited for more than U$55 million in November as the result of private key mismanagement. This was an example of privileged ownership (found in 76 out of 1,737 audits) that allowed the attacker to gain complete control of all contracts the key controlled.

As CertiK quite correctly notes:

Centralisation is antithetical to the ethos of DeFi and poses major security risks.

CertiK Report

Despite its promise and total value in DeFi increasing tenfold in 2021, the innumerable instances of DeFi hacks, leaks, exploits and breaches, as well as clear evidence of centralisation, suggests that DeFi in its current form remains some way out from achieving its intended goal of finance for everyone.

Agreed but I wonder how solvable that problem is ?

Defi’s claim is to be “Finance for everyone” but currently it’s finance for people who can read smart contracts or trust “centralised” auditing firms

— Hardisk (@Hardisk) December 12, 2021