A series of sensational hacks, including the recent $610-million Poly Network heist, has triggered speculation that the frenetic pace of growth is making the DeFi (decentralized finance) space increasingly vulnerable. Powered by rising demand for funds outside the KYC net, the DeFi segment has been growing exponentially and is worth over $108 billion, according to an estimate by the DappRadar website. Given the frequency of the hacks, security is a growing worry for the DeFi community.
That the hackers returned the entire loot taken from Poly Network does not lessen the seriousness of the breach. It only magnifies the vulnerabilities of DeFi.
A gaping regulatory vacuum, inadequate security audit processes and a high pace of innovation are DeFi's main challenges. Experts suggest that slowing the pace of development would pay dividends, as the DeFi ecosystem is still maturing and will be a target for attackers.
A report by crypto intelligence firm CipherTrace said that DeFi hacks amounted to $360 million as of July (before the $600-million Poly Network episode in August). This was about 75% of all wealth lost to hackers in 2021, already a 2.7-fold increase over the whole of 2020. DeFi vulnerability fears are amplified by the fact that 54% of major crypto fraud in 2021 has been DeFi-related, an astronomical leap from 3% in 2020.
While the crypto world has been rattled by a series of high-profile DeFi hacks, there are some who see the worrisome development as a blessing in disguise. They see the proliferation of hacks as evidence of the necessity of more robust security. According to John Jefferies, the fact that an anonymous hacker can grab millions of dollars from unnamed people shows the system needs sturdier security. He considers any regulatory change requiring better KYC norms in decentralized exchanges (DEX) including DeFi as a positive step. Therefore, from the utilitarian point of view, hacks can have a positive impact on the segment.
Predictive risk and intelligence platform Merkle Science says the lack of KYC gives bad actors access to vast funding. The lack of KYC also pushes up financial risk and forces funding agencies to demand unusually heavy collateral.
The basic nature of DeFi as a decentralized platform apparently makes enforcing anti-money laundering (AML) laws difficult.
Unlike centralized exchanges (CEXs), DeFi protocols work differently from traditional financial systems, replacing intermediaries with smart contracts: self-sufficient code residing on blockchains. At no point do DEXs own users' funds, which would seem to make KYC pointless. However, DeFi protocols are at risk if the smart contract owner's security key is compromised. In such a case, the whole economy based on that protocol could be at risk, says Lior Lamesh, founder and CEO of cybersecurity company GK8. Lamesh is not a big fan of the supposed sanctity of DeFi protocols' decentralized nature. To him, they are not truly decentralized because of the control that the owner of the smart contract has over the processes.
Jefferies believes that at some point regulatory pressure is bound to lead to KYC and a cleanup of the DEX space. This is because, to him, federal regulators are generally supportive of DeFi. “A lot of people in the US government think DeFi is a true innovation,” and a cleanup that will help DeFi thrive is near, he says.
Federal regulatory bodies across the world are aware of the growing link between money laundering, terror financing and other illegal activities. The latest updated guidance from the Financial Action Task Force (FATF) dwells at length on virtual assets and virtual asset service providers (VASPs).
The regulators, however, face the difficult task of identifying the intermediaries who are responsible for KYC and AML compliance in a truly decentralized process, says Merkle Science's new report. Even more difficult will be the challenges that decentralized VASPs face in complying with the updated Travel Rule, which was formulated without the DeFi ecosystem in mind. The FATF has not even completed the task of classifying DEXs as VASPs. Until it does, it is unlikely that DeFi will be brought within a meaningful regulatory framework.
Moreover, the DeFi ecosystem has many regulatory sceptics, such as Mitchell Amador, CEO of Immunefi, a bug bounty platform for DeFi protocols, who told Cointelegraph that regulations are unlikely to have much impact on the future of DeFi. Amador wants better security procedures to reduce DeFi-related crime. Hacks will continue to occur, according to the expert, but they will become increasingly difficult as the DeFi ecosystem adapts.
Some experts believe the DeFi space needs to slow down its development cycles, considering the frequency of the hacks. Amador is among those who believe improperly reviewed code is more vulnerable than code tested over a longer time, which calls for a slower development cycle. A thriving bug bounty program is also important, as vulnerabilities need to be approached wearing the hackers' hat. Jefferies expects more robust processes to be in place in the crypto industry 12 months down the line, primarily because of the hacks.