Yet another decentralized lending and algorithmic stablecoin protocol was hacked yesterday, with $3.5 million stolen from its treasury via what appears for now to be a one-off exploit.
As a result, Nirvana Finance’s NIRV stablecoin lost its peg — it’s at 15 cents as of this writing, and the ANA token used to maintain it is down 80%. ANA was also used to provide collateral for NIRV loans. If that sounds familiar, that’s because another decentralized finance (DeFi) algorithmic stablecoin, terraUSD, and its LUNA partner coin failed on a spectacular scale in May, costing investors $48 billion.
See also: How a Stablecoin’s $48B Collapse Rippled Across Crypto
But that’s where the similarity ends. TerraUST died in loss-of-confidence based run, while ANA/NIRV was hacked and tricked it into releasing the entire $3.5 million worth of Tether’s USDT stablecoins in its treasury wallet, CoinDesk reported on Wednesday (July 27).
DeFi hacks are becoming more frequent, with the amount lost — $4 billion — now surpassing the $3.2 billion lost to centralized cryptocurrency exchange hacks, according to blockchain analytics firm Crystal Blockchain. That’s significant when you consider that the data on centralized hacks goes all the way back to 2011, while the DeFi data only dates back to 2020 — and that, really, DeFi barely existed before 2021.
Long-term, crypto scams like Ponzi schemes and rug pulls are the biggest losers, accounting for $7.3 billion of the $14.5 billion stolen in the past dozen years.
“The most popular method of crypto-theft until 2021 was the infiltration of cryptocurrency exchange security systems — currently the tendency has moved to DeFi hacks,” Crystal said in its just-released Crypto & DeFi Hacks, Fraud & Scams Report. “This can be explained by the fact that the technology is new and still has a lot of vulnerabilities.”
More to the point, the technology is often rushed out the door by developers eager to get started, often without having the code reviewed by experts. And then updates are done by votes run by controlled DAOs — decentralized autonomous organizations run by self-executing smart contracts.
Learn more: PYMNTS DeFi Series: Unpacking DeFi and DAO
Nobody to Blame?
DeFi staking and lending platforms, as well as decentralized exchanges (DEXs), have a core strength that happens to be their core problem: At least in theory, no one is in charge.
Also read: DeFi Is the New Big Thing in Crypto. But What Is It? Here’s Everything You Need to Know
The way DeFi projects work is that someone builds a platform, start mintings the cryptocurrency tokens that will be used on it, and distributes them in some way. Frequently, this is an airdrop — giveaway — to early users and supporters as the platform picks up traction, with the developers and backers keeping a hefty chunk of tokens for themselves.
Read more: DeFi Series: DeFi’s Very Real Risks
The thing is, that leaves no one with real skin in the game. Yes, some DeFi projects come from well-regarded teams funded by venture firms. But even then, the goal is to make the project self-governing, and that has other consequences like the general lack of anti-money-laundering (AML) and regulatory compliance — although some larger projects are beginning to add that.
See: Fed, Bank of England Lead Charge for Global DeFi Regulations
In other cases, DeFi projects are built and launched by developers who hide their identity behind Twitter and Discord account names. The No. 10 DeFi project by total value locked (TVL) — invested — is SushiSwap, a staking protocol with a TVL of $1.38 billion, according to DappRadar. It was created by someone known only to backers as Chef Nomi, who basically cut and pasted it from a rival platform and added a way to give users some more earnings, stealing away its stakers.
Chef Nomi made off with most of the $14 million, although he returned it all a few days later when users cried foul, Decrypt reported on Sept. 11, 2020. He apologized for his actions, saying he saw taking the funds as a developers reward when he gave up control, not as a scam. Plenty of others, Crystal noted, have just taken the money and run.
But SushiSwap thrived, and perhaps because of it the bad taste it left in people’s mouths at the beginning, it has become an AML compliance early adopter. On the other hand, it was hacked to the tune of $3 million in September 2021.
Also read: Top DeFi Exchange SushiSwap Builds in Controls as AML Measures Loom
Another problem with DAO control is that it relies on pseudonymous, one-token, one-vote management. Issues range from speed — one DeFi project was unable to patch code that led to an eight-figure exploit because the smart contract had a week-long voting period for any updates built into its language — to fairness.
See: In DeFi’s Brave New World, ‘Ruthless’ DAO Governance Aims to Run a Better Company
In the case of MakerDAO, voters refused to compensate victims of an exploit, even though the project had funds available. In another, voters took $100 million worth of airdropped tokens from someone they felt had gamed the system during the giveaway. And with no one in charge and many voters anonymous, who do you sue?
Read more: DeFi’s Achilles’ Heel on Display: Vote Could Take $100M in Crypto from an Investor
When things go wrong, a popular phrase is “Do your own research” — blaming the victim for things like coding flaws that a more centralized project might have caught after paying for a review.
What those hacking numbers show is that DeFi has a basic problem relatively common in tech —magnified by the free-for-all control and vast sums to be gained. And while there is a fair amount of cut-and-paste in DeFi platform development, the mindset matches crypto’s basic innovate and disrupt at all costs mindset, but on steroids.
See: Why 2022’s Tech Wreck Doesn’t Have to Mean a Dotcom Crash Landing
And as PYMNTS’ Karen Webster noted recently, pouring money into something unlike anything and everything done before without even a nod to existing technology and processes isn’t the way to build a stable entrepreneurial ecosystem.
But then again, DeFi isn’t really trying to do that.
For all PYMNTS crypto coverage, subscribe to the daily Crypto Newsletter.