DeFi Users Lost $10.5 Billion to Theft and Fraud in 2021, Mostly on Ethereum: Report

Risk management firm Elliptic says DeFi users have lost $12 billion to hacks and scams over the past two years.


In brief

  • DeFi theft and fraud resulted in $1.5 billion in losses last year.
  • This year, the figure has ballooned to $10.5 billion, aided by higher asset prices.

Hacks, thefts, rug pulls, and fraud schemes. What do these decentralized finance exploits all have in common? Someone on the other end loses money.

And not just a little. Try $10.5 billion in 2021, up from $1.5 billion last year, according to a new report from risk management firm Elliptic.

Decentralized finance, or DeFi, refers to the blockchain-based applications that allow people to bypass banks and other traditional financial intermediaries to lend, borrow, save, or trade with peers using automated smart contracts wired into protocols.

The sector has over $250 billion in digital assets flowing through its veins, according to data collected by DeFi Llama. As recently as June 2020, that figure was less than $1 billion. Increased use of protocols, as well as rising prices for the underlying coins and governance tokens that power them, have created a virtuous cycle for those deeply invested in the space.

But increased popularity—not to mention expansion from Ethereum to networks such as Solana and Binance Smart Chain—also means DeFi has more funds to steal, even as many projects struggle to keep up with the swiftly moving sector.

Elliptic sums up the problem facing DeFi projects in its report: "Many are startups with relatively immature cybersecurity, and the irreversible nature of crypto transactions make it very challenging to recover these funds. This has made them tempting targets for attackers ranging from lone hackers to nation states."

And sometimes the security flaws are not mistakes at all but are instead the products of "backdoors introduced by their creators in order to steal users' funds."

According to Elliptic, in the past two years $2 billion has been stolen directly from decentralized applications. It attributes an additional $10 billion in losses to declining token value as a result of fraud or theft; though it's a squishier number to pin down, these protocol losses ascribe a value to decreased consumer confidence in the product.

The vast majority of losses from the last two years, $8.6 billion, have come from Ethereum, the home of decentralized finance. Ethereum originated lending protocols like MakerDAO, decentralized exchanges such as Uniswap, and derivatives products like Synthetix. Binance Smart Chain protocols have been responsible for $2.5 billion in losses since 2020.

By Elliptic's metrics, users should be most concerned by lending protocols, which allow people to borrow cryptocurrency from pools of their peers. Responsible for over one-third of losses, these protocols are just as vulnerable to code exploits as they are to economic exploits, for example flash loan attacks, in which users borrow large sums, manipulate market prices to create an arbitrage opportunity, then pay back the money.

As the space matures, attacks may be confined to fly-by-night protocols and risky platforms. For now, though, Elliptic wants users to keep their guard up. DeFi, it says, has become a "tempting honeypot for hackers."

