Most DeFi Protocols Fade After They’re Hacked, Analysis Shows
TVL of hacked DeFi protocols dives by over 90% and fails to recover.
By: Owen FernauData Dive
Euler Finance, a lending protocol which suffered a $200M hack last month, is facing an uphill battle.
After miraculously recouping nearly all lost funds, the question is, can Euler recover from the attack? Data on the top five hacks of DeFi protocols says no.
A survey of the top five hacks in dollar terms shows that each protocol’s total value locked is down by at least 96% since it was hacked. Overall TVL across DeFi decreased significantly less relative to each protocol’s TVL loss since each hack, suggesting that it’s not just depressed asset prices that are responsible for the dips.
TVL dips on top five DeFi hacks. Source: The Defiant
To focus on DeFi hacks in our survey, we excluded bridges, which enable cross-blockchain transfers, and centralized exchanges. We also excluded exploits and bugs which didn’t result in the loss of user funds.
In the case of Euler Finance, DeFi’s most recent major hack, the project’s token is down roughly 28% since the announcement of a successful recovery on April 3, suggesting that investors are still not enthused about the project’s chances. There’s been personnel turnover too, with its head of risk stepping down on April 19.
Michael Bentley, the co-founder and CEO of Euler Labs, the company behind the protocol, called the days after the hack “the hardest of his life,” on Twitter. In a follow-up with The Defiant, he said that the departure of Euler’s head of risk was not related to the hack.
Flash Loans and Price Manipulations
Of course, each hack was different. Beanstalk’s involved a type of hyper-short loan called a flash loan, followed by a governance attack.
CREAM’s, whose attack also used a flash loan, involved manipulating the protocol into thinking that the attacker controlled nearly $3B of assets, according to a breakdown by Rekt. As CREAM is a lending protocol, the attacker was able to deposit some of that $3B as collateral and drain CREAM of all its lendable assets.
The attack on BonqDAO involved manipulating a price feed, so, like the CREAM attack, the protocol would think the hacker had more tokens than they did.
BadgerDAO, the Bitcoin-focused DeFi protocol, fell victim to a phishing attack which allowed an attacker to inject malicious code into its frontend. And the trader Avraham Eisenberg, famously inflated the value of Mango Markets’ MNGO token, and, using the asset as collateral, permanently obtained the borrowed assets.
The tokens for CREAM Finance, BadgerDAO, and Mango Markets, the three assets for which price data is available, are all also down 50% or more since each protocol’s hack.
The takeaway is that coming back from hacks, even after the initial period of patching the vulnerability, is historically difficult. The reputational hit a protocol takes is particularly hard to surmount in DeFi, where users may already be wary about interacting with a sector that’s rife with exploits and rug pulls.
BraveNewDeFi, the head of communications at Nexus Mutual, an insurance protocol, told The Defiant, that a project’s reputational hit depends on the attack’s size. “The larger the exploit, the larger the impact on reputation and trust,” they said. “Once that’s gone, it’s nearly impossible to earn back the trust of users.”
They also said paying users’ back quickly, rather than eventually, helps a project stay viable.
Trust in the project takes a hit even if the team sticks around and continues to build.
That’s the case with BadgerDAO, which has continued to build out new vault products, refined governance processes, as well as a slew of governance proposals dedicated to recovery in the wake of the hack. But the protocol has still struggled to attract deposits.
Others like Uranium Finance, which was hacked for $57M in 2021, folded entirely — the project hasn’t communicated publicly since the attack.
Thorchain, a protocol which enables swaps across blockchains, stands out as relatively resilient among exploited projects. Attackers hit the cross-chain exchange with two hacks of $8M and $5M in July 2021.
While Thorchain’s TVL dropped by roughly 56% to $78M since the attacks, overall TVL in DeFi has dropped 44% in that time. That compares with losses of over 90% in deposits for the biggest hacks.
Thorchain’s relative durability suggests that while most DeFi ships will sink, some can weather a storm – or pirate raid. After a successful recovery effort, maybe, Euler can be one of the latter.