Decoding DeFi Risks: Exploring the Data Behind $50B+ in DeFi Losses

According to IntoTheBlock, a staggering $58.78 billion was lost to DeFi exploits between 2020 and 2023.

By: IntoTheBlock


The DeFi space has created a myriad of opportunities for its participants – from six-figure airdrops to permissionless access to credit. Through tokenized ownership systems on-chain, DeFi applications amassed over $70B in deposits within less than a decade.

The growth of the DeFi space has been remarkable, but has also been accompanied by an unfortunate rise in exploits, leading to substantial capital losses. According to IntoTheBlock, a staggering $58.78 billion was lost to DeFi exploits between 2020 and 2023, reflecting the vulnerabilities inherent in this burgeoning ecosystem.

DeFi Exploits - IntoTheBlock

Source: IntoTheBlock DeFi Exploits Perspectives

The year 2021 witnessed a notable rise in value lost, with nearly $4 billion succumbing to exploits. However, the situation escalated dramatically in 2022, witnessing a staggering $53.5 billion in losses. The total amount lost decreased substantially to $1B in 2023, as there was no systemic collapse like Terra’s and there were fewer bridge exploits. Although the losses dipped in 2023, the challenges posed by these risks remain a significant hurdle for wider DeFi adoption.

The nature of these losses can vary significantly. Not all of these are considered “exploits” by the common definition, but they all involve a fault giving way, whether because someone purposefully caused it or because the underlying system was fragile, leading to depositors losing their funds. The factors behind these losses can be broadly grouped into two categories:

Technical Risks

These arise from potential vulnerabilities in a protocol's code, leaving room for exploitation by internal or external actors. Infamous incidents such as The DAO hack, executed through a re-entrancy attack, and the Ronin Network bridge exploit, a breach in a multi-sig wallet, exemplify how technical risks can lead to malicious capital extraction. These also include infamous rug pulls where developers have access to deposits unbeknownst to users.

Economic Risks

These stem from imbalances in the supply/demand dynamics of a protocol, resulting in losses for depositors. Economic risks can emerge from market activity, price manipulation, governance controls, or flawed mechanism design. Examples include the Terra/UST collapse, where supply minting failed to sustain UST's peg, and oracle manipulation attacks, where attackers artificially inflate an asset's price to bypass borrow limitations.

Number of DeFi Exploits - IntoTheBlock

Source: IntoTheBlock DeFi Exploits Perspectives

As pictured above, the majority of incidents leading to losses in DeFi come from technical risk factors. On a quarterly basis, there have been on average 6 technical exploits of over $1M in DeFi since 2020, making up about 73% of all incidents. In terms of losses, however, a staggering $53B has been lost due to economic risks.

The type of risk exploited often aligns with a protocol's category, such as algorithmic stablecoins collapsing primarily due to economic factors, while bridges, being complex from a developer standpoint, fall victim to technical hacks.

Number of Exploits by Protocol Type - IntoTheBlock

Source: IntoTheBlock DeFi Exploits Perspectives

Algorithmic stablecoins stand out as the primary source of losses in DeFi, surpassing losses from all other categories combined. Outside of Terra’s $50B losses, Iron Finance and Neutrino also led to hundreds of millions of losses for this category. On the other hand, lending protocols, although exploited more frequently in terms of incidents, contribute to a smaller portion of the overall losses.

These are factors worth considering for any user looking to deploy capital into DeFi. Similarly, another key factor to consider when reviewing a protocol is how many times it has been audited.

Number of DeFi Exploits by Auditor - IntoTheBlock

Source: IntoTheBlock DeFi Exploits Perspectives

Unaudited protocols have been exploited 50 times and led to over $4.5B in losses for DeFi users. Some auditors also have a better track record than others, which is why it is typically worth looking for protocols with more than one auditor prior to depositing assets.

After depositing, unfortunately there is typically little users can do to protect themselves against technical risks. Even if they have advanced knowledge of Solidity and other smart contract programming languages, technical exploits usually happen within one block, making them very difficult to mitigate.

On the other hand, economic risks can often be more foreseeable and manageable both for the user and the protocol developers. De-pegging events arise from market movements, typically accompanied by weak incentive assumptions. Bad debt resulting from “highly profitable strategies” also tends to come from hours of artificial price activity in order to manipulate oracles’ data. Impermanent loss can also be actively monitored and potentially even hedged.
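One way to monitor for the hours-long artificial price activity described above, as an added example (not IntoTheBlock's code or methodology): it flags episodes where a price stays far from its trailing median for an extended time, while ignoring single-sample spikes. The window, threshold, minimum duration and the sample feed are constructed assumptions.

```python
from statistics import median

def sustained_deviations(samples, baseline_s=86_400, threshold=0.15,
                         min_duration_s=3_600):
    """Return (start_ts, end_ts, peak_deviation) for each episode in which the
    price stayed more than `threshold` away from the trailing median for at
    least `min_duration_s`. samples: time-sorted list of (unix_ts, price).
    All default values are illustrative assumptions."""
    episodes, start, last, peak = [], None, None, 0.0
    for i, (ts, price) in enumerate(samples):
        # Baseline: median of earlier samples inside the trailing window.
        # A median resists a few hours of inflated prices better than a mean.
        window = [p for t, p in samples[:i] if ts - baseline_s <= t < ts]
        if len(window) < 3:
            continue  # not enough history to judge this sample
        dev = price / median(window) - 1.0
        if abs(dev) > threshold:
            if start is None:
                start, peak = ts, dev
            peak = max(peak, dev, key=abs)
            last = ts
        elif start is not None:
            # Deviation ended: keep the episode only if it lasted long enough.
            if last - start >= min_duration_s:
                episodes.append((start, last, round(peak, 4)))
            start = None
    if start is not None and last - start >= min_duration_s:
        episodes.append((start, last, round(peak, 4)))
    return episodes

def constructed_feed():
    """Constructed sample: 30 hours of 10-minute prices near 2.00, with one
    isolated spike (should be ignored) and a 3-hour inflated run (flagged)."""
    feed = []
    for n in range(180):
        price = 2.00 + 0.01 * (n % 3)   # ordinary noise
        if n == 60:
            price = 3.00                # single-sample spike
        if 120 <= n < 138:
            price = 2.80                # sustained artificial price
        feed.append((n * 600, price))
    return feed

if __name__ == "__main__":
    for start, end, peak in sustained_deviations(constructed_feed()):
        print(f"sustained deviation {peak:+.1%} from t={start}s to t={end}s")
```

The same check applies to a de-peg by feeding it the stablecoin's market price; a negative peak deviation then marks a sustained move below the baseline.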

This mitigable nature of economic risks arguably makes them more important to monitor for active DeFi users. Through IntoTheBlock’s Institutional DeFi Unlocked report, we shed some light on the nature of these risks and the indicators to track in order to manage risk in DeFi. Ultimately, through this report and the newly-released DeFi Risk Radar platform, we aim to educate users at scale and drive broader usage of DeFi, building on the back of more transparent risk management data.