Hackers, exploiters, rug-pullers, and other DeFi miscreants had a prolific 2021.
That’s the upshot from a finding by Chainalysis, the blockchain forensic analysis firm. It said rogues stole $2.2B in digital assets from DeFi protocols last year, a 13-fold increase from 2020. That accounted for more than two-thirds of the $3.2B lost in all crypto.
Chainalysis also found surging instances of rug-pulls and money laundering in the DeFi sector last year, warning that DeFi may be “unlikely to realize its full potential if the same decentralization that makes it so dynamic also allows for widespread scamming and theft.” The firm published the findings in a preview of its 2022 crypto crime report.
While Chainalysis suggests that better communication from industry leaders and regulators may help retail investors learn how to avoid dubious projects, the report forecasts that “more drastic steps” may be needed to “prevent tokens associated with potentially fraudulent or unsafe projects from being listed on major exchanges” in the future.
Chainalysis estimates that 72% of crypto assets stolen in 2021 were taken from DeFi protocols,
The report concludes that the majority of funds stolen from DeFi protocols “can be traced back to errors in the smart contract code governing those protocols, which hackers exploit to steal funds.”
In August, Poly Network suffered the largest crypto hack on record, losing $610M to a hacker who ultimately returned the funds. DeFi protocols BXH, Vulcan Forged, Cream Finance, and BadgerDAO also all suffered hacks worth between $100M and $170M in 2021.
The report found that DeFi was the digital asset sector that experienced the largest growth in value received from illicit sources, with the volume of funds laundered via DeFi protocols increasing by nearly 2,000%.
The authors also highlighted the growing prevalence of rug-pulls plaguing DeFi, with rugging accounting for 36%, or $2.8B, of the $7.8B total revenue from crypto scams for 2021.
However, 90% of the funds stolen through rug-pulls were attributed to a single event in which the centralized exchange Thodex suddenly suspended withdrawals before its CEO vanished with users’ funds. All other identified instances of rug-pulls involved DeFi protocols.
New Form of Scam
Rug-pulls are described as a relatively new form of scam in which developers build what ostensibly appears to be a legitimate project offering pooled investment or other services requiring users to deposit digital assets, before stealing investors’ funds and disappearing.
“Many investors could likely have avoided losing funds to rug pulls if they’d stuck to DeFi projects that have undergone a code audit – or if DEXes required code audits before listing tokens,” the report suggested.
Chainalysis notes the $2.8B lost to rug-pulls only accounts for the value of funds stolen, and does not consider the impact to investors holding the governance token associated with a project after it suffers a rug-pull.