Oh &#%!@… Seriously!? Top DeFi Debacles of 2021

This article is part of our Year in Review series.

In 2021, DeFi blossomed from being a niche within the crypto space to a full-fledged industry as investors recognized the potential of the open economy.

Total Value Locked, a measure that quantifies the crypto assets locked in DeFi protocols, soared over 12x to $250B from $18.7B at the beginning of the year.

DeFi investors enjoyed astronomical returns this year, but it wasn’t always smooth sailing.

The juiciest yields in DeFi can generally be found in degen territory, where hundreds of millions in assets are entrusted to unaudited smart contracts run by anonymous developers. And with that sort of money at stake, the space naturally attracts scammers and black-hats.

From rug-pulls and flashloans to frontend exploits, we’re going to look at nine DeFi protocols where things went awry in 2021.

PancakeBunny

PancakeBunny, a yield aggregator on Binance Smart Chain, once had over $10B in Total Value Locked. In May 2021, the project was hit with an exploit that utilized flashloans to manipulate its price oracles and drain $45M worth of crypto assets.

TVL has fallen to $215M and $BUNNY is down 99.8% from its peak.

Anubis DAO

Anubis DAO combined two of the fall’s hottest trends: meme coins and Olympus forks. The project launched a token sale and investors piled in to the tune of 13.6K ETH ($60M). Sadly, they never got to see the protocol in action, as all the ETH was rugged midway through the presale.

EasyFi

EasyFi is a lending protocol on the Polygon network. In April 2021, an attacker managed to gain access to the project’s admin keys and stole $60M worth of $EASY tokens, which remain 90% off their highs.

Thorchain

Thorchain is a popular cross-chain DEX that allows native token swaps across different blockchains. Its multi-chain network, called ChaosNet, launched in April with much fanfare, sending the project’s $RUNE token to all-time highs.

Thorchain suffered a series of exploits. $RUNE continues to languish at just a third of its value in May.

Badger DAO

Badger DAO’s mission is to ‘Bring Bitcoin to DeFi’ and they’ve made great progress over the last year, with TVL peaking above $2B in February.

On Dec. 1, Badger was hit by a front-end exploit that prompted users to grant token approvals to a malicious contract. $120M in crypto assets were stolen, including 896 BTC ($50M) reportedly belonging to crypto lender Celsius.

$BADGER lost half its value following the exploit. A restitution plan is in the works.

CREAM Finance

DeFi money market CREAM Finance can’t seem to catch a break.

After a re-entrancy attack in August that saw $23M drained from the protocol, the project was hit for the fourth time on Oct. 27. A flashloan exploit left all the CREAM v1 vaults nearly bare, with $130M in crypto assets lost, making it DeFi’s third-largest exploit at the time (now fifth).

$CREAM tokens are down 80% in the wake of the disaster.

Compound Finance

On Sep. 29, a buggy update that made it into production caused Compound Finance to pay out millions in excess $COMP token rewards to users of the DeFi lender.

While $80M in $COMP tokens were initially thought to be at risk, the problem was ‘compounded’ when it was discovered that anyone could refill the vulnerable vault with tokens by calling a function on the relevant smart contract.

The Compound team was powerless to stop it due to the seven-day governance process the protocol uses, and another $69M worth of $COMP was eventually lost.

At $147M, this remains DeFi’s third-largest hack.

Poly Network

For the largest DeFi hack ever, this was certainly a strange one.

On August 10, over half a billion dollars worth of crypto assets were stolen from Poly Network, a cross-chain protocol that facilitates token swaps across multiple blockchains including Ethereum, Binance Smart Chain and Polygon.

Post-hack, the Poly team exchanged a series of messages with the hacker over Etherscan after which the stolen assets were returned, a rare occurrence in the anonymous world of DeFi.

There’s still a lot that doesn’t add up about the whole affair, with some speculation that it may have been a publicity stunt.

Iron Finance

A list of DeFi debacles would not be complete without the spectacular implosion of Iron Finance, the algorithmic stablecoin on Polygon that was the darling of yield farmers over the summer.

Total Value Locked peaked above $3B. At one point, the majority of stablecoins on the Polygon network were deployed in the protocol.

After weeks of eye-watering yields and a skyrocketing token, it all came crashing down on June 16. The protocol suffered a ‘bank run’ and its $TITAN token fell from $62 to nearly zero in just 16 hours.

Billionaire investor Mark Cuban, who had earlier praised the project, was so shaken by the experience that he went on CNBC the next day to call for stablecoin regulation.