- DeFi customers lost $10.5 billion to theft in 2021.
- The Poly Network breach remains the biggest in crypto—not just DeFi.
Since just about anybody can launch a DeFi protocol and deploy a set of smart contracts, defects in the code are common. And in DeFi there is no shortage of unscrupulous parties eager and able to exploit such flaws. When that happens, millions of dollars are on the line, often with little protection for users. DeFi users lost $10.5 billion to theft in 2021, according to a November analysis by Elliptic. With that in mind, here are the top 3 DeFi exploits.
Poly Network: $611 Million
The Poly Network breach remains the biggest in crypto, not just DeFi. Fortunately, the drama that began on August 10, 2021, ended well three days later, after a series of strange events. The attack started when a hacker discovered a weakness in Poly Network's "contract calls", the pieces of code that enable the protocol. The hacker soon made off with $611 million in several cryptocurrencies, prompting Poly to publish a plaintive open letter addressed "Dear Hacker."
Wormhole: $326 Million
The most damaging cross-chain incident came in January 2022, when Wormhole, a widely used bridge, lost $320 million in Wrapped Ethereum (wETH). wETH is a token pegged 1:1 to the price of Ethereum. The hacker targeted the bridge's Solana side, where users must first lock Ethereum in a smart contract to receive an equal amount of Wrapped Ethereum. The hacker found a way around this step and minted wETH without locking any ETH in Wormhole.
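To make the lock-and-mint mechanism concrete, the following is an added toy model of such a bridge; it is not Wormhole's code and does not reproduce the actual flaw. It assumes a single guardian key (a real bridge relies on a set of guardian signatures) and uses an HMAC as a stand-in for the guardian attestation. The destination side mints only against a receipt whose attestation verifies and whose deposit id has not been redeemed before, and a separate monitoring check enforces the invariant that wrapped supply never exceeds locked collateral. All names and values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the guardian signing key; a real bridge uses a
# threshold of guardian signatures, not a single shared secret.
GUARDIAN_KEY = b"constructed-guardian-key"


@dataclass(frozen=True)
class LockReceipt:
    deposit_id: int
    user: str
    amount: int          # units of ETH locked on the source chain
    attestation: bytes   # guardian MAC over (deposit_id, user, amount)


def _attest(deposit_id: int, user: str, amount: int, key: bytes) -> bytes:
    """Guardian attestation: MAC over the receipt fields (HMAC stands in for a signature)."""
    msg = f"{deposit_id}|{user}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class SourceVault:
    """Source-chain side: holds the locked ETH and issues attested receipts."""

    def __init__(self) -> None:
        self.total_locked = 0
        self._next_id = 0

    def lock(self, user: str, amount: int) -> LockReceipt:
        if amount <= 0:
            raise ValueError("nothing to lock")
        self.total_locked += amount
        dep = self._next_id
        self._next_id += 1
        return LockReceipt(dep, user, amount, _attest(dep, user, amount, GUARDIAN_KEY))


class DestMinter:
    """Destination-chain side: mints wrapped tokens only against a valid, unused receipt."""

    def __init__(self) -> None:
        self.total_minted = 0
        self.balances: dict[str, int] = {}
        self._spent: set[int] = set()

    def mint(self, r: LockReceipt) -> bool:
        expected = _attest(r.deposit_id, r.user, r.amount, GUARDIAN_KEY)
        if not hmac.compare_digest(expected, r.attestation):
            return False  # attestation does not verify: receipt is not from the guardian
        if r.deposit_id in self._spent:
            return False  # receipt already redeemed once
        self._spent.add(r.deposit_id)
        self.balances[r.user] = self.balances.get(r.user, 0) + r.amount
        self.total_minted += r.amount
        return True


def supply_invariant_holds(vault: SourceVault, minter: DestMinter) -> bool:
    """Monitoring check: wrapped supply must never exceed locked collateral."""
    return minter.total_minted <= vault.total_locked


def demo() -> dict:
    """Runs a legitimate lock/mint, a replayed receipt and an unattested receipt."""
    vault, minter = SourceVault(), DestMinter()
    good = vault.lock("alice", 10)
    legit = minter.mint(good)
    replay = minter.mint(good)
    unattested = LockReceipt(99, "mallory", 1_000, b"\x00" * 32)
    forged = minter.mint(unattested)
    return {
        "legit": legit,
        "replay": replay,
        "forged": forged,
        "minted": minter.total_minted,
        "locked": vault.total_locked,
        "invariant": supply_invariant_holds(vault, minter),
    }


def monitor_example() -> bool:
    """Shows the invariant flagging wrapped supply that has no matching lock."""
    vault, minter = SourceVault(), DestMinter()
    minter.total_minted += 5  # models a mint that bypassed receipt verification
    return supply_invariant_holds(vault, minter)


if __name__ == "__main__":
    print(demo())
    print("unbacked supply detected:", not monitor_example())
```

The point of `supply_invariant_holds` is that it is independent of the mint path: even if some contract function mints without the checks in `mint`, a monitor comparing minted supply against locked collateral on the other chain will still flag the discrepancy.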
Compound: $150 Million
It surfaced in October 2021 that Compound had a bug, "the best-kept secret in DeFi," that let borrowers claim more than their allotted share of COMP. The flaw affected two of its vaults, the pools of funds held under the smart contract. Users would call a specific function on the Reservoir vault, which would replenish another vault, the Comptroller. That vault would then automatically send enormous sums of COMP to the wrong addresses. The leaky tap was traced to an issue introduced in an initial protocol upgrade.