DeFi: hard security lessons from exchange hacks

February 12, 2024

Hacks in the cryptocurrency world get a lot of airtime.  Coverage tends to portray a sector beset by persistent security issues.  And while those challenges are undoubtedly present, reporting rarely illustrates the significant advances the cryptocurrency sector has made.

In recent years, virtual asset service providers (VASPs) have been at pains to introduce measures to enhance security.  For centralised exchange services (CEX), the effect has been noticeable.

A few years ago, in 2019, every successful high-value hack was on a centralised exchange (CEX).  Our data shows there were nine hacks that year, each of more than $1 million.  The total stolen among these nine was $265.7 million.  

Prior to that, in 2018, there were seven hacks of CEXs with a total value of $1.07 billion, over half of which was attributable to the $534 million theft of funds from Japan-based CoinCheck in January 2018.  

In contrast, so far this year, only two CEXs have suffered hacks:

  1. Bitrue, which lost $23 million in an exploit in April.  
  2. GDAC, a Korean exchange which lost $13 million in a hack, also in April.

These are two of only three hacks of centralised exchanges to occur in the last 18 months, the other being the November 2022 theft of funds from FTX amid its collapse.  That event saw an estimated $415 million disappear from the exchange in somewhat mysterious circumstances, but that’s a tale for another time.

Implementing stronger security measures

Hoptrail’s data suggests CEXs are becoming much more effective in combatting hackers and dealing with external security issues.  A combination of better monitoring, training, and implementation of security procedures has enabled them to reduce the effectiveness of theft or exploits.

More broadly - and as Hoptrail pointed out recently - onchain theft is not as fruitful an avenue for bad actors as before.  Stolen funds are under constant monitoring by law enforcement, analytics and security firms, onchain sleuths, and disgruntled victims.  It's increasingly difficult to cash out.  In a recent example, hackers ended up handing back most of the $196 million stolen from Euler Finance, a DeFi protocol.

Since 2019, the total value of high-value hacks has been less than $500 million a year.  These totals are often driven by one-off events that constitute a large proportion of the sum.

For example, CoinCheck’s 2018 hack accounted for 50% of stolen funds that year. This year, Bitrue’s theft accounts for two-thirds of all assets stolen. The lowest in percentage terms was 25% with Liquid’s $90 million hack in 2021 - still a sizeable contribution, without which exchange hacks wouldn't be looking like such hot property for the mainstream media.

Nonetheless, the overall trend - for both the number of hacks on CEXs and the total value stolen - is flatlining, and has been since 2018. And this is in large part due to measures taken by exchanges to bolster security and audit protocols, and to separate out customer and exchange funds through stronger wallet structures and custodial solutions.

Many exchanges have also sought to bolster their reserves against such events. Among the 25 exchanges that we have proof of assets data on, the average asset holding is $3.3 billion. Remove Binance and that drops to $1.8 billion: smaller, but still sizeable enough to handle a significant theft. To put it another way, $500 million is now less than 1% of assets held on 25 of the world’s largest exchanges.

Lessons for DeFi

Theft in the DeFi world exploded in 2021. This started with the $80 million exploit of EasyFi and ended the year with the $140 million hack of play-to-earn fantasy game and marketplace Vulcan Forged. The average amount stolen in large-scale DeFi hacks since 2021 is just over $159 million across 25 separate incidents.

These are big numbers.  DeFi has plenty to learn from the experiences of CEXs.  But there are steady improvements in security measures and instances of high-value theft have started to fall.

Smart contract auditing, pen testing, and security reviews are increasingly common in the DeFi space, and security infrastructure is emerging to support and protect more complex operations without compromising on decentralisation.

Part of this response has been driven by an 'annus horribilis' in the crypto space in 2022, which saw several high-profile collapses of blockchains and exchanges, culminating in FTX's spectacular bankruptcy in November.

Between March and June 2022, the DeFi space experienced back-to-back exploits of prominent protocols: first the $320 million Wormhole hack, then the $540 million exploit of the Ronin Network.  This was followed by the $182 million hack of Beanstalk and the $80 million Fei hack, and rounded off with the $100 million theft from the Harmony Horizon Bridge.  All for a total of $1.22 billion within three months. Bad luck or just poor security?

Either way, these events caused a major rethink in terms of security measures, compliance protocols, and smart contract analysis that appears to be bearing some early fruit.

Putting the Gala hack to one side, only $337 million has been stolen in hacks from DeFi protocols in the last 13 months, and more than half of that has been handed back.

That isn't to say that DeFi has found the answers.  It's certainly too early to know if this is a sustained trend.  It is also important to mention that these figures do not account for instances of lower-level theft - particularly within the NFT space, which has seen a persistent level of exploits and phishing attacks this year.

But the direction of travel this year has shown that decentralised services are adapting to these issues while taking notes from the experiences of centralised services. Who said scaling a new financial system would be easy?!


