OpenPad is a community-run launchpad, decentralized venture capital, incubator & accelerator, offering domain-agnostic deeply-vetted, insurance-based, and allocation-guaranteed token sales. We do not provide investment or financial advice, and all projects reviewed are done objectively in accordance with established reporting and information dissemination best practices. Before investing in any Web3-related project, you should conduct your research. As a result, OpenPad is not liable for any losses incurred due to a consumer’s investment decision.

Decentralized Finance Risks

51% attacks: This is one of the common blockchain security threats. It is more common in the case of Proof-of-Work protocols due to the design of their consensus algorithm. The issue could arise when hackers gain control over a major share of the computational power and rewrite the contents of the distributed ledger or even open the doors to double-spend attacks.
An example of this is Bitcoin Gold in 2018 with over $18 million lost due to double spending; Vertcoin with about $100,000 stolen; Ethereum Classic with more than one 51 percent attacks since 2019, wherein the second attack the double-spending reached $5,6 million.
Access control failure: The privileged functions of some smart contracts provide the owner of these contracts with access to enforce them through the specification of calls to the function. Often the access controls are implemented in the wrong way or are not implemented at all, and hackers could gain privileged access to a smart contract and use it to their advantage.
Cryptographic failures: This occurs when sensitive data is insufficiently protected and, as a result, it suffers data leaks or is exposed to unauthorised audiences.
Code failures: A great example of this is the attack against the Poly Network in August 2021, when over $600 million worth of crypto was stolen. Poly Network pleaded with the hacker to return the money, and sure enough, nearly half of the sum was returned two days later.
Stolen or leaked private keys: Private keys are the code you need to access transactions sent to your public key address. This could include, for example, a compromised MetaMask interface (an application for interacting with the Ethereum blockchain). There are also malicious versions of MetaMask, resulting in crypto losses. Also, poor practices for crucial generations, like a lack of randomness, can lead to a private critical vulnerability.
Such is the case with the Mt. Gox exchange, which had its wallet credentials continuously stolen beginning in 2011, until 2014, grand theft of a total of 850,000 BTC.
Another example is the Coincheck exchange based in Tokyo, which in 2018 suffered an attack on its hot wallet, and the stolen NEM coins amounted to $534 million.
More recently, less than a year ago, the cybersecurity company Intezer discovered an elaborate and sophisticated campaign whose goal was to steal crypto users' private keys to their digital wallets. The scheme was named “Operation ElectroRAT” (RAT stands for remote-access-Trojan). The hackers built three unique applications to carry their malware and three malware versions for the Windows, Linux, and macOS operating systems. The attackers focused on members of the crypto community by promoting the apps on forums and social media channels. More than 6,000 victims of this malware have been reported.
Flash loan attacks: A common issue that might lead to a security breach is the incorrect token value calculation in the liquidity pools. Usually, the value of tokens in a pool is determined by its existing condition rather than external oracles. Attackers generally introduce an imbalance in the pool during a specific transaction, which leads to an incorrect calculation of the token value.
The most recent flash loan attack happened in May 2021 at PancakeBunny, a BSC-powered yield farming aggregator, which suffered an exploit that caused its token to plummet by 95%.
The largest flash loan hack was in February 2021, when the Alpha Homora protocol drained $37 million using Iron Bank, Cream’s lending platform.
Another similar attack occurred in July 2021 on ApeRocket’s BSC platform and Polygon fork, costing users $1,26 million.
Front-running attacks: Before being broadcasted, transactions are stored in mempools of each node prior to being added to the ledger in blocks. Malicious actors use this segment of time to create their version of the transaction with higher transaction fees, as blockchain miners generally arrange the transactions in order of their fees. That’s how the attacker’s transaction comes before the original one.
In March 2021, the DODO DEX experienced a smart contract hack where attackers could steal nearly $3.8 million in cryptocurrency from several of DODO’s crowdfunding pools. Later, $3.1 million of the stolen assets were returned.
Ponzi schemes and rug pulls: Sometimes, users can fall victims to an insider attack by owners and developers of the protocol who misuse their privileges and drain its value.
A Ponzi scheme named “OneCoin” was launched in 2014, which is rumoured to have cost its investors more than $4,4 billion (other sources have claimed as much as $19,4 billion, but it is impossible to say for certain). The project was not traded on cryptocurrency exchanges as it had its platform.
In 2018, the customers of the Italian exchange BitGrail were reported to have had their Nano was stolen, which amounted to $120 million. Its director was later accused of hacking his exchange.
Some of the ways to prevent DeFi hacks
  • Testing the DeFi protocol in a testnet or beta phase before the official launch can prevent specific business logic errors. According to Hacken, a leading security consultancy company focusing on blockchain security, the arbitrage check function should have a lower tolerance value than 2% (arbitrage is the strategy of taking advantage of price differences in different markets for the same asset type).
  • It is also advised that deposit functions should not be accessible to third-party smart contracts, or if they are, certain value limits should be set.
  • Using decentralised pricing oracles like Chainlink and Band Protocol could reduce the attack vector, especially for flash loan exploits, instead of relying on a single DEX for their price feed.
  • Audits from a third party do not always guarantee that a protocol is free of coding errors. Still, it signals to the community that you are taking all measures to mitigate any risks of protocol vulnerabilities.
  • Traders can still fall victims to scams and fraud, so checking a project’s white paper, team, community activity, exchange listings, number of security audits, and backing from institutional investors is vital to deciding on whether to invest or not.
As the DeFi industry grows, so will the malicious attacks. After being hacked, scammed, or having your funds sent to the incorrect place, you rarely find assistance resolving the problem. Adequate personal protection, like keeping your private keys safe and having a secure lip, is of the utmost importance. The more money that flows into the DeFi sector, the more hacks, exploits, crimes, and fake projects will keep springing up here and there.
The DeFi space needs better tools for preventing human mistakes and errors. Even though one of the benefits of DeFi is that it eliminates intermediaries, on the other hand, there is no one to take responsibility for user errors besides the users themselves.
Economic and crypto volatility could become a new reality, and every new fact creates new opportunities. Some projects die, some survive, and others thrive. Volatility creates an opportunity for those who have more to gain than lose.
Copy link
On this page
Decentralized Finance Risks