Decentralized Horror: Roundup of the Year’s DeFi Nightmares

31 October 2020, 12:01 GMT+0000
Updated by Ana Alexandre
31 October 2020, 14:03 GMT+0000
In Brief
  • DeFi has been the driver of momentum for all things crypto in 2020.
  • BeInCrypto dug into the DeFi nightmares, flash loan frights, and smart contract code chills that happened this year.
  • Some have turned some kind of profit, but a few have got completely "rekt," and that is where the bad stuff comes in.

Decentralized finance (DeFi) has no doubt been the driver of momentum for all things crypto this year, but it has not been without its share of horror stories.
To mark Halloween, we will be digging into the DeFi nightmares, flash loan frights, smart contract code chills, hideous hacks, scary scams, and terrifying rug pulls so far this year.

But first the good…

Before we delve into the dark depths of DeFi depravity, let’s start on a positive note. If 2017 and 2018 were the years of ICOs and 2019 was the year of stablecoins, 2020 has definitely been the year of decentralized finance. Billions of dollars in crypto collateral have poured into a rapidly expanding array of decentralized exchanges, automated market makers, and liquidity farming pools as traders and investors seek greater returns on their digital assets. Since the beginning of 2020, this figure, known as total value locked (TVL), has surged almost 2,000% to top $12 billion in October. This surge in crypto collateral has made other milestones possible, such as the highest ever amount of wrapped (or tokenized) Bitcoin (BTC) at over 147,000 BTC, and almost 8% of the entire Ether (ETH) supply, or 9 million ETH, locked into DeFi protocols. DeFi tokens have been the best performing of the year, though many have corrected heavily over the past month or so. A few people with already big bags have made bigger fortunes, a lot of people have turned some kind of profit, but a few have got completely “rekt,” and that is where the bad stuff comes in.

And the bad begins with bZx

The first quarter of 2020 was a little quiet for DeFi, but TVL did build up to top the $1 billion milestone for the first time in early February, which was also the month the first high-profile industry exploits occurred. Lending and margin trading protocol bZx was the first serious victim of 2020, with two flash loan exploits that resulted in the loss of nearly $1 million in user funds. The malicious actor managed to exploit a low-liquidity Uniswap market in a single transaction, using what is known as a flash loan, to net a profit of around $350,000. A second attack within a week resulted in the loss of a further $600,000 in ETH from bZx, which suspended operations following the exploit. The exploits created a wave of criticism from DeFi detractors and Bitcoin maximalists at the time, who said that the fact bZx was able to freeze the platform during both attacks showed that it was ultimately a centralized platform.

Maker “Black Thursday”

DeFi markets were bubbling away nicely until the middle of March, when the world’s financial and crypto markets crashed in the wake of the escalating Covid-19 pandemic. Ethereum, which serves as the foundation for the DeFi industry, crashed 55% in less than a week, leading to a day dubbed “Black Thursday” for MakerDAO, the world’s leading DeFi protocol at the time. The Black Swan event resulted in the mass liquidation of the vast majority of Maker vaults, leaving around $4 million in Dai under-collateralized. No code was exploited, but many vault owners lost all of their collateral, resulting in both a class-action lawsuit against the Maker Foundation and an executive poll to compensate victims. Stability fees were adjusted and the Dai Savings Rate was set to zero; it still has not moved from that level.

April Fools

Crypto and DeFi markets slowly started to drag themselves out of the trough in April, but the exploits did not stop there. A wrapped version of Bitcoin called imBTC was attacked using something called an ERC-777 token standard reentrancy attack, on April 18. The attacker was able to siphon a Uniswap liquidity pool for all of its value, an estimated $300,000, by using something called “hooks” to request more funds before external balances could be updated. Bitcoin itself was not affected, but those providing liquidity to the pool were in pain. A few days later, Chinese lending platform dForce was also drained of all its liquidity using the same exploit. The hacker repeatedly increased their ability to borrow all other assets and made off with around $25 million in funds. dForce was blamed for replicating Compound Finance’s early code, which did not safeguard against such attacks.
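The pattern described above, where a callback runs before the ledger is updated, is shown here as an added example; it is not code from imBTC, Uniswap or dForce. The `Pool` class, account names and amounts are constructed for illustration, and the model places the vulnerable ordering beside a hardened one (state updated before the callback, plus a reentrancy lock) with a solvency invariant to assert in tests.

```python
class ReentrancyError(Exception):
    """Raised when withdraw() is entered while a withdrawal is in progress."""

class Pool:
    # Constructed toy ledger (hypothetical); not any real protocol's contract.
    def __init__(self, deposits, hardened):
        self.credits = dict(deposits)           # what each account is owed
        self.reserve = sum(deposits.values())   # what the pool actually holds
        self.paid = {}
        self.hardened = hardened
        self._locked = False

    def withdraw(self, account, hook):
        if self.hardened and self._locked:
            raise ReentrancyError(account)      # reentrancy lock
        amount = self.credits.get(account, 0)
        if amount == 0 or amount > self.reserve:
            return 0
        self._locked = True
        try:
            if self.hardened:
                self.credits[account] = 0       # effect recorded before the callback
            self.reserve -= amount
            self.paid[account] = self.paid.get(account, 0) + amount
            hook(self, account)                 # recipient-controlled callback
            self.credits[account] = 0           # vulnerable order: ledger updated last
            return amount
        finally:
            self._locked = False

def solvent(pool):
    """Invariant for tests or monitoring: the reserve covers all credits."""
    return pool.reserve >= sum(pool.credits.values())

def reentering_hook(pool, account):
    """Callback that calls back into withdraw(), as a token hook allows."""
    try:
        pool.withdraw(account, reentering_hook)
    except ReentrancyError:
        pass                                    # the lock refused the nested call

def run(hardened):
    pool = Pool({"lp_a": 100, "lp_b": 100, "caller": 50}, hardened)
    pool.withdraw("caller", reentering_hook)
    return pool.paid["caller"], pool.reserve, solvent(pool)

if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:  ", run(True))
```
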

Summer of farming (and hacking) begins

By the middle of 2020, DeFi TVL had recovered to hit a new all-time high of just under $2 billion and things were really starting to heat up in the nascent sector. Momentum was being driven by Compound Finance which was the first DeFi protocol to kick off the liquidity farming frenzy that would dominate the next three months. On its first day of trading, the protocol’s COMP token became the most valuable DeFi asset, making it a market cap “unicorn” as it reached a billion dollars. There were accusations of market manipulation involving some of the world’s largest centralized exchanges as COMP hype surged along with its prices. With more capital and crypto collateral flooding into the space, there were bound to be more hacks and exploits. In mid-June, an exploit was discovered in the Bancor smart contracts that resulted in the draining of as much as $460,000 in tokens, though the platform rapidly deployed a fix stating that all funds were safe. Balancer was the next DeFi protocol to get exploited as $500,000 in wrapped Ether was pilfered from its pools using an arbitrage attack. The protocol stated that an attacker was able to drain funds from two pools that contained tokens with transfer fees, often referred to as deflationary tokens. A series of flash loans and arbitraged token swaps were carried out in this well-planned incursion. bZx was back in the news in July with a dubious token sale that sparked off a DeFi fairness debate. Jumping on the liquidity mining train, bZx launched its own token which was manipulated by “block snipers” artificially pumping prices and making off with almost $500,000 in profits. The following month was not without its fair share of hacks and exploits either as a protocol offering options for Ethereum and DeFi tokens called Opyn was hacked in August. At least $370,000 in the stablecoin USDC was lost because of a double-spend attack on its ETH put options by attackers exploiting flash loans.

Yam and Sushi sagas

By mid-August, Yam Finance kicked off the food farming frenzy that would result in billions of dollars in crypto collateral being shifted from protocol to protocol as degenerate farmers (degens) hunted down the next quick earner. Yam ran on unaudited smart contracts so it wasn’t long before a code bug was discovered that affected the rebasing of the governance token resulting in the platform appealing to whales to save it. A governance vote followed to essentially restart the platform and “Save Yam.” Vampire mining began at the end of August when SushiSwap forked from Uniswap to offer better rewards and SUSHI tokens. Within a few days, over a billion dollars flowed through Uniswap into SushiSwap and token prices surged. The horror story happened on Sept. 6, when the anonymous founder known only as Chef Nomi sold $8 million worth of SUSHI tokens causing the token price to collapse. The protocol was handed over to FTX derivatives exchange CEO Sam Bankman-Fried (SBF), who took control with a consortium of DeFi whales through a multisig smart contract.

Pulling the rugs

A slew of DeFi doppelgangers followed with the aim of replicating SushiSwap’s success with a useless food themed token, but most of them failed to do so. A few of them including Pizza, Hotdog, and Kimchi were pump and dump schemes, or rug pulls as they became known in the DeFi industry. Even more DeFi clones appeared such as Pancake, BakerySwap, and Burger, which started to switch to Binance’s Smart Chain to avoid the escalating transaction fees on the Ethereum blockchain. By the end of September, there were too many DeFi yield farming protocols to count and token prices began their inevitable slide. Uniswap was among the largest of the year after it airdropped UNI tokens to users and opened four liquidity mining pools, which attracted over $2 billion in collateral.

Gas price crisis

One undesirable outcome of the entire summer of DeFi madness was the unprecedented demand on the Ethereum network, upon which most of it operated. During the peak of DeFi activity, which coincided with the launch of liquidity farming pools on Yam Finance, SushiSwap, and Uniswap, average Ethereum transaction fees surged into double figures. Since the end of April, before any of the “degen farming” began, average gas prices had surged by over 8,000% to their peak in September. Ether became effectively unfeasible for the average person as transaction fees would often cost more than the amount being sent. Layer 2 solutions and Ethereum Improvement Proposals (EIP) such as EIP-1559 were being urgently implemented and discussed to tackle the problem. The talk once again returned to Ethereum killers as alternatives such as Binance Smart Chain, Polkadot, Solana, and NEO’s Flamingo Finance were touted to do a better job. As yet, none of them have managed to “kill” Ethereum.

Millions lost to degen greed

The DeFi nightmares were not over and one of the most recent hacks occurred in mid-October, when hordes of degenerate farmers piled into an unaudited and unreleased smart contract from DeFi protocol Yearn Finance. Protocol founder Andre Cronje posted a few teasers regarding a project he was developing for a “gaming multiverse” non-fungible token economy called Eminence Finance. Within hours, around $15 million had poured into the EMN smart contract and a few hours after that a hacker made off with it all. The hacker returned around $8 million but kept the rest, which prompted the disgruntled “investors” to plan legal action against the Yearn team and start their own platform. The most recent DeFi nightmare of 2020 came on Oct. 26, when a sophisticated flash loan arbitrage attack on the Harvest Finance protocol resulted in the loss of $24 million in stablecoins in around seven minutes.

DeFi token dump

By the end of October, the majority of summer’s DeFi darlings had dumped displaying chart patterns that looked like most altcoins did by the end of 2018. Messari’s DeFi returns index showed the current state of the market with the majority of the newly launched tokens being battered by double-digit losses. Several longer living tokens including those from Aave, Loopring, Synthetix, Kyber Network, and Gnosis were still way up from their prices at the beginning of the year, but the newcomers such as Curve, Swerve, bZx, Sushi, UNI, and Compound were bleeding out by Halloween.

Battle hardening DeFi

While all of the above sounds like the stuff of nightmares that any investor would want to avoid, DeFi has actually proved that there is a real need for crypto-based finance that puts the investor in control, not the bank or CEO. There will always be disparagers to new technology and change, and those who prefer to focus on its weaknesses as opposed to working on making it stronger and more resilient to such exploits. As the DeFi ecosystem evolves, these “teething problems” which have only occurred over the past few months will be ironed out. New “smarter” protocols will emerge as these DeFi nightmares battle-harden the industry and foster more innovation and evolution. Tokens will come and go, and greed will always be a part of the financial industry. However, as we have seen with the wider crypto industry, the strongest protocols will survive despite some of the horrors that have plagued the sector this year.

NOTE: The views expressed here are those of the author and do not necessarily represent or reflect the views of BeInCrypto.

