DeFi Risks and Hacks
The dark side of "code is law"
In DeFi, there are no customer service hotlines and no FDIC insurance. If a smart contract has a flaw, the money can be drained instantly. Over $5 billion has been stolen in DeFi hacks since 2020.
Understanding how protocols break is the first step to protecting your funds.
Types of DeFi Hacks
1. Logic Bugs (Smart Contract Exploits)
A developer makes a mistake in the code. The most famous example is the reentrancy attack, in which an attacker's contract calls back into the victim contract and withdraws repeatedly before the victim has updated the attacker's balance to zero.
2. Oracle Manipulation and Flash Loans
DeFi protocols need to know the price of assets (e.g., "What is the price of ETH?"). They get this from "oracles" or by checking DEX pools.
A Flash Loan allows anyone to borrow tens of millions of dollars with no collateral, provided the loan is repaid within the same transaction; if it is not, the whole transaction reverts as though it never happened. Hackers use the borrowed capital to push a DEX pool's price far from its true value, so a lending protocol that reads its price from that pool sees the fake price. They then exploit the confused protocol (e.g., borrowing $10M against collateral that is temporarily reading as worth $100M) before the price recovers.
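The spot-price read described above, simulated as an added example (not code from this lesson or from any real protocol): a toy constant-product pool whose price a single large swap skews, a naive valuation that trusts that price, and a hardened valuation that cross-checks it against an independent reference price and refuses the read when they disagree. The pool sizes, the 5% deviation threshold and all function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy constant-product DEX pool (x * y = k); constructed for this example."""
    reserve_eth: float
    reserve_usd: float

    def spot_price(self) -> float:
        """USD per ETH as a naive on-chain reader computes it from the reserves."""
        return self.reserve_usd / self.reserve_eth

    def swap_usd_in(self, usd_in: float) -> float:
        """Sell USD into the pool and receive ETH, keeping x * y constant."""
        k = self.reserve_eth * self.reserve_usd
        self.reserve_usd += usd_in
        new_eth = k / self.reserve_usd
        eth_out = self.reserve_eth - new_eth
        self.reserve_eth = new_eth
        return eth_out

def naive_collateral_value(pool: Pool, eth_amount: float) -> float:
    """Vulnerable pattern: trust the pool's spot price at the instant of the call."""
    return eth_amount * pool.spot_price()

def guarded_collateral_value(pool: Pool, eth_amount: float,
                             reference_price: float, max_deviation: float = 0.05) -> float:
    """Hardened pattern: check the spot read against an independent reference
    (a time-weighted average or external oracle) and refuse it when they disagree
    by more than max_deviation (5% here is an assumed policy, not a real constant)."""
    spot = pool.spot_price()
    if abs(spot - reference_price) / reference_price > max_deviation:
        raise ValueError("spot price deviates from reference; refusing valuation")
    return eth_amount * min(spot, reference_price)

def run_scenario() -> dict:
    """One flash-loan-sized swap against a thin pool, seen by both valuation paths."""
    pool = Pool(reserve_eth=1000.0, reserve_usd=2_000_000.0)  # fair price: 2000 USD/ETH
    reference = pool.spot_price()             # what a TWAP would still report after the swap
    pool.swap_usd_in(8_000_000.0)             # borrowed capital pushed through in one tx
    naive = naive_collateral_value(pool, 100.0)   # 100 ETH valued at the skewed spot price
    try:
        guarded_collateral_value(pool, 100.0, reference)
        rejected = False
    except ValueError:
        rejected = True
    return {"price_before": reference, "price_after": pool.spot_price(),
            "naive_value": naive, "guarded_rejected": rejected}
```

With these numbers one swap moves the spot price from 2000 to 50000 USD/ETH, so the naive path values 100 ETH at $5M while the guarded path refuses to value it at all.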
3. Bridge Hacks
To move assets from Ethereum to Solana, you use a "bridge." A bridge works by locking your ETH in a smart contract on Ethereum and minting an equivalent token on Solana. Bridges hold massive amounts of crypto, making them prime targets. Some of the largest hacks in crypto history ($600M+) have been bridge exploits in which hackers forged the signatures that authorize releasing the locked funds.
How to Evaluate Protocol Safety
If you are going to deposit funds into DeFi, follow this checklist:
- Lindy Effect (Time on Market): Has the protocol been holding over $100 million for more than a year? Hackers follow the money. If it has held a massive bounty for a year without being hacked, it is significantly safer than a protocol launched yesterday.
- Audits: Go to the protocol's documentation. Have they been audited by top-tier firms like Trail of Bits, OpenZeppelin, or Consensys Diligence? (Note: An audit is not a guarantee of safety, but lack of an audit is a massive red flag).
- Bug Bounty: Do they offer millions of dollars to "white hat" hackers who find bugs and report them safely? (Check Immunefi).
- Admin Keys: Can the developers change the code whenever they want? If the developers get hacked, the protocol gets drained. Look for protocols governed by a DAO or requiring a multi-sig (multiple people to sign off on changes).
Key takeaways
- DeFi hacks usually stem from smart contract logic bugs, oracle manipulation, or bridge exploits.
- Flash loans weaponize market manipulation, allowing hackers with zero capital to execute massive attacks.
- Time on the market (Lindy effect) and high TVL are the strongest indicators of battle-tested code.
- Always assume new protocols are extremely high risk.
Quiz: DeFi Risks and Hacks
Question 1 of 5: What is an oracle manipulation attack?