Paul Vigna, formerly a reporter for The Wall Sheet Journal, is the co-author of “The Age of Cryptocurrency: How Bitcoin and the Blockchain Are Challenging the Global Economic Order.”
DeFi swaps out one set of risks for another and until that changes independent DeFi protocols will not be suitable for the mass market.
The Great Crypto Crash of ‘22 was no doubt exacerbated by the weak internal controls at a handful of critically important, opaque private companies, and in many ways it echoed past crises in the traditional financial markets. DeFi proselytisers think decentralised finance could be the solution. They are half right, at best.
Three Arrows Capital, a private, Singapore-based hedge fund, borrowed billions to fuel bets it placed in DeFi markets. When the market turned south, Three Arrows couldn’t meet its margin calls. Firms it had borrowed from included Genesis Global Capital and Voyager Digital. Both have filed for bankruptcy protection. The firm still owes 27 creditors $3.5 billion.
Three Arrow’s collapse sparked waves of tumult across the crypto space, which led to the downfalls of Celsius Network and FTX among others. There’s no clarity about whether these upheavals are over.
This bonfire has elicited some amount of boasting from DeFi practitioners who’ve argued that the factors that drove the CeFi crypto collapse – the misuse of customer funds, the overleveraged and undercollateralised speculation – couldn’t happen in DeFi since it’s transparent and non-custodial. “The vision of DeFi is a financial system where what happened at FTX is not just improbable, but impossible,” DeFi index fund provider Index Coop DAO wrote in an opinion piece in Decrypt.
Centralised financial crises like the one in 2008 and the one in crypto last year are “a sales pitch for DeFi,” according to Hart Lambur, the co-founder of DeFi protocol UMA. DeFi protocols provide the transparency that centralised entities like FTX or MF Global lacked, he argued.
What these arguments miss, however, is that DeFi is rife with its own unique set of risks.
On Sunday, January 15, an unknown actor executed a flash-loan attack on the DeFi lending protocol Midas Capital. In a matter of seconds, $660,000 worth of cryptocurrency was gone. There have been four such exploits so far this year, according to data from DefiLlama, including a $120 million exploit of BonqDAO.
Such exploits are absolutely routine. There were 54 such attacks in 2022 – better than one a week. Those attacks cost investors a combined $3.2 billion last year.
The biggest attacks all resulted in losses of hundreds of million. Axie Infinity gamers lost a combined $624 million when the Ronin Network was exploited in March. BNB Bridge lost $586 million in August. Wormhole was exploited for $326 million in February. Nomad Bridge, $190 million in August. Beanstalk, $181 million in April.
What’s most alarming about that list is that all of those projects were popular and ostensibly transparent. Ronin Network was a platform for moving crypto tied to the popular game Axie Infinity. BNB Bridge is a product of Binance.
DeFi supporters will say “code is law” and ask you to read the transparent code for yourself. But most investors are not coders and have no ability to audit the code themselves. It is virtually impossible for potential users, to say nothing of the creators themselves, to uncover any faults.
Moreover, arguing that DeFi is better than CeFi misses one key fact: the chain-linked meltdown that destroyed FTX, Celsius, Voyager, Three Arrows and others started with a collapse in DeFi.
In the spring of 2022 the DeFi platform Terra imploded. Terra, the product of a group called Terraform Labs, was an “algorithmic” stablecoin that purportedly would maintain a $1 value via arbitrage trading of a related cryptocurrency, Luna. At their peak, each crypto had a circulation value of roughly $20 billion. So $40 billion combined.
A lending protocol called Anchor Protocol was built on top of Terra. Anchor attracted capital by offering a 19% interest rate, and most of those tens of billions were on the platform specifically to get that payout. As the market dropped, the payout became untenable. When it did, all the leveraged bets – including massive ones like those from Three Arrows – unwound. Rapidly. The $40 billion disappeared virtually overnight. What had been a general crypto selloff – Bitcoin was down roughly 50% from its highs – became a death spiral.
DeFi backers argue Terra wasn’t really DeFi, but that’s disingenuous. The goal of DeFi isn’t that code writes itself. Every string of code is written by somebody, somewhere. The goal of DeFi is that it’s transparent enough that no one party can manipulate it. Terra was DeFi, it collapsed spectacularly, and it took most of crypto down with it.
It should be noted here that the rest of DeFi has continued to operate, albeit at far lower valuations. Liquidity pools are transparent and liquidations, when they happen, are orderly because positions are overcollateralised to begin with. Again, DeFi solves TradFi problems.
What DeFi lacks are formal standards for coding and operating its services to minimise its other new, unique problems, but it’s not clear where they will come from. A new European law likely to go into effect later this year called MiCA, or Market in Crypto-Assets, doesn’t currently address DeFi (or NFTs and other new innovations for that matter). There is a proposed bill in the US called the Digital Commodities Consumer Protection Act, or DCCPA, that does address DeFi. But its prospects are unclear.
The bill was bitterly opposed by the industry, with many arguing the bill as originally written would have effectively banned DeFi applications. The fact it was championed by disgraced FTC founder Sam Bankman-Fried didn’t help. In January one of its two sponsors – Senator Debbie Stabenow of Michigan – announced she would be leaving Congress after her term ends in 2025 and the fact remains the US Congress has yet to pass any crypto legislation.
Code audits are one promising development for DeFi. The idea here is that a third party will examine a DeFi project code and look for problems. There are now a number of firms offering the service.
The problem is that the audits themselves may be lacking. In October, a DeFi project called Team Finance, which had $3 billion under management, was exploited to the tune of $15.8 million. The group behind the service said its smart contract “was audited by a reputable audit firm.”
Bugs are hard to find until they actually get exploited. Massive companies like Microsoft and Apple are constantly shipping updates that account for new bugs on software that may be decades old. Launching untested DeFi programmes, no matter who backchecked them, is risky.
At some point, crypto winter will end and a new growth cycle will begin. If DeFi is going to be more than a curiosity or a relic, the industry needs to make security a top priority.