Recounting 2021’s biggest DeFi hacking incidents

Compound Finance is just one of the latest victims of DeFi hacking incidents in 2021. On Sept. 30, an errant token distribution bug within Proposal 062 exposed a flaw through which $70 million–$85 million in excess COMP tokens were wrongly distributed to users.

A few days later, an extra $65 million was placed in a vulnerable vault, putting at least $150 million in COMP tokens at risk. While Compound was able to remedy the entire situation, the episode shows how vulnerable the decentralized finance (DeFi) sector can be at times due to its nascency.

Last year, the total value locked (TVL) in DeFi was a mere 5% of its current worth of $255 billion. The change marks an explosive 1686% growth. Even with the Compound debacle, and most recently the decentralized trading platform BXH, which was drained of $139 million in an attack due to a leaked admin key, TVL actually increased over the last month, appreciating by 14.27%.

One reason investors have flocked to DeFi protocols is the search for higher returns. The rock-bottom interest rates of 2020, with no clear framework for an increase, caused investors to look for other avenues to park their cash. Locking crypto assets in DeFi protocols and supplying liquidity for such services became an attractive option, as it offers better returns. What ensued was a yield farming boom in 2020 that prevailed up to this year.

Counting the incidents

The rising popularity of DeFi is a double-edged sword for the young sector and the cryptocurrency space as a whole. Since 2012, 534 blockchain hacking incidents have taken place, with 169 events coming in 2021 alone, according to Chinese cybersecurity firm SlowMist. Hacks are growing in sophistication and target various areas of the space.

The biggest hack to ever take place occurred in 2021 and was carried out by an unknown hacker on cross-chain protocol Poly Network. The result was the equivalent of $610 million in stolen tokens, topping the Mt. Gox and Coincheck hacks. The attacker pocketed about $273 million from the Ethereum network, $85 million in USD Coin (USDC) from the Polygon network and $253 million from Binance Smart Chain. The attack also removed sizable amounts of renBTC, wrapped Bitcoin (wBTC) and wrapped Ether (wETH).