Investors pull $15bn from DeFi as latest hack sparks security fears

Decentralised finance investors are getting cold feet after North Korean hackers stole almost $600 million from onchain apps in the first four months of the year.

On Saturday, hackers from the hermit kingdom struck Kelp DAO, a restaking app on Ethereum, stealing $294 million from users.

In the aftermath, investor deposits in major DeFi apps — measured by a metric called Total Value Locked — dropped by more than $15 billion, according to data from DefiLlama.

Deposits on Aave, the biggest DeFi app, fell by $10 billion — around 22% of its total deposits before the Kelp DAO exploit. Morpho and Sky, the next two biggest DeFi lenders, saw their deposits decline by $1.7 billion and $600 million respectively.

These protocols were affected by the hack because they had integrated Kelp DAO’s rsETH token, 116,500 of which was stolen by the hackers.

Even unaffected apps on different blockchains have been impacted.

Kamino, the biggest lending market on the Solana blockchain, also experienced some $280 million of outflows since April 18.

Blockchain-based DeFi apps which offer yields on crypto deposits are vying to draw in institutional capital as asset managers from the broader financial industry pile into the asset class.

Yet the risks of using DeFi apps are increasing.

North Korean hackers are getting better and better at breaking into them, for one thing.

The nation state’s ability to execute fewer but far more damaging attacks demonstrates “increasing sophistication and patience,” according to a December Chainalysis report.

At the same time, artificial intelligence is also making crypto hacking cheaper, easier, and faster. Bad actors are now using the technology to search through thousands of lines of code a second, identifying vulnerabilities that have slipped by developers and auditors.

Nothing new? 

Hackers targeting DeFi apps isn’t a new phenomenon. But what has investors spooked is that the trend is getting worse.

Last year was the worst on record for cryptocurrency hacks, with total losses exceeding $3.4 billion according to crypto security firm Chainalysis. The fact that losses this year have already surpassed $771 million doesn’t bode well.

Security experts have noted that the recent hacks from North Korea’s Lazarus Group are becoming more sophisticated compared to previous attacks.

In Saturday’s $293 million theft from Kelp DAO, the attackers forged a legitimate-looking cross-chain message which required deep coordination and relied on a complex, cross-chain setup.

When Solana-based app Drift was hacked for $285 million on April 1, it was the result of a months-long operation that combined social engineering and abuse of niche features in the Solana blockchain.

To be sure, even traditional financial institutions can fall prey to hacks.

In 2016, North Korean hackers tried to steal almost $1 billion in funds belonging to Bangladesh’s central bank. While the attackers were able to get away with around $101 million, most of the transactions were blocked.

But in DeFi, transactions usually can’t be blocked or reversed. Code is typically the final arbiter over what actions users can and cannot do, and if hackers find vulnerabilities or other points of failure, the money can be lost for good.

Based on previous DeFi thefts perpetrated by North Korean hackers, it’s likely only a small amount of the funds stolen in the Kelp DAO hack can ever be recovered.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.