Poly Network, a decentralized finance, or DeFi, platform, announced on Tuesday that it was hacked.
Initially, over $600 million was stolen, making it one of the largest DeFi hacks to date. Assets stolen included about $253 million in tokens on Binance Smart Chain, $266 million in Ethereum tokens and $85 million in USDC on the Polygon network, according to cryptocurrency wallet addresses disclosed by Poly.
DeFi applications and protocols aim to recreate traditional financial systems, such as banks and exchanges, with cryptocurrency. Most run on the Ethereum blockchain.
Experts say that the hacker was able to exploit an issue the cryptography, or coding, of the network.
To authorize the movement of funds, users sign off using cryptographic signatures, or a string of letters and numbers similar to a password. In this case, the hacker likely targeted a weakness in the cryptography that allowded them to sign off on the transfer of assets.
As of Wednesday morning, however, the hacker returned over $4.7 million back to the Poly Network.
Although this was one of the largest hacks to date, it is nothing new to the DeFi space. DeFi-related theft, hacks and fraud hit an all-time high in the first seven months of the year, according to CipherTrace. From January to July, around $474 million has been lost.
Although the hackers appear to be returning a portion of the stolen funds, this situation is another reminder that it's important to fully understand the risks before investing in DeFi, experts say.
"The significant amount of funds stolen demonstrates that investors must be vigilant and cautious when allocating to this nascent space," John Wu, president of Ava Labs, a team supporting development of DeFi applications on the Avalanche blockchain, tells CNBC Make It. "[D]ecentralized software is experimental and there are significant risks."
The risks of DeFi
Smart contracts, or collections of code that carry out a set of instructions on the blockchain, are essential for DeFi applications to run. But if there is an issue with a developer's code, then there could potentially be weaknesses within a DeFi protocol that hackers can easily exploit.
"A technical flaw or bug in a DeFi protocol can be merciless. Newer, more complex, and novel systems create large technical risks," says Robert Leshner, founder and CEO of DeFi firm Compound Labs.
Any developer could potentially create a DeFi platform, without any audit necessary. Because of this lack of oversight, it can be difficult for investors to know how vulnerable a protocol may be.
These huge risks are, in part, why experts warn that you should only invest as much as you can afford to lose. They also recommend conducting thorough research before allocating funds to cryptocurrency-based DeFi.
Though investors should not assume any DeFi application or protocol is totally safe, longer-standing, audited systems might be a better bet. "[W]hen [built] correctly, these systems can function safely," says Leshner. "When built incorrectly, these systems jeopardize the funds of users."
Also, unlike with a traditional bank, there is no regulation or insurance on your money when you use DeFi.
But, there is potential for more regulation, especially in the U.S., which could be helpful in making it safer to use.
"While the crypto industry still has a long way to go to address the security gaps, as demonstrated by numerous hacks and rug pulls, we expect this type of illicit behavior to decrease as the industry moves increasingly toward regulation," says Timo Lehes, co-founder of DeFi protocol Swarm Markets.
Sign up now: Get smarter about your money and career with our weekly newsletter
- 'People have been participating without understanding the risks': Here's what to know about cryptocurrency-based DeFi
- You could be leaving your crypto wallet open to hackers—here's how to protect it
- A 'significant' upgrade to Ethereum activated that will impact its supply