Since 2017, over $8 billion has been lost onchain due to smart contract hacks, infrastructure failures, and rugpulls, according to DeFiLlama. This figure represents only part of the overall losses, as loss events such as phishing attacks and scam coins are harder to track.
In traditional finance (TradFi), investor protections like the SIPC in the US or FSCS in the UK exist. However, in the onchain world, "your keys, your coins" means that the responsibility for the risks comes with the power of self-custody. There is usually no recourse if things go wrong, unlike in regulated TradFi systems.
However, by understanding and mitigating your organization’s onchain risk through DeFi cover, you can fully capitalize on the advantages of blockchain - cost-effectiveness, speed, transparency, and programmability that are unmatched by traditional financial rails.
🎳 Categories of onchain risk
At the highest level, onchain risks can be broken down into three main categories:
1. Pre-transaction risk
This refers to custody or self-custody risks—the potential loss of asset access due to compromised or lost private keys.
2. Transaction risk
These technical, economic, or security risks can occur during transaction execution. Examples include interacting with malicious smart contracts, smart contract errors, price oracle manipulation, stablecoin depegs, or bridge failures.
For instance, imagine a user is trying to swap tokens on a decentralized exchange (DEX). They submit the transaction, but the smart contract they’re interacting with has been compromised or maliciously designed to exploit users. When the transaction is executed, instead of receiving the expected tokens in return, the contract transfers the user's funds to the attacker's wallet without delivering anything in exchange. This is a direct transaction risk because it occurs during the transaction itself and involves technical or security vulnerabilities that lead to an immediate loss of funds.
3. Post-transaction risk
This involves protocol risk, such as depositing assets into a smart contract that later gets hacked or exploited, leading to loss of funds. For example, Euler's $200 million loss is a case of post-transaction risk.
According to data from Chainalysis, Slowmist, and Halborn, in 2023 alone, over $2.1 billion in losses were recorded:
- 25% from pre-transaction risks
- 20% during transactions
- 55% post-transaction
✨ Insurance and insurance alternatives in DeFi
Traditional insurance mainly covers pre-transaction risk (i.e. custody). Large custodians and self-custodial wallets often insure their infrastructure against theft or professional liability, though only a fraction of customer assets are typically covered.
However, traditional insurance offers little to no coverage for transaction and post-transaction risks - new risk categories unique to DeFi. Fortunately, insurance alternatives like Nexus Mutual provide cover for these, but users still bear the responsibility of mitigating risks.
(Refer to OpenCover in our tools library to learn to protect your onchain portfolio against hacks, oracle manipulation, and governance attacks.)
🛡️ Mitigating transaction and post-transaction risks
- Transaction risk:
Transaction simulators are tools that help users preemptively evaluate the potential outcome of a blockchain transaction before it is executed. They analyze and simulate what will happen when a transaction is broadcast to the network, providing a "preview" of its effects. Best practices include using transaction simulators such as Pocket Universe or Wallet Guard, which can protect against phishing and drainer scams; simulators are often integrated into enterprise wallets like Tenderly or Blockaid. These tools may not protect against all risks, such as subtle price discrepancies in decentralized exchanges.
- Post-transaction risk: The Euler Finance and Hedgey Finance hacks are examples of post-transaction risk. Users are advised to ensure the protocols they interact with have passed sufficient audits and have employed comprehensive security measures. For complete peace of mind, there is little an individual can do beyond purchasing Protocol Cover.
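An added example (not OpenCover's code, nor that of any simulator or wallet named above) of the kind of pre-signing check a transaction simulator performs: decode the calldata of a proposed transaction and flag token approvals to a spender outside the treasury's allowlist, or for an unlimited amount, a common pattern in drainer scams. The function selectors are the standard ERC-20/ERC-721 ones; the addresses and the allowlist are constructed for the demo.

```python
# Minimal pre-signing policy check over raw calldata (added example, not a real product's code).
from dataclasses import dataclass

# 4-byte selectors: first 4 bytes of keccak256 of the canonical signature.
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

@dataclass
class Finding:
    severity: str   # "info", "medium" or "high"
    reason: str

def _word(data: str, index: int) -> str:
    """Return the index-th 32-byte ABI word (hex) following the 4-byte selector."""
    start = 8 + index * 64
    return data[start:start + 64]

def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) calldata; used to build constructed samples."""
    addr = spender.lower()[2:] if spender.lower().startswith("0x") else spender.lower()
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")

def check_calldata(calldata: str, trusted_spenders: set) -> list:
    """Flag approvals that a treasury policy would not sign without review."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    if len(data) < 8:
        return [Finding("info", "empty calldata: plain value transfer, no contract call")]
    selector = data[:8]
    if selector == APPROVE_SELECTOR and len(data) >= 8 + 2 * 64:
        spender = "0x" + _word(data, 0)[24:]   # address is right-aligned in its word
        amount = int(_word(data, 1), 16)
        if spender not in trusted:
            findings.append(Finding("high", f"approve() to untrusted spender {spender}"))
        if amount == UINT256_MAX:
            findings.append(Finding("medium", "unlimited ERC-20 allowance requested"))
    elif selector == SET_APPROVAL_FOR_ALL_SELECTOR and len(data) >= 8 + 2 * 64:
        operator = "0x" + _word(data, 0)[24:]
        if int(_word(data, 1), 16) == 1 and operator not in trusted:
            findings.append(Finding("high", f"setApprovalForAll(true) to untrusted operator {operator}"))
    return findings

if __name__ == "__main__":
    # Constructed addresses: 0xaa..aa is the allowlisted DEX router, 0xbb..bb is unknown.
    allowlist = {"0x" + "aa" * 20}
    for tx in (encode_approve("0x" + "aa" * 20, 10**6), encode_approve("0x" + "bb" * 20, UINT256_MAX)):
        print(tx[:10], check_calldata(tx, allowlist))
```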
How CFOs and accountants can stay safe onchain
Below is an outline of the common activities performed by CFOs and accountants when dealing with crypto transactions, their respective risks, and best practices to mitigate those risks.
Note: The scenario assumes an enterprise wallet (Safe or Ledger Enterprise) where revenue is collected on multiple chains and then aggregated in an onchain treasury to earn yield.
If you need help to create a Safe account, refer to our article titled How to authorize a multisig payment using Safe.
👀 Practical case studies of hacks
Case study: Euler Finance hack
Overview:
On March 13, 2023, Euler Finance suffered a major DeFi hack, resulting in a loss of approximately $197 million. This incident underscores the critical need for robust smart contract security in DeFi protocols.
Hack details:
- Exploited function: donateToReserves.
- Mechanism: Attackers used flash loans to manipulate the protocol's lending mechanisms. Moreover, they leveraged a flaw in the health score system to create under-collateralized positions.
Impact:
- Total loss: $197 million.
- Assets stolen: ETH, WBTC, USDC, and DAI.
- TVL drop: Euler's total value locked (TVL) plummeted from $264 million to just $10 million.
Had Euler implemented thorough smart contract security measures, such as audits, formal verification, and real-time monitoring, this loss could have been prevented.
Case study: Hedgey Finance flash loan attack
Overview: On April 19, 2024, Hedgey Finance suffered a flash loan attack across the Ethereum and Arbitrum platforms, leading to a loss of approximately $44.7 million. This incident highlights the pressing need for more robust input validation and smart contract security in DeFi.
Hack details:
- Exploited function: Vulnerability in the createLockedCampaign function allowed attackers to manipulate the claimLockup parameter.
- Mechanism: Attackers utilized a flash loan of $1.3 million USDC from Balancer to abuse the vulnerable contract, which resulted in unauthorized token approvals.
Impact:
- Total loss: $44.7 million.
- Assets stolen: USDC, NOBL, MASA, and BONUS tokens.
Security failures: The root cause of the exploit was inadequate input validation, specifically the lack of thorough checks on user-supplied parameters. This flaw allowed attackers to bypass security and approve token transfers to their own contract. This attack calls into question Hedgey’s security practices, particularly around critical features such as token vesting and lockups, which are essential for their DeFi infrastructure.
Aftermath: Despite the gravity of the attack, Hedgey initially praised the attacker in an on-chain message, assuming they were a white hat hacker. The nearly $45 million theft, however, represents a significant breach of trust within their community. Rebuilding that trust will require Hedgey to execute a complete security overhaul, starting with stronger input validation, reinforced access controls, and stringent audits.
Path to recovery: Hedgey Finance faces the immense challenge of regaining trust in the DeFi space. By implementing more rigorous security practices, conducting thorough audits, and being transparent with its users, Hedgey can begin the long road to redemption. This exploit serves as a harsh reminder that in the world of DeFi, security must always be the top priority, as the stakes are high, and the consequences of negligence can be catastrophic.
Other significant DeFi hacks
These examples highlight the importance of strong security measures to prevent substantial losses in DeFi protocols.
😎 Conclusion
CFOs, accountants, and finance professionals navigating this space must understand that smart contracts don’t forgive, and protocols don’t bend. Security isn't just a feature, it’s the foundation for your company’s going concern.
You can’t predict every hack or avoid every attack. But you can prepare. You can learn from the failures of others, adopt best practices, and safeguard your operations. Part of that preparation means securing DeFi cover, ensuring that when things go wrong, and they will, you’re not left to pick up the pieces alone.
DeFi cover, an alternative to insurance, can't prevent the attack, but it can help absorb the damage.
Jeremiah Smith is the Co-Founder and CEO at OpenCover, a leading cover provider protecting individuals and institutions against onchain risks such as malicious transactions, smart contract exploits and governance attacks.
As an entrepreneur and former scientist (Imperial College PhD ’15), Jeremiah has over a decade of experience bridging the gap between technology and product. Jeremiah is a Y-Combinator, Alliance and Lloyd's Lab Alum.