LONDON - For most of the 13-year life of cryptocurrencies, exchanges were the epicentre for cyberheists. Now, a bigger hacking risk in the growing sector has exploded into view: peer-to-peer crypto platforms.
One such site, Poly Network, was at the centre of a $610 million crypto theft last week, one of the biggest ever. Within days of the heist, the de loot.
The unusual ending to the Poly Network saga belies fast-emerging risks in this growing corner of crypto, where an estimated $80 billion or more is held, interviews with industry executives, lawyers and analysts show.
DeFi sites allow users to lend, borrow and save - usually in cryptocurrencies - while bypassing the traditional gatekeepers of finance such as banks and exchanges. Backers say the technology offers cheaper and more efficient access to financial services.
But the heist at Poly Network - previously a little-known site - has underscored the vulnerability of DeFi sites to crime.
Would-be robbers are often able to exploit bugs in the open-source code used by sites. And with regulation still patchy, there is usually little or no recourse for victims.
Centralised exchanges, which act as middlemen between buyers and sellers of crypto, had previously been the main targets of crypto cyberheists.
Tokyo-based exchange Mt.Gox for instance collapsed in 2014 after it lost half a billion dollars in hacks. Coincheck, also based in Tokyo, was hit by a $530 million heist in 2018.
Many major exchanges, under the regulatory spotlight and striving to attract mainstream investors, have since bolstered security and heists on such scale are now relatively rare.
An onus on security at major platforms such as Coinbase Global Inc has pushed less-secure venues to the sidelines, said Ross Middleton, chief financial officer at DeFi platform DeversiFi.
"What's happened is the big exchanges have got really good (on security) and the smaller exchanges aren't around anymore," he said. "The frontier is definitely DeFi now."
Losses from crime at DeFi platforms are at an all-time high, crypto intelligence firm CipherTrace said last week, with thieves, hackers and fraudsters making off with $474 million from January through July.
The spike came as funds poured into DeFi, mirroring flows into crypto as a whole. According to DeFi Pulse the total value held at such sites is now more than $80 billion, compared with just $6 billion a year earlier.
DeFi specialists say security risks tend to lie at newer sites which may run on less secure code.
"There is a widening security and risk gap between old, battle-tested DeFi protocols, and new, untested DeFi protocols," said Rune Christensen, former head of the body behind high-profile DeFi application Maker.
Proponents says the use of open-source code means vulnerabilities can be quickly identified and solved by users, reducing the risk of crime. DeFi can police itself, they say.
Yet for financial watchdogs and governments across the world looking at regulating the crypto sector, DeFi is increasingly in focus.
U.S. Securities and Exchange Commission (SEC) chair Gary Gensler has signalled he would take a tough stance on DeFi.
Such platforms may be captured by U.S. securities laws, he said in a speech this month, calling on Congress to draft legislation to rein in DeFi and crypto trading.
The SEC this month brought its first enforcement action involving DeFi tech, alleging the company issued unregistered securities and misled investors. The SEC did not respond to further questions on its stance.
Officials at the U.S. Commodity Futures Trading Commission have also signalled greater scrutiny.
Commissioner Dan Berkovitz in June called DeFi a "Hobbesian marketplace - a reference to a 17th century philosopher who saw life without government as "nasty, brutish and short". Unlicensed DeFi platforms for derivatives were violating commodities trading laws, he suggested.
Elsewhere, moves are slower. DeFi is still far from the political agenda in Britain, for instance.
A spokesperson for Britain's financial watchdog said while some DeFi activities may fall under its scope, much of the sector is unregulated.
For some analysts, greater regulation in inevitable, with little sign that DeFi sites can do the job themselves.
"The unfortunate situation is that (Poly Network) was seen as just an average Tuesday in the DeFi world," said Tim Swanson of blockchain firm Clearmatics.
"The industry likes to congratulate itself by claiming it resides on transparent systems, but it has repeatedly shown it is incapable of policing itself."