DeFi continues to bleed millions of dollars to hackers each month, prompting one security expert to offer a controversial solution to the problem – namely, the centralization of certain aspects of decentralized protocols.
Nanak Nihal Khalsa, the co-founder of Web3 security startup Holonym, said he understands that introducing centralization would certainly be contentious in an industry that prides itself on being “uncensorable”. But he argues that it’s possible for DeFi protocols to achieve a delicate balance that stops anyone from blocking day-to-day transactions while preventing large amounts of funds from being stolen.
“If we want everyday people to use crypto, we should strive to design and implement ways to prevent ‘scary transactions’, and this can be done by adding centralization in places that are okay to be centralized,” Khalsa said.
Khalsa’s comments came in reaction to a recent report by the crypto security firm Peckshield, which revealed that DeFi protocols lost $85.5 million to hackers in November, bringing the industry’s annual loss to more than $2.43 billion so far in 2024.
Last month, Peckshield recorded more than 30 separate hacking attacks, with the biggest losers being Thala, which lost $25.5 million in crypto funds, and DEXX, which was drained of $21 million via a protocol hack.
The report highlights how DeFi protocols are increasingly being targeted by hackers, due to the ongoing prevalence of vulnerabilities in their underlying code and smart contracts. While overall crypto losses in November were lower than the $102.42 million stolen in October, the amount taken specifically from DeFi platforms was higher than in the prior month.
Along with Thala and DEXX, platforms including Gifto, Polter Finance and Delta Prime also fell victim to multi-million dollar hacks last month.
Khalsa says these latest incidents lend more weight to the argument that the DeFi industry will never be able to rely on smart contract audits alone, as it simply isn’t possible to uncover every vulnerability that creeps into their code.
“Audits are somewhat mature by now already,” Khalsa pointed out. “I don’t think we’re going to see any more huge leaps in terms of security audits.”
Rather, the Web3 industry needs to learn from its counterparts in Web2, which suffers from comparatively fewer hacking incidents due to the way its systems are centralized, Khalsa said. He said Web2 has become very good at preventing fraud because it has come up with various systems and tools that can detect when hackers are trying to process a malicious transaction, and block them from withdrawing funds.
“This is what your credit card and your bank does, and that’s why they are considered by most people to be secure,” Khalsa argues. “If the banks allowed users to perform any transaction without checking its safety first, I guarantee that hacks would happen in that industry far more frequently, and for much larger amounts, than we see now. The losses would far exceed Web3’s losses.”
The problem is that, if a DeFi protocol is able to block suspicious transactions, it would also have the ability to block legitimate withdrawals. That would mean it’s no longer resistant to censorship, and it would be enormously controversial, as crypto is founded on the ideal of being censorship-resistant.
However, Khalsa points out that it’s possible to introduce only a limited degree of centralization into DeFi protocols.
“We don’t have to centralize the entire protocol, as there is a whole spectrum of control that can be introduced,” he argued. “For instance, we can program smart contracts to only block transactions above $1 million, if they meet specific criteria that marks them as suspicious. That would prevent huge protocol drains, without censoring users’ daily activities.”
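As an added illustration of the “spectrum of control” Khalsa describes (a constructed example, not code from Holonym or any protocol named in this article), the following Solidity vault leaves withdrawals at or below a threshold entirely outside any operator’s reach, while withdrawals above it can be halted by a guardian role. The guardian role, the flag mechanism and the choice to denominate the threshold in wei rather than dollars are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed example: only withdrawals above a threshold can ever be blocked.
// Everything at or below it has no guardian code path, so daily use stays uncensorable.
contract GuardedVault {
    address public immutable guardian;       // assumed: an incident-response role
    uint256 public immutable largeThreshold; // assumed: denominated in wei, not USD

    mapping(address => uint256) public balances;
    mapping(address => bool) public flagged; // set when a risk tool marks an account
    bool public largeWithdrawalsPaused;      // protocol-wide brake, large withdrawals only

    event LargeWithdrawal(address indexed account, uint256 amount); // for monitoring

    constructor(address _guardian, uint256 _largeThreshold) {
        guardian = _guardian;
        largeThreshold = _largeThreshold;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Guardian controls: both only take effect inside the large-withdrawal branch.
    function setFlag(address account, bool isFlagged) external onlyGuardian {
        flagged[account] = isFlagged;
    }

    function setLargeWithdrawalsPaused(bool paused) external onlyGuardian {
        largeWithdrawalsPaused = paused;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        if (amount > largeThreshold) {
            require(!largeWithdrawalsPaused, "large withdrawals paused");
            require(!flagged[msg.sender], "account flagged");
            emit LargeWithdrawal(msg.sender, amount);
        }
        balances[msg.sender] -= amount; // effects before interaction (reentrancy)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The guard is per transaction, so a drain split into many sub-threshold withdrawals would pass it; a deployment would pair this with a per-window volume cap, and the guardian key itself becomes the component that must be protected.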
Khalsa also called for DeFi protocols to work harder to prevent incidents such as phishing attacks, which remain one of the most common causes of DeFi hacks.
“There are a ton of tools out there, like Blockaid, Tenderly, Alchemy, Blowfish and GoPlus,” he said. “They [protocols] should be sure to alert users or enforce policies based on balance changes and potential threats that are detected by these tools.”
In addition, he urged DeFi protocols to stay on the ball, pointing out that the rapid response of Thala’s team meant that it was able to recover $25.2 million of the total $25.5 million that was stolen.
“Response time matters a lot; the sooner you respond, the sooner you can block an attacker from withdrawing the funds to mixers or exchanges,” Khalsa noted. “Larger companies often train their employees to quickly and effectively respond to security incidents, and it very often works.”