
Can DeFi Survive the Hacks?

Jun 09, 2022 | 19 min

Episode description

In March of 2022, hackers stole about $600 million from a crypto network. It was one of the biggest exploits of this asset class to date, and left many investors shaken. Can a decentralized financial system work if investors get spooked when significant assets are lost? In this episode: a roundtable discussion with Bloomberg reporter Olga Kharif and Bloomberg Opinion columnist Parmy Olson about the scope and the effect these attacks are having on the decentralized financial marketplace.


Transcript

Speaker 1

I'm Stacy Marie Ishmael, managing editor of Crypto for Bloomberg News, and this is Bloomberg Crypto, a daily Bloomberg iHeart podcast. It's Thursday, June nine. In March, two hackers stole about six million dollars from a crypto network. It was one of the biggest exploits of this asset class to date and left many investors shaken. Can a decentralized financial system like

crypto work if investors get spooked whenever significant assets are lost? Today, I'm joined by Bloomberg reporter Olga Kharif and Bloomberg Opinion columnist Parmy Olson for a look at the scope and effect that these attacks are having on the decentralized financial marketplace. Olga, Parmy, great to have you here. Thank you both for joining. Thank you, thank you. So we're going to start with just some basic principles or you know, frankly crypto. I'm not sure anything ever is really basic,

but Olga, we're going to talk about DeFi hacks. But I want to start with when we say DeFi or decentralized finance, especially as it relates to these hacks and these exploits, what are we actually talking about? We all know how we can use a bank or a broker to make a trade or to take out a loan. And what DeFi is aiming to do is to do the same thing, but without this intermediary such as a bank. So DeFi uses computer code to essentially allow you to

do all of the same things. Um, and this computer code can get pretty complicated, so I would be I mean, are you saying I'm borrowing money from a robot? No, you are borrowing money from another person using the same DeFi app. Got it. So what this computer code is doing is matching borrowers and lenders without there being like a Citibank or a Bank of America or somebody like that in between. Exactly, exactly. And what makes these prone to the kinds of hacks that we've seen? We're talking,

you know, six million dollars, five hundred million dollars. Why are these things happening and who are some of the folks being affected by them? Exactly. The numbers have been

staggering and the users are affected. So it's very often who's affected is just the user for trying to do lending or borrowing or trading directly with each other, and the reason these hacks happen is that to avoid using an intermediary, essentially the computer code governing these apps has to get pretty complicated and it's very hard to audit it and to make sure there are no bugs, that it's

functioning properly. Uh, and plus the various DeFi apps that are out there, they're intertwined with each other and they're governed by communities of users very often, and there are so many different sort of new ways for hackers to

try and steal funds. And you know, when you say the sums are being very large, I think in your reporting you mentioned that something like two point three billion dollars was stolen from these DeFi platforms, in which is a more than one thousand percent increase in the year before. And we're in two and we're probably already at that and we're only in you know, the middle of the year. Absolutely so so, just so far this year, just two hacks of Ronin Bridge and Wormhole Bridge,

they have added up to almost a billion dollars. And you know, Parmy, I would love to get your perspective on in any other I guess financial market asset class. If people were just you know, losing a billion dollars at a time that would worry someone. Oh absolutely, I think right now with what's happening to the price of

bitcoin and other crypto assets, essentially they're falling. It's kind of hard to pinpoint whether that is any of that can be attributed to concerns about the security of these DeFi services, because there's this broader sell off happening in tech at the moment. It's affecting a whole lot of

big tech stocks. But I do wonder, you know, I'm thinking about the people who are investing in these kinds of services and the people who end up losing money. And you know, you could argue that this is ultimately just the rough path that decentralized financial services um have

to go to through to become more secure. I thought it was really telling UM with this one hack against a bridge service called Wormhole, and the developers from that service actually reached out to the hacker that robbed them and offered them ten million dollars as bounty in exchange for all the funds, of course, but also to figure out all the details on how they hacked the system. So you know, it's it's like they want justice but almost more than that, they want to learn how to

be more secure. So I think this is the kind of wild West that UM entrepreneurs are operating in and investors are who are going into this. They're you know, they're like pioneers of the wild West, and and with that adventure is going to come a lot of risk. One thing I would note is, you know, the early days of banking were also chaotic. You did not necessarily

have the regulatory framework that you have right now. You know, even FDIC insurance, which in the US is the idea that if your bank goes under for some reason and you have up to two fifty thou dollars in it, the government will attempt to make you whole. Like that number that two dollars was increased as a result of the two thousand and eight financial crisis, when you know, suddenly the reality that major banks could go under became a clear and present danger as opposed to

theoretical one. So we're always kind of dealing with this idea of vulnerabilities in the financial system. And although I'm wondering, are you seeing anything that is potentially going to make DeFi less vulnerable or are we way way way off from that. I feel that we are ways away from that. You would think that all of these apps would learn from what happened to them and you know, build more

secure and robust systems. But if you look at a lot of the DeFi hacks that have happened, and I'm thinking, you know, Cream Finance, for instance, it got essentially hacked in the same way three times last year. Uh you know, it's the same people got hacked three times. Yeah, in the same way through so called sort of flash loans. This is where, uh you the hacker would borrow money and return it in sort of the same transaction, if you will. And so you know, when you look at

this sort of thing, you start to wonder. But of course, the industry is doing a lot to fix this problem. So a lot of different startups have sprung up that do code auditing of DeFi projects. They try to find different bugs and prevent hacks. But some of the projects that got hacked last year, they were audited and the auditors missed the bugs that eventually led to the hack.

So nothing, you know, no system is perfect. And I think the main issue is that if you want to displace intermediaries, the computer code has to get very very complex and to the point where it's just really hard to find all the bugs in it. And I think this is sort of the main problem that this industry is grappling with. You know, it's just is set up in a way that makes it more vulnerable to hackers than a lot

of other services. Parmy, you wrote in one of your columns, you know, I think it may have been in January that this exact thing that Olga is describing it seems to undermine the idea that Web three, or what we like to call Web three, is necessarily an improvement on Web two. Can you talk a little bit more about that? Yeah, And I actually really want to reiterate the point that Olga made about the complexity of the code underpinning a

lot of these services. And this is what I've also heard from entrepreneurs who work on Web three services, which is, for example, that the pro one of the very popular programming languages used to make these apps um called what is called Solidity. It's a very very complex form of programming. It's very rigid and brittle, so um coders, for instance, you know, when you're building a Web two app, you can write your code and then you can try it.

You've got lots of different opportunities to let it go wrong and see where you went wrong, and then go back and do it again. You can't really do that as much with Web three services. You don't get multiple tries to get something right. You have to plot your steps out really carefully. UM and you know, something so simple as a typo UH could potentially lead to a security vulnerability, not just a glitch, but an actual vulnerability.

UM and I think what again, what makes this different to Web two is that these aren't just UM services for social networking or games or anything like that, but UM people are actually storing large sums of money and so if it if there's a security breach, it has massive financial repercussions. And one thing, one other point that was made to me by an entrepreneur recently, was there's a really prevailing move fast and break things culture within

Web three. Well, yeah, us in Web two by Facebook exactly, but more so now in Web three than with then with Web two, which has become much more corporate and very standardized and very very regulated or not as regulated perhaps as it should be, but certainly much more than um blockchain services. Um and that just really um it does not reconcile with the fact that there's so much at stake financially when these services are breached. Back in a moment with more from Olga Kharif and Parmy Olson.

So this Web two Web three conflation, before we go too far, I want to just talk a little bit more about how those things are different, because I also think it's related to you know, Olga's point about DeFi and and the point you are also making about complexity. When we think about Web two, we're talking about companies like you know, Facebook and social networking, or Spotify and music, or Amazon and purchases, or eBay and purchases. When we're

talking about Web three, what are we actually saying. So with Web three, we're talking about services that often use coins for incentives. For example, we're talking about services that typically run on blockchains, which are digital ledgers that support those coins, and very often we are talking about just

a very different organizational structure. So a lot of these apps are created by communities of users or supported by their communities of users, and so uh, you know, in many ways, the idea behind Web three is sort of giving power to the people, taking power away from corporations and giving it giving more of it to the people.

But in practice the power is still largely concentrated and people who had power before, right, if if I'm understanding it correctly, a lot of the folks who are making money in Web three are the people who made a ton of money in Web two, and as a result,

are you know, very well positioned to be informing those decisions. Absolutely, and basically the people who are emerging as powerhouses in Web three are venture capitalists who were also big investors in Web two's and very heavily influenced a lot of the decisions as well as coin prices. Parmy, Olga's talking about coin prices, right? I mean, there's a there's sort of a phrase that is used both ironically and non ironically in crypto about the idea of magic Internet money

and that none of these valuations really mean anything. Can you just give me a little bit of a sense of when people say, like this hack is seven hundred million dollars or this company is valued at x y z, what are they basing these things on? Well, as I understand it, they're basing it on the value of a particular cryptocurrency in that moment so something like a hundred twenty thousand ether or wrapped ether as it was when it was being transferred through a bridge, was worth three

d and twenty million dollars in US dollars um. But of course that number can change all the time. And somebody who's been covering this for longer than most people, let's just say, um, and you you know so many of the people in the space, and you've watched the rise and fall and rise and fall of various things. Is there anything about this year and the hacks that we've seen, or the sizes that we've seen, the complexity that you've both described, that has surprised you in any way?

You know, um, I don't think it's surprising that we are seeing more of these hacks. Uh. It just uh more people are realizing that crypto, you know, is big, and it's going to be probably bigger at some point. Uh. And so there are more users and more money moving into this space, and of course the hackers are following the money, and so that's why we are seeing so much, so much activity. It seems like almost every week some

hack happens. But but I think the bottom line here in some ways is that a lot of money, A lot of smart people are going into this space, and uh, there are a lot of issues, but also with you know, so much money and so much brain power going in, things will get worked out. That's a lot of the people I talked to feel this way. And Parmy, just going back to your point about how Web two

and Web three are the same. One of the big ways in which they're different, or at least perceived as different, is that in general in Web two, you knew who the people on the other side of a transaction were, or you kind of knew who the company was, and

you you may know who their execs were. In Web three, you might be borrowing or lending on a protocol that's written by, you know, surely very smart, but fifty and mostly anonymous people who uploaded some stuff to GitHub and and had some get and had some code review. And everybody's like that seems great, but you have no idea who they are. Does this pervasive anonymity affect any of your analyses? Yeah, I think it's really um disconcerting.

I mean I would be disturbed by that if I was an investor or someone who was putting my money in these services. And I even just as a journalist, like when you are looking at these companies websites or their blog posts, and I remember reading one blog post from a company that was describing what happened after they had a hack and they had this kind of war room conference call within an hour, which was pretty impressive after the breach had happened, UM, and they were describing

the different UM types of people. There was like an auditor and UM there were these different the validators but no names, you know, And it's just kind of weird to me that it's kind of these beast faceless organizations are handling so much money, and I know that there are names put to UM behind the man of some

of them, particularly the well known ones. UM. But I think the anonymity, particularly as this industry matures, is really going to have to change and UM, especially when money is being lost, people need to be accountable, right, And you know that that idea of people being accountable always strikes me as so fascinating, which is that when everything is going well, anonymity seems to be fine. Right, people

are like this is great. We don't need to know who these people are that would be disrespectful of their talents or whatever, and then as soon as anything falls over, they're like, somebody call the police and have someone arrested, but like you can't arrest a faceless entity and you can't arrest a computer program. So you know, there's definitely a disconnect between those competing desires. Yeah, and I mean even like I'm still kind of trying to wrap my

head around how some of these systems work. But for example, when you're doing transactions on certain networks, you have these validator nodes and the validators are like these computers with a human behind them, and um, after one one big hack, one of the companies um behind it said, oh, we're going to increase the number of validators from five to twenty one. But again, like we don't know who these validators are um, and so it's very hard again to

hold people to account. So that's that's probably going to be a culture shift that DeFi companies are going to have to go through. Well, word to the wise, do your research. Thank you Parmy, and thank you Olga. It has been a real pleasure to have you here with us today. Thanks for having me. Thank you. You can find more of Olga's and Parmy's reporting on the Bloomberg terminal on Bloomberg dot com and follow them on Twitter at Olga Kharif and at Parmy. On the next episode

of Bloomberg Crypto. In January, the United Kingdom officially withdrew from the European Union. The fallout from Brexit, as we all came to know it, is still being measured across all industries. Some analysts predict it will take years to understand the full impact of this event on the UK economy. Brexit even affected the crypto market, especially as far as

regulations are concerned. Bloomberg reporter Emily Nicolle sees cautious optimism among investors about the UK's approach to crypto regulation. She joins me tomorrow. I'm Stacy Marie Ishmael and this is Bloomberg Crypto, a daily podcast from Bloomberg and iHeartRadio. For more shows from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you get your podcasts. Email your comments, questions or suggestions to Crypto at Bloomberg dot net. Follow us on Twitter at Crypto.

The supervising producer and editor of this episode is Vicky ver Galina. Our producer is Mohammed faruk Zan Absdiki is our associate producer. Des To wonder At is our engineer. Original music by Leo Sidron. Bloomberg's head of podcasts is Francesca Levy n T. The Stablish It and Its Bad in the sid
