One such site, Poly Network, was at the centre of a $610 million crypto theft last week, one of the biggest ever. Within days of the heist, the decentralised finance (DeFi) platform said the “white hat” hacker or hackers had returned nearly all the loot.

The unusual ending to the Poly Network saga belies fast-emerging risks in this growing corner of crypto, where an estimated $80 billion or more is held, interviews with industry executives, lawyers and analysts show.

DeFi sites allow users to lend, borrow and save – usually in cryptocurrencies – while bypassing the traditional gatekeepers of finance such as banks and exchanges. Backers say the technology offers cheaper and more efficient access to financial services.

But the heist at Poly Network – previously a little-known site – has underscored the vulnerability of DeFi sites to crime.

Would-be robbers are often able to exploit bugs in the open-source code used by sites. And with regulation still patchy, there is usually little or no recourse for victims.

Centralised exchanges, which act as middlemen between buyers and sellers of crypto, had previously been the main targets of crypto cyberheists.

Tokyo-based exchange Mt.Gox for instance collapsed in 2014 after it lost half a billion dollars in hacks. Coincheck, also based in Tokyo, was hit by a $530 million heist in 2018.

Many major exchanges, under the regulatory spotlight and striving to attract mainstream investors, have since bolstered security and heists on such scale are now relatively rare.

Less secure

An onus on security at major platforms such as Coinbase Global Inc (COIN.O) has pushed less-secure venues to the sidelines, said Ross Middleton, chief financial officer at DeFi platform DeversiFi.

“What’s happened is the big exchanges have got really good (on security) and the smaller exchanges aren’t around anymore,” he said. “The frontier is definitely DeFi now.”

Losses from crime at DeFi platforms are at an all-time high, crypto intelligence firm CipherTrace said last week, with thieves, hackers and fraudsters making off with $474 million from January through July.

The spike came as funds poured into DeFi, mirroring flows into crypto as a whole. According to DeFi Pulse the total value held at such sites is now more than $80 billion, compared with just $6 billion a year earlier.

DeFi specialists say security risks tend to lie at newer sites which may run on less secure code.

“There is a widening security and risk gap between old, battle-tested DeFi protocols, and new, untested DeFi protocols,” said Rune Christensen, former head of the body behind high-profile DeFi application Maker.