Decentralized finance (DeFi) has seen explosive growth this year. DeFi protocols — which run the gamut of financial services from asset management, borrowing and lending, decentralized exchanges, derivatives, and stablecoins — have flourished, rising from US$22 billion at the start of 2021 to over US$260 billion now locked across DeFi protocols, according to DeFi Llama data

DeFi, where users engage in financial transactions directly with one another using smart contracts, without the need for financial intermediaries like banks, has the potential to redefine existing financial systems by bringing about greater financial inclusion to the unbanked and lowering the cost of transactions. 

But the nascent DeFi industry also has risks and is “a tempting honeypot for hackers and a deep pool of liquidity that can be taken advantage of by money launderers,” according to blockchain data analytics firm Elliptic in a new report “DeFi: Regulation, Compliance and the Growth of DeCrime.”

Alongside DeFi’s growing popularity, exploitation and illicit use of decentralized technologies like decentralized applications (dApps) are also on the rise — or what Elliptic refers to as “DeCrime.”

Losses due to theft and crime across DeFi platforms amounted to over US$10.5 billion year-to-date (as of Nov. 9), an increase of 600% from US$1.5 billion in 2020, according to Elliptic. DApps on Ethereum bore the brunt of the losses at US$8.6 billion, reflecting its current status as the blockchain of choice for DeFi. The Binance Smart Chain (BSC) was next, with US$2.5 billion of losses.

See related article: Ethereum’s Web 3.0 ecosystem expands, 3.4 million now into DeFi

“The DeFi ecosystem is an incredibly exciting and fast-moving space, with financial services innovation happening at light speed,” said Tom Robinson, chief scientist at Elliptic, in a statement. “This is attracting large amounts of capital to projects that are not always robust or well-tested. Criminal actors have seen the opportunity to exploit this.”

According to Elliptic, the losses are magnified by the relatively untested and immature nature of decentralized technologies. The majority of DeFi losses were attributed to bug and code exploits, where hackers exploit errors in the smart contract code, and economic exploits, where the attacker exploits loopholes in how the DeFi service operates. An example of an economic exploit is where an attacker manipulates asset prices in order to take advantage of arbitrage opportunities on DeFi services that would otherwise not exist such as through a flash loan.

“Decentralized apps are designed to be trustless in that they eliminate any third-party control of users’ funds,” Robinson said. “But you must still trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds.”

“Admin key” exploits, where the access to manage a smart contract is used to steal funds from the dApp, and exit scams or rug pulls, where the creator or operator of the dApp disappears with users’ funds, are other ways funds have been stolen.

DApps like decentralized exchanges (DEXs), decentralized mixers and cross-chain bridges can also be used by criminals to hide their blockchain money trail and launder ill-gotten gains, without using centralized services that could alert law enforcement.

“DeFi has become an important tool for money launderers, including those looking to cash-out proceeds of thefts from exchanges based in Asia,” Robinson told Forkast.News in a follow-up email. “The recent hacks suffered by KuCoin and Liquid resulted in stolen funds being funneled through various dApps, which is a potent reminder of the international need for regulators to pay due attention to DeFi.”

See related article: What are the challenges to regulating DeFi?

With the rise of cryptocurrencies including stablecoins and DeFi, regulators around the world are grappling with how they support the innovation to flourish, while managing the associated risks.

The Financial Action Task Force — the global anti-money laundering and counter-terrorist financing (AML/CTF) standards-setter — has said in its updated guidance published in October that a DeFi application is not a virtual asset service provider (VASP), but creators, owners, operators or persons who hold control or sufficient influence over the DeFi arrangement will be considered a VASP and be subject to AML regulations.

Consumer protection is also foremost in the minds of many regulators. “Regulatory sentiment in Hong Kong indicates that, while large institutional investors may remain free to interact with DeFi platforms and the crypto ecosystem more generally, retail investors may face significant restrictions,” Chris DePow, senior adviser for financial institution regulation and compliance at Elliptic, told Forkast.News in an email. “The HKMA and other local regulatory authorities have made clear that consumer protection remains crucial and as a result the growing DeFi sector will need to be well regulated in order to thrive in the Hong Kong market.”

“Regulators in Hong Kong are acutely aware of the need for regulatory innovation to keep pace with technological innovation. Traditionally, the HKMA has long-standing principles of financial crime mitigation which will likely be reflected in any crypto regulation it has planned,” DePow added. “The HKMA could well look to develop a framework that promotes Hong Kong as a central DeFi hub in the region precisely by reassuring businesses and individuals that it is safe and secure to do business there.”

Singapore, another financial and fintech hub in Asia, is also paying close attention to developments in DeFi. “Regulations crafted to manage risks in a world of intermediaries are ill-suited where intermediaries are replaced by smart contracts,” said Ravi Menon, managing director of the Monetary Authority of Singapore, in a recent speech at the Singapore FinTech Festival 2021. “Enforcement is more challenging when control or governance is dispersed across the blockchain.”

DePow says Singapore has taken a firm approach, expecting crypto businesses to operate within the established regulatory and licensing framework.

“Regulators that take an active role in shaping regimes to accommodate new technologies will likely be a positive force in establishing their markets as hubs for secure DeFi activity, globally, and helping to reduce rates of crime,” DePow said. “Currently, Singapore is ahead of the curve in embracing its role as an enabler of the future of finance.”

See related article: How Singapore is looking at Web 3.0 and DeFi as it prepares for a digital Singapore dollar