Exploits, Hacks and Attacks

Note: Data in this section last updated March 13th, 2022

Like any piece of software, smart contracts with poorly written code have significant vulnerabilities. In the DeFi space, these weaknesses generally manifest in two ways:

  1. Hacks – an illegal practice where someone breaks into a smart contract to steal funds

  2. Exploits – a legal, but arguably unethical, practice where users figure out a weakness in a contract’s economic model and exploit that for economic gain (imagine a DeFi version of George Soros’s infamous attack on the Bank of England)

While estimates on the scope of these losses vary wildly (Chainalysis pegs them at almost $8 billion), research firm The Block has been able to confirm over 70 exploits in the DeFi space as of November, stealing over $1.4 billion. Of these, 34 were “flash loan attacks”, where assailants used flash loans to raise millions of dollars to exploit economic weaknesses.

In an ironic twist, $611 million was returned by Poly Network’s hacker, who said that he or she only did it to expose a vulnerability in the network.

Perhaps more nefarious than hacks or exploits, though, are scams known as “rug pulls” – when an anonymous founder raises funds through a token issuance and then simply disappears with the money.

In late October a group of scammers leveraged the hype of the popular Netflix series to create a Squid Game token, listed the token on decentralized exchanges, raised millions from retail investors and then vanished.

These rug pulls can be devastating to the ecosystem, and research firm Chainalysis reports that they caused losses of nearly $3 billion in 2021 alone.
