Written after Drift was hacked and $280 million was stolen

Written by: @Cody_DeFi

I’m truly disappointed. I never expected that a well-established DeFi protocol with $500 million in TVL assets would be taken down in one go—just because of an admin permission. No time lock, a multisig that’s basically just for show, and a single point of failure that completely overturned a so-called decentralized self-custody exchange?

DeFi summer has been over for 6 years. I used to think the trend would keep getting better—fewer protocol vulnerabilities, fewer hackers. Now it looks more like wishful thinking.

Personally, I wasn’t robbed on this protocol, but up until the end of last year, I was still doing looped lending arbitrage on Drift. At the time, with stablecoin incentives, the demand deposit APY could reach more than 15%. Later, the subsidies disappeared and the yield dropped, so I withdrew. I dodged a bullet, and now, looking back, I’m still shaken.

As an ambassador for Drift, I also recommended this exchange multiple times, because its capital efficiency really is high. I made some money on it. I even bought their token because I believed in it. Later, those tokens fell by 95%. I had already written the exposure down to zero. After this hack, the tokens are still at the same price, which is really ironic. Have the capital markets already accounted for the hack loss?

Right now, my emotions are complicated. I’m someone who leans toward long-term investing, so in crypto, I’m more eager to engage with those long-standing protocols that have had time to build up, and with teams that are willing to endure through cycles and keep building long-term. But now it looks like you simply can’t tell who is truly long-term oriented. Most people are only talking about it.

On the surface, Drift being hacked looks like another incident of private key leakage. The cases involving collateral price manipulation aren’t new either. So why do hackers keep managing to pull it off again and again?

Because this DeFi ecosystem still feels too much like a niche gadget for nerds. Without regulation, project teams don’t have rights and responsibilities in balance. When something goes wrong, all they need to do is shut down the project, just like Balancer. This also means that even if the contract code has been audited and is fine, you still can’t confirm whether the team controlling it is actually fine.

On the other hand, the DeFi ecosystem as a whole has been growing in a wild, uncoordinated way, with everyone doing their own thing. In the Drift hack, $280 million was stolen; of that, the USDC was transferred instantly without loss via Circle’s CCTP protocol. Everyone is still hoping Circle can freeze the hacker funds, but Circle basically doesn’t want to engage. Even if they’re willing to cooperate, they can still shut down a dozen accounts in an instant for the U.S. government.

The only thing you can hope for is compliant on-chain regulatory trading. At that time, under regulatory pressure, these project teams would pay more attention to security, and ecosystem participants would also cooperate with freezing and tracking. But that’s something uncertain that may come in the future. To a certain extent, today’s DeFi is a product teetering on the edge of failure.

From the perspective of how retail investors make money in crypto, I once thought DeFi could be used as a tool to enhance cash returns. But in reality, playing DeFi is like playing Minesweeper. Even if you clear 99% of the mines, there’s still a 1% chance that you’ll hit one and everything goes to zero.

People who make money long-term in crypto—grabbing airdrops, high-leverage trading, and scientific-script arbitrage—at their core, they’re all doing periodic small-to-big gambles. And for everyone wondering why there are more bear-market hackers, it’s because people only play on-chain in bull markets. Fundamentally, when it’s a bull market, the odds are high enough—so they’re willing to dance with risk. Hackers have always been there.

So maybe it’s really helpless. You can only gradually give up the idea of practicing long-termism in crypto, and return to thinking in terms of cycle trading. Consider withdrawing half the funds into traditional finance, and putting the remaining funds even further into protocols where the returns may not be that high, but the safety might be higher.

For anyone in this circle who has a bit of idealism, it keeps slowly grinding down that passion. In the end, only pure, refined self-interest remains.
