Let’s address the risks of decentralization

Mads Eberhardt

Cryptocurrency Analyst

Summary: Decentralization is the key value proposition of crypto. It enables trust and services without intermediaries. However, there is no such thing as a free lunch: decentralization comes with severe risks, as stressed last week by the $320mn Wormhole exploit. This may reduce trust in decentralized applications and give regulators an incentive for further regulation.

In August, Certus One, owned by leading market maker Jump Crypto, a subsidiary of Jump Trading, launched Wormhole, an interoperability protocol allowing users to transfer tokens and use applications across various cryptocurrencies such as Ethereum, Solana, and Terra. Such an application is also known as a bridge. The most used Wormhole bridge is from Ethereum to Solana. This particular bridge was targeted last week in what evolved into one of the largest decentralized finance protocol exploits in crypto.

Wormhole exploited for 120,000 Ether

On Wednesday, a hacker managed to exploit the Wormhole bridge between Ethereum and Solana for 120,000 Ether, worth around $320mn at the time. In brief, the hacker was able to mislead the protocol into assuming that the hacker had deposited Ether into the contract, so that it issued an equal amount in wETH, which is tokenized Ether on Solana collateralized with actual Ether through Wormhole. With the wETH at hand on Solana, the hacker returned to Wormhole to redeem the majority for actual Ether on Ethereum. The problem, though, was that the hacker's wETH was not collateralized, so the Ether paid out was Ether collateralizing others' wETH. The hacker traded the remaining wETH into other assets on decentralized exchanges on Solana to quickly get rid of the undercollateralized wETH.
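The accounting consequence described above can be checked with a reconciliation pass over bridge events. This is an added example, not code from the article or from Wormhole; the event kinds, transfer ids and every amount other than the 120,000 figure are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str    # "lock"/"release" on the Ether side, "mint"/"burn" on the wETH side
    ref: str     # constructed transfer id; a mint must cite the lock that backs it
    amount: int  # whole Ether or wETH, for readability

def reconcile(events):
    """Replay bridge events and report whether the wETH supply is still backed."""
    locked = supply = 0
    locks, used, unbacked = {}, set(), []
    for e in events:
        if e.kind == "lock":
            locked += e.amount
            locks[e.ref] = e.amount
        elif e.kind == "mint":
            supply += e.amount
            # A mint is backed only by an unused lock of the same amount.
            if locks.get(e.ref) != e.amount or e.ref in used:
                unbacked.append(e.ref)
            used.add(e.ref)
        elif e.kind == "burn":
            supply -= e.amount
        elif e.kind == "release":
            locked -= e.amount
        else:
            raise ValueError(f"unknown event kind: {e.kind}")
    return {"locked": locked, "supply": supply,
            "shortfall": max(0, supply - locked), "unbacked_mints": unbacked}

# Constructed sample: two honest transfers, then a mint with no matching lock,
# followed by redemption of part of it (only the 120,000 figure is from the article).
SAMPLE = [
    Event("lock", "t1", 150_000), Event("mint", "t1", 150_000),
    Event("lock", "t2", 50_000), Event("mint", "t2", 50_000),
    Event("mint", "t3", 120_000),                  # no lock backs this mint
    Event("burn", "r1", 90_000), Event("release", "r1", 90_000),
]

if __name__ == "__main__":
    print(reconcile(SAMPLE))
```

The shortfall remains 120,000 after the redemption, because the Ether released came out of the collateral backing the honest holders' wETH.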

Wormhole quickly offered the hacker a $10mn bug bounty for returning the funds. However, the hacker did not seem interested, since Jump Crypto promptly funded Wormhole with an equivalent 120,000 Ether from their own book, saying on Twitter: “Jump Crypto believes in a multichain future and that Wormhole is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.” The hacker has not moved the stolen Ether yet, and cashing out such an amount will be severely challenging, as the few exchanges, brokers, and OTC desks able to liquidate such an amount will freeze it instantly if it suddenly hits their Ethereum wallet, as they know the source of the funds.

The Wormhole exploit stresses the risk of decentralization

In 2021, $1.3bn was lost in decentralized application exploits, which was more than double the amount of 2020, amid an increasing value locked in decentralized applications. Hence, the Wormhole exploit is surely not the first and, most critically, presumably not the last exploit. The latter stresses that decentralized applications are fragile and that they will likely continue to be so for years to come. This is underlined by the fact that Wormhole was not developed by a teenager living in his or her parents’ basement. It was virtually developed by Jump Trading, one of the largest market makers within equities, options, futures, and cryptocurrencies. If a protocol developed by a corporation of that size can be exploited, imagine how challenging it is for a minor start-up to develop safeguarded decentralized applications. Moreover, if an exploit does hit a minor start-up, it is immediately game over, as the start-up cannot fund the protocol with over $300mn worth of Ether in under 24 hours. This ultimately limits innovation within crypto, as fewer want to risk their start-up and reputation in the space.
Source: Defi Llama

Here, decentralization enters the equation. While decentralization is the key value proposition of crypto because it empowers services normally facilitated by various intermediaries, such as international transfers and decentralized trading of non-fungible tokens (NFTs), it is also a notable shortcoming of crypto. This is the case with decentralized exploits, as developers and users cannot recover funds when exploits occur, compared to a centralized system where the company behind it can often reverse the transaction. This means that exploits and cyberattacks can have proportionally much worse consequences in a decentralized setting.

Does crypto learn from it?

Whenever an exploit takes place, the community often makes a u-turn and presents it as somewhat positive, with the main argument being that the protocol in question, alongside other protocols, learns from the particular exploit to develop future-proof protocols. The learning view is likely true. However, imagine in how many ways various decentralized applications can be exploited; developing safeguarded decentralized applications through a learning phase will not be a quick fix.

One might argue that decentralized applications will experience the same learning phase and development as e.g., crypto wallets. In the early days of Bitcoin, there were no great wallets, which meant that many Bitcoins were lost forever in the first years of its lifetime. At the time, it was likely hard to imagine that institutions would ever trust crypto companies to custody billions worth of value. This is not unimaginable anymore. Quite the contrary, it is the case today. As Søren Kierkegaard said: “Life can only be understood backwards, but it must be lived forwards”.

It is important to remember that the first decentralized applications launched in 2018, so it is somewhat of a new phenomenon. This means the industry is still quite early in its learning phase. Furthermore, over the past years, several consultancies that audit the code of decentralized applications have launched, such as OpenZeppelin, which further enhances security. Besides doing audits, OpenZeppelin has released a framework of battle-tested smart contracts intended to be used by new decentralized applications. This effectively means that as the industry matures there will perhaps be various frameworks and infrastructure to be leveraged in making applications more secure.

On the other hand, even if the industry can present a near-zero exploit risk in the future, the question is whether everyday people will trust decentralized applications given their history of exploits. Not to mention that the potential consequences of exploits intensify rapidly with increasing usage and value locked in decentralized applications. This may prompt tough regulation by regulators before the industry proves that it is safe to interact with.

