Abstract
Decentralised finance (DeFi) has transformed global finance and made it more accessible. Built on blockchain technology, it allows people and businesses to transact directly with one another without a third-party intermediary. DeFi has grown rapidly, reaching about USD $616.1 billion in demand in 2023 and projected to reach USD $2.36 trillion by 2037. However, its openness creates vulnerabilities in DeFi platforms that threaten their reliability, trustworthiness and long-term viability. To explore these challenges, and to address them while preserving decentralisation, this paper combines a literature review, case studies of significant exploits and technical evaluations of prominent DeFi platforms. The cybersecurity exposure is most evident in DeFi’s reliance on smart contracts, which generally cannot be changed once deployed. With no central authority, security patches and urgent decisions require community votes, which take time and leave systems exposed in the interim. To prevent defects before deployment, some DeFi platforms have adopted formal verification, in which mathematical proofs are used to show that smart contract code satisfies stated properties. Platforms such as Aave use community voting and risk committees to respond to threats once they arise. This paper concludes that a balance of technology, governance and user education is vital for establishing secure and genuinely decentralised financial systems, and that these elements are essential for the growth and stability of DeFi platforms.
1. Introduction
Decentralised finance (DeFi) is a new approach to financial systems designed to remove dependence on third-party intermediaries such as banks. Through blockchain technology and cryptocurrencies, consumers and businesses can transact directly with one another. These platforms aim to offer open financial services that anyone can access online. Since its emergence, DeFi has grown remarkably, with demand in 2023 reaching approximately USD $616.1 billion and expected to reach USD $2.36 trillion globally by 2037 (Market.us Scoop). Estimates of its compound annual growth rate (CAGR) range between 40% and 81%, illustrating this rapid growth. Compared with traditional banks, DeFi platforms offer lower fees, higher interest rates and broader accessibility, making them attractive both to investors and to people with little or no access to banking services.
Despite these advantages, DeFi platforms are also more exposed to exploitation. The openness of DeFi is central to its vision, but it has created cybersecurity challenges that threaten its long-term success. Cybersecurity plays a crucial role in protecting users and keeping platforms running; without it, DeFi offers malicious actors numerous opportunities. Because its design is open source and permissionless, anyone, including attackers, can read and interact with the code. Exploitation of these weaknesses has caused significant financial and reputational loss: in 2024 the DMM Bitcoin and WazirX exchange hacks alone accounted for roughly $1 billion in losses, and the Internet Crime Complaint Center reported that cybercriminals stole $1.3 billion in 2022. Reports suggest that DeFi has lost an accumulated $12 billion to fraud and cyberattacks, underlining the danger of these vulnerabilities. Unlike traditional banks, which can draw on insurance or government support, DeFi platforms struggle to recover, which damages their credibility, drives away users, makes it hard to attract new ones and reduces their market value.
This paper will answer the question, ‘What are the key cybersecurity vulnerabilities in DeFi, and how can they be mitigated without compromising decentralisation?’ This paper aims to explore the topic of cybersecurity vulnerabilities in greater depth, focusing on three areas: (1) technical risks in smart contracts and their design; (2) governance from decentralised decision-making structures like DAOs; and (3) structural risks from the system of DeFi platforms.
2. Literature Review
SMART CONTRACT VULNERABILITIES
Smart contracts are central to DeFi platforms and, because of their immutability and the potential for coding errors, they are particularly vulnerable to exploitation (OSL, 2025). Many studies have sought to better understand these vulnerabilities. Luu et al. were among the first to systematically identify risks in deployed contracts, including reentrancy and mishandled exceptions (Luu et al., 2016). Chen et al. surveyed Ethereum system security and identified over 40 vulnerability types, including reentrancy, integer overflows and access control bugs, noting that once code is deployed it is, in general, impossible to patch in place (Chen et al., 2020).
The severity of these vulnerabilities is illustrated by the 2016 hack of The DAO (a decentralised autonomous organisation), in which about $60 million of ether was drained through a flaw in its code (Cryptopedia, 2025). Bhargavan et al. propose formal verification as a mitigation: smart contract code is translated into a form in which mathematical proofs can establish that it satisfies stated properties. Adoption remains limited because of the cost, the technical expertise required and the time involved. Many DeFi platforms therefore rely on other mitigations such as code audits and bug bounties, which reduce risk but cannot eliminate it.
GOVERNANCE AND DAOS
DeFi platforms often rely on DAOs for governance, where token holders vote on key decisions such as protocol upgrades. This form of management lets an organisation decentralise its decision-making, but several limitations accompany it, including security vulnerabilities. If security is not prioritised, an exploit can leave a DAO stripped of a large part of its treasury. For example, in 2024 a contested governance vote authorised the transfer of roughly $25 million of COMP out of the Compound Finance treasury (Hartney, 2024).
Additionally, if a few token holders accumulate a large share of voting tokens, power becomes concentrated, undermining decentralisation and tending towards a plutocracy, a structure in which power rests with the wealthiest participants (Coinbase, 2025). Atzori argues that while decentralised governance increases transparency, it can also erode trust and make coordination harder (Atzori, 2015). For DAOs, this raises the question of whether collective decision-making can remain effective and transparent as membership grows. Feichtinger et al. counter that the problems facing decentralised governance structures such as DAOs stem not from decentralisation itself but from poor design and implementation (Feichtinger et al., 2023).
STRUCTURAL AND SYSTEMIC RISKS
Beyond smart contracts and governance, DeFi faces other systemic risks, many of which arise from its open architecture; oracle manipulation is one example. Protocols rely on oracles for data such as token prices, and an oracle that reads the spot price from an on-chain liquidity pool can be manipulated with a flash loan. Flash loans are uncollateralised and must be borrowed and repaid within a single transaction. Because they complete in one step and require no collateral, an attacker can temporarily distort a price or a contract’s state, extract a profit and repay the loan without ever risking their own funds.
Behnke reports that malicious use of flash loans has been rising, accounting for 62.5% of attacks in 2023 (Behnke, 2024). Qin et al. observe that most large DeFi attacks do not stem from a single weakness but from attackers chaining several small flaws together, which composability makes possible (Qin et al., 2021). A minor issue in one application and another in a separate application can therefore be combined into a much larger problem. Werner et al. add that there is little enforcement in DeFi because it has no traditional financial regulators (Werner et al., 2021): when a structural or systemic failure occurs, no party is accountable, which makes the system riskier and more fragile.
CRITICAL REFLECTION
DeFi is seen as a strong contender to act as an alternative to traditional finance, but its decentralised nature creates problems, including a lack of central control, difficulty coordinating decisions and exposure to attack, all of which are hard to fix. Smart contract vulnerabilities, weak governance structures in DAOs and systemic threats raise questions about the reliability and safety of DeFi over time. However, when DeFi systems are designed carefully they can avoid losing functionality while maintaining decentralisation, in essence preserving both transparency and efficiency (Feichtinger et al., 2023).
3. Architecture and Technical Foundations of DeFi
As previously explained, DeFi is a new way of delivering financial services using blockchain technology. Unlike traditional finance, DeFi operates without intermediaries like banks. Instead, it uses a combination of smart contracts, data sources, governance systems and infrastructure to offer financial services that anyone with internet access can use. It is therefore crucial to understand these components, as they will help explain how DeFi works and why it can sometimes be risky.
SMART CONTRACTS AS THE CORE OF DEFI
Smart contracts are programs that live on a blockchain and execute automatically once certain conditions are met. For example, a lending platform can be set up so that a borrower receives funds only after providing the agreed collateral. Because they are automated, smart contracts cut costs and speed up transactions by removing intermediaries. However, deployed code cannot be changed in place (unless an upgrade mechanism such as a proxy was designed in from the start), so mistakes or bugs can result in major losses for users. Auditing and testing smart contract code before deployment is therefore of the utmost importance in DeFi (Investopedia, 2025).
COMPOSABILITY: MONEY LEGOS
A unique feature of DeFi is composability, meaning many projects and protocols can be connected and stacked together, like building blocks or “money legos.” This allows developers to combine several DeFi products into a new service, which leads to rapid progress in the industry. For example, a user could move money from a lending system to a trading platform and then to an automated investment app, all without leaving the blockchain. The downside is that if one piece has a flaw, it may create risks for everything that depends on it (Ambolis, 2024).
ROLE OF ORACLES
Blockchains on their own do not have access to information about the outside world. Oracles are services that provide smart contracts with important data, like cryptocurrency prices or the results of real-world events. For example, a smart contract that manages price-based trades needs up-to-date market prices, which oracles supply. The reliability of oracles is crucial; if an oracle gives incorrect data, users could lose money or the system could fail (Chainlink, 2025).
GOVERNANCE SYSTEMS
As mentioned above, to make key decisions, many DeFi projects use decentralised autonomous organisations (DAOs). In these systems, users who hold the project’s special tokens can propose changes or vote on important updates. Common votes might include adjusting fees or choosing new features to add. This approach gives users more control over the direction of the project, but it also raises challenges. If a small group holds most of the tokens, they may have more power than others, possibly hurting fairness and broad participation (Raza, 2025).
IMPORTANCE OF UNDERSTANDING INFRASTRUCTURE IN RELATION TO VULNERABILITIES
It is important to know how DeFi’s infrastructure works to understand its risks. Issues such as poor code quality, platform errors or unreliable oracles can lead to hacks or major failures. Since DeFi is still new, and often experimental, some platforms may not have strong security or reliable backup systems. Learning about these systems, checking for audits and being cautious with new or untested projects can help protect users from loss.
4. Primary Cybersecurity Vulnerabilities in DeFi
SMART CONTRACT VULNERABILITIES
Because smart contracts are immutable, several vulnerability types are especially damaging. One is reentrancy, which exploits the fact that a contract’s external call hands control to the called contract before the calling function has finished. Consider Contract A, which holds funds and lets users withdraw. If Contract A sends the funds first and only updates its balance record afterwards, an attacker can create a malicious Contract B that requests a withdrawal. When Contract A sends the funds, control passes to Contract B, which, instead of simply accepting the money, immediately calls the withdrawal function again before Contract A has updated its records; the stale balance passes the check and the funds are sent again (QuickNode, 2023). This is what happened in the DAO hack of 2016. The DAO held over $150 million in ETH, and a reentrancy bug in its withdrawal function let an attacker repeatedly withdraw around $60 million before the DAO could respond (Cryptopedia, 2025).
Logic bugs are another class of smart contract vulnerability. Poorly constructed logic, such as missing input validation, flawed conditional statements or improper access controls, undermines the intended behaviour of a contract (Cybernod, 2025). These bugs are difficult to detect without careful review. A common example is an access control failure, in which the developer forgets to restrict who may call administrative functions such as pausing the contract or transferring ownership, allowing any user to invoke them.
Integer overflows and underflows are a third example, once common in Solidity (the main language for Ethereum smart contracts) because compiler versions before 0.8.0 did not check arithmetic. Subtracting one from an unsigned zero wraps the value around to 2^256 - 1, and attackers exploited this to bypass balance checks, manipulate balances or gain unfair advantages in token systems (Cybernod, 2025). Solidity 0.8 made checked arithmetic the default, but contracts compiled with older versions remain deployed.
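The withdraw-then-update ordering described above, as an added example that is not part of the paper or of any real protocol’s code. It models the EVM call rule in plain Python: when the bank “sends” funds to a contract, that contract’s receive hook runs before the bank’s own function returns, so a malicious receiver can call withdraw again while its balance is still recorded. The hardened version applies the checks-effects-interactions order and a mutex. All contracts, balances and the attacker are constructed for the demonstration.

```python
"""
Added example (not from the paper): a Python model of the reentrancy bug.
Python call semantics stand in for the EVM: a call to who.receive() runs to
completion before withdraw() continues, exactly as an external call does.
Addresses, balances and the attacker contract are constructed values.
"""


class VulnerableBank:
    """Sends first, updates the ledger second (the DAO-style ordering)."""

    def __init__(self):
        self.balances = {}   # address -> credited deposit
        self.ether = 0       # ether actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.ether < amount:
            return
        # Interaction before effect: control leaves the contract here.
        self.ether -= amount
        who.receive(self, amount)
        # Only now is the depositor's balance zeroed; a re-entrant caller
        # already passed the check above with the stale balance.
        self.balances[who] = 0


class HardenedBank(VulnerableBank):
    """Checks-effects-interactions plus a mutex (reentrancy guard)."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who):
        if self._locked:
            raise RuntimeError("reentrant call")   # revert
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.ether < amount:
                return
            self.balances[who] = 0       # effect first
            self.ether -= amount
            who.receive(self, amount)    # interaction last
        finally:
            self._locked = False


class Attacker:
    """Malicious contract whose receive() hook re-enters withdraw()."""

    def __init__(self, max_depth=50):
        self.stolen = 0
        self.max_depth = max_depth   # bounded so the model terminates
        self.depth = 0

    def receive(self, bank, amount):
        self.stolen += amount
        self.depth += 1
        if self.depth < self.max_depth:
            try:
                bank.withdraw(self)      # re-enter before balance is zeroed
            except RuntimeError:
                pass                     # hardened bank reverted the inner call


def run_attack(bank_cls, honest_deposit=100, attacker_deposit=1):
    """Returns (ether the attacker received, ether left in the bank)."""
    bank = bank_cls()
    bank.deposit("honest_user", honest_deposit)
    attacker = Attacker()
    bank.deposit(attacker, attacker_deposit)
    bank.withdraw(attacker)
    return attacker.stolen, bank.ether
```

With a one-unit deposit the attacker drains fifty units from VulnerableBank (bounded only by the model’s recursion limit; a real attacker stops when the contract or the gas runs out), while HardenedBank pays out exactly the one unit deposited and reverts the nested call.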
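The wrap-around described above, as an added example that is not part of the paper. It models uint256 subtraction as the EVM performs it beside the checked subtraction that Solidity 0.8 (and SafeMath-style libraries before it) apply, and shows why a balance check written as “balance minus amount is not negative” is no check at all for an unsigned type. The token, balances and attacker address are constructed values.

```python
"""
Added example (not from the paper): wrapping versus checked uint256
arithmetic. Balances and addresses are constructed for the demonstration.
"""

UINT256_MAX = 2**256 - 1


def wrapping_sub(a, b):
    """uint256 subtraction as the EVM performs it: wraps modulo 2**256."""
    return (a - b) % 2**256


def checked_sub(a, b):
    """Reverts (raises) on underflow, like Solidity >= 0.8 or SafeMath.sub."""
    if b > a:
        raise ArithmeticError("underflow")
    return a - b


class Token:
    def __init__(self, sub):
        self.sub = sub          # arithmetic the "compiler" gives us
        self.balances = {}

    def transfer(self, sender, receiver, amount):
        # The classic bug: `balances[sender] - amount >= 0` is always true for
        # an unsigned type, so it is not a balance check. With wrapping
        # subtraction a zero-balance sender "pays" and ends up with 2**256-1.
        new_balance = self.sub(self.balances.get(sender, 0), amount)
        if new_balance < 0:     # never true for unsigned values
            raise ValueError("insufficient balance")
        self.balances[sender] = new_balance
        self.balances[receiver] = self.balances.get(receiver, 0) + amount


def exploit(sub=wrapping_sub):
    """Attacker holds 0 tokens and transfers 1; returns the attacker's
    resulting balance (or raises if the arithmetic is checked)."""
    token = Token(sub)
    token.transfer("attacker", "accomplice", 1)
    return token.balances["attacker"]
```

The correct pre-0.8 idiom was an explicit `require(balances[sender] >= amount)` before the subtraction; checked arithmetic makes the omission revert instead of minting tokens out of nothing.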
ORACLE MANIPULATION ATTACKS
Oracle manipulation attacks typically use large amounts of capital to push the price of a low-liquidity token on the targeted protocol’s price source sharply away from the wider market. If the attacker lacks the funds to carry out the manipulation, they can source them with a flash loan. Once the asset’s price has been driven up, the attacker exchanges their artificially inflated holdings for other tokens with more stable value and greater liquidity, or uses them as collateral to borrow assets that are never repaid. This is a severe problem: in 2022 DeFi protocols are estimated to have lost $403.2 million across 41 separate oracle manipulation attacks (Team, 2023). One of the largest took place in October 2022 against Mango Markets, a decentralised exchange on the Solana blockchain, from which $117 million in crypto assets was drained. Avraham Eisenberg carried out the attack, spiking the value of MNGO, Mango’s governance token, by using $10 million in USDC across two wallets and coordinating long and short positions. The artificially high portfolio value let Eisenberg borrow $116 million in assets, which he withdrew before prices corrected (Team, 2023).
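The attack pattern above, as an added example that is not part of the paper and does not reproduce any specific incident. A lending market values collateral using a price oracle; in the vulnerable configuration the oracle reads the spot price of a constant-product pool (x·y = k, with no swap fee assumed), which the attacker inflates with flash-loaned capital, borrows against, and then unwinds, all inside one transaction. The same run with a time-weighted average of prices recorded in earlier blocks shows the borrow capped at the honest valuation. Reserves, balances, the loan-to-value ratio and the flash loan size are constructed values.

```python
"""
Added example (not from the paper): oracle manipulation against a spot-price
oracle, and the same transaction against a TWAP oracle. All numbers are
constructed; the pool charges no fee to keep the arithmetic exact.
"""


class Pool:
    """Constant-product AMM holding TKN and USDC; spot price = usdc / tkn."""

    def __init__(self, tkn, usdc):
        self.tkn, self.usdc = tkn, usdc

    def spot_price(self):
        return self.usdc / self.tkn

    def buy_tkn(self, usdc_in):
        tkn_out = self.tkn * usdc_in // (self.usdc + usdc_in)
        self.usdc += usdc_in
        self.tkn -= tkn_out
        return tkn_out

    def sell_tkn(self, tkn_in):
        usdc_out = self.usdc * tkn_in // (self.tkn + tkn_in)
        self.tkn += tkn_in
        self.usdc -= usdc_out
        return usdc_out


class SpotOracle:
    """Reads the pool's current reserves: manipulable within one transaction."""

    def __init__(self, pool):
        self.pool = pool

    def observe(self):          # nothing to record per block
        pass

    def price(self):
        return self.pool.spot_price()


class TwapOracle(SpotOracle):
    """Averages prices recorded at earlier block boundaries."""

    def __init__(self, pool, window=10):
        super().__init__(pool)
        self.window = window
        self.history = []

    def observe(self):          # called once per mined block
        self.history.append(self.pool.spot_price())
        self.history = self.history[-self.window:]

    def price(self):
        return sum(self.history) / len(self.history)


class LendingMarket:
    def __init__(self, oracle, ltv=0.5, usdc_liquidity=1_000_000):
        self.oracle, self.ltv = oracle, ltv
        self.collateral = {}
        self.usdc = usdc_liquidity

    def deposit(self, who, tkn):
        self.collateral[who] = self.collateral.get(who, 0) + tkn

    def max_borrow(self, who):
        value = self.collateral.get(who, 0) * self.oracle.price()
        return min(int(value * self.ltv), self.usdc)

    def borrow(self, who):
        amount = self.max_borrow(who)
        self.usdc -= amount
        return amount


def run_attack(oracle_cls, flash_loan=100_000):
    """Returns the market's bad debt: USDC borrowed minus the honest value of
    the collateral the attacker walks away from (negative means no profit)."""
    pool = Pool(tkn=100_000, usdc=100_000)          # honest price 1.0
    oracle = oracle_cls(pool)
    for _ in range(10):                               # ten quiet blocks
        oracle.observe()
    market = LendingMarket(oracle)
    market.deposit("attacker", 10_000)                # worth 10,000 USDC

    # --- single transaction ---
    tkn = pool.buy_tkn(flash_loan)                    # pump: spot 1.0 -> 4.0
    borrowed = market.borrow("attacker")
    usdc_back = pool.sell_tkn(tkn)                    # unwind: spot -> 1.0
    assert usdc_back >= flash_loan                    # flash loan repaid
    # --- end of transaction ---

    collateral_value = int(market.collateral["attacker"] * pool.spot_price())
    return borrowed - collateral_value
```

Against the spot oracle the attacker borrows 20,000 USDC against collateral worth 10,000 and leaves the market with 10,000 of bad debt; against the TWAP the borrow stays at 5,000, so abandoning the collateral costs the attacker money. A TWAP is not a complete defence: it can still be moved by manipulation sustained across several blocks, which is why production protocols combine it with off-chain or multi-source oracles.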
CROSS-CHAIN BRIDGE EXPLOITS
Cross-chain bridges allow users to move digital assets between blockchains. Because blockchains cannot natively read each other’s state, bridges act as intermediaries, locking tokens on one chain and issuing equivalent tokens on another. Bridges are attractive targets because they hold large amounts of crypto in a single storage point that backs the “bridged” assets on the receiving chain. Whether those funds are locked in a smart contract or held by a centralised custodian, that storage point is bound to become a target. No bridge model has proven fully secure; despite many designs being tested and developed, this remains an unresolved technical challenge, and the variety of designs gives attackers more surface in which to find flaws. North Korea-linked hackers have made bridges a top target, stealing approximately $1 billion worth of cryptocurrency in 2022, almost entirely from bridges and other DeFi protocols (Team, 2022). In the same year an attacker exploited a bug in how the Wormhole bridge verified messages, minting 120,000 wrapped ETH (wETH) on Solana without depositing the equivalent ETH collateral. Roughly 93,750 wETH (around $275 million) was transferred back to Ethereum, while the rest was swapped on Solana for other tokens (Chainalysis, 2022).
GOVERNANCE EXPLOITS
In many DeFi protocols, users vote on proposals that control how the system works, with voting power determined by the number of governance tokens they hold; users with more tokens have more influence. This can be exploited by manipulating the voting process itself. Often this is done with a flash loan: the attacker borrows a large amount of the governance token, uses the temporary voting power to pass a proposal that benefits them, such as transferring funds to their own wallet, then returns the borrowed tokens and repays the loan, all in the same transaction. An example is the Beanstalk Farms hack of 2022, in which the attacker took a flash loan on Aave, acquired two thirds of the governance power in Beanstalk’s Stalk token and used it to pass a malicious proposal, draining $182 million from the protocol. Because the protocol allowed passed proposals to be executed immediately, the exploit completed within seconds (Toulas, 2022).
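The single-transaction governance attack above, as an added example that is not part of the paper and does not reproduce Beanstalk’s contracts. The model runs the attack against four governor configurations: live-balance voting with immediate execution (the vulnerable design), a timelock alone, a balance snapshot taken at proposal creation alone, and both. Token supply, balances, the treasury, the flash lender and the attacker’s proposal are constructed values.

```python
"""
Added example (not from the paper): flash-loan governance attack versus
snapshot voting and a timelock. All balances and amounts are constructed.
"""


class GovToken:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.snapshots = {}                 # block -> copy of balances

    def snapshot(self, block):
        self.snapshots[block] = dict(self.balances)

    def balance_at(self, who, block):
        return self.snapshots[block].get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Governor:
    """use_snapshot=False and timelock_blocks=0 reproduce the vulnerable design."""

    def __init__(self, token, treasury, use_snapshot, timelock_blocks):
        self.token, self.treasury = token, treasury
        self.use_snapshot, self.timelock = use_snapshot, timelock_blocks
        self.block = 0
        self.proposals = {}

    def mine(self, n=1):
        self.block += n

    def propose(self, payee, amount):
        pid = len(self.proposals)
        self.token.snapshot(self.block)     # voting power is fixed here
        self.proposals[pid] = {"payee": payee, "amount": amount, "votes": 0,
                               "snapshot": self.block, "passed_at": None}
        return pid

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if self.use_snapshot:
            power = self.token.balance_at(voter, p["snapshot"])
        else:
            power = self.token.balances.get(voter, 0)   # live balance: borrowable
        p["votes"] += power
        supply = sum(self.token.balances.values())
        if p["passed_at"] is None and p["votes"] * 3 > supply * 2:  # > 2/3
            p["passed_at"] = self.block

    def execute(self, pid):
        p = self.proposals[pid]
        if p["passed_at"] is None:
            raise PermissionError("proposal has not passed")
        if self.block < p["passed_at"] + self.timelock:
            raise PermissionError("timelock has not elapsed")
        paid = min(p["amount"], self.treasury)
        self.treasury -= paid
        return paid


def run_attack(use_snapshot, timelock_blocks):
    """Returns (treasury drained inside the attack transaction, whether the
    malicious proposal is recorded as passed afterwards)."""
    token = GovToken({"community": 300, "lender": 700})   # attacker holds 0
    gov = Governor(token, treasury=1_000_000,
                   use_snapshot=use_snapshot, timelock_blocks=timelock_blocks)
    gov.mine(100)
    pid = gov.propose(payee="attacker", amount=1_000_000)  # submitted in advance
    gov.mine(1)                                            # voting opens next block

    # --- one transaction in one block ---
    token.transfer("lender", "attacker", 700)              # flash-borrow 70% of supply
    gov.vote(pid, "attacker")
    try:
        drained = gov.execute(pid)
    except PermissionError:
        drained = 0
    token.transfer("attacker", "lender", 700)              # repay the flash loan
    # --- end of transaction ---
    return drained, gov.proposals[pid]["passed_at"] is not None
```

The snapshot is what removes the borrowed votes: tokens the attacker did not hold when the proposal was created carry no weight. The timelock alone stops the same-transaction drain but leaves a passed malicious proposal queued, so it only buys the community time to cancel it; the two controls are complementary.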
PHISHING, RUG PULLS AND SOCIAL ENGINEERING
While many DeFi attacks target flaws in code or protocol design, many others exploit human trust. These social engineering tactics include phishing scams and rug pulls, in which unsuspecting users are tricked into investing in fraudulent projects or giving up sensitive information such as private keys or wallet credentials (Aayush, n.d.).
Phishing attacks involve fraudsters impersonating legitimate platforms, usually sending fake links or emails that lead victims to connect their wallet to malicious sites. This is prevalent on Discord, Twitter, Telegram and similar platforms, where impersonation is common. Rug pulls involve developers creating a seemingly legitimate DeFi project, attracting investors and then abruptly abandoning it, taking users’ funds with them (Aayush, n.d.). Numerous rug pulls involving DeFi scam tokens have caused losses exceeding USD $240 million (Lie et al., 2024). A major example was the Squid Game Token (SQUID) in 2021. It was promoted as a “play-to-earn” token to be used in online games where investors could earn tokens exchangeable for other cryptocurrencies or national currencies. Its price rose from $0.01 to a peak of $2,861 in under a week (Brogden & Bailey, 2022), at which point the creators removed liquidity and disappeared, taking $3.3 million from investors (Wikipedia Contributors, 2024).
5. Challenges in Applying Traditional Cybersecurity Models to DeFi
NO CENTRALISED AUTHORITY FOR RAPID PATCHING
Traditional financial systems depend on centralised entities that can deploy security patches quickly when vulnerabilities appear (Arner, Barberis & Buckley, 2017). DeFi platforms instead operate under decentralised governance, where modifications must reach community consensus before implementation (Directors’ Institute, 2025). This guarantees transparency and guards against unilateral changes, but it also slows significant security responses. If a vulnerability is found in a protocol’s smart contract, a core team usually cannot apply an emergency fix on its own; the change requires a stakeholder vote, which may span days or weeks (Directors’ Institute, 2025). The delay exposes protocols to prolonged exploitation risk. Some protocols narrow the window by delegating a tightly scoped emergency power, such as pausing markets, to a guardian role that can act without a full vote, trading a little decentralisation for response time.
IMMUTABILITY OF SMART CONTRACTS
Smart contracts cannot be altered once deployed on the blockchain, which is both a strength and a weakness of DeFi (Flipster, 2024; Swan, 2015). Immutability guarantees trustworthiness by preventing unilateral changes, but it also means that flawed code stays live until a new contract is approved and users migrate to it (Iuliano & Nucci, 2024). Unlike traditional software, where patches can silently fix bugs, DeFi protocols must publicly disclose vulnerabilities and coordinate user migration to upgraded contracts, a process full of risks (Directors’ Institute, 2025). The DAO hack demonstrated how an irreversible smart contract flaw can lead to catastrophic losses, forcing Ethereum to implement a contentious hard fork to recover the stolen funds (Morrison et al., 2020; Castillo, 2016).
ANONYMOUS PARTICIPANTS AND LEGAL JURISDICTION ISSUES
DeFi’s unrestricted nature lets pseudonymous users interact with protocols without identity verification, which complicates accountability in cyber incidents (Directors’ Institute, 2025). This openness fosters financial inclusion but also lets malicious actors exploit systems with little fear of legal repercussions (Arner, Barberis & Buckley, 2017). Traditional cybersecurity frameworks depend on Know Your Customer (KYC) regulation and centralised monitoring to trace and penalise malicious behaviour. In DeFi, pseudonymous wallets and cross-border activity make it difficult to attribute attacks or to enforce jurisdiction-specific laws.
LACK OF COORDINATED RESPONSE INFRASTRUCTURE
In traditional banking, institutions mitigate threats through shared intelligence and rapid countermeasures coordinated with cybersecurity firms and regulators (Arner, Barberis & Buckley, 2017). DeFi lacks such codified incident management frameworks, leaving protocols to defend themselves independently (Directors’ Institute, 2025). Some DAOs have established security committees, but their effectiveness depends on voluntary participation and fragmented resources. Flash loan attacks expose the limits of any reactive defence: because they complete within a single transaction, often touching several composable protocols at once, there is no window for a coordinated response after the fact. Without industry-wide incident response standards, DeFi remains vulnerable to cascading breaches.
TRADE OFF BETWEEN OPENNESS AND ATTACK SURFACE VISIBILITY
DeFi’s transparency, where all transactions and contract code are publicly auditable, is a double-edged sword. It permits community-driven security review, but it also gives attackers full visibility into potential attack vectors (Iuliano & Nucci, 2024). Adversaries can study contract logic, simulate attacks and identify weaknesses before launching sophisticated exploits. Traditional systems, in contrast, frequently hide backend processes to minimise visibility (Arner, Barberis & Buckley, 2017). Balancing transparency with security remains unresolved, since excessive obscurity would degrade DeFi’s trustless ethos (Directors’ Institute, 2025).
6. Mitigation Strategies That Preserve Decentralisation
FORMAL VERIFICATION AND AUDITING
Formal verification uses mathematical proofs to show that a smart contract satisfies specified properties, catching errors that could otherwise be exploited, while human auditing supplies context and can find issues that automated tools miss. The strength of formal verification is the high degree of assurance it offers that certain classes of bug cannot occur, but it is costly, time-consuming and hard to apply to very complex contracts. It is also only as good as the specification: if the properties being checked or the assumptions behind them are wrong, the proof says nothing useful about the real risk. Combining formal verification with thorough audits is now common practice for improving security while balancing cost and complexity (Okhaifo, 2025).
DECENTRALISED ORACLES
Decentralised oracles are essential because they feed reliable real-world data into blockchain systems. A single oracle controlled by one entity risks misleading the protocol. Chainlink addresses this by using a network of independent nodes that fetch and verify data. Multiple nodes provide redundant data and reach consensus to reduce reliance on any one party. Operators must stake tokens, risking loss if they act dishonestly, while reputation scores help prioritise trusted nodes and quickly identify misbehaviour. This combination preserves decentralisation while maintaining data accuracy, which is vital for DeFi protocols like lending and trading (OKX, 2025; Trust Wallet, 2023).
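The median-with-staking design described above, as an added example that is not part of the paper and not Chainlink’s code. Staked nodes each report a price for one round; the aggregator accepts the median, slashes reports that deviate from it by more than a tolerance and credits reputation to the rest. The second run shows the limit of the design: a colluding majority moves the median and gets the honest minority slashed instead, which is why node count, independent stake and reputation all matter. Node names, stakes, prices, the tolerance and the slashing fraction are constructed values.

```python
"""
Added example (not from the paper): median aggregation with staking,
slashing and reputation. Node names, stakes and prices are constructed.
"""

from statistics import mean, median


class OracleAggregator:
    def __init__(self, min_reports=3, tolerance=0.05, slash_fraction=0.5):
        self.min_reports = min_reports
        self.tolerance = tolerance          # relative deviation allowed
        self.slash_fraction = slash_fraction
        self.stakes = {}                    # node -> staked tokens
        self.reputation = {}                # node -> accepted rounds

    def register(self, node, stake):
        self.stakes[node] = stake
        self.reputation[node] = 0

    def aggregate(self, reports):
        """reports: node -> reported price. Returns the accepted answer."""
        eligible = {n: p for n, p in reports.items() if self.stakes.get(n, 0) > 0}
        if len(eligible) < self.min_reports:
            raise RuntimeError("not enough staked reports for this round")
        answer = median(eligible.values())
        for node, price in eligible.items():
            if abs(price - answer) / answer > self.tolerance:
                # Outlier: slash part of the stake. A node slashed to zero is
                # ignored in later rounds.
                self.stakes[node] -= int(self.stakes[node] * self.slash_fraction)
            else:
                self.reputation[node] += 1
        return answer


HONEST = {"node1": 2001, "node2": 1999, "node3": 2000, "node4": 2002, "node5": 1998}


def run_round(malicious):
    """One round with five honest nodes plus the given malicious reports.
    Returns (accepted answer, naive mean of all reports, stakes afterwards)."""
    agg = OracleAggregator()
    reports = {**HONEST, **malicious}
    for node in reports:
        agg.register(node, 100)
    answer = agg.aggregate(reports)
    return answer, mean(reports.values()), dict(agg.stakes)
```

With two outliers (one pumping, one dumping) the median is unmoved at 2000 while a naive mean would have been pulled above 2800, and both outliers lose half their stake. With six colluding nodes against five honest ones the median becomes the colluders’ value and the honest nodes are the ones slashed.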
FLASH LOAN MITIGATIONS
Flash loan mitigations target one of DeFi’s riskier tools. Flash loans are instant, uncollateralised loans repaid within one transaction; despite their legitimate uses, they have been used in many attacks. To reduce the risk, some protocols implement rate-limiting, which caps how often flash loans can be taken to prevent rapid repeated attacks. Others add confirmation delays to sensitive actions, giving systems time to detect and stop exploit attempts. FlashGuard, for example, disrupts attacks in real time by sending counter-transactions. Decentralised governance also lets communities react to threats by voting on changes such as raising borrowing fees or tightening collateral rules. Together these measures balance keeping flash loans available for innovation against protecting protocols from manipulation (Alhaidari et al., 2025; ECOS, n.d.).
GOVERNANCE SAFEGUARDS
Governance safeguards help make decentralised decision-making fairer and more resistant to concentration of power. Reputation-based voting gives more influence to members who have proven themselves responsible or active contributors rather than to those who simply hold the most tokens. Quadratic voting makes each additional vote increasingly expensive, discouraging “whales” from dominating decisions. Both have downsides: reputation systems can become popularity contests, and quadratic voting can be gamed by splitting tokens across many wallets. Even so, these safeguards remain important for spreading power and encouraging more balanced participation (Weidener et al., 2025).
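The quadratic rule and the token-splitting weakness mentioned above, as an added example that is not part of the paper. Under quadratic voting a wallet committing t tokens casts floor(sqrt(t)) votes, so a whale’s advantage grows with the square root of its holdings rather than linearly; a tally that counts each wallet separately can be defeated by spreading the same tokens over many wallets, and a tally that first aggregates tokens per verified identity restores the intended effect. Wallet balances and the wallet-to-identity mapping are constructed values, and identity binding itself assumes some proof-of-personhood mechanism outside the model.

```python
"""
Added example (not from the paper): quadratic voting, the Sybil attack on a
per-wallet tally, and the identity-bound tally. Balances are constructed.
"""

import math
from collections import defaultdict


def quadratic_votes(tokens):
    """Votes obtainable by committing `tokens` when votes cost votes**2."""
    return math.isqrt(tokens)


def naive_tally(ballots):
    """ballots: list of (wallet, owner, tokens). Counts each wallet separately."""
    return sum(quadratic_votes(t) for _, _, t in ballots)


def identity_bound_tally(ballots):
    """Aggregates tokens per owner before applying the quadratic rule."""
    per_owner = defaultdict(int)
    for _, owner, tokens in ballots:
        per_owner[owner] += tokens
    return sum(quadratic_votes(t) for t in per_owner.values())


def whale_vs_community():
    """A whale with 10,000 tokens against 100 community members with 100 each."""
    whale_single = [("w0", "whale", 10_000)]
    whale_split = [(f"w{i}", "whale", 100) for i in range(100)]
    community = [(f"c{i}", f"person{i}", 100) for i in range(100)]
    return {
        "linear_whale": 10_000,                                  # one token, one vote
        "linear_community": 100 * 100,
        "quadratic_whale": naive_tally(whale_single),            # 100
        "quadratic_community": naive_tally(community),           # 1000
        "split_whale_naive": naive_tally(whale_split),           # 1000: parity regained
        "split_whale_bound": identity_bound_tally(whale_split),  # 100 again
    }
```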
BUG BOUNTIES AND COMMUNITY AUDITS
Bug bounty programmes invite external researchers and ethical hackers to find and report security weaknesses in exchange for rewards; HackerOne is a prominent platform offering such incentives. These programmes widen the pool of security reviewers beyond small in-house teams, making it more likely that bugs are spotted before they cause harm, and rewards motivate disclosure and cooperation. Because new code can introduce new vulnerabilities, ongoing bounties and community-led audits are vital to maintaining security over time.
BRIDGE SECURITY INNOVATIONS
Bridge security innovations aim to prevent attacks on the bridges that connect blockchains. Relying on a single party to validate cross-chain transfers creates significant risk. Many bridges therefore use a group of independent validators, a threshold of whom must agree before data or assets move, which distributes trust. Some more advanced bridges employ zero-knowledge proof systems, such as zkBridge, to prove on the destination chain that the source-chain event actually occurred, so the validators’ honesty need not be assumed. This lowers reliance on intermediaries and strengthens security while keeping control in users’ hands (Bagheriesfandabadi, 2023).
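The threshold-of-validators check above, and the message verification failure described in the cross-chain bridge exploits section, as one added example that is not part of the paper and does not reproduce the Wormhole contracts. A destination-chain bridge mints wrapped tokens only for a message carrying signatures from at least a threshold of distinct, known guardians over the canonical message bytes, and only once. HMAC tags over a shared key stand in for the ECDSA signatures a real guardian set would use; the guardian keys, threshold and messages are constructed values. The demo then tries the generic ways such a check is bypassed: forged tags, one valid signature duplicated to reach the threshold, a tampered amount, and replay of an already-processed message.

```python
"""
Added example (not from the paper): threshold signature verification for a
lock-and-mint bridge, with the checks that defeat the common bypasses.
HMAC stands in for real signatures; keys and messages are constructed.
"""

import hashlib
import hmac
import json


def canonical(message):
    """Deterministic byte encoding of a cross-chain message."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


class Guardian:
    """A validator attesting to lock events on the source chain."""

    def __init__(self, index, key):
        self.index, self.key = index, key

    def sign(self, message):
        tag = hmac.new(self.key, canonical(message), hashlib.sha256).digest()
        return self.index, tag


class Bridge:
    """Destination-chain contract: mints wrapped tokens for a message only if
    a threshold of distinct known guardians signed it, and only once."""

    def __init__(self, guardian_keys, threshold):
        self.keys = guardian_keys           # index -> verification key
        self.threshold = threshold
        self.consumed = set()               # digests of processed messages
        self.minted = {}

    def verify(self, message, signatures):
        payload = canonical(message)
        seen = set()
        for index, tag in signatures:
            if index in seen or index not in self.keys:
                continue                    # duplicate or unknown guardian
            expected = hmac.new(self.keys[index], payload, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                seen.add(index)
        return len(seen) >= self.threshold

    def mint(self, message, signatures):
        if not self.verify(message, signatures):
            raise PermissionError("insufficient valid signatures")
        digest = hashlib.sha256(canonical(message)).digest()
        if digest in self.consumed:
            raise PermissionError("message already processed")
        self.consumed.add(digest)
        who = message["recipient"]
        self.minted[who] = self.minted.get(who, 0) + message["amount"]
        return self.minted[who]


def demo():
    """Constructed 19-guardian set with a 13-of-19 threshold."""
    keys = {i: hashlib.sha256(f"guardian-{i}".encode()).digest() for i in range(19)}
    guardians = [Guardian(i, k) for i, k in keys.items()]
    bridge = Bridge(keys, threshold=13)
    msg = {"source_chain": "ethereum", "nonce": 1, "token": "ETH",
           "amount": 10, "recipient": "alice"}
    honest = [g.sign(msg) for g in guardians[:13]]
    results = {"honest": bridge.mint(msg, honest)}
    results["twelve_of_nineteen"] = bridge.verify(msg, honest[:12])
    results["forged"] = bridge.verify(msg, [(i, b"\x00" * 32) for i in range(13)])
    results["duplicated"] = bridge.verify(msg, [guardians[0].sign(msg)] * 13)
    results["tampered"] = bridge.verify(dict(msg, amount=120_000), honest)
    try:
        bridge.mint(msg, honest)
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    return results
```

Every rejected case corresponds to a check a verifier must not skip: counting distinct signers rather than signature count, binding the signature to the full canonical payload (so the amount cannot be changed after signing), validating against the current guardian set rather than any caller-supplied key material, and recording consumed messages so a valid one cannot be minted twice.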
RISK POOLING AND INSURANCE
Risk pooling and insurance provide financial protection for DeFi users by letting them share the risk of bugs, hacks or losses. Protocols like Nexus Mutual create pools funded by members that pay out on valid claims. Assessors stake tokens to back their judgements of claims, with penalties for incorrect assessments. Decisions are decentralised, often made collectively by members rather than a central authority. This system builds trust and offers a safety net without sacrificing decentralisation (Genesis Block, 2022).
7. Case Studies of Resilient Protocols
AAVE
Aave provides a strong case study in the governance safeguards and flash loan mitigations discussed in the previous section. Aave stands out for how it handles risk: community governance is used to address threats such as flash loan exploits. Token holders decide on changes through voting rather than a central team controlling everything, so power is spread out and the community can react when problems appear (Aave, 2024).
To mitigate the flash loan risks described above, Aave’s governance has proposed and approved changes such as adjusting borrowing limits and tightening collateral rules. Because governance is open, token holders debate proposals publicly, which contributes to more trustworthy and balanced changes. This combination of transparency and community governance lets Aave adapt to the rapidly evolving DeFi landscape (Directors’ Institute, 2025).
CHAINLINK
Chainlink is a practical implementation of the decentralised oracle strategy. It is designed to solve the problem of securely delivering external data to smart contracts (Chainlink Docs). The hard part of the service is ensuring the data is valid and accurate, since bad data can break contracts and cause losses. Chainlink addresses this with a wide set of independent nodes that each retrieve the same data; results from multiple sources are combined and a consensus value is reported, rather than trusting any single source (Breidenbach et al., 2024). The system therefore remains stable even if some nodes attempt to cheat or return errors.
Chainlink also gives node operators a reason to act honestly: they post collateral and forfeit it if they report false data or fail to perform. Its off-chain reporting design aggregates node reports off-chain and submits a single signed result to the blockchain, which cuts cost and narrows the window for manipulation. The project is transparent about how the network operates, publishing documentation and security reports (Breidenbach et al., 2024), which supports user confidence in its ability to deliver reliable, tamper-resistant data.
COMPOUND
Compound is another DeFi lending platform on which users lend and borrow cryptocurrency (Compound, 2025). Its strength lies in community control and incentives. The COMP governance token gives holders the power to propose and vote on protocol changes, so no single person or team has full control. Beyond voting, users earn COMP for participating, including by lending and borrowing, which rewards contributions to the platform’s growth and encourages involvement. Because so many users have a stake in how the protocol runs, they tend to act quickly when problems appear, proposing fixes and, when necessary, pausing affected markets (Compound, 2025).
This model shows how distributing power and rewards across the community makes a protocol more resilient. By keeping upgrades open and transparent, and by tying incentives to responsible use, Compound builds a system in which its users share an interest in the platform remaining secure (Directors’ Institute, 2025). Token-weighted voting is not free of risk, however: a holder who accumulates enough voting power can push a proposal through, as the 2024 incident in which a governance proposal moved roughly USD $25 million out of Compound’s treasury showed (Hartney, 2024).
8. Future Directions and Policy Considerations
EMERGING SOLUTIONS
Looking ahead, some of the most promising developments in blockchain technology stem from zero-knowledge proofs (ZK-proofs) and multi-party computation (MPC). A ZK-proof lets a prover convince a verifier that a statement is true, for example that the prover knows a secret satisfying some relation, without revealing the secret itself (Ben-Sasson et al., 2016; Shashidhara et al., 2024). This protects user privacy while preserving the verifiability that trust in the system depends on. MPC, by contrast, lets several parties jointly compute a function of their private inputs so that each learns the output and nothing more about the others’ inputs, which enables more secure and decentralised applications (Evans et al., 2018). Together, these techniques have the potential to address several of blockchain’s most significant obstacles concerning privacy and scalability.
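The MPC idea above, as an added example that is not code from Evans et al. or from any protocol named on this page: a private summation using additive secret sharing over a prime field. The parties, their inputs and the field modulus are constructed for the illustration; the point it shows is that each party only ever receives uniformly random shares, yet the published partial sums combine to the exact total.

```python
"""Private summation with additive secret sharing, a minimal MPC protocol.

Added illustration; not code from Evans et al. or from any DeFi protocol.
Each of n parties holds a private value (a position size, say). The parties
learn the total and nothing else: every share a party hands out is uniformly
random in the field, and only the full set of n shares of a value sums to it.
"""
import secrets

Q = 2**127 - 1            # prime field modulus; field elements are in [0, Q)


def to_field(v):
    """Encode a signed integer as a field element (negatives wrap mod Q)."""
    return v % Q


def from_field(x):
    """Decode back to a signed integer, assuming |v| < Q/2."""
    return x if x < Q // 2 else x - Q


def share(value, n, randbelow=secrets.randbelow):
    """Split a field element into n additive shares; any n-1 of them are random."""
    if not 0 <= value < Q:
        raise ValueError("value is not a field element")
    shares = [randbelow(Q) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % Q)       # last share fixes the sum
    return shares


def reconstruct(shares):
    return sum(shares) % Q


def mpc_sum(private_inputs, randbelow=secrets.randbelow):
    """Run the protocol with one process playing every party.

    Returns (total, views): views[j] is the list of shares party j received,
    one from each party, which is all that party j ever sees of the others.
    """
    n = len(private_inputs)
    # Round 1: party i shares its input and sends share j to party j.
    dealt = [share(to_field(v), n, randbelow) for v in private_inputs]
    views = [[dealt[i][j] for i in range(n)] for j in range(n)]
    # Round 2: each party publishes the sum of the shares it holds. Addition
    # is done locally on shares, so no further interaction is needed.
    partials = [reconstruct(view) for view in views]
    # Anyone can add the n published partial sums; the blinding terms cancel.
    return from_field(reconstruct(partials)), views


if __name__ == "__main__":
    total, views = mpc_sum([1500, -2300, 700])
    print("joint total:", total)
    print("what party 0 saw:", views[0])
```

The caveat that applies to any MPC of a sum: the output itself leaks whatever can be inferred from it, so n - 1 colluding parties can subtract their own inputs from the total and learn the last one. The sharing hides inputs from every smaller coalition; what the function reveals is a separate design decision.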
ON-CHAIN REGULATORY FRAMEWORKS
Regulation is always a challenge for new technology, and blockchain is no exception. Traditional requirements such as Know Your Customer (KYC) and Anti-Money Laundering (AML) checks often conflict with decentralised systems, which have no intermediary to collect and hold identity data (Arner, Barberis & Buckley, 2017). On-chain regulatory frameworks offer a potential way to bridge that gap: with zero-knowledge proofs, a user can prove that they satisfy a rule, such as having passed a check with an approved attester, without exposing the underlying personal details, which balances privacy against transparency (Shashidhara et al., 2024). What remains unclear is who is responsible for enforcement in a system without a central authority (Sompolinsky & Zohar, 2016). Clear governance structures and contingency plans are therefore essential if these frameworks are to function as intended.
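The ZK-proof idea in the Emerging Solutions paragraph and the compliance use in the paragraph above, as an added example that is not code from any project or paper cited on this page: a Schnorr proof of knowledge of a secp256k1 secret key, made non-interactive with Fiat-Shamir. It is the simplest zero-knowledge proof, not the richer circuit-based proofs a full compliance scheme needs, but it shows the shape: the verifier is convinced that the prover holds the key behind a public point, learns nothing about the key, and the proof is bound to a context string (constructed here) so it cannot be replayed for another purpose. The curve arithmetic is written in plain Python for readability and is not constant time.

```python
"""Schnorr zero-knowledge proof of knowledge of a secp256k1 secret key.

Added illustration; not code from any project or paper cited on this page.
The prover shows it knows x with X = x*G without revealing x. Fiat-Shamir
(SHA-256 over the statement, the commitment and a context string) makes the
proof non-interactive, so it can be posted on-chain and checked by anyone.
"""
import hashlib
import secrets

# secp256k1, the curve used for Ethereum and Bitcoin keys
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    if pt is None:
        return False
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (variable time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(pub, commitment, context):
    """Fiat-Shamir challenge; binding it to context stops replay elsewhere."""
    h = hashlib.sha256(encode(pub) + encode(commitment) + context).digest()
    return int.from_bytes(h, "big") % N


def keygen():
    return secrets.randbelow(N - 1) + 1


def prove(x, context):
    """Prover side. Returns (public key X, proof (R, s))."""
    pub = ec_mul(x, G)
    r = secrets.randbelow(N - 1) + 1      # fresh nonce; reusing it reveals x
    commitment = ec_mul(r, G)
    c = challenge(pub, commitment, context)
    s = (r + c * x) % N
    return pub, (commitment, s)


def verify(pub, proof, context):
    """Verifier side: accept iff s*G == R + c*X. Learns nothing about x."""
    commitment, s = proof
    if not (on_curve(pub) and on_curve(commitment) and 0 < s < N):
        return False
    c = challenge(pub, commitment, context)
    return ec_mul(s, G) == ec_add(commitment, ec_mul(c, pub))


if __name__ == "__main__":
    x = keygen()
    pub, proof = prove(x, b"example-attestation-v1")
    print("valid proof accepted:", verify(pub, proof, b"example-attestation-v1"))
    print("replayed under another context:", verify(pub, proof, b"other"))
```

Why the verifier learns nothing: s = r + c·x is masked by the uniformly random nonce r, so any (R, s) pair the verifier could see can be produced without x by choosing s first and setting R = s·G - c·X. The security of the scheme therefore rests entirely on r being fresh for every proof; a reused nonce lets anyone solve two equations for x.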
ROLE OF EDUCATION AND DECENTRALISED CERTIFICATION
None of this matters, however, if people have only a limited understanding of how it operates. Education is vital, not just for developers but for users and regulators, and because concepts like ZK-proofs and MPC are complex, practical and accessible training is needed to close the knowledge gap. Decentralised certification programmes, which record a learner’s skills and qualifications on the blockchain, can help build competence and professionalism across the community. The better informed people are, the more confident they will be in using and building on these technologies, which benefits everyone.
THE BALANCE BETWEEN INNOVATION AND RISK MITIGATION
Innovation drives improvement, but it often comes with risk. New technologies such as zero-knowledge proofs deliver real benefits, but their technical complexity raises the chance of implementation bugs (Ben-Sasson et al., 2016). There are also legal uncertainties and governance difficulties to resolve (Arner, Barberis & Buckley, 2017). The key is to keep experimenting and pushing the technology forward, but with moderation: test changes carefully, roll them out step by step and develop industry-wide standards so that components work together reliably (Sompolinsky & Zohar, 2016; Shashidhara et al., 2024). Ultimately, success depends on balancing innovation with solid safeguards, and on making sure technology, regulation and education grow together to create a safer, more reliable blockchain ecosystem.
9. Conclusion
DeFi platforms have changed the financial industry by allowing permissionless transactions between users directly. That openness, however, has brought many cybersecurity vulnerabilities with it: the immutability of smart contracts, which leaves a flawed protocol exposed until a governance process can replace it; the composability of DeFi, in which one compromised protocol can affect every protocol that depends on it; community control and voting, which is slow and has itself been exploited; and transparency, which gives attackers full visibility of the code and state they target.
Despite these vulnerabilities, DeFi has developed ways to prevent and limit such attacks. Formal verification and thorough audits let platforms catch bugs before deployment. Education and decentralised credentials reduce user error and raise security awareness. Decentralised oracle networks such as Chainlink aggregate data from many independent sources so that no single bad report determines the value a contract acts on.
The future of DeFi depends on how it balances stability with innovation. To do so, it should combine detailed code review, effective decentralised governance and cryptographic tools such as zero-knowledge proofs and multi-party computation. As this paper has shown, understanding these vulnerabilities and managing them without undermining decentralisation is critical to DeFi’s continued growth. DeFi’s path forward rests on decentralised platforms improving their systems so that they remain open and permissionless while being secure enough to prevent future incidents.
Bibliography
Aave (2024). Aave Protocol Overview. Aave Docs. Available online: aave.com/docs.
Aayush (n.d.). Defi Wallet Scams: How to Protect Your Digital Assets. Material Bitcoin. Available online: https://materialbitcoin.com/in/blog/defi-wallet-scams/ [Accessed 25 July 2025].
Alhaidari, A., Palanisamy, B. & Krishnamurthy, P. (2025). Protecting DeFi Platforms against Non-Price Flash Loan Attacks. ACM Digital Library. Available online: https://dl.acm.org/doi/10.1145/3714393.3726503.
Ali, A. & Abdul-Sobur Dembo, S. (2024). Decentralized Finance (DEFI) and Its Impact on Traditional Banking Systems: Opportunities, Challenges, and Future Directions. Preprints. Available online: https://www.preprints.org/manuscript/202409.0344/v1.
Ambolis, D. (2024). Composability in DeFi: How the Amazing Ethereum’s Modular Ecosystem Is Changing Finance in 2024. Blockchain Magazine. Available online: https://blockchainmagazine.net/composability-in-defi/.
Arner, D.W., Barberis, J. & Buckley, R.P. (2017). FinTech and RegTech in a Nutshell, and the Future in a Sandbox. CFA Institute Research Foundation.
Atzori, M. (2015). Blockchain Technology and Decentralized Governance: Is the State Still Necessary? SSRN Electronic Journal. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2709713.
Bagheriesfandabadi, F. (2025). Constant-Time Zero-Knowledge Based Blockchain Bridge. UBC Library. Available online: https://open.library.ubc.ca/soa/cIRcle/collections/ubctheses/24/items/1.0437554 [Accessed 25 July 2025].
Behnke, R. (2024). Halborn’s All-Time Top 100 DeFi Hacks Report Summary. Halborn. Available online: https://www.halborn.com/blog/post/halborn-all-time-top-100-defi-hacks-report-summary [Accessed 25 July 2025].
Ben-Sasson, E., Chiesa, A., Tromer, E. & Virza, M. (2016). Scalable Zero Knowledge via Cycles of Elliptic Curves. Algorithmica, 79(4), pp. 1102-1160. Available online: https://doi.org/10.1007/s00453-016-0221-0.
Bhargavan, K., Delignat-Lavaud, A. & Fournet, C. et al. (2016). Formal Verification of Smart Contracts. Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security. Available online: https://doi.org/10.1145/2993600.2993611.
Breidenbach, L., Cachin, C. & Coventry, A. et al. (2025). Chainlink Offchain Reporting Protocol 3.0. Available online: https://research.chain.link/ocr3.pdf.
Brogden, J. & Bailey, M. (2021). SQUIDs In! Scammers Pull the Rug on Netflix Inspired Token. DAC Beachcroft. Available online: https://www.dacbeachcroft.com/fr-FR/what-we-think/squids-in-scammers-pull-the-rug-on-netflix-inspired-token [Accessed 25 July 2025].
Certik (2023). What is Formal Verification in Smart Contract Auditing? Certik. Available online: https://www.certik.com/resources/blog/what-is-formal-verification.
Chainalysis (2023). Oracle Manipulation Attacks Are Rising, Creating a Unique Concern for DeFi. Chainalysis. Available online: https://www.chainalysis.com/blog/oracle-manipulation-attacks-rising/.
Chainalysis (2023). Lessons from the Wormhole Exploit: Smart Contract Vulnerabilities Introduce Risk; Blockchains’ Transparency Makes It Hard for Bad Actors to Cash Out. Chainalysis. Available online: https://www.chainalysis.com/blog/wormhole-hack-february-2022/ [Accessed 25 July 2025].
Chainalysis (2022). Vulnerabilities in Cross-Chain Bridge Protocols Emerge as Top Security Risk. Chainalysis. Available online: https://www.chainalysis.com/blog/cross-chain-bridge-hacks-2022/.
Chainlink (n.d.). Offchain Reporting. Chainlink Docs. Available online: https://docs.chain.link/architecture-overview/off-chain-reporting.
Chainlink (2025). What Is a Blockchain Oracle? Chainlink. Available online: https://chain.link/education/blockchain-oracles.
Chen, H., Pendleton, M., Njilla, L. & Xu, S. (2020). A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses. ACM Computing Surveys, 53(3), pp. 1-43. Available online: https://dl.acm.org/doi/10.1145/3391195.
Coinbase (n.d.). What Are Decentralized Autonomous Organizations (DAO)? Coinbase. Available online: https://www.coinbase.com/en-gb/learn/crypto-basics/what-are-decentralized-autonomous-organizations.
Compound (2025). COMP Distribution. Compound Finance. Available online: https://compound.finance/governance/comp.
Cryptopedia (2025). What Was the DAO? Cryptopedia. Available online: https://www.gemini.com/cryptopedia/the-dao-hack-makerdao.
Cybernod (2025). How to Secure Smart Contracts and Security: Preventing Exploits in the Blockchain Era. Cybernod. Available online: https://blog.cybernod.com/2025/04/smart-contracts-and-security-preventing-exploits-in-the-blockchain-era/ [Accessed 25 July 2025].
del Castillo, M. (2016). Ethereum Executes Blockchain Hard Fork to Return DAO Funds. CoinDesk. Available online: https://www.coindesk.com/tech/2016/07/20/ethereum-executes-blockchain-hard-fork-to-return-dao-funds.
Directors’ Institute (2025). Governance in Decentralized Finance (DeFi): Challenges and Best Practices. Directors’ Institute. Available online: https://www.directors-institute.com/post/governance-in-decentralized-finance-defi-challenges-and-best-practices.
ECOS (n.d.). Flash Loans in DeFi: Understanding Instant Loans, No Collateral, and Security Attacks. ECOS. Available online: https://ecos.am/en/blog/flash-loans-in-defi-understanding-instant-loans-no-collateral-and-security-attacks/ [Accessed 25 July 2025].
Evans, D., Kolesnikov, V. & Rosulek, M. (2018). A Pragmatic Introduction to Secure Multi-Party Computation. Foundations and Trends in Privacy and Security, 2(2-3), pp. 70-246. Available online: https://www.nowpublishers.com/article/Details/SEC-019.
Fáwolé, J. (2025). A Broad Overview of Reentrancy Attacks in Solidity Contracts. QuickNode. Available online: https://www.quicknode.com/guides/ethereum-development/smart-contracts/a-broad-overview-of-reentrancy-attacks-in-solidity-contracts.
Feichtinger, R., Fritsch, R., Vonlanthen, Y. & Wattenhofer, R. (2023). The Hidden Shortcomings of (D)AOs – An Empirical Study of On-Chain Governance. arXiv.org. Available online: https://arxiv.org/abs/2302.12125 [Accessed 25 July 2025].
Flipster (2022). I Read Ethereum’s Whitepaper So That You Don’t Have To. Flipster. Available online: https://flipster.io/vi/blog/ethereum-whitepaper-explained [Accessed 25 July 2025].
Genesis Block (2022). Analysing Nexus Mutual, a Decentralised Insurance Protocol. YouTube. Available online: https://www.youtube.com/watch?v=fmX19a70kn4 [Accessed 25 July 2025].
Hartney, J. (2024). $25 Million Drained from Compound (COMP) Treasury in Latest Governance Exploit Incident. XBT.Market. Available online: https://xbt.market/2024/07/30/25-million-drained-from-compound-comp-treasury-in-latest-governance-exploit-incident/ [Accessed 25 July 2025].
Investopedia (2025). Smart Contracts on Blockchain: Definition, Functionality, and Applications. Investopedia. Available online: https://www.investopedia.com/terms/s/smart-contracts.asp.
Iuliano, G. & Nucci, D. (2024). Smart Contract Vulnerabilities, Tools, and Benchmarks: An Updated Systematic Literature Review. arXiv.org. Available online: https://arxiv.org/abs/2412.01719.
Liu, M., Han, H. & Ahn, J. et al. (2024). I Experienced More than 10 DeFi Scams: On DeFi Users’ Perception of Security Breaches and Countermeasures. arXiv.org. Available online: https://arxiv.org/html/2406.15709v1 [Accessed 25 July 2025].
Luu, L., Chu, D.-H., Olickel, H., Saxena, P. & Hobor, A. (2016). Making Smart Contracts Smarter. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Available online: https://dl.acm.org/doi/10.1145/2976749.2978309.
Morrison, R., Mazey, N.C.H.L. & Wingreen, S.C. (2020). The DAO Controversy: The Case for a New Species of Corporate Governance? Frontiers in Blockchain, 3. Available online: https://doi.org/10.3389/fbloc.2020.00025.
Okhaifo, G. (2025). What Is Formal Verification In Smart Contract Auditing? Hashlock. Available online: https://hashlock.com/blog/what-is-formal-verification-in-smart-contract-auditing [Accessed 25 July 2025].
OKX (2025). Chainlink’s Decentralized Oracle Network: Revolutionizing Blockchain Connectivity and DeFi. OKX. Available online: https://www.okx.com/en-gb/learn/chainlink-decentralized-oracle-network [Accessed 25 July 2025].
OSL (2025). Smart Contract Vulnerabilities: How Hackers Exploit Flaws in DeFi. OSL. Available online: https://www.osl.com/hk-en/academy/article/smart-contract-vulnerabilities-how-hackers-exploit-flaws-in-defi.
Qin, K., Zhou, L., Livshits, B. & Gervais, A. (2020). Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit. arXiv.org. Available online: https://arxiv.org/abs/2003.03810.
Raza, M. (2025). DeFi Governance Explained. BlockApex. Available online: https://blockapex.io/defi-governance/ [Accessed 24 July 2025].
Shashidhara, R., Nair, R.C. & Panakalapati, P.K. (2024). Promise of Zero‐Knowledge Proofs (ZKPs) for Blockchain Privacy and Security: Opportunities, Challenges, and Future Directions. Security and Privacy, 8(1). Available online: https://onlinelibrary.wiley.com/doi/10.1002/spy2.461.
Sharma, R. (2024). Understanding Decentralized Finance (DeFi): Basics and Functionality. Investopedia. Available online: https://www.investopedia.com/decentralized-finance-defi-5113835.
Sompolinsky, Y. & Zohar, A. (2016). Bitcoin’s Security Model Revisited. arXiv.org. Available online: https://arxiv.org/abs/1605.09193 [Accessed 25 July 2025].
Startup Defense (n.d.). DeFi Protocol Hacks: Understanding Security Risks and Solutions. Startup Defense. Available online: https://www.startupdefense.io/cyberattacks/defi-protocol-hack [Accessed 19 July 2025].
Swan, M. (2015). Blockchain: Blueprint for a New Economy. (Sebastopol, Calif: O’Reilly).
Toulas, B. (2022). Beanstalk DeFi Platform Loses $182 Million in Flash-Loan Attack. Bleeping Computer. Available online: https://www.bleepingcomputer.com/news/security/beanstalk-defi-platform-loses-182-million-in-flash-loan-attack/ [Accessed 25 July 2025].
Trust Wallet (2023). Understanding Chainlink: A Beginner’s Guide. Trust Wallet. Available online: https://trustwallet.com/blog/guides/understanding-chainlink-a-beginners-guide [Accessed 25 July 2025].
Weidener, L., Laredo, F., Kumar, K. & Compton, K. (2025). Delegated Voting in Decentralized Autonomous Organizations: A Scoping Review. Frontiers in Blockchain, 8. Available online: https://doi.org/10.3389/fbloc.2025.1598283.
Werner, S.M., Perez, D. & Gudgeon, L. et al. (2021). SoK: Decentralized Finance (DeFi). arXiv.org. Available online: https://arxiv.org/abs/2101.08778.
Wikipedia Contributors. (2024). 2021 Squid Game Cryptocurrency Scam. Wikipedia. Available online: https://en.wikipedia.org/wiki/2021_Squid_Game_cryptocurrency_scam.