In this newsletter, Protos examines the inner-workings of the decentralized finance sector, bringing readers a glimpse of what’s really going on, on-chain.

Expect coverage of security scares, scam campaigns, crypto crime, governance drama, on-chain antics, and more.

Inside DeFi examines the nuts and bolts of a hundred-billion-dollar industry which, all too often, flies under the radar.

Security incidents

Three hacks (so far) this week show that the recent uptick in DeFi exploits hasn’t slowed.

Tuesday saw Makina, on Ethereum, and SynapLogic, on Base, hacked for $5 million and $186,000, respectively.

Makina later published an update to X, explaining how an “MEV searcher” bot discovered the attacker’s contract before it could be used. The bot then “frontrun” the hack, with proceeds split between the bot and a RocketPool validator.

Makina’s Deployer address reached out to both the bot and the validator via on-chain message, requesting the return of stolen funds, which total around 1,300 ether (ETH).

Luckily, the majority of funds have since been recovered. Makina announced that the bot’s operator returned “920 ETH of the 1,023 ETH received by the MEV builder,” keeping a 10% bounty.

They hope the validator will follow suit and ask for help in establishing contact.

The third hack came the following day. Saga announced it had paused its Saga EVM “chainlet” in response to a $7 million hack. The attack resulted in a 25% depeg of Saga-based stablecoin D.

An update confirmed the network remained paused. It also refers to a “coordinated sequence of contract deployments, cross-chain activity, and subsequent liquidity withdrawals,” but the exact cause of the loss has not been disclosed.

On-chain activity

On-chain data shows Ethereum transactions at an all-time high. One might think this is good news for the ecosystem, but the reality isn’t quite that simple.

Research from Andrey Sergeenkov details how cheaper transactions ushered in by the protocol’s Fusaka upgrade in December have led to a rise in weekly new addresses, up to 170% of the 2025 average.

Of the addresses identified by Sergeenkov, he notes “$740,000 has been stolen this way from 116 victims.”

While the attack vector may be somewhat rudimentary, significant losses are not uncommon.

In December one unlucky user lost $50 million to a similar scheme, though this loss isn’t included in Sergeenkov’s data.

As transaction volume balloons, one can expect plenty more victims to come.

On the opposite end of the spectrum, late-2023’s much-hyped Blast (“backed by Paradigm”) is struggling to retain usership.

One eagle-eyed “ct observer” noted its 24-hour fee revenue was listed as -$7 on data dashboard DeFiLlama.

At the time of writing, the figure was -$8. DeFiLlama’s pseudonymous founder 0xnmgi explained that this results from Blast paying more for settlement on Ethereum than it receives in users’ gas fees.

The layer 2 peaked at a staggering $2.5 billion of total value locked despite concerns over centralization and its pyramidal points program.

Governance games

The Trump-family-linked World Liberty Financial has raised eyebrows once again.

Popular DeFi trader DefiSquared highlighted a recent “alarming governance vote” to use unlocked WLFI tokens to grow the stablecoin USD1.

The vote took place over the new year. It was, DefiSquared says, allegedly dominated by insider wallets and amounts to “sell[ing] WLFI tokens at the expense of locked holders, in order to fund protocol revenue that goes only to themselves.”

Earlier this month, World Liberty announced the launch of lending platform World Liberty Markets. The protocol will be “powered by Dolomite,” despite the DAO voting to launch an Aave instance, just over a year ago.

Perps “DEX” Paradex announced a roll back of its layer-two chain, leaving the platform “offline for approximately six hours.”

The move was in response to an error which reportedly caused the price of bitcoin to crash to $0, liquidating traders on the exchange. Paradex refunded around $650,000 in all to the users liquidated in the incident, according to a further update.

L2Beat, which categorizes layer two networks on the basis of their decentralization, lists Paradex under “Other,” as there are ”less than five external actors that can attest data availability.”

— A Newsletter by Jake Harrison