Recent events like the Lendf.me hack and the MakerDAO zero-dollar auction have pushed DeFi into the public eye, sparking fresh debate about its current state and future hurdles. Since 2019, DeFi has enjoyed sustained popularity and broad acceptance within the industry. Yet, the crypto market crash in March exposed critical flaws in the institutional design and technical security of many DeFi projects, causing the total value locked (TVL) across the sector to plummet. What challenges does DeFi face today, and what lies ahead?
Today, OKEx partnered with Carbon Value to host an online dialogue titled "DeFi in the Post-Pandemic Era: Opportunities and Challenges" in the "Blockchain Media Group." We were joined by four industry experts who shared their insights on these questions: Cao Yin from the Digital Renaissance Foundation; Yang Xia, Founder & CEO of Chengdu ChainSafe; Pan Chao, Head of MakerDAO China; and William, Chief Researcher at OKEx.
Here is the full dialogue transcript:
Q: For many, DeFi is a familiar yet vague concept. Literally, it stands for "Decentralized Finance," but some traditional P2P lending models also have decentralized features without being considered DeFi. Could our panelists share their understanding of DeFi? Let's start with Mr. Cao Yin.
Cao Yin: The term "DeFi" can be misleading. Its goal isn't decentralization for its own sake; decentralization is a means to an end. I see DeFi not as a specific technology or product category, but as a social movement and ideology: one that uses open-source software and decentralized networks to transform financial products into transparent, trustless protocols that operate without central management.
DeFi's advantage lies not in decentralization itself, but in its permissionless nature, disintermediation, and automation—shifting from P2P to P2C (Peer-to-Contract)—which removes the counterparty risk inherent in traditional finance.
This does, however, introduce new risks related to smart contracts—like protocol vulnerabilities and price manipulation. The benefit is that risks stemming from smart contracts are publicly visible, can be modeled in advance, and can be quickly identified and addressed after an incident.
Yang Xia: My take on DeFi, or Decentralized Finance—also called Open Finance—is that it's one of the hottest areas in blockchain over the past two years. It aims to tackle the inherent flaws of traditional, centralized finance using blockchain technology, such as cumbersome approval processes, lack of transparency, systemic inequality, and hidden transaction risks.
The DeFi sector includes stablecoins, lending, payments, derivatives, decentralized exchanges (DEXs), and asset management. In these systems, users retain full control over their assets and data, while the platforms themselves are highly open—allowing anyone, anywhere to participate at any time. Compared to traditional finance, DeFi offers greater transparency and executes agreements automatically via smart contracts, significantly reducing risks like manual intervention costs and non-performing loans.
Pan Chao: I've spoken before about defining DeFi. To reiterate: like many blockchain terms, "DeFi" is a trendy, catchy marketing slogan—not a precise technical description. It frames financial decentralization as an accomplished outcome rather than an ongoing process, which unsurprisingly leads to misunderstanding, ambiguity, and polarized views.
When we talk about decentralized finance, we often put decentralization (i.e., blockchain) at the center and then design financial applications around it. But a more comprehensive view should place finance itself at the core—asking which financial areas can be decentralized and what benefits that brings.
Distributed architecture isn't unique to blockchain; traits like transparency, censorship resistance, and immutability are hard to reconcile with traditional finance. In my view, the core advantage of decentralized finance is "permissionlessness."
Permissionlessness operates on three levels: permissionless development, permissionless ledgering (consensus), and permissionless user access—corresponding to open-source code, public blockchains, and open accounts. Any financial project that allows permissionless user access qualifies as decentralized finance. Meanwhile, permissionless development and ledgering often involve trade-offs between efficiency, security, and decentralization.
William: The concept of DeFi was first introduced by Brendan Forster, founder of the Dharma project. In August 2018, Forster published an article on Medium titled "Announcing De.Fi, A Community for Decentralized Finance Platforms," formally coining the term "DeFi." Only projects meeting all four criteria he outlined can be considered true DeFi.
Q: Thank you all for those insightful introductions. Our second question: Currently, MakerDAO and Compound dominate market share, with MakerDAO alone accounting for 53.3% of DeFi's total value locked (TVL). How should we interpret this emerging "80/20 rule" in DeFi? Does it contradict DeFi's principle of decentralization? This falls to Mr. Pan Chao—let's start with him.
Pan Chao: Initially, Maker's market share was over 80%. The rise of dominant players isn't necessarily negative—it signals the formation of network effects and economies of scale.
Maker is a foundational protocol that any application can build on. In fact, about 90% of DeFi applications use Dai. For developers, building a DeFi app faces almost no operational barriers—they can iterate quickly using existing open-source tools and leverage built-in network effects.
From a user's perspective, all it takes is a dozen mnemonic words to create an account for transfers, trading, lending, and more—offering an openness no traditional financial system can match: unrestricted and unbiased. TVL distribution is just one way to measure decentralization.
Cao Yin: I also see no contradiction. A defining feature of DeFi is its permissionless, disintermediated nature, which allows assets to move almost frictionlessly across protocols. As a result, assets naturally flow toward leading protocols, creating network effects: the more assets a protocol holds, the better its liquidity, the more accurate its price signals, and the lower its funding costs.
In contrast, traditional intermediated finance faces numerous institutional barriers—even government capital controls—making cross-product, cross-platform, and cross-border fund flows extremely costly. Today's internet finance aggregates products on centralized platforms to reduce these costs. DeFi goes further: funds flow seamlessly across protocols, bounded only by public blockchains. In the future, with Polkadot's cross-chain technology fully deployed, even these boundaries will dissolve, enabling truly frictionless movement and amplifying the scale advantages of top protocols.
Moreover, leading protocols like Maker and Compound are foundational components of the DeFi ecosystem—what we call "DeFi Primitives." Their native assets, Dai and cTokens, serve as base assets for secondary-layer protocols; thus, the TVL locked in Maker and Compound effectively contributes to the TVL of other protocols as well.
Additionally, TVL is just one metric for assessing a DeFi protocol's importance—trading volume is equally critical. For example, DEX protocols like Uniswap and Loopring have relatively low TVLs but exceptionally high trading volumes. So, TVL alone doesn't fully capture a DeFi protocol's significance.
Q: Let's move on to some recent high-profile events in DeFi that have sparked widespread discussion. During the pandemic, two major incidents occurred: first, MakerDAO's "zero-price" auction event in March, triggered by a mechanism flaw during the global liquidity crisis; second, the Lendf.Me hack on April 19. Both resulted in significant losses. Professor Pan Chao, why did the "zero-price" auction happen at MakerDAO? Was it a failure of governance or protocol design? What has been done to fix it?
Pan Chao: A key factor was extreme congestion on the Ethereum network. Gas fees spiked nearly 200-fold, which prevented bidding bots from submitting valid bids during the auctions. After the incident, the Maker Protocol implemented several adjustments—such as extending auction durations and adding circuit-breaker mechanisms—to better handle such black-swan events. All collateral auctions have since resumed normally. The system also successfully completed a debt restructuring by automatically diluting MKR tokens, moving from a deficit to a profit. In a way, this episode served as a stress test for both the Maker Protocol and Ethereum's overall resilience.
Q: Regarding the Lendf.Me hack, Ms. Yang Xia, how was the attack carried out? What security measures could have prevented it?
Yang Xia: This is another recently disclosed security incident. The attacker exploited a reentrancy vulnerability in Lendf.Me to overwrite their own account balance, effectively doubling their withdrawable funds repeatedly until the platform's reserves were drained. Eventually, the hacker returned the stolen funds in stages. Here’s a breakdown of the attack:
The attacker’s address was: 0xA9BF70A420d364e923C74448D9D817d3F2A77822; the exploited contract was: 0x538359785a8D5AB1A741A0bA94f26a800759D91D. The attacker began with several test runs (shown below):

In transaction 0xe49304cd3ed—the third transaction after the contract was deployed—the attacker made their first exploitation attempt:

Initially, the attacker's script had a flaw: only the first transaction in a block would succeed; subsequent transactions in the same block would fail.
The attacker then modified the script to submit only one attack transaction per block. An analysis of the three successful transactions shows the attacker's funds growing almost exponentially—indicating the attack was already profitable:

Transaction hash: https://etherscan.io/tx/0xae7d664bdfcc54220df4f18d339005c6faf6e62c9ca79c56387bc0389274363b

Transaction hash: https://etherscan.io/tx/0xf8ed32d4a4aad0b5bb150f7a0d6e95b5d264d6da6c167029a20c098a90ff39b4
At this point, the attacker had confirmed the attack vector worked. The following series of transactions involved the attacker registering multiple token addresses to facilitate swaps:

Through this repeated doubling process, by transaction 0xced7ca81308, the attacker had nearly drained the total available supply of imBTC.

The attacker then used the acquired imBTC to borrow other tokens, as shown below:

Security Recommendations: The DeFi ecosystem is rapidly expanding and maturing. By 2020, assets locked in Ethereum-based DeFi applications had already surpassed $1 billion. While the appeal of DeFi largely stems from its high yields—with "Decentralized Finance" forming the backbone of open finance—annualized returns of 8%–10% inevitably come with significant risks.
DeFi development teams have considerable freedom when designing smart contracts, but the lack of a unified security framework or mandatory rigorous audits has led to a steady stream of vulnerabilities and security issues. In this case, the project team should have implemented reentrancy protection—using tools like OpenZeppelin’s ReentrancyGuard—and adhered to the best practice of updating internal state variables before making external calls.
Chengdu ChainSafe Recommendation: All DeFi project teams must prioritize smart contract security during development, preparing for edge cases and abnormal usage patterns to prevent losses. We also recommend comprehensive security audits by professional blockchain security firms to mitigate potential risks.
Q: Moving to our fourth topic: While DeFi promotes itself as "intermediary-free" and "trustless," it currently faces a trust crisis. From your professional perspective, what are the key challenges in DeFi today, and what should our trust in DeFi be based on?
Cao Yin: As an emerging field, DeFi naturally faces numerous challenges. Key issues include systemic risks from underlying public chain performance bottlenecks; risks due to asset homogenization; localized systemic risks from smart contract composability limits and inter-protocol complexity; compliance risks stemming from permissionless operation, anonymity, securitization, and capital controls in some jurisdictions; and "involution" risks from difficulties in tokenizing off-chain assets and the inability to offer credit lending.
Trust in DeFi should follow a concentric-circle model, propagating layer by layer. At the core is code-level trust in foundational protocols and functional modules. Surrounding that is code-level trust in secondary protocols built on those foundations. Further out is code-level and team-level trust in application-layer products that integrate various protocols to deliver user services. Developers, security auditors, media, and community white-hat researchers are critical conduits for trust propagation across these layers.
Protocol and product developers are responsible not only for their own code but also for the protocols and assets they integrate. They should maintain close communication with partners like oracles, asset issuers, and custodians—similar to aerospace design units establishing joint issue-tracking systems. All issue lists must be jointly verified and resolved ("zeroed out") by both sides, with mutual accountability—no assumptions like "I thought you assumed everything was fine." As Professor Yang noted, protocol standardization is crucial. Recently, Zerion proposed the concept of a DeFi SDK, which deserves further study.
Yang Xia: From the bZx attacks earlier this year to subsequent incidents involving Uniswap and dForce, it's clear that hackers have deeply understood systemic risk-control vulnerabilities in DeFi and are exploiting its composability to launch repeated, cascading attacks. If a project team doesn't prioritize smart contract security, serious security incidents are highly likely.
A failure in any single DeFi component could potentially collapse the entire ecosystem. This requires DeFi developers to continuously improve and update their code—not just pursuing maximum composability but also ensuring security compatibility across different DeFi products.
Overall, DeFi is still in its early stages, and many mechanisms need refinement. Chengdu ChainSafe’s Security Situation Awareness System (Beosin-Eagle Eye) is a visualization-based platform designed to address blockchain-specific transaction risks and security threats. It enables real-time security monitoring, early warnings, alerts, and automatic blocking of malicious transactions for DeFi projects, ensuring safe operations.
Hackers have largely mastered the systemic risk-control vulnerabilities in DeFi. If a project team doesn't prioritize smart contract security, incidents are highly probable. Teams operating DeFi protocols who wish to consult on these issues are welcome to contact Professor Yang Xia.
Q: As the China Head of the world’s largest DeFi project, how do you view this issue, Professor Pan Chao?
Pan Chao: DeFi’s biggest challenge remains on the asset side: beyond ETH, few highly liquid assets exist. To achieve mass adoption, the asset base must expand significantly—bringing "real-world" assets on-chain, such as stablecoins, gold, and synthetic traditional financial assets.
DeFi isn't about eliminating trust—it's about enhancing trust pathways. Open-source code, self-executing smart contracts, transparent and publicly verifiable balance sheets, and the capability and reputation of development and operations teams all serve as anchors of trust in DeFi, rather than relying solely on "Code is Law."
William: The previous speakers have provided excellent insights—I’ll briefly add my perspective. Currently, DeFi faces three primary challenges:
First, low public chain performance: During extreme market conditions, blockchain networks easily congest, causing DeFi transactions to fail. Second, systemic risk exposure: Most DeFi protocols are deployed on Ethereum and tightly coupled to ETH’s price; a sharp decline triggers systemic crises that directly impact DeFi. Third, poor user experience: Compared to traditional financial tools, DeFi requires users to understand wallets and manage private keys—basic blockchain knowledge that creates high entry barriers and cumbersome workflows, making it unfriendly to newcomers.
I believe trust in DeFi rests on three pillars: transparency, security, and reliability. While most DeFi protocols today achieve transparency, systemic security and sound mechanism design remain insufficient.
Q: Thank you to all four distinguished guests. Next, we proceed to today’s fifth topic: our outlook on DeFi’s future. As noted, most DeFi protocols are currently deployed on Ethereum—and developing the DeFi ecosystem is a core strategic priority for Ethereum. Will DeFi's growth alter ETH’s valuation logic? What changes will Ethereum 2.0 bring to DeFi? We invite Professor Pan Chao to answer.
Pan Chao: Today, Ethereum is virtually synonymous with DeFi. Even after transitioning to Ethereum 2.0, finance will remain its most suitable—and arguably only viable—application domain. I have long maintained that finance represents blockchain’s optimal, and perhaps sole, practical use case.
The Ethereum 2.0 transition is being implemented in stages. Phase 1 focuses primarily on testing Proof-of-Stake (PoS) consensus, while commercial logic remains fully operational on the existing Proof-of-Work (PoW) chain. The PoS chain runs in parallel as a testnet and won't impact current DeFi operations.
From an asset perspective, the testnet introduces a new interest-bearing ETH variant. Many PoS staking pools, acting as custodians, are expected to issue representative tokens for this asset on the PoW chain—each with distinct risk profiles and yield characteristics. These interest-bearing ETH tokens may then serve as collateral to mint entirely new assets.
William: Excellent—Professor Pan Chao has clearly explained Ethereum 2.0. I’ll focus on how DeFi reshapes Ethereum’s valuation logic. Historically, when valuing BTC and ETH, we emphasized network externalities—using user count as a proxy for overall cryptocurrency market capitalization. However, this approach is relatively crude. Instead, we can adopt a more refined framework: measuring the effective demand for a cryptocurrency.
In 2017, Ethereum's token sale model fueled market demand for ETH, pushing its price to an all-time high of $1,200. As that model faded, however, ETH's price gradually declined to its current level around $200.
I believe the DeFi ecosystem has delivered Ethereum's greatest benefit: generating new, tangible demand. Whether through capital locked in DeFi protocols or the gas fees required to execute smart contracts, both significantly boost the market's real demand for ETH. If the DeFi ecosystem grows sufficiently large, ETH's price will inevitably follow.
Q: Let's move to a question on everyone's mind—especially with crypto prices surging recently. Bitcoin's second halving in 2016 was followed by Ethereum's successful ICO model, which ignited the 2017 bull run. As we approach Bitcoin's third halving, many expect DeFi's growth to spark a new bull market next year. What's your take? Will DeFi truly trigger the next bull run, and why? Let's start with Mr. Cao Yin.
Cao Yin: I'll state my view clearly: DeFi will absolutely drive the next bull market. Professor William already outlined the core reasons earlier—I'll expand on them.
ETH's significant rally since the second half of last year was largely fueled by booming DeFi activity and the issuance of numerous fiat-pegged stablecoins on Ethereum. This dramatically increased the economic value transacted on the network, leading to massive ETH lock-ups in DeFi protocols and surging demand for gas. And we're still in the early stages of DeFi's development. Looking ahead, the DeFi ecosystem will expand exponentially across public blockchains like Ethereum, Polkadot, and Tezos. Cross-chain interoperability between protocols and assets—coupled with vast amounts of fiat flowing into DeFi as stablecoins—will further cement the intrinsic value of native public-chain tokens.
Moreover, leading DeFi project tokens can capture value generated across the broader DeFi network. Tokens like Kyber (KNC), Maker (MKR), Chainlink (LINK), and Aave (formerly LEND) have all outperformed ETH in price appreciation during the same period—conclusively demonstrating that DeFi ecosystem growth directly drives up token valuations.
Yang Xia: We're generally optimistic. Over the past two years, DeFi has captured significant mainstream attention and made notable progress. Just as we couldn't have imagined the internet's final form before it matured—social media seemed nearly impossible two decades ago, yet now it's part of daily life—DeFi's ultimate stage may bring similarly transformative, currently unimaginable impacts on finance and beyond. We should have high expectations for its future.
William: I have a slightly different perspective: I think it will be relatively difficult for DeFi alone to propel the next bull market. Since Bitcoin's inception, we've seen three major bull markets—in 2011, 2013, and 2017:

The chart above illustrates Bitcoin's three market cycles.
While many claim crypto bull markets correlate closely with Bitcoin halvings, each cycle clearly shows innovation as the primary catalyst—like the rise of Bitcoin exchanges in the first cycle, altcoin proliferation in the second, and the ICO funding model in the third. These innovations directly triggered sharp Bitcoin price surges in their respective years.
In my view, DeFi's current innovation doesn't yet match the breakthrough scale of the previous two bull markets. Therefore, I don't believe DeFi will be the primary driver of the next one.
Looking at industry trends, regulatory compliance is a major direction. Currently, most crypto capital comes from alternative investment funds. Only when the market achieves full compliance will massive institutional capital from traditional finance enter. Thus, I believe regulatory innovation will likely determine the timing of Bitcoin's fourth market cycle—and the start of its next bull run.
Q: Now for our final question: the integration of DeFi and CeFi—a topic of great interest to practitioners across both centralized and decentralized exchanges. Currently, DeFi and CeFi each have distinct strengths and weaknesses. How do you view their mutual integration? Let's start again with Mr. Cao.
Cao Yin: First, there's no clear-cut boundary between DeFi and CeFi. We can assess any DeFi protocol's decentralization by evaluating whether each functional "element" operates in a decentralized manner.
These "elements" include: 1) access; 2) custody; 3) price feeds; 4) DEX components—order book and settlement; 5) lending functions—including margin calls, liquidity for margin calls, and monetary policy; and 6) development and code maintenance.
Exchanges like OKX, Binance, and Huobi are unquestionably centralized. Yet, at the opposite extreme, no existing DeFi application fully decentralizes all these elements—at minimum, development and code maintenance remain under human control.
Among these elements, the community widely regards certain features as fundamental for any DeFi application: permissionless access and non-custodial asset management. In DeFi-based DEXs, settlement must occur on-chain.
Thus, from a user's perspective, "DeFi" essentially refers to financial applications offering open, permissionless access, non-custodial asset management, and on-chain settlement. Decentralization itself is merely a means—the true objectives are openness, freedom, and trustlessness.
Similarly, centralization in CeFi is also just a means—the ultimate goal remains delivering superior financial services to users. In this sense, DeFi and CeFi share the same objectives. Looking ahead, I foresee deep integration: DeFi protocols will serve as foundational infrastructure handling custody, clearing, and settlement, while CeFi platforms provide customer acquisition, risk management, credit rating, insurance, and regulatory compliance. Moreover, CeFi will become a critical liquidity source for DeFi protocol-level clearing and settlement—forming a hybrid CeFi–DeFi–CeFi architecture.
Yang Xia: Most exchange-affiliated blockchains now prioritize DeFi as a core strategic direction. Meanwhile, CeFi has long faced persistent trust issues—including opaque operations and lack of transparency—meaning DeFi continuously exerts competitive pressure on CeFi.
CeFi must therefore seek transformation—leveraging DeFi to build a more open and transparent financial ecosystem. Given CeFi's massive user base and asset scale, its integration with DeFi may well catalyze an entirely new financial ecosystem.
Pan Chao: I've previously described the relationship between DeFi and CeFi: pursuing so-called "pure DeFi" is like treating a single fruit as the entire plant.
Decentralization and centralization are two fundamentally different forces and philosophies, much like DeFi and CeFi sitting on opposite ends of a seesaw. While they may seem at odds, the liquidity flowing between them makes them both essential parts of the financial system. In practice, they aren't contradictory; both are indispensable, and this very interdependence is what creates financial equilibrium.
A prime example is the collaboration between OKEx and MakerDAO, which lets users earn deposit interest on Dai from DeFi directly on OKEx—without ever leaving a platform they trust. This synergy allows decentralized finance to offer more competitive yields, while traditional institutions provide the convenience and speed users expect.
William: Exactly—from a practical standpoint, DeFi and CeFi can integrate effectively in two key areas today: collateralized lending and international trade services like factoring and letters of credit. Take collateralized lending. Traditional setups often face risks like signing pledge agreements without actual asset delivery, or uncertainty in enforcing pledge rights. But banks, securities firms, trusts, and microfinance institutions can use smart contracts to automatically lock assets with a third party. This makes the whole process transparent and publicly verifiable, significantly reducing those risks.
Then there's international trade. In cross-border deals, buyers and sellers often don't fully trust each other: buyers worry about paying upfront only for the seller to default, while sellers fear shipping goods or submitting documents without getting paid.
So how does traditional finance solve this? Through banks—specifically with letters of credit, which replace commercial credit with bank credit to complete the transaction. Just how complex is the LC process? This diagram says it all:

Now imagine a blockchain-based trade settlement platform with a dedicated smart contract. An exporter could place the advance payment directly into the contract. Once the goods arrive and all documentation is verified, the smart contract would automatically release the funds. This would streamline the process dramatically and cut service fees substantially. That's how DeFi and CeFi can work hand in hand.
Moderator: Thank you to our four distinguished guests for your insightful presentations this afternoon. Compared to the long-established traditional financial system, DeFi is still in its early stages—yet it opens new doors for transparency and openness in finance. As it matures, DeFi will inevitably face challenges, whether technical, security-related, or user-experience focused—even black swan events like extreme ETH volatility or soaring gas fees. Still, we shouldn't write off its future prematurely. We hope today's discussion has offered everyone a fresh perspective on DeFi. That concludes our session—thank you all for joining us!
