The majority of DeFi projects are open-source, meaning that their code is easily accessible on GitHub for inspection by both well-intentioned and malicious users. If wrongdoers find bugs first, they can steal other users’ funds.
Besides bugs in code, DeFi applications are also vulnerable to external exploits. DeFi’s efficiency depends largely on composability: the more projects are interconnected, the more value they can provide. That same interconnection lets exploiters game the system and cause protocols to behave in ways their developers did not intend.
The irreversibility of blockchain transactions exacerbates the situation. If a hack occurs, the funds are likely lost for good, though some projects will reimburse users out of their own pockets.