Decentralized finance has gotten rather a lot safer over the previous six years, and a brand new evaluate of protocol losses from 2020 via 2025 places a pretty big quantity behind that declare.
Trade-wide DeFi losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024. Bridge hacks that when produced billion-dollar headlines now account for a tiny slice of annual totals, and the everyday exploit at the moment does a couple of quarter as a lot harm because it did on the peak.
Whereas that is definitely nice information for the crypto trade, there’s nonetheless fairly a little bit of threat left; it simply exhibits up in a special place. Main protocols now usually deploy the identical code throughout Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic, so a single flaw can now drain funds on each community working it on the identical time, and that is the shape crypto’s subsequent systemic downside is more likely to take.
We have seen this in November final yr, when Balancer’s V2 Composable Steady Swimming pools have been drained of roughly $128 million in underneath half an hour throughout six blockchains concurrently.
In response to Examine Level Analysis, the attacker exploited an arithmetic precision flaw within the swimming pools’ invariant math, nudging token balances onto a rounding boundary after which chaining batched swaps till these tiny errors compounded right into a full drain.
The contracts with the identical vulnerability had been deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, so the exploit reached all of them without delay as a result of the flaw was embedded within the code itself, and that code had been copied all over the place.
As CryptoSlate reported on the time, eleven separate audits had did not catch it, which tells you simply how refined this class of bug has turn into and why it is a lot tougher to anticipate than the assaults that got here earlier than.
The hacks obtained smaller because the chains multiplied
The encouraging a part of the info is that a budget, repeatable assaults that outlined crypto’s early years have principally been engineered out of existence, and complete losses dropped 80% in two years, at the same time as DeFi’s TVL saved climbing. An enormous drop was additionally seen within the median loss per incident, which fell from $6 million in 2022 to $1.5 million in 2025, a 75% decline.
The depend of distinctive incidents truly rose to 83 in 2025, so extra hacks are taking place whereas each does far much less harm, which is roughly what a maturing safety discipline is meant to appear like.
Bridges have been the defining vulnerability in 2021 and 2022, and in that second yr alone, 9 bridge exploits resulted in $1.9 billion in losses. These hacks have been really a few of crypto’s worst moments, with the Ronin Bridge accounting for a $624 million loss by itself.
CryptoSlate tracked it on-chain because the funds moved via Twister Money, adopted by Binance Bridge at $570 million, Wormhole at $326 million, Nomad at $190 million, Concord at $100 million, and Qubit at $80 million.
It accounted for 73% of all DeFi losses that yr, and by 2025, the bridge’s share had collapsed to three%, due to improved verification mechanisms, decentralized validator units, and a broader shift towards native cross-chain messaging.
Flash-loan assaults adopted the identical path down. They represented 54% of all losses in 2020 once they have been the signature DeFi method, and by 2025, they accounted for underneath 1%, as a result of protocols adopted defenses tailor-made particularly to that assault: time-weighted common costs, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate costs inside a single atomic transaction.
Personal-key compromises noticed an analogous decline, falling from 28.7% of losses in 2022 to eight.1% in 2025. Every of those classes shrank for a similar underlying purpose, which is that the trade acknowledged a repeatable sample and constructed a standardized reply to it, and as CryptoSlate’s year-end evaluate of 2025 discovered, these solutions have largely held.
What’s left is tougher to defend in opposition to
Closing off the generic assaults left behind a much more tough class: in 2025, 89.1% of DeFi losses got here from protocol logic exploits, that means code-level flaws particular to how one software was designed. A bridge hack entails recognizable belief assumptions, and a flash-loan assault is a part of a recognized household of methods, so each could be defended with reusable patterns.
Nevertheless, a protocol logic bug is bespoke by nature. It emerges from the actual math, entry controls, or composability selections of a single codebase, making it laborious to defend in opposition to systematically, as a result of every occasion is its personal puzzle and shares little with the final.
Multi-chain deployment is what turns one in all these bespoke bugs right into a full-blown disaster. ImmuneFi’s report attracts a direct line from the defining multi-chain incident of 2021, the roughly $611 million Poly Community exploit, to Balancer in 2025.
Poly Community was a failure on the connection level between techniques, the type of choke level that bridges create, whereas Balancer was the identical logic failing identically throughout networks that share code, signer paths, and verification assumptions. As soon as a series turns into a part of the default deployment map for main protocols, it absorbs the danger floor of every thing it hosts, nonetheless sound its personal infrastructure occurs to be.
That adjustments the way you measure an ecosystem’s security, and the report’s methodology exhibits this by attributing the complete loss from a multi-chain exploit to every affected chain, on the logic that contributors throughout all six networks have been uncovered to the complete affect.
The trade-off is that the 2025 hack figures for Polygon, OP Mainnet, Base, and Sonic are closely influenced by the Balancer cascade. The report additionally strips out centralized trade failures fully, which is why the yr’s largest single theft, the $1.5 billion Bybit hack that the FBI attributed to North Korea, is taken into account a custody failure moderately than a protocol one.
On a loss-to-TVL foundation, the most secure tier amongst main ecosystems was Ethereum at round 0.42%, Solana at 0.42%, and BNB Chain at 0.33%, the three largest DeFi ecosystems by worth locked, which suggests scale and safety have been enhancing collectively moderately than at one another’s expense.
Whereas these adjustments fare a lot better for the typical protocol, they don’t seem to be so good for the typical consumer. A loss can now happen in an app that carries a flaw imported from elsewhere, and the comfort that makes multi-chain apps interesting is what makes this error escalate from an area to a shared one.
Crypto spun up all these separate chains partly to keep away from relying on any single system, and the irony is that working the identical handful of common protocols throughout all of them has rebuilt the focus these chains have been meant to flee.
The following massive incident might look small on the day it lands (a single logic bug in a broadly deployed protocol), however reveal its true dimension solely as soon as individuals understand the identical weak code was sitting on half a dozen networks the whole time.
