Decentralized finance has gotten so much safer over the previous six years, and a brand new evaluation of protocol losses from 2020 by way of 2025 places a pretty big quantity behind that declare.
Trade-wide DeFi losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024. Bridge hacks that when produced billion-dollar headlines now account for a tiny slice of annual totals, and the standard exploit at the moment does a couple of quarter as a lot harm because it did on the peak.
Whereas that is definitely nice information for the crypto trade, there’s nonetheless fairly a little bit of danger left; it simply exhibits up in a unique place. Main protocols now typically deploy the identical code throughout Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic, so a single flaw can now drain funds on each community operating it on the similar time, and that is the shape crypto’s subsequent systemic drawback is prone to take.
We have seen this in November final yr, when Balancer’s V2 Composable Secure Swimming pools had been drained of roughly $128 million in beneath half an hour throughout six blockchains concurrently.
Based on Test Level Analysis, the attacker exploited an arithmetic precision flaw within the swimming pools’ invariant math, nudging token balances onto a rounding boundary after which chaining batched swaps till these tiny errors compounded right into a full drain.
The contracts with the identical vulnerability had been deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, so the exploit reached all of them directly as a result of the flaw was embedded within the code itself, and that code had been copied in all places.
As CryptoSlate reported on the time, eleven separate audits had did not catch it, which tells you simply how delicate this class of bug has change into and why it is a lot tougher to anticipate than the assaults that got here earlier than.
The hacks obtained smaller because the chains multiplied
The encouraging a part of the info is that a budget, repeatable assaults that outlined crypto’s early years have principally been engineered out of existence, and complete losses dropped 80% in two years, whilst DeFi’s TVL stored climbing. An enormous drop was additionally seen within the median loss per incident, which fell from $6 million in 2022 to $1.5 million in 2025, a 75% decline.
The depend of distinctive incidents really rose to 83 in 2025, so extra hacks are occurring whereas every one does far much less harm, which is roughly what a maturing safety area is meant to seem like.
Bridges had been the defining vulnerability in 2021 and 2022, and in that second yr alone, 9 bridge exploits resulted in $1.9 billion in losses. These hacks had been really a few of crypto’s worst moments, with the Ronin Bridge accounting for a $624 million loss by itself.
CryptoSlate tracked it on-chain because the funds moved by way of Twister Money, adopted by Binance Bridge at $570 million, Wormhole at $326 million, Nomad at $190 million, Concord at $100 million, and Qubit at $80 million.
It accounted for 73% of all DeFi losses that yr, and by 2025, the bridge’s share had collapsed to three%, due to improved verification mechanisms, decentralized validator units, and a broader shift towards native cross-chain messaging.
Flash-loan assaults adopted the identical path down. They represented 54% of all losses in 2020 once they had been the signature DeFi approach, and by 2025, they accounted for beneath 1%, as a result of protocols adopted defenses tailor-made particularly to that assault: time-weighted common costs, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate costs inside a single atomic transaction.
Personal-key compromises noticed an analogous decline, falling from 28.7% of losses in 2022 to eight.1% in 2025. Every of those classes shrank for a similar underlying cause, which is that the trade acknowledged a repeatable sample and constructed a standardized reply to it, and as CryptoSlate’s year-end evaluation of 2025 discovered, these solutions have largely held.
What’s left is tougher to defend towards
Closing off the generic assaults left behind a much more troublesome class: in 2025, 89.1% of DeFi losses got here from protocol logic exploits, that means code-level flaws particular to how one utility was designed. A bridge hack entails recognizable belief assumptions, and a flash-loan assault is a part of a recognized household of strategies, so each could be defended with reusable patterns.
Nonetheless, a protocol logic bug is bespoke by nature. It emerges from the actual math, entry controls, or composability selections of a single codebase, making it laborious to defend towards systematically, as a result of every occasion is its personal puzzle and shares little with the final.
Multi-chain deployment is what turns one among these bespoke bugs right into a full-blown disaster. ImmuneFi’s report attracts a direct line from the defining multi-chain incident of 2021, the roughly $611 million Poly Community exploit, to Balancer in 2025.
Poly Community was a failure on the connection level between programs, the type of choke level that bridges create, whereas Balancer was the identical logic failing identically throughout networks that share code, signer paths, and verification assumptions. As soon as a series turns into a part of the default deployment map for main protocols, it absorbs the danger floor of all the things it hosts, nonetheless sound its personal infrastructure occurs to be.
That modifications the way you measure an ecosystem’s security, and the report’s technique exhibits this by attributing the total loss from a multi-chain exploit to every affected chain, on the logic that individuals throughout all six networks had been uncovered to the total affect.
The trade-off is that the 2025 hack figures for Polygon, OP Mainnet, Base, and Sonic are closely influenced by the Balancer cascade. The report additionally strips out centralized change failures completely, which is why the yr’s largest single theft, the $1.5 billion Bybit hack that the FBI attributed to North Korea, is taken into account a custody failure fairly than a protocol one.
On a loss-to-TVL foundation, the most secure tier amongst main ecosystems was Ethereum at round 0.42%, Solana at 0.42%, and BNB Chain at 0.33%, the three largest DeFi ecosystems by worth locked, which suggests scale and safety have been enhancing collectively fairly than at one another’s expense.
Whereas these modifications fare a lot better for the common protocol, they don’t seem to be so good for the common person. A loss can now happen in an app that carries a flaw imported from elsewhere, and the comfort that makes multi-chain apps interesting is what makes this error escalate from an area to a shared one.
Crypto spun up all these separate chains partly to keep away from relying on any single system, and the irony is that operating the identical handful of well-liked protocols throughout all of them has rebuilt the focus these chains had been meant to flee.
The following large incident could look small on the day it lands (a single logic bug in a broadly deployed protocol), however reveal its true measurement solely as soon as folks notice the identical weak code was sitting on half a dozen networks your entire time.
