Monday, June 8, 2026

DeFi’s previous hack vectors are fading



Decentralized finance has gotten a lot safer over the past six years, and a new review of protocol losses from 2020 through 2025 puts a pretty big number behind that claim.

Industry-wide DeFi losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024. Bridge hacks that once produced billion-dollar headlines now account for a tiny slice of annual totals, and the typical exploit today does about a quarter as much damage as it did at the peak.

While that is certainly good news for the crypto industry, there’s still quite a bit of risk left; it just shows up in a different place. Major protocols now often deploy the same code across Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic, so a single flaw can drain funds on every network running it at the same time, and that is the form crypto’s next systemic problem is likely to take.

We saw this in November last year, when Balancer’s V2 Composable Stable Pools were drained of roughly $128 million in under half an hour across six blockchains simultaneously.

According to Check Point Research, the attacker exploited an arithmetic precision flaw in the pools’ invariant math, nudging token balances onto a rounding boundary and then chaining batched swaps until those tiny errors compounded into a full drain.

Contracts with the same vulnerability were deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, so the exploit reached all of them at once because the flaw was embedded in the code itself, and that code had been copied everywhere.

As CryptoSlate reported at the time, eleven separate audits had failed to catch it, which tells you just how subtle this class of bug has become and why it is much harder to anticipate than the attacks that came before.

The hacks got smaller as the chains multiplied

The encouraging part of the data is that the cheap, repeatable attacks that defined crypto’s early years have largely been engineered out of existence, and total losses dropped 80% in two years, even as DeFi’s TVL kept climbing. A big drop was also seen in the median loss per incident, which fell from $6 million in 2022 to $1.5 million in 2025, a 75% decline.

The count of unique incidents actually rose to 83 in 2025, so more hacks are happening while each does far less damage, which is roughly what a maturing security field is supposed to look like.

Bridges were the defining vulnerability in 2021 and 2022, and in that second year alone, nine bridge exploits resulted in $1.9 billion in losses. These hacks were truly some of crypto’s worst moments, with the Ronin Bridge accounting for a $624 million loss on its own.

CryptoSlate tracked it on-chain as the funds moved through Tornado Cash, followed by Binance Bridge at $570 million, Wormhole at $326 million, Nomad at $190 million, Harmony at $100 million, and Qubit at $80 million.

Bridge exploits accounted for 73% of all DeFi losses that year, and by 2025, the bridge share had collapsed to 3%, thanks to improved verification mechanisms, decentralized validator sets, and a broader shift toward native cross-chain messaging.

Flash-loan attacks followed the same path down. They represented 54% of all losses in 2020, when they were the signature DeFi technique, and by 2025, they accounted for under 1%, because protocols adopted defenses tailored specifically to that attack: time-weighted average prices, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate prices within a single atomic transaction.
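
The single-transaction assumption above, as an added example in Python (not code from CryptoSlate or from any protocol named here): a fee-less constant-product pool, with constructed reserves, timestamps and trade sizes, read once through its spot price and once through a time-weighted average. The names `Pool`, `twap` and `simulate_price_push` are hypothetical.

```python
# Added example: constant-product pool with a cumulative-price accumulator.
# Reserves, timestamps and trade sizes are constructed for illustration.

class Pool:
    def __init__(self, x, y, now=0):
        self.x, self.y = float(x), float(y)  # token reserves
        self.last_ts = now
        self.cumulative = 0.0                # running sum of price * seconds

    def spot(self):
        return self.y / self.x               # price of X quoted in Y

    def _accrue(self, now):
        # Credit the price that was in force since the last interaction,
        # before any state change made by the current transaction.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap(self, amount_in, y_in, now):
        """Swap amount_in of Y (y_in=True) or X (y_in=False); no fee modelled."""
        self._accrue(now)
        k = self.x * self.y
        if y_in:
            self.y += amount_in
            out, self.x = self.x - k / self.y, k / self.y
        else:
            self.x += amount_in
            out, self.y = self.y - k / self.x, k / self.x
        return out

    def observe(self, now):
        self._accrue(now)
        return self.cumulative, now


def twap(start, end):
    (c0, t0), (c1, t1) = start, end
    return (c1 - c0) / (t1 - t0)


def simulate_price_push(hold_seconds):
    """Distort the price at t=1800, hold it for hold_seconds, then unwind."""
    pool = Pool(1000, 1000)
    start = pool.observe(0)
    bought = pool.swap(1000.0, True, 1800)   # large borrowed trade moves spot
    spot_reading = pool.spot()
    end = pool.observe(1800 + hold_seconds)
    twap_reading = twap(start, end)
    pool.swap(bought, False, 1800 + hold_seconds)  # unwind to repay the loan
    return spot_reading, twap_reading, pool.spot()
```

With `hold_seconds=0` the spot reading is 4.0 while the TWAP stays at 1.0; holding the distorted price for 12 seconds moves the TWAP only to about 1.02, and the capital is exposed to arbitrage for that whole time.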

Private-key compromises saw a similar decline, falling from 28.7% of losses in 2022 to 8.1% in 2025. Each of these categories shrank for the same underlying reason, which is that the industry recognized a repeatable pattern and built a standardized answer to it, and as CryptoSlate’s year-end review of 2025 found, these answers have largely held.

What’s left is harder to defend against

Closing off the generic attacks left behind a far more difficult class: in 2025, 89.1% of DeFi losses came from protocol logic exploits, meaning code-level flaws specific to how one application was designed. A bridge hack involves recognizable trust assumptions, and a flash-loan attack is part of a known family of techniques, so both can be defended with reusable patterns.
