Decentralized finance has become a lot more secure over the past six years, and a new assessment of protocol losses from 2020 through 2025 puts a pretty big number behind that claim.
DeFi losses across the industry peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million in 2024. Bridge hacks that once generated billions of dollars in headlines now account for a tiny fraction of annual totals, and the typical exploit is doing about a quarter as much damage today as it did at its peak.
While this is certainly great news for the crypto industry, there is still quite a bit of risk; it just appears in a different place. Major protocols now often use the same code across Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic, so a single mistake can now drain money from every network running on it at the same time, and that’s the form crypto’s next systemic problem will likely take.
We saw this last November, when Balancer’s V2 Composable Stable Pools emptied approximately $128 million across six blockchains simultaneously in less than half an hour.
According to Check Point Research, the attacker exploited an arithmetic precision flaw in the pools’ invariant math by pushing token balances to a rounding boundary and then chaining batch swaps together until these small errors compounded into a full drain.
The contracts with the same vulnerability were deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, so the exploit hit them all at once because the flaw was embedded in the code itself and that code was copied everywhere.
At the time, it was reported that eleven separate audits had failed to detect this, which highlights just how subtle this class of bugs has become and why it is so much harder to anticipate than the attacks that preceded it.
The hacks became smaller as the chains multiplied
The encouraging part of the data is that the cheap, repeatable attacks that defined crypto’s early years have largely disappeared, and overall losses have fallen by 80% in two years, even as DeFi’s TVL continued to rise. There was also a huge drop in the average loss per incident, which fell from $6 million in 2022 to $1.5 million in 2025, a drop of 75%.
In fact, the number of unique incidents increased to 83 in 2025, so more hacks are happening while causing much less damage, which is roughly what a mature security field should look like.
Bridges were the defining vulnerability in 2021 and 2022, and in that second year alone, nine bridge exploits resulted in losses of $1.9 billion. These hacks were truly some of crypto’s worst moments, with the Ronin Bridge itself responsible for a $624 million loss.
The stolen money was followed on-chain as it flowed through Tornado Cash. Ronin was followed by Binance Bridge at $570 million, Wormhole at $326 million, Nomad at $190 million, Harmony at $100 million and Qubit at $80 million.
Bridges were responsible for 73% of all DeFi losses that year, and by 2025 their share had fallen to 3%, thanks to improved verification mechanisms, decentralized validator sets, and a broader shift to native cross-chain messaging.
Flash loan attacks followed the same path. They accounted for 54% of all losses in 2020, when they were the signature DeFi technique, and by 2025 they accounted for less than 1% as protocols adopted defenses specifically tailored to that attack: time-weighted average prices, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate prices within a single atomic transaction.
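Added example (not from the report or from any protocol's code): a Python sketch of why a time-weighted average price blunts the single-transaction manipulation described above, with a deviation guard on top. The function names, the 30-minute window, the 12-second block, the 500 bps threshold and all price samples are constructed for illustration.

```python
from fractions import Fraction

def twap(observations, start, end):
    """Time-weighted average of a step-function price over [start, end).

    observations: time-ordered (timestamp, price) pairs; each price holds
    from its timestamp until the next observation's timestamp.
    """
    total = Fraction(0)
    following = observations[1:] + [(end, None)]
    for (ts, price), (next_ts, _) in zip(observations, following):
        lo, hi = max(ts, start), min(next_ts, end)
        if hi > lo:  # a price that lasted zero seconds carries no weight
            total += Fraction(price) * (hi - lo)
    return total / (end - start)

def deviation_bps(spot, reference):
    """Absolute gap between spot and reference, in basis points."""
    return abs(Fraction(spot) - reference) * 10_000 / reference

def accept_price(spot, reference, max_bps=500):
    """Guard: refuse to act on a spot price far from the TWAP."""
    return deviation_bps(spot, reference) <= max_bps

# Constructed samples: (seconds, price) over a 30-minute (1800 s) window.
HONEST = [(0, 2000)]
# Price pushed to 20000 and restored inside one transaction (same timestamp).
ATOMIC = [(0, 2000), (1788, 20000), (1788, 2000)]
# Price held at 20000 for one whole 12-second block.
ONE_BLOCK = [(0, 2000), (1788, 20000), (1800, 2000)]

def demo():
    """TWAP for each constructed scenario."""
    return {
        "honest": twap(HONEST, 0, 1800),
        "atomic": twap(ATOMIC, 0, 1800),
        "one_block": twap(ONE_BLOCK, 0, 1800),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} twap={float(value):8.2f} "
              f"spot 20000 accepted={accept_price(20000, value)}")
```

A tenfold spot move that is undone within the same transaction leaves the average untouched, and one held for a full block shifts it by 6%, which is why a consumer that reads the TWAP and rejects large spot deviations is not steered by the spike.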
Private key compromises saw a similar decline, from 28.7% of losses in 2022 to 8.1% in 2025. Each of these categories shrank for the same underlying reason, namely that the industry recognized a repeatable pattern and built a standardized response around it, and, as CryptoSlate’s 2025 final evaluation showed, these responses largely held up.
What remains is more difficult to defend
Cutting off the generic attacks left behind a much tougher category: by 2025, 89.1% of DeFi losses came from protocol logic exploits, meaning code-level errors specific to the way an application is designed. A bridge hack involves recognizable trust assumptions, and a flash loan attack is part of a well-known family of techniques, so both can be defended with reusable patterns.
However, a protocol logic bug is custom in nature. It arises from the specific math, access controls, or composability choices of a single codebase, making it difficult to defend against systematically because each instance is its own puzzle and has little in common with the previous one.
Multi-chain deployment is what turns one of these custom bugs into a full-blown crisis. ImmuneFi’s report draws a direct line from the defining multi-chain incident of 2021, the approximately $611 million Poly Network exploit, to Balancer in 2025.
Poly Network was a failure at the connection point between systems, the kind of bottleneck that bridges create, while Balancer was the same logic failing identically across networks that share code, signer paths, and authentication assumptions. Once a chain becomes part of the standard deployment map for major protocols, it absorbs the risk surface of whatever is hosted there, no matter how good its own infrastructure is.
That changes the way you measure the security of an ecosystem, and the report’s methodology shows this by attributing the full loss of a multi-chain exploit to each affected chain, based on the logic that participants in all six networks were exposed to the full impact.
The trade-off is that the 2025 hack rates for Polygon, OP Mainnet, Base, and Sonic are heavily influenced by the Balancer cascade. The report also excludes centralized exchange failures entirely. That’s why the biggest theft of the year, the $1.5 billion Bybit hack that the FBI attributed to North Korea, is considered a custody failure rather than a protocol error.
On a loss-to-TVL basis, the most secure tier of the major ecosystems was Ethereum at around 0.42%, Solana at 0.42% and BNB Chain at 0.33%, the three largest DeFi ecosystems by value locked, suggesting that scale and security have improved together rather than at the expense of each other.
While these changes are much better for the average protocol, they are not so good for the average user. Loss can now occur in an app that contains an error imported from elsewhere, and the convenience that makes multi-chain apps attractive allows this error to escalate from a local to a shared error.
Crypto set up all these separate chains in part to avoid being dependent on a single system, and the irony is that running the same handful of popular protocols across all these chains has rebuilt the concentration that these chains were meant to escape.
The next big incident may seem small on the day it occurs (a single logical bug in a widespread protocol), but it won’t reveal its true scale until people realize that the same vulnerable code was present on half a dozen networks all along.

