Lending protocols are some of the most active DeFi apps. Due to the heavy usage of smart contracts, they are also the most at risk for hacks and exploits.
Lending protocols logged the biggest number of exploits among DeFi attacks. Historically, lending protocols suffered 67 attacks in total, out of 267 DeFi incidents reported by Sentora.
Lending protocols are attractive for exploiters for several reasons. They contain well-funded vaults with stablecoins or valuable collateral, often in the form of ETH or BTC. Additionally, most of the on-chain lending is permissionless and relies on smart contracts.
The other main reason is the possibility of flash loans, which are in themselves an exploit, causing market losses. Protocols also faced risks from oracles and pricing, as well as the triggering of liquidations.
Lending protocols also sometimes use new tokens to pay interest, leading to minting exploits.
Technical error is the main reason for losses from lending protocols
Overall, most large protocols aim to increase their security and audit their smart contracts. The chief source of losses for the past 12 months ended January 2026 shows a dominance of technical issues.
Smart contract bugs were the root cause of the majority of incidents. The second most notable cause was compromised private keys or multisig wallets. In total, smart contracts led to $526M losses across 48 incidents in the past year.
Lending protocols hold $53B in reported value locked, and may remain a target for exploits. The attacks target smaller protocols and sometimes, specific vaults. As Cryptopolitan reported, projects like Moonwell were exploited through flaws in oracles and pricing data.
Price manipulation incidents were also a key type of exploit, with a total of 13 incidents in the past year and $65M in losses.
Even audited protocols were at risk, losing a total of $515M. Out-of-scope exploits lost $193M, while unaudited contracts leaked another $77M in 24 incidents. Historically, among the top 30 hacks, unaudited code is the main reason in 58.4% of cases. Most projects go through audits, but this does not protect them from all risks, as on-chain apps have multiple sources of input and interaction.
Most of the attacks against DeFi rely on careful tracking and deep knowledge of their smart contracts. The other vector of stealing funds is directed at end users. While DeFi is permissionless, new cloned DEXs are appearing. Some pretend to be decentralized, but hold user deposits and require additional fees to withdraw.