DeFi hacks drop 80% but multi-chain flaws emerge as new risk

Decentralized finance has gotten a lot safer over the past six years. A new review of protocol losses from 2020 through 2025 puts a large number behind that claim.

Industry-wide DeFi losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024. Bridge hacks that once produced billion-dollar headlines now account for a tiny slice of annual totals. The typical exploit today does about a quarter as much damage as it did at the peak.

Losses fell despite more chains and users

The encouraging part of the data is that cheap, repeatable attacks have mostly been engineered out of existence. Total losses dropped 80% in two years, even as DeFi’s TVL kept climbing. The median loss per incident fell from $6 million in 2022 to $1.5 million in 2025, a 75% decline.

The count of unique incidents rose to 83 in 2025. More hacks are happening while each one does far less damage. That is roughly what a maturing security field is supposed to look like.

Bridges were the defining vulnerability in 2021 and 2022. In that second year alone, nine bridge exploits resulted in $1.9 billion in losses. The Ronin Bridge accounted for a $624 million loss on its own. Bridge hacks represented 73% of all DeFi losses that year. By 2025, the bridge’s share had collapsed to 3%. Improved verification mechanisms, decentralized validator sets, and a shift toward native cross-chain messaging helped shrink that category.

Flash-loan attacks followed the same path down. They represented 54% of all losses in 2020. By 2025, they accounted for under 1%. Protocols adopted defenses tailored to that attack: time-weighted average prices, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate prices within a single atomic transaction.

Private-key compromises saw a similar decline. They fell from 28.7% of losses in 2022 to 8.1% in 2025. Each of these categories shrank because the industry recognized a repeatable pattern and built standardized answers.

What’s left is harder to defend against

Closing off generic attacks left behind a far more difficult category. In 2025, 89.1% of DeFi losses came from protocol logic exploits. These are code-level flaws specific to how one application was designed. A bridge hack involves recognizable trust assumptions. A flash-loan attack is part of a known family of techniques. Both can be defended with reusable patterns.

A protocol logic bug is bespoke by nature. It emerges from the particular math, access controls, or composability choices of a single codebase. It is hard to defend against systematically because each instance is its own puzzle.

Multi-chain deployment turns bugs into crises

Multi-chain deployment turns one of these bespoke bugs into a full-blown crisis. Major protocols often deploy the same code across Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic. A single flaw can drain funds on every network running it at the same time.

We saw this in November 2024 when Balancer’s V2 Composable Stable Pools were drained of roughly $128 million in under half an hour across six blockchains simultaneously. According to Check Point Research, the attacker exploited an arithmetic precision flaw in the pools’ invariant math. They nudged token balances onto a rounding boundary and then chained batched swaps until those tiny errors compounded into a full drain.

The contracts with the same vulnerability had been deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet. The exploit reached all of them at once because the flaw was embedded in the code itself, and that code had been copied everywhere. Eleven separate audits had failed to catch it.

ImmuneFi’s report draws a direct line from the roughly $611 million Poly Network exploit in 2021 to Balancer in 2025. Poly Network was a failure at the connection point between systems. Balancer was the same logic failing identically across networks that share code, signer paths, and verification assumptions.

Measuring safety has changed

Once a chain becomes part of the default deployment map for major protocols, it absorbs the risk surface of everything it hosts. The report attributes the full loss from a multi-chain exploit to each affected chain. Participants across all six networks were exposed to the full impact.

The 2025 hack figures for Polygon, OP Mainnet, Base, and Sonic are heavily influenced by the Balancer cascade. The report strips out centralized exchange failures entirely. The year’s largest single theft, the $1.5 billion Bybit hack that the FBI attributed to North Korea, is considered a custody failure rather than a protocol one.

On a loss-to-TVL basis, the safest tier among major ecosystems was Ethereum at around 0.42%, Solana at 0.42%, and BNB Chain at 0.33%. These three largest DeFi ecosystems suggest scale and security have been improving together.

A loss can now occur in an app that carries a flaw imported from elsewhere. The convenience that makes multi-chain apps appealing is what makes this mistake escalate from a local to a shared one. Crypto spun up separate chains partly to avoid depending on any single system. Running the same handful of popular protocols across all of them has rebuilt the concentration those chains were meant to escape.

The next big incident may look small on the day it lands, a single logic bug in a widely deployed protocol. Its true size will reveal itself only once people realize the same vulnerable code was sitting on half a dozen networks the entire time.

The post DeFi hacks drop 80% but multi-chain flaws emerge as new risk appeared first on TheCryptoUpdates.