DeFi’s old hack vectors are fading – But the new risk can hit six chains at once
Decentralized finance has gotten much safer over the past six years, and a new review of protocol losses from 2020 through 2025 puts a fairly big number behind that claim.
Industry-wide DeFi losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024. Bridge hacks that once produced billion-dollar headlines now account for a tiny slice of annual totals, and the typical exploit today does about a quarter as much damage as it did at the peak.
While that is definitely good news for the crypto industry, there’s still quite a bit of risk left; it just shows up in a different place. Major protocols now often deploy the same code across Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic, so a single flaw can drain funds on every network running it at the same time, and that is the form crypto’s next systemic problem is likely to take.
We saw this in November last year, when Balancer’s V2 Composable Stable Pools were drained of roughly $128 million in under half an hour across six blockchains simultaneously.
According to Check Point Research, the attacker exploited an arithmetic precision flaw in the pools’ invariant math, nudging token balances onto a rounding boundary and then chaining batched swaps until those tiny errors compounded into a full drain.
Contracts with the same vulnerability were deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, so the exploit reached all of them at once because the flaw was embedded in the code itself, and that code had been copied everywhere.
As CryptoSlate reported at the time, eleven separate audits had failed to catch it, which tells you just how sophisticated this class of bug has become and why it is much harder to anticipate than the attacks that came before.
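The rounding mechanism described above, as an added example that is not from Check Point Research, Balancer, or the original article. It uses a constructed constant-product pool in integer math as a simpler stand-in for the stable-pool invariant (all names and balances are assumptions) and shows that quotes rounded in the trader's favor let a batch of swaps shrink the invariant, while quotes rounded in the pool's favor never do.

```python
# Constructed toy model: a constant-product pool (x * y = k) in integer math.
# It is NOT Balancer's stable-pool invariant; it only shows how the rounding
# direction decides whether chained swaps can erode the invariant.

def amount_in(reserve_in, reserve_out, out, round_up):
    """Input required to withdraw `out` units from `reserve_out`."""
    num, den = reserve_in * out, reserve_out - out
    # -(-a // b) is integer ceiling division for positive a and b.
    return -(-num // den) if round_up else num // den

def swap(pool, token_out, out, round_up):
    """Apply one exact-out swap and return the new (x, y) balances."""
    x, y = pool
    if token_out == "y":
        return (x + amount_in(x, y, out, round_up), y - out)
    return (x - out, y + amount_in(y, x, out, round_up))

def run_batch(pool, steps, round_up):
    """Run a batch of swaps; return final balances and k after every step."""
    trace = [pool[0] * pool[1]]
    for token_out, out in steps:
        pool = swap(pool, token_out, out, round_up)
        trace.append(pool[0] * pool[1])
    return pool, trace

def invariant_held(trace):
    """Defender's check: k must never decrease inside a batch."""
    return all(b >= a for a, b in zip(trace, trace[1:]))

# Constructed batch at very low balances, alternating swap direction.
START = (10, 10)
BATCH = [("y", 1), ("x", 1)] * 5

if __name__ == "__main__":
    for label, up in (("round down (trader's favor)", False),
                      ("round up (pool's favor)", True)):
        pool, trace = run_batch(START, BATCH, up)
        print(label, pool, trace, "invariant held:", invariant_held(trace))
```

A non-decreasing-invariant assertion of this kind is the sort of property a fuzzing or batch-level test can check across every deployment of the same code.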
The hacks got smaller as the chains multiplied
The encouraging part of the data is that the cheap, repeatable attacks that defined crypto’s early years have largely been engineered out of existence, and total losses dropped 80% in two years, even as DeFi’s TVL kept climbing. A big drop was also seen in the median loss per incident, which fell from $6 million in 2022 to $1.5 million in 2025, a 75% decline.
The count of unique incidents actually rose to 83 in 2025, so more hacks are happening while each does far less damage, which is roughly what a maturing security field is supposed to look like.
Bridges were the defining vulnerability in 2021 and 2022, and in that second year alone, nine bridge exploits resulted in $1.9 billion in losses. These hacks were some of crypto’s worst moments, with the Ronin Bridge accounting for a $624 million loss on its own.
CryptoSlate tracked it on-chain as the funds moved through Tornado Cash; it was followed by Binance Bridge at $570 million, Wormhole at $326 million, Nomad at $190 million, Harmony at $100 million, and Qubit at $80 million.
Bridge exploits accounted for 73% of all DeFi losses that year, and by 2025, the bridge share had collapsed to 3%, thanks to improved verification mechanisms, decentralized validator sets, and a broader shift toward native cross-chain messaging.
Flash-loan attacks followed the same path down. They represented 54% of all losses in 2020, when they were the signature DeFi technique, and by 2025 they accounted for under 1%, because protocols adopted defenses tailored specifically to that attack: time-weighted average prices, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate prices within a single atomic transaction.
Private-key compromises saw a similar decline, falling from 28.7% of losses in 2022 to 8.1% in 2025. Each of these categories shrank for the same underlying reason, which is that the industry recognized a repeatable pattern and built a standardized answer to it, and as CryptoSlate’s year-end review of 2025 found, these answers have largely held.
What’s left is harder to defend against
Closing off the generic attacks left behind a much more difficult category: in 2025, 89.1% of DeFi losses came from protocol logic exploits, meaning code-level flaws specific to how one application was designed. A bridge hack involves recognizable trust assumptions, and a flash-loan attack is part of a known family of techniques, so both can be defended with reusable patterns.
However, a protocol logic bug is bespoke by nature. It emerges from the particular math, access controls, or composability choices of a single codebase, making it hard to defend against systematically, because each instance is its own puzzle and shares little with the last.
Multi-chain deployment is what turns one of these bespoke bugs into a full-blown crisis. ImmuneFi’s report draws a direct line from the defining multi-chain incident of 2021, the roughly $611 million Poly Network exploit, to Balancer in 2025.
Poly Network was a failure at the connection level between systems, the kind of choke point that bridges create, while Balancer was the same logic failing identically across networks that share code, signer paths, and verification assumptions. Once a chain becomes part of the default deployment map for major protocols, it absorbs the risk surface of everything it hosts, however sound its own infrastructure happens to be.
That changes how you measure an ecosystem’s security, and the report’s methodology shows this by attributing the full loss from a multi-chain exploit to every affected chain, on the logic that participants across all six networks were exposed to the full impact.
The trade-off is that the 2025 hack figures for Polygon, OP Mainnet, Base, and Sonic are heavily influenced by the Balancer cascade. The report also strips out centralized exchange failures entirely, which is why the year’s largest single theft, the $1.5 billion Bybit hack that the FBI attributed to North Korea, is considered a custody failure rather than a protocol one.
On a loss-to-TVL basis, the safest tier among major ecosystems was Ethereum at around 0.42%, Solana at 0.42%, and BNB Chain at 0.33%, the three largest DeFi ecosystems by value locked, which suggests scale and security have been improving together rather than at each other’s expense.
While these changes bode much better for the average protocol, they are not so good for the average user. A loss can now occur in an app that carries a flaw imported from elsewhere, and the convenience that makes multi-chain apps appealing is what makes this error escalate from a local one to a shared one.
Crypto spun up all these separate chains partly to avoid depending on any single system, and the irony is that running the same handful of popular protocols across all of them has rebuilt the concentration these chains were meant to escape.
The next big incident may look small on the day it lands (a single logic bug in a widely deployed protocol), but reveal its true size only once people realize the same vulnerable code was sitting on half a dozen networks the whole time.
The post DeFi’s old hack vectors are fading – But the new risk can hit six chains at once appeared first on CryptoSlate.
