DeFi’s old hack vectors are fading – But the new risk can hit six chains at once

Decentralized finance has gotten a lot safer over the past six years, and a new review of protocol losses from 2020 through 2025 puts a pretty large number behind that claim.

Industry-wide DeFi losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024. Bridge hacks that once produced billion-dollar headlines now account for a tiny slice of annual totals, and the typical exploit today does about a quarter as much damage as it did at the peak.

While this is certainly great news for the crypto industry, there’s still quite a bit of risk left; it just shows up in a different place. Major protocols now often deploy the same code across Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic, so a single flaw can now drain funds on every network running it at the same time, and that’s the form crypto’s next systemic problem is likely to take.

We’ve seen this in November last year, when Balancer’s V2 Composable Stable Pools were drained of roughly $128 million in under half an hour across six blockchains simultaneously.

According to Check Point Research, the attacker exploited an arithmetic precision flaw in the pools’ invariant math, nudging token balances onto a rounding boundary and then chaining batched swaps until those tiny errors compounded into a full drain.

The contracts with the same vulnerability had been deployed on Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, so the exploit reached all of them at once because the flaw was embedded in the code itself, and that code had been copied everywhere.

As CryptoSlate reported at the time, eleven separate audits had failed to catch it, which tells you just how subtle this class of bug has become and why it’s so much harder to anticipate than the attacks that came before.

The hacks got smaller as the chains multiplied

The encouraging part of the data is that the cheap, repeatable attacks that defined crypto’s early years have mostly been engineered out of existence, and total losses dropped 80% in two years, even as DeFi’s TVL kept climbing. A huge drop was also seen in the median loss per incident, which fell from $6 million in 2022 to $1.5 million in 2025, a 75% decline.

The count of unique incidents actually rose to 83 in 2025, so more hacks are happening while each one does far less damage, which is roughly what a maturing security field is supposed to look like.

Bridges were the defining vulnerability in 2021 and 2022, and in that second year alone, nine bridge exploits resulted in $1.9 billion in losses. These hacks were truly some of crypto’s worst moments, with the Ronin Bridge accounting for a $624 million loss on its own.

CryptoSlate tracked it on-chain as the funds moved through Tornado Cash, followed by Binance Bridge at $570 million, Wormhole at $326 million, Nomad at $190 million, Harmony at $100 million, and Qubit at $80 million.

It accounted for 73% of all DeFi losses that year, and by 2025, the bridge’s share had collapsed to 3%, thanks to improved verification mechanisms, decentralized validator sets, and a broader shift toward native cross-chain messaging.

Flash-loan attacks followed the same path down. They represented 54% of all losses in 2020 when they were the signature DeFi technique, and by 2025, they accounted for under 1%, because protocols adopted defenses tailored specifically to that attack: time-weighted average prices, Chainlink oracle integrations, reentrancy guards, and designs that assume an attacker can manipulate prices within a single atomic transaction.

Private-key compromises saw a similar decline, falling from 28.7% of losses in 2022 to 8.1% in 2025. Each of these categories shrank for the same underlying reason, which is that the industry recognized a repeatable pattern and built a standardized answer to it, and as CryptoSlate’s year-end review of 2025 found, those answers have largely held.

What’s left is harder to defend against

Closing off the generic attacks left behind a far more difficult category: in 2025, 89.1% of DeFi losses came from protocol logic exploits, meaning code-level flaws specific to how one application was designed. A bridge hack involves recognizable trust assumptions, and a flash-loan attack is part of a known family of techniques, so both can be defended with reusable patterns.

However, a protocol logic bug is bespoke by nature. It emerges from the particular math, access controls, or composability choices of a single codebase, making it hard to defend against systematically, because each instance is its own puzzle and shares little with the last.

Multi-chain deployment is what turns one of these bespoke bugs into a full-blown crisis. ImmuneFi’s report draws a direct line from the defining multi-chain incident of 2021, the roughly $611 million Poly Network exploit, to Balancer in 2025.

Poly Network was a failure at the connection point between systems, the kind of choke point that bridges create, whereas Balancer was the same logic failing identically across networks that share code, signer paths, and verification assumptions. Once a chain becomes part of the default deployment map for major protocols, it absorbs the risk surface of everything it hosts, however sound its own infrastructure happens to be.

That changes how you measure an ecosystem’s safety, and the report’s method shows this by attributing the full loss from a multi-chain exploit to each affected chain, on the logic that participants across all six networks were exposed to the full impact.

The trade-off is that the 2025 hack figures for Polygon, OP Mainnet, Base, and Sonic are heavily influenced by the Balancer cascade. The report also strips out centralized exchange failures entirely, which is why the year’s largest single theft, the $1.5 billion Bybit hack that the FBI attributed to North Korea, is considered a custody failure rather than a protocol one.

On a loss-to-TVL basis, the safest tier among major ecosystems was Ethereum at around 0.42%, Solana at 0.42%, and BNB Chain at 0.33%, the three largest DeFi ecosystems by value locked, which suggests scale and security have been improving together rather than at each other’s expense.

While these changes fare much better for the average protocol, they’re not so good for the average user. A loss can now occur in an app that carries a flaw imported from elsewhere, and the convenience that makes multi-chain apps appealing is what makes this mistake escalate from a local to a shared one.

Crypto spun up all these separate chains partly to avoid depending on any single system, and the irony is that running the same handful of popular protocols across all of them has rebuilt the concentration those chains were meant to escape.

The next big incident may look small on the day it lands (a single logic bug in a widely deployed protocol), but reveal its true size only once people realize the same vulnerable code was sitting on half a dozen networks the entire time.