Month in Review: Top DeFi Hacks of October 2025

POSTED BY: Rob Behnke

11.03.2025

Compared to previous months, October 2025 was extremely slow in terms of major DeFi hacks and total losses. Only three DeFi hacks crossed the $1 million threshold. In total, about $16 million was lost across these three hacks.

Biggest DeFi Hacks of October 2025

Three hacks in October 2025 involved losses of at least $1 million:

  • Abracadabra: Abracadabra, a decentralized lending protocol and the maker of the Magic Internet Money (MIM) stablecoin, suffered a $1.8 million hack. The attacker exploited a flaw in how the contract managed state for multiple actions within the same transaction, allowing them to borrow far more than their collateral should have permitted.


  • Typus Finance: In October 2025, Typus Finance suffered a $3.4 million hack. The attacker took advantage of access control issues within the project’s custom price oracle to drain funds from the project.


  • Garden Finance: The October 2025 hack of Garden Finance included an estimated $11 million in losses. The attacker targeted a single solver within the protocol’s network, draining funds across multiple chains.

The PYUSD Incident

Although it was caused by a flawed internal transfer rather than an attack, the Paxos/PYUSD incident belongs in any roundup of the biggest DeFi security events of October 2025. PYUSD is PayPal’s stablecoin, created by Paxos, and is an example of a “regulated stablecoin”.

In October 2025, a botched internal transfer resulted in the accidental mint of about $300 trillion PYUSD. While the accidentally minted tokens were swiftly destroyed by sending them to a burn address, this mistake underscores the limitations of stablecoin regulation without effective technical enforcement. In this case, a single private key controlled an account with unlimited minting privileges for the stablecoin, allowing a single typo to cast the strength and security of the “regulated” stablecoin into doubt.
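One way to enforce mint limits on-chain rather than by policy, shown as an added example that is not Paxos or PYUSD code: a hypothetical `GuardedMint` ledger where a mint needs two distinct keys and must fit under a per-mint ceiling and a total supply cap. The contract name, roles and limits are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration with hypothetical names; not Paxos or PYUSD code.
// A mint needs two distinct keys and must pass hard on-chain limits,
// so a mistyped amount reverts instead of creating tokens.
contract GuardedMint {
    address public immutable proposer;   // key that requests a mint
    address public immutable approver;   // second, independent key
    uint256 public immutable maxPerMint; // ceiling for a single mint
    uint256 public immutable supplyCap;  // ceiling for total supply

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    struct Request { address to; uint256 amount; bool open; }
    mapping(uint256 => Request) public requests;
    uint256 public nextId;

    event MintProposed(uint256 indexed id, address indexed to, uint256 amount);
    event MintExecuted(uint256 indexed id, address indexed to, uint256 amount);

    constructor(address _proposer, address _approver, uint256 _maxPerMint, uint256 _supplyCap) {
        require(_proposer != _approver, "keys must differ");
        proposer = _proposer;
        approver = _approver;
        maxPerMint = _maxPerMint;
        supplyCap = _supplyCap;
    }

    // Step 1: the proposer key files a request; oversized amounts revert here.
    function proposeMint(address to, uint256 amount) external returns (uint256 id) {
        require(msg.sender == proposer, "not proposer");
        require(to != address(0), "zero recipient");
        require(amount > 0 && amount <= maxPerMint, "amount outside per-mint limit");
        id = nextId++;
        requests[id] = Request(to, amount, true);
        emit MintProposed(id, to, amount);
    }

    // Step 2: a different key executes it, subject to the total supply cap.
    function approveMint(uint256 id) external {
        require(msg.sender == approver, "not approver");
        Request storage r = requests[id];
        require(r.open, "no open request");
        require(totalSupply + r.amount <= supplyCap, "supply cap exceeded");
        r.open = false; // each request can be executed only once
        totalSupply += r.amount;
        balanceOf[r.to] += r.amount;
        emit MintExecuted(id, r.to, r.amount);
    }
}
```

With these checks, an amount with extra digits fails at `proposeMint`, and no single key can complete a mint alone.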

Lessons Learned from the Attacks

Unusually for 2025, two of the major DeFi hacks performed this month involved smart contract vulnerabilities, while the third (Garden) targeted off-chain infrastructure. While many of the biggest attacks of this year have involved off-chain attacks targeting private keys or multi-sig signers, DeFi hackers still search for vulnerable smart contracts and exploit them when they are found.

These incidents demonstrate the importance of performing comprehensive smart contract security audits on all code before it is deployed on-chain. Often, major attacks target elements of a codebase that fall outside the scope of past audits and slip through the cracks. For help with ensuring that your project’s code is secure and that your processes avoid security flaws like the ones that made the PYUSD incident possible, get in touch.

Disclaimer

The information in this blog is for general educational and informational purposes only and does not constitute legal, financial, or professional advice. Halborn makes no representations as to the accuracy or completeness of the content, which may be updated or changed without notice.

© Halborn 2025. All rights reserved.