// 2025 UPDATE

Breaking Down the Top 100 DeFi Hacks

2014-2024 COMPREHENSIVE REPORT


// STATS & FINDINGS

5 KEY FINDINGS

total losses from the top 100

  • $10.77 billion

most attacked chains

  • Ethereum, BSC, Bitcoin, Polygon, and Arbitrum

common exploits

  • Off-chain: 44% of total attacks

  • Compromised accounts: 47% of total losses

audited vs unaudited

  • Only 20% of hacked protocols were audited

  • Audited protocols accounted for 10.8% of the total value lost

Multi-sig and Cold Wallets

  • 19% of protocols used multi-sig wallets

  • 2.4% relied on cold wallets

  • This underutilization highlights critical gaps in private key security

// DeFi Hacks

RISE OF OFF-CHAIN ATTACKS

Off-chain incidents now account for 56.5% of attacks and 80.5% of funds lost in 2024, with compromised accounts being the most frequent and costly. Robust user credential protection is essential to curb these growing threats.

Number of Attacks Per Year

AMOUNT OF MONEY LOST PER YEAR

// Ethereum and Binance Smart Chain

THE MOST TARGETED CHAINS

Distribution of Attacks Per Chain

ORDER BY TVL AND NUMBER OF ATTACKS IN 2024

  1. The chains are ranked from largest to smallest based on Total Value Locked (TVL) and the number of hacks experienced in 2024.
  2. If a chain's marker is located below the blue line, it indicates that the chain is ranked higher (i.e., it has experienced more attacks) compared to its rank based on TVL.
  3. Chains with higher numbers of attacks than expected, relative to their TVL, might be perceived as more attractive targets due to factors beyond just the amount of value they secure.

Download the full report to learn more about the top 100 DeFi hacks and how to protect yourself from future attacks.

// AUDITING IN DEFI

A CRITICAL COMPONENT OF SECURITY AND RISK MITIGATION

The most common vulnerability leading to direct contract exploitation is missing or faulty input verification/validation, which accounts for 34.6% of the cases.

ROOT CAUSES OF DIRECT CONTRACT EXPLOITATION

"While the overall number of hacks has seen a slight rise from last year, the total financial damage continues to decline over time—yet these incidents remain a critical concern for the Web3 ecosystem. Our latest findings underscore the importance of safeguarding both on-chain and off-chain components, as off-chain vulnerabilities account for a growing share of losses each year.

We also observed that attackers are expanding their focus to emerging targets like gaming protocols and Layer 2 chains. By identifying the most likely attack vectors for each protocol type and blockchain platform, developers and auditors can proactively strengthen their defenses and reduce risk. In today's evolving threat landscape, a robust approach to security is critical for any organization looking to thrive in the Web3 space."

Mar Gimenez-Aguilar

Lead Security Architect and Researcher,
Author of the Top 100 DeFi Hacks Report


// THE ACHILLES HEEL OF DEFI

SMART CONTRACT VULNERABILITIES

These findings emphasize the need to improve smart contract security, implement robust key management practices, and mitigate risks in the DeFi ecosystem.

TYPES OF ATTACKS

  1. In the last two years, compromised accounts have accounted for more than 50% of all attacks.
  2. Market manipulation was the leading cause of hacks in 2021, accounting for 32.1% of incidents.
  3. Governance attacks made up 5% and 5.6% in 2022 and 2024, respectively.

A BREAKDOWN OF SMART CONTRACT VULNERABILITY TYPES

  1. Reentrancy: Peaked initially, decreased in 2022, surged in 2023, and seems less prevalent in 2024.
  2. Faulty Input Verification/Validation: Primary cause of hacks in 2021, 2022, and 2024, and shares the first spot by occurrence in 2020.

// STAY AHEAD OF HACKERS

5 BEST PRACTICES FOR PREVENTING DEFI BREACHES

01 Go beyond Smart Contract Audits – Secure the Full Ecosystem:

Traditional audits aren't enough. Assess interactions with oracles, APIs, and market conditions to catch vulnerabilities in governance, price feeds, and external dependencies before attackers exploit them.

02 Strengthen Account Security Against Off-Chain Threats:

Off-chain attacks accounted for 80.5% of stolen funds in 2024, and compromised accounts made up 55.6% of all incidents for that year. Robust authentication measures—such as hardware security modules (HSMs), multi-factor authentication (MFA), and privileged access controls—are essential to protecting user credentials.

03 Adopt Multi-Sig/MPC Wallets and Cold Storage for Key Assets:

Only 19% of hacked protocols used multi-sig wallets, and just 2.4% employed cold storage. Secure private keys with multi-party computation (MPC) solutions and cold wallets to prevent single points of failure.

04 Mitigate Flash Loan Exploits with Adaptive Safeguards:

Flash loan attacks surged in 2024, making up 83.3% of eligible exploits. Implement borrowing caps, require time delays on governance actions, and introduce circuit breakers to limit manipulation risks.

05 Enhance Transparency and Real-Time Monitoring:

Over 54% of off-chain attacks lack clear origins. Increasing transparency in security disclosures, maintaining real-time monitoring for anomalies, and deploying AI-driven threat detection can help detect and mitigate breaches before they escalate.

© Halborn 2025. All rights reserved.