
© Halborn 2026. All rights reserved.

// 2025 UPDATE

Breaking Down the Top 100 DeFi Hacks

2014-2024 COMPREHENSIVE REPORT

// STATS & FINDINGS

5 KEY FINDINGS

TOTAL LOSSES FROM TOP 100

$10.77 billion

Total losses

  • $10.77 billion

Most attacked chains

  • Ethereum, BSC, Bitcoin, Polygon, and Arbitrum

Common exploits

  • Off-chain: 44% of total attacks

  • Compromised accounts: 47% of total losses

Audited vs unaudited

  • Only 20% of hacked protocols were audited

  • Audited protocols accounted for 10.8% of the total value lost

Multi-sig and Cold Wallets

  • 19% of protocols used multi-sig wallets

  • 2.4% relied on cold wallets

  • This underutilization highlights critical gaps in private key security

// DeFi Hacks

RISE OF OFF-CHAIN ATTACKS

Off-chain incidents now account for 56.5% of attacks and 80.5% of funds lost in 2024, with compromised accounts being the most frequent and costly. Robust user credential protection is essential to curb these growing threats.

[Chart: Number of Attacks Per Year]

[Chart: Amount of Money Lost Per Year]

// Ethereum and Binance Smart Chain

THE MOST TARGETED CHAINS

[Chart: Distribution of Attacks Per Chain]

ORDER BY TVL AND NUMBER OF ATTACKS IN 2024

  1. The chains are ranked from largest to smallest based on Total Value Locked (TVL) and the number of hacks experienced in 2024.
  2. If a chain's marker is located below the blue line, it indicates that the chain is ranked higher (i.e., it has experienced more attacks) compared to its rank based on TVL.
  3. Chains with higher numbers of attacks than expected, relative to their TVL, might be perceived as more attractive targets due to factors beyond just the amount of value they secure.

Download the full report to learn more about the top 100 DeFi hacks and how to protect yourself from future attacks.

// AUDITING IN DEFI

A CRITICAL COMPONENT OF SECURITY AND RISK MITIGATION

The most common vulnerability leading to direct contract exploitation is missing or faulty input verification/validation, which accounts for 34.6% of the cases.

[Chart: Root Causes of Direct Contract Exploitation]

"While the overall number of hacks has seen a slight rise from last year, the total financial damage continues to decline over time—yet these incidents remain a critical concern for the blockchain ecosystem. Our latest findings underscore the importance of safeguarding both on-chain and off-chain components, as off-chain vulnerabilities account for a growing share of losses each year.

We also observed that attackers are expanding their focus to emerging targets like gaming protocols and Layer 2 chains. By identifying the most likely attack vectors for each protocol type and blockchain platform, developers and auditors can proactively strengthen their defenses and reduce risk. In today's evolving threat landscape, a robust approach to security is critical for any organization looking to thrive in the blockchain space."

Mar Gimenez-Aguilar

Lead Security Architect and Researcher,
Author of the Top 100 DeFi Hacks Report

// THE ACHILLES HEEL OF DEFI

SMART CONTRACT VULNERABILITIES

These findings emphasize the need for improving smart contract security, implementing robust key management practices, and mitigating risks in the DeFi ecosystem.

TYPES OF ATTACKS

  1. In the last two years, compromised accounts have accounted for more than 50% of all attacks.
  2. Market manipulation was the leading cause of hacks in 2021, accounting for 32.1% of incidents.
  3. Governance attacks in 2022 and 2024 made up 5% and 5.6%, respectively.

A BREAKDOWN OF SMART CONTRACT VULNERABILITY TYPES

  1. Reentrancy: Peaked initially, decreased in 2022, surged in 2023, and seems less prevalent in 2024.
  2. Faulty Input Verification/Validation: Primary cause of hacks in 2021, 2022, and 2024, and shares the first spot by occurrence in 2020.

// STAY AHEAD OF HACKERS

5 BEST PRACTICES FOR PREVENTING DEFI BREACHES

01

Go beyond Smart Contract Audits – Secure the Full Ecosystem:

Traditional audits aren't enough. Assess interactions with oracles, APIs, and market conditions to catch vulnerabilities in governance, price feeds, and external dependencies before attackers exploit them.

02

Strengthen Account Security Against Off-Chain Threats:

Off-chain attacks accounted for 80.5% of stolen funds in 2024, and compromised accounts made up 55.6% of all incidents for that year. Robust authentication measures—such as hardware security modules (HSMs), multi-factor authentication (MFA), and privileged access controls—are essential to protecting user credentials.

03

Adopt Multi-Sig/MPC Wallets and Cold Storage for Key Assets:

Only 19% of hacked protocols used multi-sig wallets, and just 2.4% employed cold storage. Secure private keys with multi-party computation (MPC) solutions and cold wallets to prevent single points of failure.

04

Mitigate Flash Loan Exploits with Adaptive Safeguards:

Flash loan attacks surged in 2024, making up 83.3% of eligible exploits. Implement borrowing caps, require time delays on governance actions, and introduce circuit breakers to limit manipulation risks.

05

Enhance Transparency and Real-Time Monitoring:

Over 54% of off-chain attacks lack clear origins. Increasing transparency in security disclosures, maintaining real-time monitoring for anomalies, and deploying AI-driven threat detection can help detect and mitigate breaches before they escalate.