Since 2020, over $4 billion has been stolen from DeFi protocols. That's not counting the indirect costs — lost TVL, token crashes, and reputation damage that multiply the impact 3-10x. Here's what the data tells us about where the money goes and how to stop the bleeding.
Losses by Attack Type
| Attack Type | Total Losses | % of Total | Avg. Loss |
|---|---|---|---|
| Bridge Exploits | $2.1B | 48% | $175M |
| Access Control | $800M | 18% | $40M |
| Flash Loan + Oracle | $600M | 14% | $15M |
| Protocol Logic Bugs | $450M | 10% | $20M |
| Reentrancy | $350M | 8% | $12M |
| Other | $100M | 2% | Varies |
Losses by Chain
| Chain | Total Losses | Incidents |
|---|---|---|
| Ethereum | $2.5B | 400+ |
| BNB Chain | $900M | 200+ |
| Solana | $400M | 50+ |
| Polygon | $100M | 30+ |
| Other L1/L2 | $500M | 100+ |
Key Statistics
- 60%+ of exploited protocols had at least one audit
- 90%+ of losses came from protocols with <2 audits
- 48 hours — average time between exploit and attempted fund recovery
- 28% of stolen funds have been recovered (partial or full)
- 5-10% — what most protocols spend on security (should be higher)
Trends
- Average exploit size is growing as more TVL concentrates in fewer protocols
- Bridge exploits dominate but are declining as security improves
- Logic bugs are rising as automated tools catch basic patterns
- Solana exploits are increasing as more value flows to the ecosystem
- Time-to-exploit is decreasing: attackers move faster with AI assistance
The Investment Case for Security
A $100K audit is 0.01% of a $1B TVL protocol. The expected loss from not auditing (probability-weighted) far exceeds any reasonable security budget.
The numbers are clear: underinvestment in security is the most expensive mistake in DeFi. Start with Vultbase — because the cost of an audit is always less than the cost of an exploit.