DeFi hacks dip but one bug drained $128M on six chains

A sector review covering 2020 through 2025 found that total DeFi losses peaked at $2.62 billion in 2022 and fell about 80% to $534 million by 2024. The review reports a November incident in which an arithmetic-precision bug in Balancer V2 Composable Stable Pools allowed an attacker to drain roughly $128 million across six blockchains in under 30 minutes.

The Balancer exploit targeted an error in the pools’ invariant math. Researchers traced the attack to a rounding boundary the attacker pushed token balances onto, then executed chained batched swaps that amplified small rounding discrepancies until funds were emptied. The vulnerable contracts were deployed on Ethereum, Arbitrum, Base, Polygon, Sonic and OP Mainnet. Multiple independent audits did not identify the flaw before the drains occurred.

The data shows a change in the pattern of losses. The number of unique incidents rose to 83 in 2025, while median loss per incident fell from $6 million in 2022 to $1.5 million in 2025. Bridge hacks, which produced nine incidents and about $1.9 billion in losses in 2022, accounted for roughly 3% of DeFi losses by 2025 after changes to verification procedures and validator decentralization. Flash-loan attacks, which contributed 54% of losses in 2020, represented under 1% by 2025 following adoption of time-weighted average prices, external oracle feeds, reentrancy guards and designs that assume atomic price manipulation.

Private-key compromises declined from 28.7% of losses in 2022 to 8.1% in 2025. The review records that protocol logic exploits-errors in application math, access control or composability assumptions-made up 89.1% of DeFi losses in 2025. Those exploits arise from differences in individual codebases and do not have a single standard fix.

The report attributes the full value of a multi-chain exploit to each chain affected, on the basis that users and liquidity on every chain faced the full impact. That accounting increases reported totals for chains hit by the Balancer drains. The review excludes centralized exchange thefts from protocol loss totals; a separate $1.5 billion exchange theft in 2025 is classified as a custody failure.

Measured against total value locked, the report lists loss-to-TVL ratios of about 0.42% for both Ethereum and Solana and about 0.33% for BNB Chain. The review notes that standardized defenses have reduced repeatable, high-value attack classes while identical deployments across multiple chains can let a single code flaw cause simultaneous drains on several networks.