• DeFi exploit losses fell 80% from a peak of $2.62 billion in 2022 to $534 million in 2024.
• Bridge exploits plunged from 73% of total DeFi losses in 2022 to just 3% in 2025
• Protocol logic vulnerabilities now account for 89.1% of DeFi losses, as multi-chain deployments emerge as a growing source of systemic risk.

Losses from decentralized finance (DeFi) exploits have fallen by 80% since reaching a record high in 2022, according to a report released by Immunefi.

The report, which analyzed exploit-driven losses across major blockchain ecosystems between 2020 and 2025, found that DeFi protocol losses declined from $2.62 billion in 2022 to $534 million in 2024. Although losses rose to $680.3 million in 2025, Immunefi noted that the increase was driven by a small number of large incidents rather than a broad deterioration in security conditions.

"The 2025 figure of $680 million represents a partial rebound, but that increase is driven almost entirely by a small number of large incidents rather than a broad deterioration," the report stated.

The median loss per exploit dropped from $6 million in 2022 to $1.5 million in 2025, suggesting attackers are finding it increasingly difficult to scale attacks into catastrophic losses.

Bridge and flash-loan exploits lose dominance

Among the most notable shifts identified by the report is the decline of bridge exploits, which were responsible for some of the largest hacks in crypto history. 

Bridge-related attacks accounted for approximately $1.9 billion in losses and 73% of all DeFi losses in 2022, driven by incidents involving Ronin Bridge, Wormhole, Nomad, Harmony Bridge, Binance Bridge and Qubit. By contrast, bridge exploits represented just 3% of total losses in 2025.

Immunefi shared that stronger verification systems, decentralized validator designs and improvements in cross-chain infrastructure have significantly reduced risks associated with blockchain bridges.

The report also highlighted the near-disappearance of flash-loan attacks, which accounted for 54% of losses in 2020 but less than 1% by 2025. The decline is attributed to improvements in oracle architecture, reentrancy protections and broader advances in smart-contract security.

"Flash-loan attacks are now marginal," the report said, noting that common exploit patterns that once plagued the industry have largely been mitigated.

DeFi's primary threat shifts to protocol-specific vulnerabilities

While traditional attack vectors have become less effective, Immunefi found that protocol-specific vulnerabilities now dominate the threat landscape. Protocol logic exploits accounted for 89.1% of all DeFi losses in 2025, making them by far the industry's largest remaining security challenge.

The report describes this as evidence of a maturing threat environment where common exploit patterns have been mitigated.

The audit also warned that multi-chain deployments are creating a new category of systemic risk. Researchers pointed to the $128 million Balancer V2 exploit, which affected deployments on Ethereum, Arbitrum, Base, Polygon, Sonic and OP Mainnet simultaneously because the same vulnerable code was deployed across multiple ecosystems.

"The remaining challenge is defending against novel protocol-specific vulnerabilities and managing risks associated with multi-chain deployments," the report stated.

Using loss-to-total-value-locked ratios as a measure of ecosystem security, Immunefi identified Ethereum and Solana as the lowest-risk major ecosystems at approximately 0.42%, while BNB Chain recorded the lowest ratio among major chains at roughly 0.33%.