Immunefi: DeFi exploit losses fall 74% from 2022 peak to $680.3M in 2025

DeFi protocol losses tied to exploits are down 74% from a 2022 peak of $2.62 billion to $680.3 million in 2025, according to Web3 security firm Immunefi. The industry also recorded a 75% decline in median loss per exploit from $6 million in 2022 to $1.5 million in 2025, a figure the company described as the "more telling metric."

The findings come from Immunefi's 2026 Ecosystem Vulnerability Audit, a six-year analysis of exploit-driven losses across major blockchain ecosystems from 2020 through 2025. According to the report, ecosystem-class attacks, including flash-loan oracle manipulations and reentrancy exploits affecting composability layers, shrunk from nearly 19% of losses in 2022 to under 1% in 2025. At the same time, infrastructure failures, such as private-key compromises and database attacks, declined from 30.7% of losses in 2022 to 10.3% in 2025.

Immunefi said bridge exploit losses collapsed from 73% of DeFi losses in 2022 to 3% in 2025, while flash-loan attacks, which represented 54% of all losses in 2020, fell to less than 1% of losses by 2025. Private key compromises, the largest single technique category in 2022 at 28.7% of losses, dropped to 8.1% in 2025.

Industrywide DeFi protocol losses by year. Image: Immunefi. DeFi is "getting safer" Immunefi said DeFi is "getting safer," with the decline in losses reflecting changes in how protocols are designed and secured across ecosystems, including improvements in oracle design, reentrancy protections, and access-control standards. The slight 2025 rebound to $680.3 million in losses from $534 million in 2024 reflects the growing complexity of multi-chain deployments and a limited number of high-severity incidents rather than a broad deterioration, according to Immunefi. Major incidents such as Bybit's $1.5 billion loss in February 2025 and DMM Bitcoin's $305 million loss in 2024 are excluded from the report's ecosystem rankings, as those failures resulted from custody and key management issues at the centralized exchange level rather than vulnerabilities in the blockchain ecosystems themselves — a classification that keeps the biggest recent incidents out of the DeFi loss column, but not out of anyone's memory.

Despite the reduction in losses in U.S. dollar terms, the number of unique incidents is on the rise. Among the things the industry is learning,