De-fi
Crypto DeFi hacks cost 8,500% more than TradFi breaches per dollar moved – Crypto News
I believe the hardest question for DeFi in 2026 is whether the original dream is still alive.
The collective bargain was simple. Users would hold their own keys. Code would execute the rules. Markets would stay open. Ledgers would be visible.
Intermediaries would lose power because financial services could run on public smart contracts rather than private balance sheets.
That framing explains why decentralized finance grew so quickly after 2020. It also explains why the current moment feels so deflating.
I’d like to preface this piece by saying that I believe decentralized finance is an essential part of the world I want to live in. However, I’m also not a zealot for a system that has failed to deliver on its promises.
I believe in “strong opinions, loosely held,” and my conviction on DeFi is pretty loose right now.
The sector has now lived through years of bridge exploits, price manipulation, smart contract failures, wallet compromises, governance fights, and public liquidity stress. At the same time, institutions are adopting tokenization, digital cash, and settlement rails while leaving much of the permissionless political project behind.
The most defensible take is now much narrower than the old promise. DeFi proved that public settlement, automated markets, composability, and transparent ledgers can operate at meaningful scale.
It has yet to prove that those properties, by themselves, create a safer, more decentralized, or more accessible finance than the system it set out to challenge.
The original bargain had a hidden dependency stack
The institutional case for DeFi describes its core appeal: open financial systems built on smart contracts and shared public infrastructure. That was the optimistic version of the pitch.
Anyone with a wallet could access markets, move collateral, borrow, lend, trade, and inspect the rules. The system would be transparent by default, with settlement happening on-chain rather than inside private institutional ledgers.
The complication is that decentralization was always a layered concept. Vitalik Buterin’s older framework separated decentralization into architectural, political, and logical dimensions.
A system can be architecturally decentralized because it runs across many machines, while remaining politically concentrated if decisions rest with a small group of tokenholders, teams, multisigs, foundations, front-end operators, or infrastructure providers.
That split is essential because much of DeFi looked decentralized at the transaction layer while remaining dependent on concentrated forms of control elsewhere.
The Bank for International Settlements made a sharp institutional critique in 2021 that many of us likely scoffed at at the time. It called DeFi’s decentralization a structural illusion because governance needs make some centralization inevitable, and because token and validator economics can concentrate power.
BIS was drawing a line between automated settlement and unavoidable decision-making. Protocols still needed decisions about upgrades, risk parameters, collateral listings, incentives, oracle choices, emergency controls, and treasury use.
Those decisions rarely emerged from a perfectly dispersed public. They usually passed through identifiable governance channels and actors. The paper version carries the same institutional critique for policy readers.
The Financial Stability Board added another constraint in 2023. DeFi, it said, had remained mainly self-referential, with products and services interacting with other DeFi products rather than the real economy.
It also inherited familiar vulnerabilities from traditional finance, including leverage, liquidity mismatch, operational fragility, and interconnectedness. The process was new. The risk family was older.
A later governance paper from the ECB reinforced the same direction of travel by focusing on identifiable actors within DeFi governance.
That lands us at this. DeFi reduced reliance on banks for certain transactions, but it increased reliance on code, bridges, governance, front ends, wallets, oracles, custodial touchpoints, and security teams.
It shifted trust rather than removing it. That shift created genuine transparency. It also created new failure modes.
The security record broke the cleanest version of the pitch
The strongest evidence against DeFi’s original security pitch is the record of thefts in 2021 and 2022. A Chainalysis review put DeFi hack losses at about $2.5 billion in 2021, $3.1 billion in 2022, and $1.1 billion in 2023.
Since 2023, almost $7 billion has been stolen as hacks continue, and now AI models are creating a new (perhaps even scarier) attack vector.
The 2022 figure was especially damaging. Hackers stole $3.8 billion from crypto businesses overall that year alone, and DeFi protocols accounted for 82.1% of the funds stolen.
Cross-chain bridges made up 64% of the DeFi total, according to a 2022 hacking analysis.
Those numbers changed the meaning of transparency. DeFi users could see what happened. They could follow stolen funds, inspect transactions, and watch governance respond.
Public ledgers made the failures immediate and brutally legible. A bank breach can take months to identify and disclose. A drained pool becomes visible in the block where it happens.
| Period | Reported crypto theft context | Operational meaning |
|---|---|---|
| 2021 | DeFi hacks around $2.5B in Chainalysis’ later review | DeFi became a primary attack surface during the first mass cycle of yield, leverage, and composability. |
| 2022 | $3.8B stolen from crypto businesses, with DeFi at $3.1B and 82.1% of stolen funds | The peak year turned bridges and smart contracts into the sector’s clearest systemic weakness. |
| 2023 | DeFi hack losses fell to $1.1B | Security improved, activity fell, or both. The decline did not erase the previous damage. |
| 2024 | $2.2B stolen across 303 hacks, up about 21% year over year | Attackers broadened from DeFi toward private-key infrastructure and centralized services. |
| 2025 | Chainalysis reported over $3.4B stolen through early December; TRM put hack losses at $2.87B | Large centralized-service and wallet compromises drove the newest wave more than a return to 2022-style DeFi losses. |
The recent rise in crypto theft has a different composition from the 2021-2022 DeFi exploit cycle. The 2024 hacking review showed losses rising again as attacker focus shifted toward private-key and centralized-service targets.
The 2025 crime trend summary highlighted private-key compromises as a major vector. The mid-year 2025 update showed the escalation after Bybit before the year-end picture was complete.
The 2026 report preview then described more than $3.4 billion stolen in 2025, with the Bybit compromise alone accounting for about $1.5 billion.
TRM’s 2025 Crypto Crime Report provides the prior-year baseline, while its 2026 Crypto Crime Report puts 2025 hack losses at $2.87 billion, with Bybit at $1.46 billion, or 51% of that total.
That nuance helps DeFi on one axis and hurts it on another. DeFi protocol exploit losses appeared to have improved since the 2022 peak.
At the same time, the broader crypto stack still looks brittle, seems to be surging again through new AI tooling, and DeFi’s original user-sovereignty pitch depends on that broader stack.
If the wallet, signing process, bridge, front end, governance channel, or collateral wrapper becomes the weak point, the user experiences a system failure. Dynamic incident databases, such as DeFiLlama’s hacks tracker, exist because the failure surface remains wide and constantly evolving.
Thinking back, one of the DeFi projects I was excited about in 2021 was PancakeBunny. It was a small project, but I liked the UI, the branding, the infrastructure, and I even bought some merch. I was wearing the hoodie this week when I took a moment to think back to all the other DeFi projects that had similar or greater potential and have simply died. It almost seems that the official product life cycle in DeFi includes a hack, an exploit, a pump-and-dump, or insolvency.
“On a long enough timeline, the survival rate for all [DeFi projects] drops to zero.” – Chuck Palahniuk, Fight Club
While a fairly niche project, I think PancakeBunny is a useful example because it condensed the emotional cycle into a single event. Rekt reported that a May 2021 flash-loan manipulation hit the protocol for about $45 million, pushed BUNNY from $146 to $6, and struck after the protocol had once held more than $10 billion in TVL.
The case looks like an early template: unknown protocol, rapid yield-driven growth, giant TVL, manipulation, collapse, then a token chart that never recovers the old story.
That pattern is why the security question carries more weight than any single hack. DeFi promised an alternative trust model. For many users, it became a new risk stack with fewer intermediaries to complain to when something broke.
Aave shows how mature DeFi stress now unfolds in public
Aave is a better current test than most smaller protocols because it remains one of DeFi’s core lending venues. If a marginal farm fails, the conclusion says little about the system.
If a leading lending protocol is forced into visible crisis management, the implication is wider.
The April 2026 rsETH incident is therefore important, but it needs careful language. The Aave incident report said the event originated outside Aave, from Kelp’s LayerZero V2 Unichain to Ethereum rsETH route, which had been configured as a 1-of-1 DVN path.
The report said a forged inbound packet released 116,500 rsETH from the Ethereum-side adapter, and that 89,567 rsETH were deposited on Aave. It also stated that Aave’s smart contracts were not compromised and that Aave’s protocol logic continued to function as designed.
The Aave governance report framed the issue as collateral, bridge, and external-asset risk rather than an exploit of Aave itself.
That caveat protects Aave from a false claim that its own contracts were hacked. It also reinforces the deeper DeFi problem.
In a composable system, a protocol can behave correctly and still inherit stress from the asset, bridge, oracle, market, or governance decision it accepted into its risk perimeter.
The report modeled hypothetical bad-debt scenarios ranging from about $123.7 million to $230.1 million, depending on how losses were allocated.
It also described defensive actions, including freezes of rsETH and wrsETH reserves across Aave V3 deployments, WETH freezes on several markets, and interest-rate adjustments.
That is a mature response system. It is also an admission that mature DeFi requires circuit breakers, guardians, risk stewards, emergency parameter changes, and coordinated governance.
The public forum made the human side visible. One Aave governance post argued that ETH price appreciation could worsen the bad-debt gap over time because some liabilities were effectively fixed in ETH terms while available backstops were denominated in stablecoins and dollars.
Other replies disputed parts of the framing, narrowed the issue to L2 exposure, or urged emergency coordination. The forum discussion should be treated as live stakeholder pressure with unresolved accounting.
CryptoSlate has tracked adjacent Aave pressure, including contributor departures testing Aave’s lending lead and governance conflict around protocol dominance.
Still, the public nature of the debate is the point. DeFi crises happen in view. Depositors, borrowers, tokenholders, analysts, and competitors can watch the governance process unfold.
That gives DeFi a transparency advantage over closed financial systems. It also exposes how much judgment remains inside a supposedly automated system.
The TradFi comparison is real, but the math is uneven
The claim that DeFi looks less secure than traditional finance needs more care and consideration of nuance than sentiment allows these days.
Traditional finance suffers serious cyber incidents, fraud, operational failures, and data breaches. The difference is that those failures move through legal, regulatory, insurance, and disclosure systems that are much slower and less visible than blockchains.
A bank’s customer database breach, an outage, a business-email compromise, and a direct theft from a crypto bridge are all security events. They sit in different categories.
The U.S. public-company disclosure regime illustrates the difference. The SEC requires domestic public companies to disclose material cybersecurity incidents on Form 8-K within four business days after determining materiality.
The deadline starts from the materiality determination rather than the first suspicious log entry. That gives companies time to assess scope, legal exposure, operational impact, and national-security considerations.
Bank regulators use another channel. The OCC’s computer-security incident notification rule requires a bank to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident occurred.
That is a regulatory notification channel rather than a public blockchain ledger.
Cost data shows the scale while preserving the comparison limit. IBM reported that financial industry enterprises averaged $6.08 million per data breach in 2024, above the global average, and that breaches involving 50 million or more records averaged $375 million.
It also put the average identification time for financial firms at 168 days and containment at 51 days. Those figures show that TradFi security failures can be expensive and slow to surface.
Of the 600 breaches analyzed in IBM’s 2025 report, an implied aggregate cost of about $2.66 billion, based on the reported global average breach cost of $4.44 million
So perhaps, DeFi is not dying because it’s less secure than TradFi, but its transparency and immediate public impact create an unsolvable marketing problem.
The amount lost to exploits across DeFi and TradFi appears comparable using the figures above. Around $2.6 billion was lost in TradFi in 2025 and $2.8 billion in DeFi.
However, DeFi moved roughly $10 to $13 trillion last year, while over $28 trillion passed through Mastercard and Visa payment rails alone. When you add in FX markets and Fed funds, you move into the quadrillions in TradFi volume.
Using some napkin math, we can estimate DeFi’s total volume ceiling at around $46 trillion and TradFi’s at around $3.5 quadrillion. Therefore, losses work out to roughly 0.006% of volume in DeFi, compared to 0.00007% in TradFi. This is an 86-fold higher loss rate in DeFi, or 8,500%.
So that’s part marketing and PR issue, but mostly a reliability red flag.
IC3 data adds another layer. The FBI said its 2025 Internet Crime Report showed nearly $21 billion in cyber-enabled crime losses reported by Americans, with more than $11 billion tied to cryptocurrency complaints.
For context, here’s a small sample of DeFi exploits we’ve covered over the years.
1. https://cryptoslate.com/defi-users-pull-out-10-billion-from-market-as-292-million-exploit-sparks-bank-run-optics/
2. https://cryptoslate.com/six-years-after-defi-summer-is-the-sun-already-setting-on-the-decentralized-finance-revolution/
3. https://cryptoslate.com/circle-usdc-drift-hack-freeze-controversy/
4. https://cryptoslate.com/drift-hack-stabble-crypto-insider-risk/
5. https://cryptoslate.com/new-ledger-breach-didnt-steal-your-crypto-but-it-exposed-the-one-thing-that-leads-criminals-to-your-door/
6. https://cryptoslate.com/how-11-audits-couldnt-stop-balancers-128-million-hack-redefining-defi-risks/
7. https://cryptoslate.com/billions-stolen-dozens-arrested-is-crypto-crime-peaking-or-adapting/
8. https://cryptoslate.com/hackers-steal-140m-from-brazilian-central-bank-reserve-accounts-via-partner-breach/
9. https://cryptoslate.com/beyond-hacks-understanding-and-managing-economic-risks-in-defi/
10. https://cryptoslate.com/pump-fun-halts-trading-after-suffering-flash-loan-exploit/
11. https://cryptoslate.com/aave-and-yearn-finance-exploited-for-over-10m-in-stablecoins/
12. https://cryptoslate.com/hackers-steal-record-3-8b-during-2022-chainalysis/
13. https://cryptoslate.com/gravity-of-not-your-keys-not-your-coins-hits-home-as-trust-wallet-spikes-113-to-new-ath/
14. https://cryptoslate.com/hacker-self-destructs-1m-loot-gained-from-defi-exploit/
15. https://cryptoslate.com/record-amounts-of-crypto-were-stolen-in-defi-hacks-last-quarter/
16. https://cryptoslate.com/over-8k-solana-wallets-drained-of-funds-10m-estimated-missing/
17. https://cryptoslate.com/the-biggest-defi-hit-ever-poly-network-sees-600-million-crypto-heist
18. https://cryptoslate.com/latest-ethereum-defi-exploit-sees-14-million-stolen-from-furucombo/
19. https://cryptoslate.com/flash-loan-attack-on-defi-platform-belt-finance-sees-6-2-million-gone/
20. https://cryptoslate.com/defi-risks-hackers-drain-500k-in-link-wrapped-eth-and-other-alts-from-balancer-pools/
-
Blockchain1 week agoBitcoin Treasury Co Strategy Announces $1.5B Convertible Note Buyback – Crypto News
-
others6 days agoSui Launches Gasless Stablecoin Transfers With Support From Fireblocks – Crypto News
-
others6 days ago
Sui Launches Gasless Stablecoin Transfers With Support From Fireblocks – Crypto News
-
De-fi3 days agoSEC Commissioner Hester Peirce Clarifies Distinction Between Tokenized Securities and Synthetic Instruments – Crypto News
-
Cryptocurrency3 days agoHYPE’s path to $100 runs through Hyperliquid becoming crypto’s on-chain Wall Street platform – Crypto News
-
Cryptocurrency3 days ago
HYPE’s path to $100 runs through Hyperliquid becoming crypto’s on-chain Wall Street platform – Crypto News
-
others1 week agoFinancial Firm Hit by Major Cybersecurity Incident, Data of 123,158 Americans Potentially Exposed – Crypto News
-
Cryptocurrency1 week agoBitcoin has one level left before macro pressure opens the path to $75k as Treasury yields extend two-day correction – Crypto News
-
Business1 week ago
Michael Saylor Teases ‘Big’ Bitcoin Buy For Strategy – Crypto News
-
De-fi1 week agoRWA tokenization boom exposes DeFi composability gap – Crypto News
-
others1 week ago
Why Is Hyperliquid Price Surging While Major Cryptos Bleed? – Crypto News
-
Business1 week ago
XRP Trading Volume Tops Bitcoin on Upbit as Hana Bank Acquires Stake in Dunamu – Crypto News
-
Business1 week ago
Strategy’s STRC Draws $2 Billion In Capital To Buy More Bitcoin – Crypto News
-
Cryptocurrency1 week agoBitcoin ETF flows reverse as funds shed $1B on inflation fears – Crypto News
-
Cryptocurrency1 week ago
Bitcoin ETF flows reverse as funds shed $1B on inflation fears – Crypto News
-
Technology1 week agoAI job takeover fears rise: 10 human skills that machines may still struggle to replace – Crypto News
-
Technology1 week ago
AI job takeover fears rise: 10 human skills that machines may still struggle to replace – Crypto News
-
Blockchain1 week agoDogecoin Could Be Setting Up For High-Beta Rally After Final Shakeout – Crypto News
-
Blockchain5 days agoCrypto Access To Banks In Focus After Trump’s New Executive Order – Crypto News
-
Technology5 days ago
Breaking: Crypto Exchange Blockchain.com Secretly Files For IPO After Elon Musk’s SpaceX – Crypto News
-
Technology5 days agoTrump postpones signing artificial intelligence order out of concern it would hurt the AI industry – Crypto News
-
Metaverse4 days agoGoogle I/O 2026 predicts 8 jobs AI advancements could dramatically change – Crypto News
-
Metaverse4 days agoAs OpenAI and Anthropic soar, where do India’s AI startups stand? – Crypto News
-
De-fi3 days ago
SEC Commissioner Hester Peirce Clarifies Distinction Between Tokenized Securities and Synthetic Instruments – Crypto News
-
others1 week ago
Crypto Weekly Recap: CLARITY Advances, US Inflation Soars, Wall Street Raises COIN Stock Target, Strategy Resumes Bitcoin Buys – Crypto News
-
Blockchain1 week agoOpenAI and Malta Partner to Give All Citizens Free ChatGPT Plus Access – Crypto News
-
Blockchain1 week agoSolana Eyes $117 Breakout — If Bulls Can Crush This Key Resistance – Crypto News
-
others1 week agoHackers Targeting 59 Banking, Fintech and Crypto Platforms, Stealing Credentials, PINs and More: Report – Crypto News
-
Metaverse1 week agoMicrosoft AI Chief Mustafa Suleyman has a grim warning for every office worker- Within 18 months… – Crypto News
-
Blockchain1 week agoUS CLARITY Act Will Be a ‘Boon For Domestic Innovation’: A16z – Crypto News
-
Cryptocurrency1 week agoSociete Generale pushes stablecoins into Canton repo and collateral rails – Crypto News
-
Technology1 week agoJury rules against Elon Musk in his feud with OpenAI, saying he filed his lawsuit too late – Crypto News
-
others1 week ago
Goldman Sachs Closes Solana & XRP ETF Stake, Dumps 70% ETH ETF Holdings – Crypto News
-
Cryptocurrency1 week agoSpaceX IPO bets push valuation above $2 trillion on Hyperliquid – Crypto News
-
Cryptocurrency7 days agoBitcoin price risks slide toward $70,000 as $76,000 support weakens – Crypto News
-
Technology6 days agoIndia needs dedicated AI law as current legal framework inadequate to tackle emerging risks: Cyber Expert Pavan Duggal – Crypto News
-
Technology6 days ago
India needs dedicated AI law as current legal framework inadequate to tackle emerging risks: Cyber Expert Pavan Duggal – Crypto News
-
De-fi5 days agoSteakhouse Fi Pulls $1 Billion Lead Over Competing Morpho Vault Curators – Crypto News
-
Cryptocurrency5 days agoBitcoin Firm Nakamoto Plots 1-for-40 Stock Split Following 99% Price Plunge – Crypto News
-
Technology5 days ago
CLARITY Act: Sen. Lummis Reveals Next Steps, Timeline For Senate Vote – Crypto News
-
Technology5 days agoApple adds two major health features in India: Know all about Sleep apnoea alerts and hearing tests – Crypto News
-
Technology4 days ago
Pi Network Price Forecast as OKX Enables Trading Access for US Users: Bullish Ahead? – Crypto News
-
Metaverse4 days agoOpenAI might be filing to go public soon. How we got here. – Crypto News
-
Technology1 week ago
Bhutan Official Speaks Up On Claims of Selling $1 Billion In Bitcoin – Crypto News
-
Blockchain1 week agoIf You’re Holding XRP, This Pundit Says You Should See This – Crypto News
-
Cryptocurrency1 week agoThe end state of software will be private, personal, verified, and AI agent-built – Crypto News
-
Technology1 week agoGoogle I/O 2026 kicks off next week: How to watch live-stream, full schedule and what to expect – Crypto News
-
Blockchain1 week agoCrypto Funds Post $1B in Outflows as Iran Tensions Weigh on Bitcoin, Ether – Crypto News
-
others1 week agoLock.com Enters Early Access With Isolated Signing and Post-Quantum Architecture – Crypto News
-
others1 week ago
Crypto Regulation: Minnesota Gov. Signs Bill To Allow Digital Asset Custody – Crypto News