By Robin Singh, Founder
Updated May 22, 2026
This article has been fact checked and reviewed as per our editorial policy.

10 Biggest DeFi Hacks and Exploits

DeFi has unlocked open finance, but it’s also become a major target for hackers, with more than $10.77 billion lost to exploits to date.

What are the biggest DeFi exploits to date?

  1. Balancer ($128 million)

  2. Nomad ($190 million)

  3. Euler Finance ($196 million)

  4. Multichain ($231 million)

  5. Cetus ($260 million)

  6. Drift Protocol ($280 million)

  7. KelpDAO ($292 million)

  8. Wormhole ($326 million)

  9. BSC Token Hub ($586 million)

  10. Ronin ($625 million)

Balancer ($128 million)

Balancer suffered a major exploit in November 2025 after attackers abused a rounding error vulnerability within Balancer V2’s ComposableStablePool contracts.

The exploit specifically targeted arithmetic precision loss during invariant calculations, allowing attackers to manipulate Balancer Pool Token (BPT) pricing through repeated micro-swaps executed inside complex batchSwap transactions. By compounding tiny rounding discrepancies dozens of times within a single transaction, the attacker artificially suppressed pool pricing and extracted roughly $128 million across multiple chains in under 30 minutes.

The incident became one of the clearest examples of how seemingly minor mathematical flaws in DeFi protocols can scale into catastrophic exploits when combined with automated trading logic. 
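The rounding problem described above can be reproduced in a toy model. The following is an added example, not Balancer's code or its stable-pool math: it assumes a simple constant-product pool with integer balances (the function names and numbers are hypothetical) and shows how the rounding direction decides whether many tiny swaps erode the pool invariant, plus the invariant guard that catches it.

```python
# Toy constant-product pool in integer base units. Constructed model for
# illustration; this is NOT Balancer's stable-pool invariant math.

class InvariantError(Exception):
    """Raised when a swap would leave the pool worse off."""

def amount_in(x, y, out, round_up):
    """Token X owed for withdrawing `out` of token Y while keeping x*y constant."""
    num, den = x * out, y - out
    # Exact answer is num/den; integers force a choice of rounding direction.
    return -(-num // den) if round_up else num // den

def micro_swaps(x, y, out, n, round_up, guard=False):
    """Run n small exact-out swaps; return (x, y, change in x*y since start)."""
    k0 = x * y
    for _ in range(n):
        k_before = x * y
        x, y = x + amount_in(x, y, out, round_up), y - out
        # Defensive check: no single swap may lower the invariant.
        if guard and x * y < k_before:
            raise InvariantError(f"invariant fell by {k_before - x * y}")
    return x, y, x * y - k0

if __name__ == "__main__":
    for label, up in (("round down (favours trader)", False),
                      ("round up (favours pool)", True)):
        _, _, drift = micro_swaps(10**6, 10**6, 3, 60, round_up=up)
        print(f"{label}: invariant change after 60 swaps = {drift}")
    try:
        micro_swaps(10**6, 10**6, 3, 60, round_up=False, guard=True)
    except InvariantError as exc:
        print("guard stopped the first bad swap:", exc)
```

Rounding every amount in the pool's favour and asserting that the invariant never decreases within a transaction are the two checks auditors look for in this class of code.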

Nomad ($190 million)

The Nomad bridge exploit in 2022 became one of the most chaotic hacks in DeFi history. A faulty smart contract update effectively allowed anyone to copy and paste exploit transactions and withdraw funds from the bridge.

More than $190 million was drained in a matter of hours as opportunistic users joined the exploit. Unlike more sophisticated attacks, the Nomad exploit largely stemmed from a critical access control and validation failure during a contract upgrade. Some funds were later returned by white hat participants.

Euler Finance ($196 million)

Euler Finance lost around $196 million in 2023 after attackers used a flash loan exploit targeting the protocol’s liquidation logic. The exploit manipulated debt positions and reserve accounting, allowing the attacker to drain funds across multiple assets.

The incident was particularly noteworthy because Euler was widely considered one of the more sophisticated lending protocols in DeFi at the time. In a rare outcome, the attacker eventually returned most of the stolen assets following negotiations with the Euler team.

Multichain ($231 million)

The Multichain exploit in 2023 was one of the largest bridge-related incidents in DeFi history. Roughly $231 million was drained from the protocol after private keys tied to the platform’s infrastructure were reportedly compromised.

The hack caused major disruption across multiple chains and sparked concerns about centralized bridge architecture. The situation became even more controversial after reports emerged involving the disappearance of Multichain’s leadership and operational issues behind the scenes.

Cetus ($260 million)

Cetus, a major decentralized exchange on Sui, suffered a massive exploit in 2025 after attackers abused vulnerabilities tied to liquidity pools and smart contract logic.

Around $260 million was affected during the incident, making it one of the largest exploits within the newer generation of Layer-1 ecosystems. The attack reignited concerns around whether newer DeFi chains are moving too quickly without the same battle-tested infrastructure seen on Ethereum.

Drift Protocol ($280 million)

Drift Protocol suffered an exploit in April 2026 after attackers gained privileged administrative access to the protocol through social engineering and operational security failures rather than a traditional smart contract bug.

According to Drift’s post-mortem, attackers spent months building trust with team members before exploiting Solana’s durable nonce system to trick Security Council members into unknowingly pre-signing malicious transactions. Once admin access was obtained, the attackers whitelisted a fake collateral asset called CVT, artificially inflated its value, and used it to borrow approximately $280 million in legitimate assets, including SOL, ETH, and USDC.

The exploit highlighted how DeFi attacks are increasingly targeting governance infrastructure and human operational security rather than only smart contract vulnerabilities. 

KelpDAO ($292 million)

KelpDAO suffered the largest DeFi exploit of 2026 after attackers stole roughly $292 million through a combination of compromised infrastructure and cross-chain verification failures.

The attack targeted KelpDAO’s LayerZero integration, which relied on a dangerously centralized 1-of-1 verifier setup. Rather than exploiting a smart contract bug directly, attackers compromised the RPC nodes that fed data into the verifier system while simultaneously launching DDoS attacks against honest nodes.

This forced the protocol to rely entirely on attacker-controlled infrastructure, allowing fake cross-chain messages to be validated as legitimate. The attackers then minted and withdrew around 116,500 unbacked rsETH tokens, representing nearly 18% of the token’s circulating supply.

The exploit triggered panic across DeFi markets, with billions of dollars leaving lending protocols in the days that followed as platforms rushed to freeze rsETH markets and limit bad debt exposure. 
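The difference between a 1-of-1 verifier and a quorum of verifiers with independent data sources can be shown in a small model. This is an added example, not KelpDAO's or LayerZero's code: the verifier names, keys, messages and the `relay` helper are constructed, and HMAC stands in for each verifier's real signature scheme.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for a real signature scheme.
KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}

def attest(verifier, rpc_view, msg_id):
    """Verifier signs whatever payload its own RPC source reports for msg_id.
    Returns None when the source is unreachable or has no such message."""
    payload = None if rpc_view is None else rpc_view.get(msg_id)
    if payload is None:
        return None
    return verifier, hmac.new(KEYS[verifier], payload, hashlib.sha256).digest()

def accept(message, attestations, required, threshold):
    """Destination-side check: count distinct required verifiers whose
    signature covers exactly this message. A missing attestation is never
    a vote, so an outage fails closed instead of lowering the bar."""
    valid = set()
    for att in attestations:
        if att is None:
            continue
        verifier, sig = att
        if verifier not in required:
            continue
        expect = hmac.new(KEYS[verifier], message, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expect):
            valid.add(verifier)
    return len(valid) >= threshold

def relay(message, msg_id, views, threshold):
    """views maps each verifier to the RPC data it sees (None = unreachable)."""
    atts = [attest(v, view, msg_id) for v, view in views.items()]
    return accept(message, atts, set(views), threshold)

# Constructed scenario: message 7 was never sent on the source chain.
FORGED = b"mint unbacked tokens to PLACEHOLDER_ADDRESS"
POISONED, HONEST, DOWN = {7: FORGED}, {}, None

if __name__ == "__main__":
    print("1-of-1, poisoned RPC:", relay(FORGED, 7, {"v1": POISONED}, 1))
    print("2-of-3, one poisoned, one honest, one down:",
          relay(FORGED, 7, {"v1": POISONED, "v2": HONEST, "v3": DOWN}, 2))
```

With a threshold of one, a single poisoned data source is enough to validate the forged message; with two of three, the same input is rejected even while one honest verifier is offline.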

Wormhole ($326 million)

The Wormhole exploit in 2022 remains one of the most infamous bridge hacks in crypto. Attackers exploited a signature verification vulnerability on the Solana-Ethereum bridge, allowing them to mint wrapped ETH without proper collateral backing.

Roughly $326 million was stolen. Jump Crypto later stepped in to replenish the lost funds, preventing broader contagion across the Solana ecosystem. The exploit became a defining example of how dangerous bridge vulnerabilities can become when massive liquidity is concentrated in a single protocol.

BSC Token Hub ($586 million)

The BSC Token Hub exploit targeted Binance’s cross-chain bridge infrastructure in 2022. Attackers exploited weaknesses in proof verification systems to mint fraudulent BNB tokens, resulting in losses totaling around $586 million.

Validators quickly halted the chain, limiting the amount attackers could move off-chain. The exploit reignited debates around decentralization, as BNB Chain’s ability to pause the network helped contain losses but also demonstrated how centralized some blockchain ecosystems remain.

Ronin Bridge ($625 million)

The Ronin Bridge hack remains the largest DeFi exploit ever recorded. Attackers linked to North Korea’s Lazarus Group compromised validator nodes tied to the Ronin network, allowing them to drain approximately $625 million in ETH and USDC.

The exploit targeted the bridge supporting Axie Infinity’s ecosystem and exposed major weaknesses in validator centralization and key management. Sky Mavis later raised funding to reimburse affected users, though the hack permanently changed how the industry approaches bridge security.

What are the largest recent DeFi hacks?

2026 has already seen several major DeFi exploits despite growing awareness around protocol security.

Verus was targeted through a bridge-related exploit that impacted cross-chain asset transfers and liquidity pools. Thorchain suffered another major incident tied to validator infrastructure and suspicious transaction flows, renewing long-standing concerns around bridge security and cross-chain liquidity systems.

KelpDAO was hit in one of the year’s largest exploits involving liquid restaking infrastructure and complex smart contract integrations. Rhea Finance also suffered heavy losses after attackers manipulated pricing logic tied to low-liquidity pools.

Hyperliquid experienced a separate incident tied to leveraged trading infrastructure and liquidation engine behavior. While not every recent exploit resulted in complete protocol collapse, the scale and frequency of attacks show DeFi security remains one of the industry’s biggest unresolved problems.

How do DeFi hacks happen?

Most DeFi hacks happen because of vulnerabilities in smart contracts, compromised private keys, or weaknesses in protocol infrastructure.

Access control failures remain one of the biggest issues. If attackers gain access to admin wallets, validator keys, or upgrade permissions, entire protocols can be drained within minutes.

Flash loan attacks are another major category. These exploits allow attackers to borrow massive amounts of capital instantly, manipulate markets or protocol accounting, and repay the loan within the same transaction. Oracle manipulation often plays a role here, particularly in protocols relying on low-liquidity pricing feeds.

Reentrancy attacks remain a classic exploit type as well. These attacks repeatedly call vulnerable smart contract functions before balances update correctly, allowing funds to be drained.

Bridge infrastructure continues to be one of the most targeted areas in DeFi. Cross-chain protocols often combine multiple smart contracts, validators, and message-passing systems, creating significantly larger attack surfaces than standard lending or trading protocols.

Can cross-chain protocols get hacked?

Yes, and cross-chain protocols have consistently been among the most exploited areas in DeFi.

Bridges are inherently more complex than standard smart contracts because they need to coordinate assets and messages across multiple blockchains simultaneously. That complexity creates more opportunities for bugs, validator failures, and signature verification issues.

Many cross-chain systems are also relatively new compared to established Ethereum lending protocols, meaning they haven’t been battle-tested through multiple market cycles. Some bridges also rely heavily on centralized validator sets or multisig infrastructure, which can become a single point of failure if compromised.

Several of the largest DeFi exploits ever recorded, including Ronin, Wormhole, and Multichain, were all tied directly to bridge infrastructure.

How much money has been lost to DeFi hacks to date?

More than $10.77 billion has been lost to DeFi hacks and exploits to date, making decentralized finance one of the most heavily targeted sectors in crypto.

What are the most common DeFi hacks?

Compromised accounts now make up more than 50% of all DeFi attacks, overtaking traditional smart contract exploits as the biggest source of losses.

Rather than directly hacking code, attackers increasingly target developers, DAO contributors, and validator operators through phishing campaigns, malware, and social engineering. Once admin access is compromised, attackers can drain treasuries, push malicious upgrades, or seize control of protocol infrastructure.

Traditional smart contract exploits still remain common, though, especially around bridges, oracle systems, and flash loan vulnerabilities. Reentrancy attacks, liquidity pool manipulation, and price oracle exploits continue appearing across newer protocols that prioritize growth speed over security testing.

One of the biggest trends in 2026 is that many attacks are no longer purely technical. Operational security failures, poor wallet management, and weak governance controls are becoming just as dangerous as coding mistakes.

For developers, DAOs, and investors alike, basic security practices still matter enormously.

How can I protect myself from DeFi exploits?

The safest approach is sticking to audited, battle-tested protocols with long operating histories and strong security reputations.

Large platforms like Aave and Compound have survived multiple market crashes and exploit attempts because they prioritize conservative risk management and extensive security testing. Smaller protocols offering unusually high yields often carry significantly greater risk.

Audits also matter more than many investors realize. Only around 20% of hacked protocols to date had undergone proper auditing, while audited protocols accounted for just 10.8% of total value lost across DeFi exploits. Audits are not perfect, but they significantly reduce the likelihood of catastrophic vulnerabilities slipping into production.

Users should also avoid keeping excessive funds in a single protocol, revoke unnecessary wallet approvals regularly, and be cautious with newly launched cross-chain platforms or unaudited yield strategies.

Most importantly, never invest more than you can afford to lose. Even trusted DeFi platforms still carry smart contract, bridge, and governance risks that cannot be fully eliminated.

What can I do with losses from hacks?

You may be able to write off your loss as a tax deduction! Learn more in our guide to writing off crypto losses.
