
The security firm's six-year audit said protocol losses dropped sharply from 2022 levels as attack patterns shifted, even as incident counts rose and AI intensified both offense and defense.
DeFi protocol losses tied to exploits fell 74% from a 2022 peak of $2.62 billion to $680.3 million in 2025, according to Immunefi's 2026 Ecosystem Vulnerability Audit. The report also showed a 75% drop in median loss per exploit, from $6 million in 2022 to $1.5 million in 2025, which the company called a more meaningful gauge of improving security.
Immunefi said ecosystem-class attacks such as flash-loan oracle manipulations and reentrancy exploits affecting composability layers shrank from nearly 19% of losses in 2022 to under 1% in 2025, while infrastructure failures including private-key compromises and database attacks fell from 30.7% to 10.3%. Bridge exploit losses dropped from 73% of DeFi losses in 2022 to 3% in 2025, and flash-loan attacks declined from 54% of all losses in 2020 to less than 1% by 2025.
The firm said the slight rebound in 2025 losses from $534 million in 2024 reflected multi-chain complexity and a small number of severe incidents rather than broad deterioration. Immunefi CEO Mitchell Amador said the industry is learning, but warned that rising incident counts and shared dependencies across code, signers, infrastructure, front ends, oracles and deployment practices could drive the next systemic failures.