DeFi Protocol Losses Down 74% From 2022 Peak, But Logic Exploits and Human Error Fill the Gap
Smart contract losses hit their lowest rate on record as a share of total value locked, yet fewer than 10% of projects use AI-driven detection tools, Immunefi's new scoreboard shows.
Losses from exploits targeting decentralised finance protocols fell 74% between 2022 and 2025, dropping from a peak of $2.62 billion to $680 million, according to Immunefi's Ecosystem Vulnerability Scoreboard published Thursday.
The decline reflects structural changes in how DeFi protocols are built and audited, though the security firm's CEO warned that the remaining attack surface is shifting toward human-layer vulnerabilities that code improvements alone cannot fix.
The figures cover DeFi protocol-level losses specifically. Total crypto losses across all categories were far higher in 2025, driven primarily by the $1.5 billion theft from centralised exchange Bybit, in which the exchange's multisig signers were deceived into approving a malicious transaction. The Bybit incident, the largest single crypto theft in history, represented 44% of all stolen value in 2025. Immunefi classifies it as an operational and Web2 security failure rather than an on-chain protocol exploit: the contract code did what it was told, and the signers were the attack surface.
The structural shift behind the numbers
The 2022 peak was concentrated in bridge exploits: attacks on the cross-chain infrastructure that moves assets between blockchain networks. Bridge losses accounted for 73% of all DeFi losses that year, with the Ronin Network breach (approximately $624 million), the BSC Beacon bridge attack ($566 million), and the Wormhole exploit ($326 million) collectively accounting for roughly 58% of that year's total.
By 2025, bridge-related losses had fallen to just 3% of total DeFi losses. Ecosystem-class attacks such as flash-loan manipulations and re-entrancy exploits, which represented roughly 19% of losses in 2022, now account for under 1%.
The reason for that shift is architectural. Bridges have been rebuilt with stronger multi-signature schemes, time locks, and formal verification. Auditing standards have risen, with multiple independent reviews becoming a baseline expectation for well-capitalised protocols. Code-level losses fell to 0.66% of total value locked across DeFi in 2025, the lowest rate on record, against a total DeFi TVL of approximately $123.6 billion.
Those gains did not follow a straight line. Total DeFi losses reached approximately $1.7 billion in 2023, then fell to a record low of $534 million in 2024, making the 2025 figure of $680 million a modest rebound rather than a continuation of unbroken decline.
What remains is harder to patch. Protocol logic exploits now account for 89% of remaining DeFi losses, meaning attackers have moved from targeting infrastructure to targeting how individual protocols are designed to behave: code that compiles, passes its tests, and does exactly what it was written to do, but whose economic rules can be abused. The median loss per hack fell from $6 million in 2022 to $1.5 million in 2025, but the top five exploits in the 2024 to 2025 period still account for roughly 62% of all stolen funds, and the top ten account for 73%, a power-law concentration that keeps catastrophic outlier risk alive.
Responsible disclosure outpacing exploits four to one
Immunefi's data also captures what is not happening. Across its platform, approximately 1,238 critical vulnerabilities have been responsibly disclosed compared to around 320 exploited on-chain. That roughly four-to-one prevention ratio has emerged alongside the growth of the bug bounty market, which reached $1.76 billion globally in 2025 and is projected to reach $5.74 billion by 2034. Immunefi reports that 93% of critical crypto vulnerabilities are disclosed through its platform.
"On-chain security is improving dramatically, and will continue to," said Mitchell Amador, CEO of Immunefi. "From the perspective of DeFi and on-chain protocol code, I believe 2026 will be the best year yet for on-chain security."
Amador was less sanguine about the broader threat environment. "Over 90% of projects still have critical, exploitable vulnerabilities. Less than 1% of the industry uses firewalls, and fewer than 10% use AI detection tools," he said. He addressed the 2025 total-losses headline directly: "Despite 2025 being the worst year for hacks on record, those hacks stem from Web2 operational failures, not on-chain code."
What this means for users in Africa and South Asia
The security improvements carry particular weight in emerging markets, where for many users DeFi is functional financial infrastructure rather than a speculative vehicle.
Sub-Saharan Africa received more than $205 billion in on-chain value between mid-2024 and mid-2025, a 52% year-over-year increase. Stablecoins represent 43% of regional crypto transaction volume and are used for trade settlement, remittances, and business payments. Africa now leads the world in stablecoin ownership among crypto-active users at 79%, according to the BVNK Stablecoin Utility Report 2026.

For those users, an exploit in a protocol they rely on for daily transactions is not a portfolio drawdown. It is a loss of savings or working capital with no insurance backstop. The severity is reinforced by post-hack token data: the median hacked token loses 61% of its value in the six months following an exploit, and 83.9% of hacked tokens remain price-suppressed at that point.
The comparison is stark on remittance costs alone. Traditional transfers to Sub-Saharan Africa averaged 8.78% of transaction value in the first quarter of 2025. Stablecoin transfers average 0.5 to 1%. Security improvements that sustain user trust in DeFi rails directly affect the economic case for those transfers.
Nigeria and Ethiopia ranked in the top 15 of Chainalysis's 2025 Global Crypto Adoption Index, while India consistently places among the highest-adoption markets globally.
A growing cohort of white-hat security researchers from India, Nigeria, Kenya, and Pakistan contributes to international bug bounty programs, including Immunefi, where the average critical vulnerability payout is approximately $52,800. The talent pipeline reflects an expanding responsible-disclosure culture across the region: Pakistan's NADRA launched its 2026 Bug Bounty Challenge to stress-test national identity infrastructure, and India's UIDAI selected 20 bug bounty researchers for its Aadhaar biometric database program. Bangladesh, Sri Lanka, and Nepal are also significant stablecoin and remittance-chain markets where DeFi security carries direct household-level consequences.
The AI variable
Newly funded AI security firms are beginning to integrate into development pipelines. Octane Security raised $6.75 million from Gemini and Circle in early 2026 and reports having identified and blocked an exploit that could have cost one protocol more than $8 million. Sherlock AI, which entered beta in late 2025 and is trained on thousands of real audit findings, provides continuous vulnerability monitoring. Almanax supports Solidity, Move, Rust, and Go, integrating directly into CI/CD pipelines for ongoing smart-contract surveillance. These are vendor-reported results rather than independent evaluations, and the scoreboard's own figure is that fewer than 10% of projects use any such tooling.
Amador framed the coming period as a two-sided contest. "In 2026, AI will change the tempo of security on both sides," he said. "Defenders will rely increasingly on AI-driven monitoring and response that operates at machine speed, while attackers use the same tools for vulnerability research, exploit development, and social engineering at scale."
With code-level security improving but human-layer risk rising, his broader conclusion was direct: "Security has to move from static to continuous. That means real-time threat monitoring, human-aware response protocols, and tooling that keeps pace with evolving risk, not just a one-time audit. The entire industry needs to treat security as infrastructure, not insurance."