Ethereum Smart Contract Security
Research Dashboard
Data compiled: 2026-02-28 | Coverage: 2016–2025 | 24 documented exploits
Total DeFi Losses All-Time
$9.1B
DeFi protocol hacks, 2016–2025 (DefiLlama)
Worst Single Year
$3.8B
2022 — the bridge era — Chainalysis C1
Largest Single Hack
$1.5B
Bybit, Feb 2025 (Lazarus Group / DPRK — FBI confirmed)
Recovery Rate
~5–10%
~90% of losses are permanent; only 3 of 24 exploits fully recovered
Exploits Documented
24
Spanning 2016–2025 across all major chains
Vulnerability Categories
12
40+ sub-types; mapped to SWC Registry & OWASP SC Top 10
Lazarus Group Attributed
$2.5B+
5 attacks confirmed or credibly attributed; 2022–2025 escalation
Potential Loss Reduction
40–50%
Achievable with full best-practice adoption over 3–5 years
◆ Central Research Finding
The ecosystem is getting measurably better at known smart contract vulnerability classes while losing the
aggregate arms race: total annual losses keep rising, driven by state-sponsored attackers, composability
complexity, and structural market failures. The most capable adversaries have shifted to softer targets that
no contract audit covers, namely centralized key custodians and the people who sign transactions.
1. North Korean state actors dominate the threat landscape.
The Lazarus Group is confirmed or credibly attributed in Wormhole ($320M, 2022), Ronin ($625M, 2022),
Harmony Horizon ($100M, 2022), Radiant Capital ($50M, 2024), and Bybit (~$1.5B, 2025).
This single threat actor has stolen an estimated $2.5B+ from Ethereum-related protocols.
Their evolution from exploiting contract code to compromising the transaction-signing path (signers approving
malicious payloads on hardware wallets) and the software supply chain is a qualitative escalation that no
smart contract audit addresses.
2. Cross-chain bridges are the highest-value attack surface in DeFi history.
Six of the twenty-four documented exploits targeted bridges (Poly Network, Wormhole, Ronin, Nomad, Harmony, Multichain),
accounting for over $1.8B in net losses.
Bridges concentrate large asset pools behind trust assumptions (validator sets, multisig signers, message verifiers)
that are architectural rather than code-level, so they remain prime targets until ZK-proof-based bridges reach
scale deployment.
3. Smart contract audits are necessary but demonstrably insufficient.
Euler Finance was audited 10 times by 6 firms before losing $197M.
Wormhole was audited by the firm that later wrote the exploit post-mortem.
Beanstalk was audited by Halborn. An audit lowers the odds of some attack classes; it is not a safety guarantee.
Automated tools catch only 8–20% of exploitable bugs (IEEE, 2024).
4. Flash loan oracle manipulation dominated 2020–2022.
bZx, Harvest Finance, PancakeBunny, Cream Finance (Oct 2021), and Beanstalk all used flash loans to
manipulate spot-price oracles or governance votes. This attack class caused over $400M in losses
and was made possible by protocols reading Uniswap spot prices (pool reserves at the instant of the call)
as trusted data feeds.
TWAP oracles and Chainlink feeds have substantially mitigated this class since 2022: a TWAP forces the attacker
to hold a distorted price across several blocks rather than within one transaction, and an external feed removes
the AMM from the pricing path entirely.
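To make the mechanism in finding 4 concrete, here is an added simulation written for this page (it is not code from any protocol named above): a constant-product AMM, a lending pool that prices collateral at the AMM spot price, and the same pool reading a 10-block TWAP instead. The reserve sizes, the 0.3% swap fee, the 0.09% flash-loan fee, the 75% LTV and the assumption that arbitrage restores the pre-attack price afterwards are all illustrative assumptions.

```python
"""Flash-loan spot-price oracle manipulation, simulated end to end.

Constructed example for this dashboard; not code from any protocol named above.
Models a constant-product AMM, a lending pool that prices collateral either at
the AMM spot price or at a TWAP, and an attacker who does everything in one
transaction. All reserves, fees and ratios are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class ConstantProductPool:
    """x * y = k AMM holding `token` (collateral asset) and `usd` (quote asset)."""
    token: float
    usd: float
    fee: float = 0.003  # 0.3% swap fee, Uniswap-v2 style (assumed)

    def spot_price(self) -> float:
        """USD per token implied by the reserves at this instant."""
        return self.usd / self.token

    def buy_token(self, usd_in: float) -> float:
        """Swap `usd_in` USD into the pool; returns the tokens received."""
        k = self.token * self.usd
        token_out = self.token - k / (self.usd + usd_in * (1 - self.fee))
        self.usd += usd_in
        self.token -= token_out
        return token_out


@dataclass
class TwapOracle:
    """Mean of the end-of-block prices for the last `window` finalized blocks.

    Simplified from Uniswap-v2 cumulative prices: the current (manipulated)
    block is not yet in the window, so a single-transaction pump cannot move it.
    """
    pool: ConstantProductPool
    window: int = 10
    history: list = field(default_factory=list)

    def end_block(self) -> None:
        self.history = (self.history + [self.pool.spot_price()])[-self.window:]

    def price(self) -> float:
        return sum(self.history) / len(self.history)


@dataclass
class LendingPool:
    """Lends USD against token collateral at a fixed loan-to-value ratio."""
    usd_liquidity: float
    price_source: Callable[[], float]
    ltv: float = 0.75

    def max_borrow(self, collateral_tokens: float) -> float:
        value = collateral_tokens * self.price_source()
        return min(self.usd_liquidity, value * self.ltv)


def break_even_flash_loan(pool_usd_reserve: float, ltv: float) -> float:
    """Fee-free flash-loan size above which the spot-price attack is profitable.

    With reserves (x, y) and a flash loan F spent on tokens, the tokens bought
    are worth F * (1 + F / y) at the new spot price, so borrowing LTV of that
    exceeds repaying F once F / y > 1 / LTV - 1.
    """
    return pool_usd_reserve * (1.0 / ltv - 1.0)


def run_attack(flash_loan_usd: float, use_twap: bool, flash_fee: float = 0.0009) -> dict:
    """One transaction: flash loan -> pump AMM -> deposit -> borrow -> repay."""
    amm = ConstantProductPool(token=1_000_000, usd=1_000_000)  # constructed: 1 USD/token
    twap = TwapOracle(amm, window=10)
    for _ in range(10):          # quiet history: price was 1.0 in every prior block
        twap.end_block()
    lender = LendingPool(
        usd_liquidity=5_000_000,
        price_source=twap.price if use_twap else amm.spot_price,
    )
    tokens = amm.buy_token(flash_loan_usd)   # pump: spot price jumps inside this tx
    oracle_price = lender.price_source()
    borrowed = lender.max_borrow(tokens)     # lender values collateral at oracle price
    owed = flash_loan_usd * (1 + flash_fee)  # Aave-style 0.09% flash fee (assumed)
    profit = borrowed - owed                 # negative: cannot repay, tx would revert
    # Once arbitrage restores the pre-attack price (assumed 1 USD/token), the
    # abandoned collateral is worth `tokens` USD against `borrowed` of debt.
    bad_debt = max(0.0, borrowed - tokens * 1.0)
    return {"oracle_price": oracle_price, "tokens": tokens, "borrowed": borrowed,
            "profit": profit, "protocol_bad_debt": bad_debt}


if __name__ == "__main__":
    for use_twap in (False, True):
        r = run_attack(1_000_000, use_twap)
        print("TWAP" if use_twap else "spot", {k: round(v, 2) for k, v in r.items()})
```

With a 1M USD flash loan against a pool holding 1M USD of quote reserves, the spot-priced lender lets the attacker borrow roughly 1.5M against collateral that is worth about 0.5M once the price reverts, leaving the protocol with close to 1M of bad debt; with the TWAP, the same transaction cannot repay the flash loan and would revert. `break_even_flash_loan` gives the fee-free threshold (a third of the pool's quote reserves at 75% LTV), which is why thinly traded pools were the usual target.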
5. The attack surface extends far beyond smart contract code.
BadgerDAO ($120M), Vulcan Forged ($140M), Radiant Capital ($50M), and Bybit (~$1.5B) were all compromised
via Web2 infrastructure, supply chain, or social engineering vectors that no on-chain audit can detect.
In 2024, 55% of incidents involved stolen private keys or compromised accounts.
6. Access control failures are the highest-dollar-impact category in recent years.
$953.2M in documented 2024 losses were attributed to access control failures and private key compromise,
making it the dominant loss driver, ahead of reentrancy, oracle manipulation, and flash loan attacks.
Static analysis can flag a missing access modifier, but key custody, signer compromise, and mis-assigned roles
are operational failures that it cannot see.
7. A 40–50% reduction in annual losses is achievable through systemic adoption of best practices.
Requiring audits for all significant protocols, universal multisig for admin keys, Slither + Foundry fuzzing
in CI/CD, and timelocks on governance functions would address the majority of documented attack vectors.
The constraint is adoption economics and attacker adaptation, not tool availability.
⚠ Exploit History
Chronological catalog of all 24 documented exploits from The DAO (2016) to Bybit (2025).
Covers root causes, audit status, recovery outcomes, and attribution including Lazarus Group activity.
☯ Vulnerability Taxonomy
Structured classification of 12 major vulnerability categories and 40+ sub-types.
Maps to SWC Registry and OWASP Smart Contract Top 10. Includes code examples for critical patterns.
▦ Statistical Impact
Annual loss figures, vulnerability distribution, chain breakdown, and the "3% claim" analysis.
Compares crypto fraud rates to traditional finance with source-quality assessment.
✓ Prevention & Tooling
Comprehensive evaluation of static analysis tools (Slither, Mythril, Certora), fuzzers (Echidna, Foundry),
and audit practices. Includes cost-benefit analysis and realistic reduction estimates.
8 tools compared
Cost-benefit models
∎ DeFi-Specific Failures
Analysis of flash loan attacks, oracle manipulation, bridge exploits, and governance attacks
as distinct categories from code bugs. Covers composability cascades and systemic risk.
5 attack categories
Bridge deep-dives
◀ Root Cause Analysis
Political-economy analysis of why vulnerabilities persist despite tooling progress.
Covers incentive misalignment, language limitations, developer knowledge gaps,
and ranked systemic interventions.
Economic modeling
Policy implications