According to a report released on Thursday – titled “Immunefi’s 2026 Ecosystem Vulnerability Audit” – losses stemming from decentralized finance (DeFi) exploits tumbled by almost 74 percent from their 2022 peak of $2.62 billion to $680.3 million in 2025.
DeFi losses slide from 2022 peak
The report released by web3 security firm Immunefi noted that the median loss per exploit has also substantially pulled back, from $6 million in 2022 to approximately $1.5 million in 2025. The company called this figure a “more telling metric.”
In the report, Immunefi performed a 6-year analysis of DeFi exploits across major blockchains from 2020 through 2025.
Attacks involving flash-loan oracle manipulation and reentrancy exploits affecting composability layers fell from about 19 percent of losses in 2022 to just 1 percent in 2025.
A reentrancy exploit occurs when a malicious contract repeatedly calls a protocol before the original transaction has finished updating its balances or state, allowing funds to be withdrawn multiple times.
In highly composable DeFi systems where protocols interact with each other, a flaw in one contract can cascade across multiple integrated applications, amplifying the impact of the attack.
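The ordering problem behind reentrancy, shown as an added Python model (not Solidity, and not code from the Immunefi report): the same withdrawal routine is run once with the balance cleared after the external call and once with it cleared before. `Vault`, `ReenteringReceiver` and `run` are hypothetical names, and the deposits are constructed sample values.

```python
# Constructed model of a vault and a receiving contract, for illustration only.

class Vault:
    def __init__(self, safe_order):
        self.safe_order = safe_order   # True: update state before the external call
        self.balances = {}             # depositor name -> credited amount
        self.reserves = 0              # funds the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, receiver):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.reserves < amount:
            return                      # check: nothing credited, or vault empty
        if self.safe_order:
            self.balances[who] = 0      # effect: clear the credit first
        self.reserves -= amount
        receiver.receive(self, amount)  # interaction: control leaves the vault
        if not self.safe_order:
            self.balances[who] = 0      # too late: the receiver has already re-entered


class ReenteringReceiver:
    """Receiver whose payment hook calls withdraw() again (hypothetical)."""
    def __init__(self, name, max_depth=10):
        self.name, self.received = name, 0
        self.depth, self.max_depth = 0, max_depth

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            vault.withdraw(self.name, self)   # re-enter before the first call returns


def run(safe_order):
    """Return (amount paid to the re-entering caller, vault reserves left)."""
    vault = Vault(safe_order)
    vault.deposit("honest", 90)         # another depositor's funds
    caller = ReenteringReceiver("caller")
    vault.deposit("caller", 10)
    vault.withdraw("caller", caller)
    return caller.received, vault.reserves


if __name__ == "__main__":
    print("state updated after call :", run(False))
    print("state updated before call:", run(True))
```

With the balance cleared before the external call, the nested `withdraw()` finds nothing credited and returns, so the caller receives only its own deposit.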
Similarly, the risk of overdependence on on-chain oracle data was also highlighted by Ethereum co-founder Vitalik Buterin. On Tuesday, Buterin remarked that algorithmic stablecoins need an options-based, liquidation-free design.
The report also notes that private-key thefts and database exploits fell from around 30.7 percent of the losses in 2022 to 10.3 percent in 2025. Meanwhile, bridge exploits crashed from 73 percent of DeFi losses in 2022 to as low as 3 percent in 2025.
AI is lowering the entry barrier for attackers
An interesting insight in the report pertains to the role of AI in DeFi exploits. Notably, AI is lowering the barrier to entry for attackers, enabling more people to read codebases faster and automate parts of vulnerability discovery.
That said, AI is being used by DeFi protocols for defensive purposes too. Unlike attacking a protocol, defence is mostly an issue of scale, which requires pattern recognition, monitoring, and simulating edge cases.
While the total amount of monetary value lost in DeFi exploits is going down, the overall interest in the space is dwindling too.
On May 23, on-chain data revealed that there is a serious liquidity crisis in DeFi, as the number of Wrapped Bitcoin (WBTC) active addresses fell to its lowest level of the year.

