Lending Protocols Remain DeFi’s Achilles’ Heel: 67 Exploits and Counting

Hackers aren't chasing trends—they're chasing yield. And in the decentralized finance (DeFi) ecosystem, the money pools are deepest where lending protocols operate.
The Soft Underbelly of Smart Contracts
Forget flashy NFT heists or obscure token rug pulls. The real jackpot for digital thieves sits in the code governing billions in collateralized loans. Lending platforms, by their very design, become centralized treasure chests in a decentralized world—holding vast, liquid assets just waiting for a single logic flaw to be exploited.
Why Lending? Follow the Money
The math is simple for attackers: more total value locked (TVL) equals a bigger potential score. Lending and borrowing protocols consistently rank among the highest in TVL, making them the prime target for sophisticated exploits that manipulate price oracles, drain liquidity pools, or bypass collateral checks. It's the digital equivalent of robbing the bank vault instead of the convenience store.
A History Written in Code—and Losses
The tally speaks for itself. With sixty-seven major incidents on record, the pattern isn't just clear—it's glaring. Each exploit serves as a brutal stress test, revealing vulnerabilities in economic models and smart contract logic that white-hat auditors often miss. The industry's 'move fast and break things' ethos has a literal, costly interpretation here.
The Unending Arms Race
Protocol teams respond with upgraded security, bug bounties, and insurance wrappers. Yet, the fundamental tension remains: how to keep complex, interoperable financial logic both permissionless and impervious. Every fix potentially creates a new attack vector, turning DeFi security into a high-stakes game of whack-a-mole.
In the end, the relentless targeting of lending protocols exposes DeFi's core paradox: the quest for trustless, automated finance inevitably creates a system where trust is placed blindly in code. And as any Wall Street veteran might cynically note, where there's a vault, there's always someone trying to crack it. The only question is when exploit number sixty-seven is followed by number sixty-eight.
Technical error is the main reason for losses from lending protocols
Overall, most large protocols aim to increase their security and audit their smart contracts. Over the 12 months ended January 2026, technical issues were the chief source of losses.
Smart contract bugs were the root cause of the majority of incidents. The second most notable cause was compromised private keys or multisig wallets. In total, smart contract bugs led to $526M in losses across 48 incidents in the past year.
Lending protocols hold $53B in reported value locked and may remain a target for exploits. The attacks target smaller protocols and, sometimes, specific vaults. As Cryptopolitan reported, projects like Moonwell were exploited through flaws in oracles and pricing data.
Price manipulation incidents were also a key type of exploit, with a total of 13 incidents in the past year and $65M in losses.
Even audited protocols were at risk, losing a total of $515M. Out-of-scope exploits accounted for $193M in losses, while unaudited contracts leaked another $77M in 24 incidents. Historically, among the top 30 hacks, unaudited code is the main reason in 58.4% of cases. Most projects go through audits, but audits do not protect them from all risks, as on-chain apps have multiple sources of input and interaction.
Most of the attacks against DeFi rely on careful tracking and deep knowledge of the targeted smart contracts. The other vector for stealing funds targets end users. While DeFi is permissionless, new cloned DEXs are appearing. Some pretend to be decentralized, but hold user deposits and require additional fees to withdraw.