DeFi’s Security Crisis: What’s Going Wrong and How to Fix It

Key points:

  • In 2024, DeFi-related hacks caused over $1 billion in losses, 33% more than the year before. The trend continues in 2025.
  • Rug pulls, coding flaws, and phishing scams are among the main risks.
  • A long-running DeFi platform has stayed breach-free for five years.

DeFi Is Still Easy to Exploit

Hackers haven’t slowed down. In 2024, the vast majority of crypto security incidents targeted DeFi. Smart contract bugs, wallet misconfigurations, and outright scams cost users billions. And 2025 isn’t looking better.

High-profile cases included DMM Bitcoin’s $330 million loss and WazirX’s $230 million breach. Projects like Radiant Capital and Hedgey Finance were also drained. The takeaway: most DeFi platforms still treat security as optional.

Rug Pulls: Flashy Tokens, Silent Exits

Rug pulls are the simplest scam in DeFi, and they still work. In 2024 alone, 58 such incidents wiped out over $100 million. The formula is familiar: hype a token, inflate the market cap, then disappear.

Some of these were brazen. “SHARPEI,” a meme token pushed with fake celebrity endorsements, reached $54 million before the team dumped their holdings and walked away. Scams like these thrive because it’s cheap and easy to launch tokens without scrutiny.

Code Bugs Keep Draining Funds

Many DeFi losses don’t come from scams, but from bugs in the code. In one case, a DEX on Sui was exploited for $223 million due to an arithmetic error. Another, Sonne Finance, lost $20 million from copying vulnerable code.

Most of these incidents are preventable. Reused contracts, skipped audits, and weak access controls still plague the sector. In some cases, compromised private keys gave attackers full control.

Phishing Is Getting Smarter

More than ever, users, not just code, are being targeted. In 2024, phishing scams overtook other exploits in total losses. Scammers used fake sites, social impersonation, and malicious links to steal private keys or approvals.

Some tactics involved bribing insiders. Others tricked developers into handing over contract access. As smart contracts improve, more attackers are simply bypassing them and going after users directly.

Security Signaling Is Rare, but It Works

While most of DeFi scrambles to keep up, a few platforms are showing what a preventive approach looks like. For example, DEXTools, a DeFi analytics platform, has remained unbreached for five years. It doesn’t hold user funds, but it does introduce friction through risk scores, contract analysis, and live threat detection that helps users spot danger before it’s too late.

Its token rating system, DEXTscore, flags warning signs such as limited liquidity, owner control, or hidden traps. In a space that’s still driven by FOMO, even a basic warning system can reduce damage.

What Needs to Change

The core problems, like unchecked code, permissionless scams, and low user awareness, aren’t new. But they’re still unsolved. Better audits and more rigorous testing would help. So would clearer risk signaling.

Tools that give users better context before they click, buy, or connect are still the exception. And that needs to change. DeFi won’t grow unless security becomes a default, not a feature.

Disclaimer. The information provided does not, and is not intended to, constitute financial advice; instead, all information, content, and materials are for general informational purposes only. Information may not constitute the most up-to-date information and readers must do their own due diligence and assume responsibility for their own actions. Links to other third-party websites are only for the convenience of the reader, user or browser; Cryptopolitan and its members do not recommend or endorse contents of the third-party sites.
