DeFi Planet
The Biggest Hacks and Exploits in DeFi History & What We Can Learn from Them

27 May 2025
in Articles, Opinion

Last updated on June 20th, 2025 at 03:24 pm

DeFi’s promise of decentralized money, as we have painfully seen, comes with the peril of irreversible code vulnerabilities, poor architecture, and inadequate auditing. That makes the space a magnet not just for investors and developers but also for sophisticated cybercriminals.

Since Bitcoin’s inception, the crypto space has seen a long line of hacks, from simple phishing scams to highly sophisticated smart contract exploits. According to Chainalysis, DeFi protocol hacks were the main driver of the surge in stolen cryptocurrency in 2021 and 2022, with attackers taking about $3.1 billion from DeFi protocols in 2022 alone.

[Figure: Yearly total value stolen in crypto hacks. Source: Chainalysis]

The sad but true fact is that attackers are growing more refined as the infrastructure scales. Chainalysis counted 303 hacking incidents in 2024, up from 282 in 2023, highlighting how exposed these systems remain. The biggest heists often trace back to a single flaw: an overlooked bug in smart contract code, a compromised private key, or a point of centralized control inside a supposedly decentralized system.

This article looks at some of the most notorious breaches in crypto and DeFi history, breaking down what went wrong, how the industry responded, and what builders and investors can learn going forward.

The Most Devastating DeFi Exploits to Date

1. Mt. Gox (2014)

  • Loss: 850,000 BTC (about $460 million at the time)
  • Type of Attack: Theft from exchange hot wallets
  • Vulnerability: Transaction malleability, plus a lack of internal controls and reconciliation
  • Recovery: Partial; about 200,000 BTC were later found in an old-format wallet

Mt. Gox wasn’t a DeFi protocol in the modern sense, but the scale of the breach revealed in 2014 makes it a foundational event in crypto’s security narrative. At its peak, Mt. Gox handled over 70% of all global Bitcoin transactions.

But behind the scenes, its security practices were dangerously flawed. The exchange kept most customer funds in hot wallets, had no meaningful internal audits, and never reconciled its own ledger against the blockchain. That left the door wide open to theft that, later investigations suggest, had been going on for years before anyone noticed.

One vulnerability the company blamed was transaction malleability: a third party can re-encode the signature data in an unconfirmed transaction so that its transaction ID changes while the payment itself is unaffected. Mt. Gox tracked withdrawals by transaction ID, so when the modified copy confirmed under a different ID, its systems concluded the withdrawal had failed and sent the funds again. A caveat practitioners should know: later analysis of the blockchain found that malleability attacks could account for only a fraction of the missing coins, so the bulk of the loss is generally attributed to earlier, unnoticed theft from the hot wallets rather than to this bug alone.
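The following Python example is added here and is not part of the original article or of any Mt. Gox code. It serialises a toy pre-SegWit transaction, re-encodes the scriptSig pushes the way a malleator could (same data, different bytes), and then compares two pieces of exchange bookkeeping: one that matches withdrawals by txid and therefore concludes the payment failed, and one that matches on what the transaction actually does (coins spent and outputs paid). The transaction contents, signature, public key and addresses are constructed dummies; the serialisation and the double-SHA-256 txid follow the real legacy format.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, List


def dsha256(b: bytes) -> bytes:
    """Bitcoin's double SHA-256; the txid is this hash of the serialized transaction."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)


@dataclass
class TxIn:
    prev_txid: bytes   # 32 bytes, internal byte order
    vout: int
    script_sig: bytes  # <sig> <pubkey> pushes; not covered by the signature itself


@dataclass
class TxOut:
    value: int         # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    inputs: List[TxIn]
    outputs: List[TxOut]
    version: int = 1
    locktime: int = 0


def serialize(tx: Tx) -> bytes:
    """Legacy (pre-SegWit) wire format: the exact bytes the txid commits to."""
    out = struct.pack("<i", tx.version) + varint(len(tx.inputs))
    for i in tx.inputs:
        out += i.prev_txid + struct.pack("<I", i.vout) + varint(len(i.script_sig)) + i.script_sig
    out += varint(len(tx.outputs))
    for o in tx.outputs:
        out += struct.pack("<q", o.value) + varint(len(o.script_pubkey)) + o.script_pubkey
    return out + struct.pack("<I", tx.locktime)


def txid(tx: Tx) -> str:
    return dsha256(serialize(tx))[::-1].hex()


def effect_id(tx: Tx) -> str:
    """Identifies what the transaction does (coins spent, destinations paid).
    scriptSig is excluded, so re-encoding a signature cannot change this value."""
    h = hashlib.sha256()
    for i in tx.inputs:
        h.update(i.prev_txid + struct.pack("<I", i.vout))
    for o in tx.outputs:
        h.update(struct.pack("<q", o.value) + o.script_pubkey)
    return h.hexdigest()


def push(data: bytes) -> bytes:
    """Minimal direct push (opcode == length) for 1..75 bytes of data."""
    return bytes([len(data)]) + data


def malleate_script_sig(script: bytes) -> bytes:
    """Re-encode every direct push as OP_PUSHDATA1 (0x4c). The script pushes exactly
    the same bytes and still validates, but the serialization, and so the txid, changes."""
    out, i = b"", 0
    while i < len(script):
        op = script[i]
        if 1 <= op <= 0x4B:
            out += b"\x4c" + bytes([op]) + script[i + 1:i + 1 + op]
            i += 1 + op
        else:
            out += bytes([op])
            i += 1
    return out


def malleate(tx: Tx) -> Tx:
    """Third-party malleation: anyone who sees the unconfirmed transaction can do this."""
    return Tx([TxIn(i.prev_txid, i.vout, malleate_script_sig(i.script_sig)) for i in tx.inputs],
              list(tx.outputs), tx.version, tx.locktime)


class WithdrawalTracker:
    """Exchange-side bookkeeping; key_fn decides what a withdrawal is matched on."""
    def __init__(self, key_fn: Callable[[Tx], str]):
        self.key_fn = key_fn
        self.pending: dict = {}

    def submit(self, tx: Tx) -> None:
        self.pending[self.key_fn(tx)] = tx

    def on_confirmed(self, tx: Tx) -> None:
        self.pending.pop(self.key_fn(tx), None)

    def looks_unconfirmed(self, tx: Tx) -> bool:
        return self.key_fn(tx) in self.pending


def demo() -> dict:
    # Constructed withdrawal: dummy 70-byte signature and 33-byte pubkey, 0.5 BTC to a P2PKH script.
    sig, pubkey = b"\x30" + b"\x44" * 69, b"\x02" + b"\xab" * 32
    tx = Tx(inputs=[TxIn(b"\x11" * 32, 0, push(sig) + push(pubkey))],
            outputs=[TxOut(50_000_000, b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac")])
    mal = malleate(tx)
    by_txid, by_effect = WithdrawalTracker(txid), WithdrawalTracker(effect_id)
    for tracker in (by_txid, by_effect):
        tracker.submit(tx)          # the exchange broadcasts tx ...
        tracker.on_confirmed(mal)   # ... but the chain confirms the malleated copy
    return {
        "txid_changed": txid(tx) != txid(mal),
        "effect_unchanged": effect_id(tx) == effect_id(mal),
        "naive_would_resend": by_txid.looks_unconfirmed(tx),
        "robust_would_resend": by_effect.looks_unconfirmed(tx),
    }
```

Bitcoin Core’s standardness rules now reject non-minimal pushes, and SegWit moved witness data out of the bytes the txid commits to, so this particular trick no longer works on mainnet. The operational lesson survives unchanged: a custodian must reconcile against what the chain actually did, not against identifiers in its own database.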

In early 2014, withdrawal delays sparked user panic. On February 7, Mt. Gox froze all Bitcoin withdrawals, citing “technical issues.” Less than a month later, it declared bankruptcy. And a deeper internal investigation revealed the horrifying truth—850,000 BTC had vanished. This revelation sent shockwaves through the crypto industry, causing widespread panic. 

A small glimmer of hope emerged in March 2014, when the exchange announced it had located 200,000 BTC in an old-format wallet. This reduced the total losses to 650,000 BTC, but it was still an astronomical amount. 

2. Poly Network (2021) – The Largest DeFi Hack… Briefly

  • Loss: Over $610 million
  • Type of Attack: Smart Contract Exploit
  • Vulnerability: Cross-chain verification flaw
  • Recovery: Most funds were returned by the attacker

In August 2021, Poly Network, a protocol enabling cross-chain asset swaps, was drained of roughly $610 million across Ethereum, BNB Chain and Polygon. The flaw was in how Poly’s EthCrossChainManager contract executed relayed cross-chain calls: any user-originated cross-chain message was attested by the network’s “keepers” and then executed against whatever target contract and method the message named, and the manager was also the owner of the EthCrossChainData contract that stores the keeper public keys. The attacker crafted a message whose target was that data contract and whose method name was chosen so that its four-byte function selector matched the privileged keeper-rotation function. The manager dutifully executed it, replaced the keepers with a key the attacker controlled, and from that point the attacker could sign withdrawal instructions for the asset contracts at will.
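As an added example (not Poly Network’s code), here is that control-flow flaw in a few dozen lines of Python. Keeper signatures are modelled as a set of attesting names rather than ECDSA, the contracts are plain classes, and the privileged method is called by name rather than through the selector collision the real attacker used; none of that changes the point, which is that a relay that executes arbitrary relayed calls against its own privileged storage can be made to rotate its own trust roots. `run_attack(False)` reproduces the drain; `run_attack(True)` adds the target allowlist that stops it. Balances, names and the four-keeper set are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class CrossChainMessage:
    target: str                  # contract the manager will call on the destination chain
    method: str                  # function to call on it
    args: tuple
    attested_by: FrozenSet[str]  # keepers that signed the relay block (stand-in for ECDSA signatures)


class CrossChainData:
    """Privileged storage owned by the manager (the role of Poly's EthCrossChainData)."""
    def __init__(self, owner: str, keepers: Set[str]):
        self.owner, self.keepers = owner, set(keepers)

    def put_cur_epoch_con_pub_key_bytes(self, caller: str, new_keepers: Tuple[str, ...]) -> None:
        if caller != self.owner:
            raise PermissionError("only the manager may rotate keepers")
        self.keepers = set(new_keepers)


class LockProxy:
    """Asset vault; releases tokens only when the manager says a deposit happened elsewhere."""
    def __init__(self, manager: str, balance: int):
        self.manager, self.balance, self.paid = manager, balance, {}

    def unlock(self, caller: str, to: str, amount: int) -> None:
        if caller != self.manager:
            raise PermissionError("only the manager may unlock")
        if amount > self.balance:
            raise ValueError("insufficient vault balance")
        self.balance -= amount
        self.paid[to] = self.paid.get(to, 0) + amount


class CrossChainManager:
    ADDRESS = "manager"

    def __init__(self, data: CrossChainData, contracts: Dict[str, object],
                 allowed_targets: Optional[Set[str]]):
        self.data, self.contracts, self.allowed_targets = data, contracts, allowed_targets

    def verify_header_and_execute(self, msg: CrossChainMessage):
        # Quorum against the *current* keeper set: at least 2/3 of keepers must have attested.
        signed = len(msg.attested_by & self.data.keepers)
        if signed * 3 < len(self.data.keepers) * 2:
            raise PermissionError("keeper quorum not met")
        # The fix: relayed messages may only reach the asset contracts, never the manager's
        # own privileged storage. The vulnerable deployment had no such restriction.
        if self.allowed_targets is not None and msg.target not in self.allowed_targets:
            raise PermissionError(f"relayed call to {msg.target!r} is not allowed")
        return getattr(self.contracts[msg.target], msg.method)(self.ADDRESS, *msg.args)


def run_attack(hardened: bool) -> dict:
    honest = frozenset({"keeper1", "keeper2", "keeper3", "keeper4"})
    data = CrossChainData(owner=CrossChainManager.ADDRESS, keepers=set(honest))
    vault = LockProxy(CrossChainManager.ADDRESS, balance=610_000_000)
    manager = CrossChainManager(data, {"data": data, "vault": vault},
                                allowed_targets={"vault"} if hardened else None)
    # Step 1: the attacker submits an ordinary cross-chain call from a source chain. The relay
    # attests any user-originated event, so the honest keepers sign it without inspecting the target.
    swap = CrossChainMessage("data", "put_cur_epoch_con_pub_key_bytes", (("attacker",),), honest)
    outcome = {"keeper_swap_blocked": False, "drained": 0}
    try:
        manager.verify_header_and_execute(swap)
    except PermissionError:
        outcome["keeper_swap_blocked"] = True
    # Step 2: whoever is in the keeper set now can attest a fake unlock with a 1-of-1 quorum.
    drain = CrossChainMessage("vault", "unlock", ("attacker", 610_000_000), frozenset({"attacker"}))
    try:
        manager.verify_header_and_execute(drain)
        outcome["drained"] = vault.paid.get("attacker", 0)
    except PermissionError:
        pass
    outcome["keepers"] = sorted(data.keepers)
    return outcome
```

The allowlist is the narrowest fix. A more robust design keeps the keeper set behind a separate governance path (timelock plus its own signers) that relayed messages cannot reach at all, so that no selector trick or new target can touch it.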

The Poly Network team was able to quickly identify the wallet addresses used by the attacker to drain the funds across the different blockchains. As soon as this was discovered, the community, including exchanges, began blacklisting the wallet addresses to prevent further movement of the stolen assets. 

In an unusual twist, the hacker returned most of the funds after claiming the exploit was a white-hat exercise. While the damage was reversed, the event exposed the complexities of cross-chain architecture and the need for airtight validation mechanisms.

3. Wormhole (2022) – $320M Drained from a Bridge

  • Loss: ~120,000 ETH (then ~$320 million)
  • Type of Attack: Smart contract exploit
  • Vulnerability: Signature verification bypass (the Solana program did not check the identity of the sysvar account it read)
  • Recovery: Losses were covered by Jump Crypto; the status of the stolen ETH is unknown

Wormhole was one of the earliest Solana-Ethereum bridges facilitating cross-chain token transfers. In February 2022, an attacker found a bug in the bridge’s Solana program and minted 120,000 wrapped ETH (wETH) on Solana, worth over $320 million at the time, without depositing any ETH on Ethereum. The bridge only mints after its guardians’ signatures have been verified, and on Solana that verification is done by a separate native program earlier in the same transaction; the bridge confirmed it had run by reading the transaction’s instruction list from the Instructions sysvar account. The program used a deprecated loading function that did not check that the account it was handed really was that sysvar, so the attacker passed in an account they had created themselves, with fabricated data saying the guardian signatures had been verified. The bridge accepted the forged signature set, minted the wETH, and the attacker moved most of it to Ethereum.
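The missing account-identity check, as an added Python simulation (not Wormhole’s Rust program). Accounts, the sysvar encoding and the number of guardian signatures in the fabricated data are constructed stand-ins; the Instructions sysvar and secp256k1 program addresses are the real Solana ones. The bug is the one-line difference between the two loaders.

```python
from dataclasses import dataclass
from typing import List

SYSVAR_INSTRUCTIONS_ID = "Sysvar1nstructions1111111111111111111111111"  # real Solana sysvar address
SECP256K1_PROGRAM_ID = "KeccakSecp256k11111111111111111111111111111"   # real native program address
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
BRIDGE_PROGRAM_ID = "BridgeProgramConstructedForDemo"                  # constructed


@dataclass
class Instruction:
    program_id: str
    data: bytes


@dataclass
class AccountInfo:
    key: str
    data: bytes  # for the real sysvar: the runtime-serialized instruction list of the current tx


def encode_instructions(ixs: List[Instruction]) -> bytes:
    """Simplified stand-in for the runtime's sysvar layout: count, then (pid_len, pid, data_len, data)."""
    out = bytes([len(ixs)])
    for ix in ixs:
        pid = ix.program_id.encode()
        out += bytes([len(pid)]) + pid + len(ix.data).to_bytes(2, "little") + ix.data
    return out


def load_instructions(data: bytes) -> List[Instruction]:
    n, i, ixs = data[0], 1, []
    for _ in range(n):
        pl = data[i]
        pid = data[i + 1:i + 1 + pl].decode()
        i += 1 + pl
        dl = int.from_bytes(data[i:i + 2], "little")
        i += 2
        ixs.append(Instruction(pid, data[i:i + dl]))
        i += dl
    return ixs


def load_instruction_at(index: int, account: AccountInfo) -> Instruction:
    """Deprecated style: trusts whatever account the caller passed in."""
    return load_instructions(account.data)[index]


def load_instruction_at_checked(index: int, account: AccountInfo) -> Instruction:
    """Checked style: refuses anything that is not the real Instructions sysvar."""
    if account.key != SYSVAR_INSTRUCTIONS_ID:
        raise ValueError("not the instructions sysvar")
    return load_instructions(account.data)[index]


def verify_signatures(sysvar_account: AccountInfo, loader, guardian_count: int, quorum: int) -> int:
    """Returns how many guardian signatures the preceding instruction verified. The bridge relies
    on the secp256k1 native program (instruction 0 of the same transaction) having done the work."""
    ix = loader(0, sysvar_account)
    if ix.program_id != SECP256K1_PROGRAM_ID:
        raise ValueError("preceding instruction is not a secp256k1 verification")
    verified = ix.data[0]  # stand-in: first byte = number of signatures the native program checked
    if verified > guardian_count or verified < quorum:
        raise ValueError("guardian quorum not reached")
    return verified


def attack(use_checked_loader: bool) -> dict:
    # The attacker's real transaction: instruction 0 is a harmless system transfer, not a
    # secp256k1 check, so the genuine sysvar shows no guardian verification at all.
    real_sysvar = AccountInfo(SYSVAR_INSTRUCTIONS_ID, encode_instructions([
        Instruction(SYSTEM_PROGRAM_ID, b"\x02transfer"),
        Instruction(BRIDGE_PROGRAM_ID, b"verify_signatures"),
    ]))
    # The attacker-supplied account: any address, with data that *claims* 19 signatures were verified.
    fake_sysvar = AccountInfo("AttackerOwnedFakeSysvarAccount", encode_instructions([
        Instruction(SECP256K1_PROGRAM_ID, bytes([19])),
    ]))
    loader = load_instruction_at_checked if use_checked_loader else load_instruction_at
    result = {"minted_weth": 0, "rejected": None, "real_sysvar_says": None}
    try:
        verify_signatures(fake_sysvar, loader, guardian_count=19, quorum=13)
        result["minted_weth"] = 120_000  # "verified" signature set -> post_vaa -> complete_wrapped mints
    except ValueError as e:
        result["rejected"] = str(e)
    try:
        verify_signatures(real_sysvar, loader, guardian_count=19, quorum=13)
        result["real_sysvar_says"] = "accepted"
    except ValueError as e:
        result["real_sysvar_says"] = str(e)
    return result
```

The general rule on Solana is that every account a program reads must be validated (expected address, expected owner program, expected discriminator) before its contents are trusted; the program had done that for its own accounts and missed the sysvar.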

After the breach, the Wormhole team patched the program to use the checked sysvar loader, and Jump Crypto, the Jump Trading arm that backs Wormhole, replaced the missing ETH to keep the bridge solvent. The hack underscored the fragility of bridge protocols, now regarded as one of DeFi’s most vulnerable vectors.

4. Ronin Bridge (2022)

  • Loss: ~$625 million
  • Type of Attack: Private key compromise
  • Vulnerability: Centralized validator model
  • Recovery: Partial; some assets recovered; ongoing lawsuits and investigations

The Ronin Bridge was used by Sky Mavis, the creator of the popular play-to-earn game Axie Infinity, to move assets between Ethereum and the Ronin Network. In March 2022, attackers stole approximately 173,600 ETH and 25.5 million USDC, together worth around $625 million. The breach went unnoticed for nearly a week, until a user’s failed withdrawal raised red flags.

Ronin’s bridge was secured by nine validators, five of whom had to sign a withdrawal. Sky Mavis ran four of them, and months earlier, during a period of heavy traffic, the game’s governance body, the Axie DAO, had allowlisted Sky Mavis’s infrastructure to sign on behalf of the DAO’s validator. Critically, that allowlist was never revoked when the arrangement ended. After compromising Sky Mavis’s systems, the attackers (later attributed by the US Treasury to North Korea’s Lazarus Group) controlled the four Sky Mavis validators and, through the stale allowlist, the DAO validator too: exactly the five signatures needed to authorize two massive withdrawals.

While Sky Mavis has since expanded its validator set and introduced stronger monitoring, the hack reignited debate over how centralized some supposedly “decentralized” systems really are.

5. Bybit (2025) 

  • Loss: ~$1.5 billion
  • Type of Attack: Front-end supply-chain compromise
  • Vulnerability: Wallet provider’s developer environment compromised; malicious JavaScript injected into the wallet’s web interface
  • Recovery: Under investigation; funds largely unrecovered

In February 2025, Bybit became the victim of the largest crypto heist to date, not through a smart contract flaw but through a compromised user interface. The attackers compromised a developer machine at Safe, the provider of the multisig wallet software Bybit used for its cold storage, and injected malicious JavaScript into the Safe{Wallet} web front-end served to users. The FBI has attributed the theft to North Korean actors.

The rogue script was targeted: it activated only for Bybit’s multisig address, and it altered what the signers saw when approving a transaction. Bybit’s signers believed they were approving a routine transfer from the cold wallet to a warm wallet; what they actually signed was a delegatecall into attacker-controlled code that replaced the wallet’s implementation contract. With that one signed transaction the attackers took control of the wallet and drained roughly 401,000 ETH.

Although the back-end contracts and blockchain systems remained untouched, the attack showed that even the most secure protocols are vulnerable when front-end systems are compromised. The incident sparked urgent calls across the industry to treat UI code with the same rigour as smart contracts—highlighting a blind spot in crypto security architecture.

Lessons Learned

Each hack/attack described above offers a different lesson for DeFi teams, security auditors, and users.

1. Use Cold Wallets + Multisig for Asset Storage

Mt. Gox taught the industry the dangers of hot wallets. Most exchanges today keep the bulk of assets in cold storage behind multisig, so that no single key or machine can move funds. If your DeFi protocol holds significant assets, separate cold from hot funds, put the cold funds behind multisig, and reconcile your internal ledger against the chain rather than against your own transaction records.

Users, for their part, should avoid storing large amounts of cryptocurrency on centralized exchanges. Not your keys, not your coins. The collapse of Mt. Gox left thousands of users without access to their funds. Self-custody solutions, such as hardware wallets, offer greater protection, provided the user verifies what the device asks them to sign.

2. Audit Smart Contracts Regularly

Poly Network and Wormhole were both victims of coding flaws that could have been identified in advance. Audits are now common—but they’re not bulletproof. Teams must run multiple independent audits, engage in bug bounty programs, and revisit contracts as the protocol evolves.

3. Bridge Protocols Are Still a Minefield

Both Wormhole and Ronin highlight the systemic risk in bridge architecture. Most bridges rely on an off-chain set of signers or relayers to attest that a deposit happened on the other chain, and the destination chain has no way to check that claim for itself; whoever controls, or fools, that attestation layer controls the vault. That makes bridges fundamentally more fragile than a swap settled on a single chain. Developers should minimize the attack surface, validate every account and target the relay touches, and explore trust-minimized designs such as light-client or zero-knowledge verification of the source chain, or native asset bridges that avoid wrapped tokens altogether.

4. Front-End Security Matters

Bybit’s case makes one thing clear: even a well-secured blockchain is vulnerable if the interface is compromised. Web front-ends must be built from pinned and reviewed dependencies, deployed through a release pipeline that no individual laptop can bypass, served with integrity controls, monitored for unexpected changes, and audited with the same rigour as contract code. On the signing side, the screen is not the source of truth: signers should verify the transaction hash, target, operation type and calldata on an independent device or tool before approving, and treat any delegatecall from a treasury wallet as a red flag.
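An added Python example of that independent pre-signing review, serving both the Bybit case above and this lesson; it is not Safe’s code or Bybit’s. The `SafeTx` fields are the real ones a Safe owner signs, and `0xa9059cbb` is the real ERC-20 `transfer(address,uint256)` selector. The digest uses SHA-256 as a stand-in for the EIP-712 keccak-256 safeTxHash (a production checker must use keccak with the Safe domain separator and type hash), and every address, amount and the malicious calldata are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

OP_CALL, OP_DELEGATECALL = 0, 1
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
ZERO = "0x" + "00" * 20


@dataclass(frozen=True)
class SafeTx:
    """The fields a Safe owner signs (the SafeTx EIP-712 struct)."""
    to: str
    value: int
    data: bytes
    operation: int
    nonce: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO
    refund_receiver: str = ZERO


def tx_digest(tx: SafeTx) -> str:
    """Stand-in for safeTxHash: SHA-256 over a canonical encoding of every signed field."""
    h = hashlib.sha256()
    for field in (tx.to.lower(), tx.value, hashlib.sha256(tx.data).hexdigest(), tx.operation,
                  tx.safe_tx_gas, tx.base_gas, tx.gas_price, tx.gas_token.lower(),
                  tx.refund_receiver.lower(), tx.nonce):
        h.update(str(field).encode() + b"|")
    return "0x" + h.hexdigest()


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    return ERC20_TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes) -> Optional[Tuple[str, int]]:
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def review(tx: SafeTx, ui_digest: str, ui_recipient: str,
           allowed_targets: Set[str], allowed_recipients: Set[str]) -> List[str]:
    """Independent review of what the signer is actually being asked to sign (tx) against what the
    web front-end displayed (ui_*). Returns findings; sign only if the list is empty."""
    findings = []
    if ui_digest.lower() != tx_digest(tx).lower():
        findings.append("digest shown by the UI does not match the payload being signed")
    if tx.operation == OP_DELEGATECALL:
        findings.append("DELEGATECALL: target code would run against the Safe's own storage")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not an allow-listed contract")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None and tx.data:
        findings.append("calldata is not a plain ERC-20 transfer")
    elif decoded:
        recipient, _ = decoded
        if recipient.lower() != ui_recipient.lower():
            findings.append(f"UI shows recipient {ui_recipient} but calldata pays {recipient}")
        if recipient.lower() not in {a.lower() for a in allowed_recipients}:
            findings.append(f"recipient {recipient} is not an allow-listed wallet")
    return findings


# Constructed addresses for the demo (not real contracts or wallets).
TOKEN = "0x" + "aa" * 20
WARM_WALLET = "0x" + "bb" * 20
ATTACKER_CONTRACT = "0x" + "cc" * 20
ATTACKER_IMPL = "0x" + "dd" * 20


def benign_case() -> List[str]:
    tx = SafeTx(TOKEN, 0, encode_erc20_transfer(WARM_WALLET, 10_000 * 10**18), OP_CALL, nonce=42)
    return review(tx, tx_digest(tx), WARM_WALLET, {TOKEN}, {WARM_WALLET})


def bybit_style_case() -> List[str]:
    # The UI renders the benign transfer, but the payload handed to the signer is a delegatecall
    # into attacker code; the transfer-shaped calldata is a constructed illustration.
    shown = SafeTx(TOKEN, 0, encode_erc20_transfer(WARM_WALLET, 10_000 * 10**18), OP_CALL, nonce=42)
    signed = SafeTx(ATTACKER_CONTRACT, 0, encode_erc20_transfer(ATTACKER_IMPL, 0), OP_DELEGATECALL, nonce=42)
    return review(signed, tx_digest(shown), WARM_WALLET, {TOKEN}, {WARM_WALLET})
```

The digest comparison is the check that catches a tampered front-end regardless of what else it changes, because the hash the hardware wallet displays is computed from the real payload; the remaining checks are defence in depth for the case where the signer has no trustworthy display at all.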

5. Decentralization Must Be Real, Not Just Claimed

Ronin was exploited because of validator centralization: only five of nine validators needed to sign, and one organization effectively controlled five keys once the DAO’s stale allowlist was counted. To call a network decentralized, its keys must be held by functionally and technically independent parties, and any delegation between them must expire. Anything less is a marketing gimmick with security implications.
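An added Python example covering both the Ronin section above and this lesson (not Sky Mavis’s bridge code). It models a validator set with the operator behind each key and an optional, expiring delegation, then asks two questions a bridge should ask before it ships and on every withdrawal: can any single operator reach the signing threshold on its own, and do the signatures on this withdrawal come from enough distinct operators? Signatures are modelled as key names rather than cryptographic signatures; the validator names, the four unnamed operators and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Validator:
    key: str
    operator: str  # the organisation that actually holds this key


@dataclass(frozen=True)
class Delegation:
    """Permission for `delegate` to sign on behalf of `validator_key` (Ronin's allowlist)."""
    validator_key: str
    delegate: str
    expires_at: Optional[datetime]  # None = never expires, which is the oversight


class BridgeQuorum:
    def __init__(self, validators: Iterable[Validator], threshold: int,
                 delegations: Iterable[Delegation] = ()):
        self.validators = {v.key: v for v in validators}
        self.threshold = threshold
        self.delegations = {d.validator_key: d for d in delegations}

    def controller(self, key: str, now: datetime) -> str:
        """Who can produce a signature with this key right now."""
        d = self.delegations.get(key)
        if d and (d.expires_at is None or now < d.expires_at):
            return d.delegate
        return self.validators[key].operator

    def control_by_operator(self, now: datetime) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for key in self.validators:
            who = self.controller(key, now)
            counts[who] = counts.get(who, 0) + 1
        return counts

    def single_operator_can_reach_quorum(self, now: datetime) -> Optional[str]:
        """Deployment-time check: returns the operator that alone meets the threshold, if any."""
        for operator, n in self.control_by_operator(now).items():
            if n >= self.threshold:
                return operator
        return None

    def check_withdrawal(self, signing_keys: List[str], now: datetime,
                         min_distinct_operators: int) -> dict:
        """Per-withdrawal check: enough signatures AND enough independent organisations behind them."""
        valid = [k for k in signing_keys if k in self.validators]
        operators = {self.controller(k, now) for k in valid}
        approved = len(valid) >= self.threshold and len(operators) >= min_distinct_operators
        return {"signatures": len(valid), "distinct_operators": len(operators), "approved": approved}


DELEGATION_EXPIRY_EXAMPLE = datetime(2022, 1, 1, tzinfo=timezone.utc)  # constructed date


def ronin_scenario(delegation_expiry: Optional[datetime], min_distinct_operators: int) -> dict:
    # Constructed validator set: 4 keys run by Sky Mavis, 1 by the Axie DAO, 4 by other operators.
    vals = [Validator(f"skymavis-{i}", "SkyMavis") for i in range(1, 5)]
    vals += [Validator("axiedao-1", "AxieDAO")]
    vals += [Validator(f"other-{i}", f"Operator{i}") for i in range(1, 5)]
    q = BridgeQuorum(vals, threshold=5,
                     delegations=[Delegation("axiedao-1", "SkyMavis", delegation_expiry)])
    attack_time = datetime(2022, 3, 23, tzinfo=timezone.utc)
    # The attacker owns Sky Mavis's signing infrastructure, so every key Sky Mavis can sign with, they can.
    compromised = [k for k in q.validators if q.controller(k, attack_time) == "SkyMavis"]
    return {
        "keys_under_attacker_control": len(compromised),
        "single_operator_quorum": q.single_operator_can_reach_quorum(attack_time),
        "withdrawal": q.check_withdrawal(compromised, attack_time, min_distinct_operators),
    }
```

`ronin_scenario(None, 1)` is the deployed configuration: five keys under one operator, withdrawal approved. Either an expiry on the delegation or a minimum of three distinct operators per withdrawal would have left the attacker one signature short.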

6. Bug Bounties Are Cheaper Than Exploits

In the case of Poly Network, a hacker returned $610 million, potentially avoiding a permanent loss. A robust bug bounty program offers white hats incentives to report issues rather than exploit them. If you don’t pay hackers to find your bugs, you may end up paying them a lot more afterwards.


Final Thought: Trust is Built on Code—and Culture

The most important takeaway from these hacks isn’t that smart contracts are dangerous; it’s that decentralized systems require airtight architecture, a transparent culture, and constant vigilance. Unlike a bank, a DeFi protocol cannot reverse a confirmed transaction, and many have no way to pause at all. Once an exploit is triggered, the funds are usually gone for good.

Still, these incidents have driven innovation. The space has matured: multisig wallets are standard, audits are expected, and front-end security is under greater scrutiny. Each hack has served as an expensive lesson, forcing projects to raise their standards and users to become more security-conscious.

As DeFi continues to evolve, the industry must remember that the goal isn’t just building protocols that work—it’s building protocols that can’t be broken.

 

Disclaimer: This article is intended solely for informational purposes and should not be considered trading or investment advice. Nothing herein should be construed as financial, legal, or tax advice. Trading or investing in cryptocurrencies carries a considerable risk of financial loss. Always conduct due diligence. 

 

Olajumoke Oyaleke

Olajumoke Oyaleke is a creative writer with a passion for crafting engaging and informative guides across a variety of topics. Deeply interested in Web3 and blockchain technology, Olajumoke is dedicated to making complex concepts accessible, helping readers stay informed on the latest trends in the space. Through writing, Olajumoke aims to showcase the possibilities of Web3 and simplify its advancements for a broader audience.

© Copyright 2025 DeFi Planet

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Please enter and activate your license key for Cryptocurrency Widgets PRO plugin for unrestricted and full access of all premium features.

Add New Playlist

No Result
View All Result
  • News
    • People
    • Business
    • Crime
    • Regulation
    • Crypto
    • CBDC
  • Markets
    • Bitcoin
    • Ethereum
    • Stablecoins
    • Altcoins
    • Crypto ETFs
    • Memecoins
  • Policy
  • Articles
    • Press Releases
    • Opinion
    • Explainers
    • Guest Post
    • Sponsored
  • Directory
    • Companies
    • People
    • Products
    • Wallets
  • Multimedia
    • Videos
    • Podcasts
  • Learn
    • DeFi Basics
    • Tutorials
    • Reviews
    • Blockchain Fundamentals
  • Research
    • Case Studies
  • Explore
    • DeFi
    • Crypto Gaming
    • NFT
    • DAO
    • Metaverse
    • Glossary
  • Jobs
  • Markets Pro
    • DeFi Planet Pro
    • Spend Crypto
    • Swap Crypto
    • Coin Prices
    • Crypto Exchanges
    • Crypto Analyzer

© Copyright 2024 DeFi Planet   |   Terms & Conditions   |   Privacy Policy

-
00:00
00:00

Queue

Update Required Flash plugin
-
00:00
00:00