🛡️ DeFi Security
Over $3.8 billion has been stolen from DeFi protocols since 2020. Reentrancy attacks, flash loan exploits, oracle manipulation, rug pulls, and governance takeovers have wiped out entire protocols overnight. This hub maps every major attack vector, scores their frequency and severity, and gives you a concrete security checklist before you ever deposit.
🎯 DeFi Risk Radar
[Interactive chart: 10 attack vectors plotted by severity and frequency; larger bubbles mean higher impact.]
💀 Common Attack Vectors
Reentrancy
Exploit external call callbacks to drain funds before state updates. The DAO (2016), several Uniswap V2 pools, and many other protocols fell to this.
Oracle Manipulation
Feed false price data to protocols using spot prices as collateral valuations. Mango Markets ($114M) and many bZx forks are canonical examples.
Flash Loan Attacks
Borrow massive capital in a single tx to manipulate markets. Pancake Bunny, Harvest, Mango Markets — all exploited in one atomic transaction.
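Oracle manipulation and flash loans are two halves of the same failure: a protocol that reads the spot reserve ratio of a pool can be fed any price a single large swap produces within one transaction. The added example below (not from this page or any named protocol) contrasts a lender that quotes collateral from pool reserves with one that reads an aggregated feed and checks freshness; the `IPair` and `IAggregatorV3` interfaces mirror the shape of Uniswap V2's `getReserves` and Chainlink's `latestRoundData`, and the contract names and the `maxStaleness` parameter are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal constant-product pair interface (same shape as Uniswap V2's getReserves).
interface IPair {
    function getReserves()
        external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Aggregated price feed interface (same shape as Chainlink's AggregatorV3Interface).
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Vulnerable pattern: pool reserves as the price. Any swap in the same
// transaction (flash-loan funded or not) moves this ratio before the read.
contract SpotPriceLender {
    IPair public immutable pair;

    constructor(IPair p) { pair = p; }

    // price of token0 in token1, scaled by 1e18
    function collateralPrice() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / uint256(r0);
    }
}

// Hardened pattern: a feed aggregated off-chain across many venues, with
// sanity and staleness checks so a halted or broken feed cannot be used.
contract FeedPriceLender {
    IAggregatorV3 public immutable feed;
    uint256 public immutable maxStaleness; // seconds; slightly above the feed's heartbeat

    constructor(IAggregatorV3 f, uint256 staleness) {
        feed = f;
        maxStaleness = staleness;
    }

    // price scaled to 1e18 regardless of the feed's own decimals
    function collateralPrice() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(updatedAt != 0 && updatedAt <= block.timestamp, "bad timestamp");
        require(block.timestamp - updatedAt <= maxStaleness, "stale price");
        require(answeredInRound >= roundId, "round incomplete");
        return uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
    }
}
```

A time-weighted average price (TWAP) over many blocks is the on-chain alternative when no feed exists: it cannot be moved within one transaction, only by holding a skewed pool price across the whole averaging window, which is exactly what an atomic flash loan cannot do.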
Rug Pulls & Scams
Developers dump their tokens, deploy honeypot contracts, or exit-scam outright. Squid Game token, AnubisDAO, dozens of meme coin rugs — hardest to recover from.
Bridge Exploits
Validator key compromise, fake deposit proofs, message replay. Ronin ($625M), Wormhole ($325M), Nomad ($190M) — all bridge failures.
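The three bridge failure modes above map to three checks on the destination chain: a threshold of distinct validator keys (so one compromised key is not enough), verification of every claimed deposit against those signatures (no unsigned "proofs"), and a processed-message record bound to chain id and contract address (no replay). The added example below, not taken from this page or from Ronin, Wormhole or Nomad, shows a minimal receiver that enforces all three; the contract, event and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Destination-chain side of a message bridge. Each message is bound to the
// source chain, this chain, this contract and a nonce; it must carry at least
// `threshold` signatures from distinct validators and can execute only once.
contract BridgeReceiver {
    mapping(address => bool) public isValidator;
    uint256 public immutable threshold;
    mapping(bytes32 => bool) public processed;
    mapping(address => uint256) public credited; // stands in for the mint/release step

    event MessageExecuted(bytes32 indexed id, address recipient, uint256 amount);

    constructor(address[] memory validators, uint256 threshold_) {
        require(threshold_ > 0 && threshold_ <= validators.length, "bad threshold");
        for (uint256 i = 0; i < validators.length; i++) {
            require(validators[i] != address(0) && !isValidator[validators[i]], "bad validator");
            isValidator[validators[i]] = true;
        }
        threshold = threshold_;
    }

    // Including block.chainid and address(this) means a payload signed for one
    // chain or one deployment is not valid on any other.
    function messageId(uint256 sourceChainId, uint256 nonce, address recipient, uint256 amount)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(sourceChainId, block.chainid, address(this), nonce, recipient, amount));
    }

    function execute(
        uint256 sourceChainId, uint256 nonce, address recipient, uint256 amount,
        bytes[] calldata signatures
    ) external {
        bytes32 id = messageId(sourceChainId, nonce, recipient, amount);
        require(!processed[id], "already processed");
        processed[id] = true; // mark before doing anything else (replay protection)

        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", id));
        address last = address(0);
        uint256 valid = 0;
        for (uint256 i = 0; i < signatures.length; i++) {
            address signer = recover(digest, signatures[i]);
            // signers must be strictly ascending: the same key cannot be counted twice
            require(signer > last, "unordered or duplicate signer");
            last = signer;
            if (isValidator[signer]) valid++;
        }
        require(valid >= threshold, "insufficient validator signatures");

        credited[recipient] += amount;
        emit MessageExecuted(id, recipient, amount);
    }

    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        // reject the high-s form of each signature (malleability)
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

Threshold signatures only help if the validator set is operationally diverse: a 5-of-9 scheme where one organisation runs five of the keys is a 1-of-1 scheme in disguise, which is the lesson of the Ronin incident listed above.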
Governance Attacks
Flash-borrow governance tokens to pass malicious proposals. Beanstalk ($182M) is the canonical case — governance-as-security-model can backfire badly.
📅 Notable Hacks Timeline
✅ DeFi Security Checklist
Run through this before depositing in any protocol.
Trail of Bits, OpenZeppelin, Spearbit, Certik — not just a single audit
Immunefi or similar platform with meaningful payouts for critical bugs
Changes require a delay window (48h–7d) so users can exit if needed
No single EOA control of critical admin functions
Time in production under live conditions exposes edge cases
Protocol should maintain emergency reserves proportional to TVL
Verifiable on Etherscan — you can audit the code yourself
If a single team controls everything, it's not DeFi — it's a database with extra steps
🛠️ Personal Security Best Practices
Never keep large amounts in a hot wallet. Hardware wallets like Ledger and Trezor keep private keys offline, out of reach of phishing pages and malware running on your computer.
Check for audits from reputable firms. Multiple audits are better than one. No audit = significantly higher risk.
Don't put all your assets into one protocol. If Euler can lose $197M, any protocol can be exploited. Spread your risk.
Old token approvals can be exploited. Use tools like revoke.cash to review and revoke approvals you no longer need.
Use portfolio trackers to watch for unusual activity. Set up alerts for large withdrawals from protocols you're deposited in.
Protect Your Crypto: Hardware Wallets
The single best thing you can do for DeFi security is keep your assets in a hardware wallet when not actively using them. Your private keys never leave the device — even if your computer is compromised, your crypto stays safe.
Explore DeFi Security Topics
Common DeFi Exploits
Reentrancy, flash loan attacks, oracle manipulation, sandwich attacks — interactive visualizations of how they work and how to prevent them
How to Read an Audit Report
What auditors check, severity levels, common findings, and red flags to watch for before depositing in a protocol