DeFi lending markets on EVM chains and Solana cost depositors about $3 for every $10,000 they put in over the past 12 months — a net loss rate of 3 basis points after recoveries. The figure comes from trailing non-bridge lending exploits totaling $30.9 million against an average total value locked of $99.6 billion. That’s a sliver of the perception of risk many hold, and it’s roughly the same annual rate as Americans dying from slip-and-fall accidents, according to the data.
The numbers behind the fear
The gross loss figure for DeFi lending — $30.9 million over 12 months — sounds like a lot. But set against nearly $100 billion in locked value, it shrinks. More than half of all historical DeFi hack losses come from bridge incidents, which distort the risk profile. Excluding bridges, total gross hacks hit $4.52 billion; include bridges and the number jumps to $7.75 billion. Lending markets, the data shows, have fared far better than cross-chain bridges.
Why April stood out
April 2026 was the worst month for crypto hacks since Bybit's $1.5 billion breach in 2025, with $606 million stolen. But 95% of those April losses came from just two protocols: Kelp DAO and Drift. That concentration matters. A handful of big exploits can spike monthly totals, but they don’t reflect the everyday risk of lending across dozens of markets. Diversification across protocols, the data suggests, cuts the odds of getting caught in a single blowup.
Recovery matters
Recoveries are a bigger part of the story than most headlines let on. For EVM and Solana lending markets, recovered funds reduced losses by 20% — more than double the 8% recovery rate across all DeFi. The stand-out case is Euler Finance’s 2023 flash loan exploit, where attackers returned every dollar. That kind of full restitution is rare, but it shows that lending protocols, because their code is often more audited and their communities more organized, can claw back a meaningful share.
What makes a protocol secure
Minimalist code design is emerging as a key security strategy. Each added line of smart contract code increases the attack surface. Immutability — once deployed, no one can tweak the contract — cuts future vulnerability risks. The data also shows that larger lending markets absorb smaller percentage losses during incidents, meaning scale itself can be a buffer. The takeaway for lenders: spread deposits across protocols, and pay attention to code complexity.
The next question is whether the industry can keep bridge hacks from dragging down the whole sector’s reputation. That gap — $4.5 billion versus $7.75 billion — won’t close until cross-chain security catches up.
