July 11, 2025
9 minutes of reading

How DeFi Gets Hacked: the Most Common Exploits Explained

How hackers exploit DeFi protocols — 5 common methods.

DeFi protocols manage billions of dollars without intermediaries, making them an ideal target for hackers. Open-source code, complex contracts, and rapid development create numerous vulnerabilities. Even after audits, bugs often remain unnoticed, and users are not protected from phishing and key compromise. In 2025, attacks became more sophisticated and widespread, with $2.47 billion stolen in just six months.

How exactly are DeFi protocols hacked, why are they still so vulnerable, and how can you protect your funds? We break it down in this article.

DeFi Hacking Methods

Flash Loan Attacks

A flash loan is a mechanism for obtaining an instant unsecured loan, provided it’s repaid within a single transaction. In DeFi, flash loans were originally intended as arbitrage tools, but in practice, they’ve become an effective weapon for attacks.

In 2025, flash loans continue to be used by hackers to manipulate asset prices, drain liquidity, and bypass protocol logic restrictions. Often, a combination is used: flash loan + price manipulation + calculation error. This makes protection especially difficult for young DeFi projects.

Example: Attack on Impermax

In April 2025, the Impermax protocol on the Base blockchain was attacked via a flash loan. The attacker used a flash loan to interact with Uniswap V3 pools, manipulating fee calculations and LP positions.

Due to a logic error in Impermax V3, the system miscalculated accrued fee income. The hacker caused a collateral revaluation and obtained excess funds, which were then successfully withdrawn.

Damage: $152,000–$300,000.

Example: Attack on Dexodus Finance

In May 2025, the newly launched derivatives protocol Dexodus Finance was hacked. The hacker took out a flash loan of about $10,500 and executed the attack by reusing oracle signatures.

They set an artificially low ETH price ($1,816 instead of market value), opened a 100x leveraged position, and secured profits. The vulnerability was that the protocol didn’t check the freshness of oracle signatures, allowing old data to be used.

Damage: ~$300,000.
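The Dexodus case above turns on one missing check: the protocol verified that a price report carried a valid oracle signature, but not when it was signed, so an old report with a low ETH price could be submitted again. The following is an added teaching example, not Dexodus Finance's code. It uses an HMAC as a stand-in for the oracle's signature scheme (an assumption; real oracles use public-key signatures, but the freshness and replay logic is identical), and the key, prices and timestamps are constructed. The `$1,816` figure is the stale price quoted in the article; the "current" price of 2,500 is made up.

```python
"""Signed oracle price reports: verifying the signature is not enough, the
consumer must also reject stale and replayed reports.  Constructed example;
the HMAC stands in for the oracle's real signature scheme (assumption).
Not Dexodus Finance's code."""

import hashlib
import hmac
import json

ORACLE_KEY = b"constructed-demo-oracle-key"   # stand-in for the oracle's signing key


def _payload(symbol: str, price: int, ts: int, nonce: int) -> bytes:
    # canonical encoding so signer and verifier authenticate identical bytes
    return json.dumps({"symbol": symbol, "price": price, "ts": ts, "nonce": nonce},
                      sort_keys=True).encode()


def sign_report(symbol: str, price: int, ts: int, nonce: int, key: bytes = ORACLE_KEY) -> dict:
    """What the oracle publishes: the fields plus an authenticator over them."""
    tag = hmac.new(key, _payload(symbol, price, ts, nonce), hashlib.sha256).hexdigest()
    return {"symbol": symbol, "price": price, "ts": ts, "nonce": nonce, "sig": tag}


class PriceConsumer:
    """Protocol-side verifier.  check_freshness=False reproduces the flaw the
    article describes: any validly signed report is accepted, however old."""

    def __init__(self, key: bytes, max_age: int, check_freshness: bool) -> None:
        self.key = key
        self.max_age = max_age                  # seconds a report stays usable
        self.check_freshness = check_freshness
        self.seen_nonces: set[int] = set()      # reports already consumed

    def accept(self, report: dict, now: int) -> bool:
        expected = hmac.new(self.key,
                            _payload(report["symbol"], report["price"],
                                     report["ts"], report["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["sig"]):
            return False                        # forged or tampered report
        if not self.check_freshness:
            return True                         # vulnerable: no age or replay check
        if now - report["ts"] > self.max_age:
            return False                        # stale: signed too long ago
        if report["nonce"] in self.seen_nonces:
            return False                        # replay of a report already used
        self.seen_nonces.add(report["nonce"])
        return True


def demo() -> dict:
    """Constructed timeline: an old low-price report (the $1,816 ETH figure
    from the article) re-submitted much later, plus a fresh report replayed."""
    stale = sign_report("ETH", 1816, ts=1_000, nonce=1)    # signed long ago
    fresh = sign_report("ETH", 2_500, ts=9_990, nonce=2)   # constructed current price
    now = 10_000
    naive = PriceConsumer(ORACLE_KEY, max_age=60, check_freshness=False)
    hardened = PriceConsumer(ORACLE_KEY, max_age=60, check_freshness=True)
    return {
        "naive_accepts_stale": naive.accept(stale, now),        # True: the flaw
        "hardened_accepts_stale": hardened.accept(stale, now),  # False: too old
        "hardened_accepts_fresh": hardened.accept(fresh, now),  # True: first use
        "hardened_accepts_replay": hardened.accept(fresh, now), # False: nonce seen
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The age window and nonce set are the two checks the article says were absent; in a deployed contract the nonce set is usually replaced by a monotonically increasing round or sequence number stored on-chain, which gives the same replay protection without unbounded storage.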

Smart Contract Exploits

Vulnerabilities in smart contract code are one of the main reasons for successful attacks. These include:

  • Reentrancy — when a contract is called again before updating its internal state.
  • Incorrect logic checks — flawed formulas and calculations.
  • Programmer errors, such as integer overflow.
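Reentrancy, the first item in the list above, is easiest to see with the two call orderings side by side. What follows is an added simulation written for this article, not the code of Cetus or any other protocol: a vault in plain Python that either pays out before updating its ledger (vulnerable) or zeroes the balance first and only then makes the external call (the checks-effects-interactions ordering). The recipient class models a contract whose receive hook calls back into the vault; all amounts are constructed.

```python
"""Reentrancy, simulated in plain Python.  A vault that pays out before it
updates its ledger can be drained by a recipient that re-enters withdraw()
from inside the payment callback; the checks-effects-interactions ordering
closes the hole.  Constructed teaching example, not any protocol's code."""


class Vault:
    """Minimal deposit/withdraw contract; `safe` selects the call ordering."""

    def __init__(self, reserve: int, safe: bool) -> None:
        self.reserve = reserve                 # funds held by the contract
        self.balances: dict[str, int] = {}
        self.safe = safe

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who: str, receiver) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise ValueError("nothing to withdraw")   # the "check"
        if self.safe:
            self.balances[who] = 0                     # "effect" first ...
            self._send(receiver, amount)               # ... "interaction" last
        else:
            self._send(receiver, amount)               # external call while the
            self.balances[who] = 0                     # ledger still shows a balance

    def _send(self, receiver, amount: int) -> None:
        if self.reserve < amount:
            raise RuntimeError("transfer failed: insufficient reserve")
        self.reserve -= amount
        receiver.receive(self, amount)   # control passes to the recipient's code


class ReentrantReceiver:
    """Models a contract whose receive hook calls straight back into the vault."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.received = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        try:
            vault.withdraw(self.name, self)   # re-enter before the ledger is updated
        except (ValueError, RuntimeError):
            pass   # a failed inner call does not undo the outer transfer


def run(safe: bool) -> tuple[int, int]:
    """Return (attacker_received, vault_reserve_left) for one withdrawal."""
    vault = Vault(reserve=9, safe=safe)        # 9 units belong to other users
    attacker = ReentrantReceiver("attacker")
    vault.deposit(attacker.name, 1)            # the re-entering account deposits 1
    vault.withdraw(attacker.name, attacker)
    return attacker.received, vault.reserve


if __name__ == "__main__":
    print("vulnerable ordering:", run(safe=False))          # (10, 0): reserve drained
    print("checks-effects-interactions:", run(safe=True))   # (1, 9): only own deposit paid
```

In the vulnerable ordering each nested call sees the same unchanged balance and the vault keeps paying until its reserve is empty; with the balance zeroed before the external call, the nested withdraw hits the "nothing to withdraw" check and the depositor gets exactly what they put in. A reentrancy guard (a mutex flag set for the duration of the call) is the other standard defence and composes with this ordering.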

Example: Cetus Protocol

A major exploit occurred in May 2025 on Cetus, a decentralized exchange on the Sui blockchain. The hacker found a bug in the exchange's code where “virtual liquidity” in one pool was calculated incorrectly.

The attacker exploited an integer overflow vulnerability and deposited a very small amount of tokens into the pool. Due to the coding error, the contract believed it had received a huge amount of liquidity. The hacker then took a flash loan and withdrew real funds, earning tens of millions of dollars.

Damage: ~$223 million, but validators managed to freeze ~$160 million and partially recover the funds.

Oracle Manipulation

An oracle is an external data source from which smart contracts get asset prices. Attackers exploit vulnerabilities to artificially distort prices and deceive protocols.

Example: Loopscale and Resupply

In April 2025, Loopscale protocol on Solana was attacked via a vulnerable oracle. It received token prices from DEXs without additional verification. The hacker took a flash loan and executed a trade with RateX PT tokens in a low-liquidity pair, greatly inflating its price in a single transaction.

The system saw the inflated price and allowed a large loan backed by this asset. The attacker immediately withdrew liquidity, and when the price returned to market value, the collateral was insufficient, leaving the protocol with losses.

Loopscale damage: ~$5.8 million. After negotiations, $2.9 million was returned for a bounty.

In June 2025, Resupply protocol, which managed synthetic reUSD tokens, suffered a similar attack. The hacker exploited that collateral prices were determined via ResupplyPair — a pool connected to a DEX without verification.

The steps: flash loan, large trade, price pump, collateral at inflated prices, and withdrawal of reUSD.

Resupply damage: ~$9.6 million.
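Both the flash loan section and the two oracle cases above (Loopscale and Resupply) share one mechanic: a protocol reads the spot price of a thin DEX pool inside the same transaction in which that price has just been pushed up by a large trade. The simulation below is an added example, not the code of Loopscale, Resupply, Impermax or any other project. It uses a constant-product pool with constructed reserves, values a collateral position naively off the spot price, and then applies one common mitigation (a deviation check against an independent reference such as a TWAP or second oracle); the deviation guard is a generic technique, not a reconstruction of any project's actual fix.

```python
"""Spot-price manipulation in a constant-product pool, and a guard that
refuses to value collateral off a manipulated price.  Constructed example
with made-up reserves; not any protocol's code."""

from dataclasses import dataclass


@dataclass
class Pool:
    """x*y=k pool with no fee: `x` is the collateral token, `y` the quote asset."""
    x: int
    y: int

    def spot_price(self) -> float:
        return self.y / self.x                 # quote units per collateral token

    def buy_x(self, dy: int) -> int:
        """Spend `dy` quote to buy tokens; returns the tokens received."""
        k = self.x * self.y
        new_x = k // (self.y + dy)
        dx = self.x - new_x
        self.x, self.y = new_x, self.y + dy
        return dx


def naive_collateral_value(pool: Pool, amount: int) -> float:
    """The flaw: trust the DEX spot price as-is, in the same transaction."""
    return amount * pool.spot_price()


def guarded_collateral_value(pool: Pool, amount: int, reference: float,
                             max_deviation: float = 0.05) -> float:
    """Mitigation: compare spot with an independent reference (TWAP or a second
    oracle) and refuse to lend when they disagree by more than `max_deviation`."""
    spot = pool.spot_price()
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError(f"spot {spot:.2f} deviates from reference {reference:.2f}")
    return amount * min(spot, reference)       # never value above the reference


def simulate(flash_loan: int = 90_000, ltv: float = 0.8) -> dict:
    """One manipulation attempt against a thin pool; all numbers constructed."""
    pool = Pool(x=10_000, y=10_000)            # thin pair, spot price 1.0 before the trade
    reference = pool.spot_price()              # TWAP / second-oracle price before the pump
    tokens = pool.buy_x(flash_loan)            # flash-loaned quote pumps the spot price
    naive = naive_collateral_value(pool, tokens)
    result = {
        "tokens_bought": tokens,
        "spot_after_pump": pool.spot_price(),
        "naive_value": naive,
        "naive_max_borrow": naive * ltv,       # what a naive lender would hand out
        "real_value": tokens * reference,      # what the tokens are worth unmanipulated
    }
    try:
        result["guarded_value"] = guarded_collateral_value(pool, tokens, reference)
    except ValueError:
        result["guarded_value"] = None         # loan refused by the deviation check
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the constructed reserves, 90,000 of flash-loaned quote buys 9,000 tokens and moves the spot price from 1.0 to 100.0, so a naive lender values those tokens at 900,000 and would lend 720,000 against collateral really worth 9,000; the guarded path sees a 99x deviation from the reference and refuses. Real pools charge fees and have deeper liquidity, which changes the numbers but not the shape of the problem.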

Bridge and Cross-Chain Protocol Attacks

Cross-chain bridges transfer crypto between blockchains, using deposit contracts or escrow systems. They’re often targeted because they hold large amounts of funds and have complex verification mechanisms that can contain vulnerabilities.

Main Attack Vectors:

  • Compromise of validator or multisig private keys.
  • Logic errors in bridge operations.
  • Message spoofing or oracle data manipulation.

Example: Force Bridge

In June 2025, a hacker breached Force Bridge — connecting Nervos, Ethereum, and BNB Chain — and stole millions of dollars. The vulnerability was in weak access control for real-time monitoring. The attacker tested with a $25 withdrawal before executing the full exploit.

Damage: ~$3.8 million.

Phishing and Social Engineering (Key Compromise)

In just the first half of 2025, users lost over $1.7 billion from wallet compromises and another $410 million from phishing — about 35% of all global crypto losses in this period.

Human error is the main off-chain vulnerability exploited in attacks. Hackers deceive employees or users to gain access to keys, private wallets, seed phrases, or infrastructure modules. They use everything from phishing sites to insider leaks. These attacks threaten DeFi projects, centralized exchanges, and crypto payment businesses alike.

To reduce company risks, access levels for employees must be configured properly. For example, BitHide’s crypto wallet assigns role-based access: employees only see functions and data required for their jobs without full wallet or admin access.

Example: Bybit Hack

Major centralized exchange Bybit fell victim to an attack involving social engineering and signature interface compromise. Lazarus Group hacked the environment of a wallet developer and replaced the transaction signing interface. As a result, three validators unintentionally approved a transaction that altered contract logic.

Damage: ~$1.4 billion.

Example: MetaMask

In May 2025, hackers exploited Ethereum’s new delegation feature — EIP-7702. MetaMask users received phishing pop-ups requesting “confirm delegation.” One user lost $146,551 in ETH in a single transaction.

DeFi users must remember the risks of phishing links. In another article, we explained Drainer-as-a-Service scams, which stole nearly $500 million last year.

What Happens After Hacks

Laundering via DEXs and Mixers

Attackers send stolen tokens to decentralized exchanges to convert them into stablecoins. They also use mixers like Tornado Cash and Railgun to hide fund origins. For businesses, it’s critical to check all incoming assets for AML risk to avoid freezes.

Analysts note that hackers who steal private keys usually use bridges and mixers immediately, while others use DEXs. Such tactics make fund tracking harder, but modern blockchain analytics often reveal laundering routes and repeated schemes across incidents.

Negotiations and Fund Returns

Sometimes exchanges and protocols publicly offer “white-hat” bounties — rewards for returning stolen funds. In such cases, hackers partially or fully return assets, as with Loopscale. Other successful negotiations include:

  • ZKSync Era. After an internal wallet compromise led to a $5 million loss, the team offered the hacker anonymity and a 10% bounty. The attacker returned all stolen funds.
  • zkLend. In February 2025, zkLend lost about $9 million due to a smart contract bug. Developers immediately offered the hacker 10% for voluntary return. Part of the funds were returned within a day, and talks continued via anonymous channels.

Freezing and Seizing Funds

One notable case was the operation against Russian exchange Garantex in March 2025. US, German, and Finnish law enforcement froze assets worth over $28 million and seized servers and domains linked to the exchange. Investigators reported that Garantex processed over $96 billion in transactions over several years.

Investigations and Lawsuits

In the US and Europe, prosecution of crypto fraudsters is intensifying. In June 2025, a lawsuit was filed in New York against organizers of a £330 million Ponzi scheme. Joint law enforcement efforts blocked accounts, domains, and platforms involved.

How to Protect Against DeFi Attacks

Although most DeFi attacks target smart contracts and protocol infrastructure, users usually bear direct losses. To minimize risk, follow basic security rules.

1. Use Non-Custodial Wallets

Private keys are your main access to funds. Never store them in notes apps, cloud storage, or unprotected computers. Companies should use solutions built for them, like BitHide’s non-custodial crypto wallet. Its software runs on the client’s server, so no third parties have access to private keys, assets, or business data.

2. Verify Sites Before Connecting Wallets

Scammers create phishing copies of popular DeFi services. Always check site URLs before connecting MetaMask or other wallets. Only use official links, for example from CoinGecko or CoinMarketCap.

3. Don’t Leave Large Sums in Protocols

Even audited projects can be hacked. Only keep in DeFi what you’re prepared to lose. Store assets in cold wallets or in BitHide crypto wallet.

4. Revoke Token Approvals

When you approve token access in DeFi apps, permissions can remain indefinitely, creating risk if the project is hacked. Check and revoke old approvals via specialized services.

5. Don’t Sign Unknown Transactions

If your wallet asks to confirm “delegation,” “approve,” or strange operations, stop and check their purpose. One mistake can drain your entire wallet.

6. Be Cautious on Social Media and Messengers

Avoid clicking links in chats, especially for “airdrops,” “refunds,” or “activity checks.” Scammers often impersonate project admins or support.

7. Stay Informed

Follow trusted sources (PeckShield, CertiK, ScamSniffer, Rekt.news). The sooner you learn of a protocol attack, the higher your chance to withdraw funds in time.

8. Be Wary of UX Elements

In June 2025, major incidents occurred on Cointelegraph and CoinMarketCap — hackers exploited interface element vulnerabilities (banners, “doodle” images) to inject phishing pop-ups asking users to connect wallets and confirm “rewards.” Some users lost funds.

Conclusion

DeFi remains one of the riskiest sectors in crypto. Attacks are becoming more sophisticated, causing billions in losses, and users and businesses can lose funds with a single click. The main threats are smart contract bugs, oracle price manipulation, bridge vulnerabilities, and human error.

Protecting your assets and infrastructure requires a comprehensive approach: technical security, proper access configuration, and safe tools for crypto operations.

BitHide’s business crypto wallet includes technologies that protect against exploits: encrypted callbacks, multiple IP address rotations for each transaction, and single-use addresses for fund aggregation. Contact our manager to learn how BitHide can help your business work with crypto conveniently and securely.

BitHide Team
