2025 was not defined by new vulnerabilities. It was defined by where losses actually occurred.
Despite years of investment in smart contract audits, over 83% of all losses in 2025 came from access control failures and infrastructure compromise, not from exotic contract exploits. The dominant failure modes were operational, permission-based, and human-controlled.
This report analyzes every major loss event of 2025, breaking them down by attack vector, chain, category, and systemic pattern. The conclusion is unambiguous:
Web3 no longer fails at the execution layer. It fails at the control layer.
Key Incidents That Defined 2025
Unlike prior years, 2025 losses were persistent and distributed, not dominated by a single exploit class.
Major Incidents Snapshot
| Incident | Loss | Primary Cause |
|---|---|---|
| Balancer v2 & forks | $137.4M gross | Accounting & precision loss, composability failure |
| Stream Finance | $93.0M | Privileged function abuse |
| BtcTurk | $48.0M | Hot wallet access control failure |
| CoinDCX | $44.2M | Compromised infrastructure |
| GMX | $42.0M | Accounting & logic errors |
| SwissBorg | $41.5M | Third-party infrastructure compromise |
| Upbit | $36.0M | Hot wallet compromise |
| Hyperliquid (user key) | $21.0M | Private key compromise |
| Yearn (yETH) | $9.0M | Infinite mint logic flaw |
These incidents span DeFi, CEXs, and users, but they share one trait: failure of permissions, controls, or operational safeguards.
Losses by Attack Vector
Attack Vector Share of 2025 Losses
| Attack Vector | Share |
|---|---|
| Access Control & Privileged Abuse | ~43% |
| Infrastructure / Hot Wallets | ~40% |
| Logic & Accounting Errors | ~12% |
| User-Layer / Phishing | ~4% |
| Oracle Manipulation | ~1% |
| Front-End Attacks | <0.1% |
Interpretation
- Access control replaced reentrancy as Web3’s most expensive vulnerability class.
- Infrastructure losses rivaled access control, proving that most damage now happens off-chain.
- Logic bugs still exist, but they are secondary contributors, not primary drivers.
Who Actually Lost the Money
Losses by Category
| Category | Share |
|---|---|
| Centralized Exchanges | ~56% |
| DeFi Protocols | ~39% |
| Users / Wallets | ~4% |
| Other | ~1% |
CEXs remain the largest sink of capital loss due to liquidity concentration and weak operational controls. DeFi losses are fewer but structurally more complex.
Losses by Blockchain / Ecosystem
Ethereum and EVM chains absorbed the majority of losses simply because they host the most capital.
| Chain | Loss Share |
|---|---|
| Ethereum + L2s | ~70% |
| CEX (Chain-Agnostic) | ~21% |
| Bitcoin | ~15% |
| Solana | ~7% |
| Others | ~5% |
This is not a security indictment of Ethereum. It is a capital distribution reality.
H1 vs H2 2025: The Shift That Matters
H1 2025
- Mega breaches (Bybit)
- Single-event dominated
- Infrastructure failures set the tone
H2 2025
- Fewer mega breaches
- Persistent $20–100M incidents
- Access control and accounting failures dominated
Lower totals did not mean lower risk.
They meant attack surface diffusion.
Systemic Risk Themes Identified
- Composability risk is underpriced
- Security tooling is static, attackers are adaptive
- Operational security is now the primary perimeter
- User losses are institutional in scale
- Known patterns failed repeatedly due to lack of enforcement
Evidence-Backed Priorities for 2026
Priority 1: Enforced Access Control
- Role isolation
- Privilege decay
- Runtime permission monitoring
Priority 2: Continuous Detection
- Always-on scanners
- Admin behavior anomaly alerts
Priority 3: Composability Standards
- Shared risk disclosures
- Circuit breakers
Priority 4: User Safety by Design
- Spend limits
- Transaction simulation
- Delayed withdrawals
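Priorities 1 and 4 name the controls; this added example (not code from the report) shows how role isolation, privilege decay, spend limits and delayed withdrawals combine in one on-chain treasury. The contract name, role names, the 30-day grant cap and the constructor parameters are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the report's code: a minimal ETH treasury that enforces the
// Priority 1 and Priority 4 controls. Role names, limits and TTL cap are hypothetical.
contract GuardedTreasury {
    bytes32 public constant ROLE_GRANTER = keccak256("ROLE_GRANTER"); // manages roles only
    bytes32 public constant ROLE_SPENDER = keccak256("ROLE_SPENDER"); // queues withdrawals only
    // Privilege decay: a grant is a timestamp after which the role silently ends.
    mapping(bytes32 => mapping(address => uint64)) public roleExpiry;
    uint256 public immutable spendLimitPerDay; // spend limit
    uint256 public immutable withdrawDelay;    // delayed withdrawals
    uint256 public spentToday;
    uint256 public dayStart;
    struct Pending { address to; uint256 amount; uint256 readyAt; }
    mapping(uint256 => Pending) public queue;
    uint256 public nextId;
    modifier onlyRole(bytes32 role) {
        require(roleExpiry[role][msg.sender] > block.timestamp, "role missing or expired");
        _;
    }
    constructor(uint256 limit, uint256 delay) payable {
        spendLimitPerDay = limit;
        withdrawDelay = delay;
        dayStart = block.timestamp;
        roleExpiry[ROLE_GRANTER][msg.sender] = uint64(block.timestamp + 365 days);
    }
    // Role isolation: the granter key can never move funds; the spender key can never grant.
    function grantRole(bytes32 role, address account, uint64 ttl) external onlyRole(ROLE_GRANTER) {
        require(ttl <= 30 days, "ttl too long"); // short-lived grants must be renewed deliberately
        roleExpiry[role][account] = uint64(block.timestamp) + ttl;
    }
    function queueWithdraw(address to, uint256 amount) external onlyRole(ROLE_SPENDER) returns (uint256 id) {
        if (block.timestamp >= dayStart + 1 days) { dayStart = block.timestamp; spentToday = 0; }
        require(spentToday + amount <= spendLimitPerDay, "daily spend limit");
        spentToday += amount;
        id = nextId++;
        queue[id] = Pending(to, amount, block.timestamp + withdrawDelay);
    }
    // The delay is the window in which monitoring (Priority 2) can cancel an anomalous request.
    function cancelWithdraw(uint256 id) external onlyRole(ROLE_GRANTER) { delete queue[id]; }
    function executeWithdraw(uint256 id) external {
        Pending memory p = queue[id];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        delete queue[id]; // clear state before the external call
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
    }
}
```

A spender key that is compromised can only queue at most one day's limit, and every queued request sits in the delay window where a monitored granter can cancel it; an expired grant needs no revocation transaction to stop working.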
Conclusion
2025 ended the myth that audits equal security.
The dominant failures were known, preventable, and repeatedly ignored. Security in 2026 will be judged not by reports, but by control enforcement, runtime visibility, and operational discipline.
