Perhaps the most misleading phrase in crypto security is also the most common.
A smart contract can execute exactly as written and still be part of a theft. How? Because the code is often not the part that breaks.
We blame the smart contracts, but the weakness usually lies with the humans running the project. Attackers rarely find deep algorithmic flaws; they trick a founder into clicking a bad link, steal the keys on that machine, and change the application from within. Yet once the money moves on-chain, these failures are filed under the same catch-all category. Yes, you guessed it: DeFi hack.
That’s the problem with diagnosis.
A smart contract bug, a bridge signature compromise, an oracle failure, a governance abuse, and a stolen private key do not describe the same wound. Once the failure is misnamed, the repair begins in the wrong place.
Recent work in the Ethereum ecosystem has framed this as a control-plane problem: the security of the systems surrounding the protocol, not just the protocol's own logic. AMBCrypto takes the argument in a narrower direction. Before the industry can discuss a fix, it has to name the failure correctly.
The data makes the misclassification hard to ignore. Halborn found that in 2024, off-chain incidents accounted for 56.5% of attacks and 80.5% of stolen funds.


Chainalysis likewise found that private key compromises accounted for the largest share of cryptocurrency stolen in 2024.
So the uncomfortable question is simple: is "better code" enough when the attacker's best move is to steal the key that tells the code what to do?
If most losses come from off-chain vulnerabilities, why does the industry continue to label every major incident a DeFi hack?
The headline is not a diagnosis
“DeFi hack” works as a headline because it is short. It fails to diagnose because it hides the thing that is actually broken.
Ritesh Kakad, co-founder of XDC Network, put it bluntly when he said:
The term DeFi hack has done a lot of damage. Not because it's wrong, but because every time something breaks we use it as a stopping point instead of a starting point. Ronin and Nomad were filed under the same classification, but they were failures in the trust structure, and had nothing to do with the quality of the contract.
This distinction is important.
So, what’s actually broken?
A stolen private key, a failed bridge validator, a poisoned interface, and broken protocol logic can all end up moving funds across the chain. But they start in different places.
This is where separating the application layer from the control plane helps.


The application layer is what users touch: swaps, lending markets, vaults, transfers, and bridge activity. The control plane is what gives the system authority to act: admin keys, signers, upgrade paths, bridge validators, oracles, and governance permissions. Around both sits the human and operational layer: hardware, GitHub access, CI/CD pipelines, cloud accounts, contractor permissions, and incident response.
Yet most popular accounts collapse all of these layers into one word: hack.
Imagine opening a DeFi app and approving what looks like a routine transaction. The page looks familiar. The wallet prompt looks normal. The blockchain later records valid consent. But what if the page was altered before you ever saw it? What if the failure sits in the front end, in access credentials, or in the workflow around signing?
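To make the front-end question concrete, here is a small Python checker (an added example, not code from the article or from any wallet or dApp) that decodes the ERC-20 calldata a wallet is about to sign and compares it with what the page displayed, so a swapped spender or a silently unlimited allowance is caught before the signature is given. The selectors are the standard first four bytes of keccak256 over the ERC-20 function signatures, hard-coded because Python's hashlib has no keccak; the router and attacker addresses, the amounts, and the helper names `check_against_ui` and `encode_erc20_call` are constructed for illustration.

```python
"""Decode ERC-20 calldata and compare it with what the page showed.

Added example, not code from the article or from any wallet or dApp.
Selectors are the standard first four bytes of keccak256(signature);
they are hard-coded because hashlib has no keccak. Addresses and
amounts below are constructed for illustration.
"""

# Well-known ERC-20 selectors -> (function name, argument types)
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
UINT256_MAX = 2**256 - 1

# Constructed sample addresses: the router the UI claims to use, and the
# address a poisoned front end actually put into the transaction.
ROUTER = "0x" + "11" * 20
ATTACKER = "0x" + "de" * 20


def decode_erc20_call(calldata_hex: str) -> dict:
    """Parse selector + ABI-encoded static arguments; reject malformed input."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument length does not match the signature")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i : 32 * (i + 1)]
        if typ == "address":
            # An address occupies the low 20 bytes; the 12 high bytes must be zero.
            if any(word[:12]):
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args}


def encode_erc20_call(name: str, *args) -> str:
    """Build calldata for the sample scenarios (the inverse of decode)."""
    selector = next(s for s, (n, _) in SELECTORS.items() if n == name)
    words = []
    for typ, arg in zip(SELECTORS[selector][1], args):
        if typ == "address":
            words.append(bytes.fromhex(arg.removeprefix("0x")).rjust(32, b"\x00"))
        else:
            words.append(int(arg).to_bytes(32, "big"))
    return "0x" + selector + b"".join(words).hex()


def check_against_ui(calldata_hex: str, displayed_counterparty: str, displayed_amount: int) -> list:
    """Compare what is being signed with what the page displayed.

    Returns a list of findings; an empty list means the calldata matches.
    """
    call = decode_erc20_call(calldata_hex)
    fn, args = call["function"], call["args"]
    # For transferFrom the counterparty that matters is the recipient (second arg).
    counterparty, amount = (args[1], args[2]) if fn == "transferFrom" else (args[0], args[1])
    findings = []
    if counterparty.lower() != displayed_counterparty.lower():
        findings.append(f"{fn}: counterparty {counterparty} differs from displayed {displayed_counterparty}")
    if fn == "approve" and amount == UINT256_MAX:
        findings.append("approve: allowance is unlimited (uint256 max)")
    elif amount > displayed_amount:
        findings.append(f"{fn}: amount {amount} exceeds displayed {displayed_amount}")
    return findings


if __name__ == "__main__":
    shown = 1_000 * 10**6  # UI says: approve 1,000 USDC (6 decimals) to the router
    honest = encode_erc20_call("approve", ROUTER, shown)
    poisoned = encode_erc20_call("approve", ATTACKER, UINT256_MAX)
    print("honest  :", check_against_ui(honest, ROUTER, shown))
    print("poisoned:", check_against_ui(poisoned, ROUTER, shown))
```

The point of the check is that it reads only the bytes the wallet will sign, never the DOM: a poisoned page can render any counterparty it likes, but it cannot change what the decoded calldata says.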
How does crypto security compare to traditional technology companies?
Traditional enterprise systems usually separate these failures because each one triggers a different response. Crypto often loses that precision once the stolen funds show up on a block explorer.
| Operational layer | Enterprise standard | Common Web3 weakness |
|---|---|---|
| Access control | Limits on who can log in, from which device, and with what approval. | Administrative duties performed on personal laptops, with core team members coordinating multi-million dollar operations over ordinary Telegram or Discord chats. |
| Control plane | Layered approval systems and audit trails. | A multisig can still concentrate a great deal of authority in a small group of people and devices. |
| CI/CD | Testing, approval, and release are separated, so bad updates are harder to ship. | Compromised credentials can change what users see or what the site serves. |
The failure mode changes from one case to another
Post-mortems tell a more complex story than the headlines. Most crypto post-mortems start too late. They ask "How much was stolen?" before they ask "What actually failed?"
Take Ronin, remembered as one of crypto's defining bridge hacks. In March 2022, attackers drained 173,600 ETH and 25.5 million USDC from the Ronin Bridge. The mechanics matter here.
The Ronin Bridge required 5 of 9 validator signatures to approve a withdrawal. The attacker did not need a conventional smart contract bug to get there. Four validator keys operated by Sky Mavis were compromised. The fifth approval came through a stale Axie DAO allowlist entry, tied to Ronin's gas-free RPC setup, that let Sky Mavis sign on the DAO's behalf and had never been revoked.
Once those five approvals were obtained, the bridge treated the withdrawals as valid.
This is the part the "bridge hack" label flattens. The weakness was not the bridge as a product, or DeFi as a category. It was the authority structure around the bridge: who could approve movement, how those approvals were protected, and why an old access path still carried weight.
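The Ronin mechanics above can be reproduced in a toy model. The following Python (an added example, not code from the article, from Ronin, or from Sky Mavis) implements a 5-of-9 threshold check whose verification logic is deliberately correct, then shows that an attacker who owns the host running four validators still reaches the threshold through an unrevoked delegation, and no longer does once it is revoked. Signatures are simulated with HMAC over a shared secret standing in for a validator key (a real bridge verifies ECDSA against public keys); the host names, the custody map, the `keys_reachable` and `blast_radius` helpers, and the withdrawal are all constructed.

```python
"""A 5-of-9 bridge approval with a stale signing delegation.

Added example; not code from the article, Ronin, or Sky Mavis. HMAC over a
shared secret stands in for a validator's signature (a real bridge verifies
ECDSA against public keys). The contract-side check is intentionally
correct: the point is who can produce approvals, not whether the contract
counts them properly. Hosts, custody and the withdrawal are constructed.
"""
import hashlib
import hmac
import json
import secrets

THRESHOLD = 5
VALIDATORS = [f"validator-{i}" for i in range(1, 10)]  # 9 validators, 5 needed

# Constructed custody: one operator runs four validators, five partners run one each.
CUSTODY = {v: ("operator-infra" if i < 4 else f"partner-{i - 3}") for i, v in enumerate(VALIDATORS)}


def approval_digest(withdrawal: dict) -> bytes:
    return hashlib.sha256(json.dumps(withdrawal, sort_keys=True).encode()).digest()


def sign(key: bytes, withdrawal: dict) -> bytes:
    return hmac.new(key, approval_digest(withdrawal), hashlib.sha256).digest()


def verify_withdrawal(withdrawal: dict, approvals: dict, registry: dict, threshold: int = THRESHOLD):
    """Contract-side check: count distinct registered validators with a valid signature.

    Returns (approved?, sorted list of validators whose approvals counted).
    Unregistered signers and bad signatures are ignored, exactly as specified.
    """
    valid = set()
    for validator, sig in approvals.items():
        key = registry.get(validator)
        if key is not None and hmac.compare_digest(sig, sign(key, withdrawal)):
            valid.add(validator)
    return len(valid) >= threshold, sorted(valid)


def keys_reachable(compromised_hosts: set, custody: dict, delegations: dict) -> set:
    """Validator approvals an attacker can produce after taking over `compromised_hosts`.

    custody: validator -> host that stores its signing key.
    delegations: validator -> host allowed to approve on its behalf (the
    allowlisted gas-free RPC path in the Ronin case), live until revoked.
    """
    reachable = {v for v, host in custody.items() if host in compromised_hosts}
    reachable |= {v for v, host in delegations.items() if host in compromised_hosts}
    return reachable


def blast_radius(custody: dict, delegations: dict) -> dict:
    """Approvals each single host can produce; a value >= THRESHOLD means one host is the bridge."""
    hosts = set(custody.values()) | set(delegations.values())
    return {h: len(keys_reachable({h}, custody, delegations)) for h in sorted(hosts)}


def simulate(delegations: dict, compromised_hosts=("operator-infra",)):
    """Run one attack against the constructed deployment; returns (approved?, approvals counted)."""
    registry = {v: secrets.token_bytes(32) for v in VALIDATORS}
    withdrawal = {"to": "0x" + "ab" * 20, "amount_wei": 173_600 * 10**18, "nonce": 1}
    usable = keys_reachable(set(compromised_hosts), CUSTODY, delegations)
    approvals = {v: sign(registry[v], withdrawal) for v in usable}
    return verify_withdrawal(withdrawal, approvals, registry)


if __name__ == "__main__":
    # partner-1 once let the operator approve on validator-5's behalf and never revoked it
    stale = {"validator-5": "operator-infra"}
    print("with stale delegation:", simulate(stale))
    print("after revocation     :", simulate({}))
    print("blast radius         :", blast_radius(CUSTODY, stale))
```

Nothing in `verify_withdrawal` is wrong, and an audit of it would pass; `blast_radius` is the check that would have flagged the problem, because it counts authority per host rather than per validator.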
It’s the same story elsewhere
Ronin was not an exception. Orbit Chain, WazirX and Bybit all point to the same pattern from different angles. Even the wrench attacks in France belong to the broader diagnostic conversation. Those were not DeFi failures, but they show the same uncomfortable truth: attackers go after control, whether that control lives in the code, the multisig, the browser interface, or the person.
Where does the money go?
Broader data complicates the usual story as well.
Immunefi recorded $1.635 billion in crypto losses across 40 incidents in the first quarter of 2025 and called it the worst quarter for hacks in crypto history. But the breakdown matters.


Most of that figure came from two centralized exchanges. Combined, those two incidents accounted for roughly 94% of the quarter's losses.
That does not mean DeFi risk disappears. But in value terms the quarter was dominated by CeFi and signing-related failures, not by a wave of protocol exploits.
Chainalysis's report on theft pointed to something similar.


It also found that personal wallet compromises became a larger part of the loss picture, rising from 7.3% of value stolen in 2022 to 44% in 2024. In 2025, 158,000 individual wallet compromise incidents affected 80,000 unique victims, even as DeFi hack losses stayed subdued despite rising TVL.
Read together, the data does not allow either side to win an easy argument.
On-chain code still fails. Off-chain systems clearly fail too. The most useful pattern is that the large losses increasingly expose the machinery around the contracts: validators, signers, interfaces, wallet infrastructure, cloud systems, personal devices, and human access. And the greatest danger begins after the first failure.
Why does one small error destroy the entire system?
In DeFi, a broken assumption rarely stays where it started. A bridged asset can become collateral. Collateral can back loans. Loans can refill treasuries. Vaults can sit inside aggregators. By the time users see the headline, the risk may already have passed through several layers. This is where misdiagnosis becomes more than sloppy language.
For context: in TradFi, when a bank fails, regulators can freeze assets while they work out what happened. In DeFi, the code simply keeps executing.
Once the systems are connected, the wrong failure label can distort how the market understands each exposure built upon it.
The domino effect of interconnected risks
Composability is often treated as a great feature of DeFi. Protocols are seamlessly connected to each other, assets migrate across chains, tokens double as collateral, and liquidity is recycled endlessly across markets.
However, this frictionless design is a double-edged sword, because the same structure that accelerates growth also accelerates failure.
When a cross-chain bridge issues an asset, that asset rarely stays put. It travels. It enters lending markets, sits inside yield vaults, is routed through aggregators, or serves as collateral for entirely separate positions.
If the bridge's security model breaks, the damage cannot be contained to the bridge itself. Every downstream protocol that treats the bridged asset as a sound, native store of value inherits the break.
This is where the "money Lego" metaphor cuts both ways.


XChainWatcher, a study of cross-chain bridge exploits, makes the problem sharper. It found that bridge vulnerabilities have caused $3.2 billion in losses since May 2021, and it documented failures that routine "DeFi hack" coverage would miss.


So the first failure may begin as a bridge assumption, a signer, an oracle, or a governance path. The second-order failure is the movement of "trust" downstream. The contamination moves through the financial plumbing long before the market realizes a breach has occurred.
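The downstream movement of trust can be traced with a small dependency graph. The following Python (an added example, not code from the article or from XChainWatcher) walks a constructed graph of protocols that accept each other's assets and reports, hop by hop, which positions inherit the failure of one upstream protocol and how much value they hold in assets that are now suspect. The protocol names, asset names, dollar figures, and the `contagion` and `worst_single_failure` helpers are all invented for the example.

```python
"""Propagate one protocol's failure through composed positions.

Added example; not code from the article or from XChainWatcher. The graph,
asset names and dollar figures are constructed. Each protocol issues some
assets and holds others; when a protocol's security model fails, every
asset it issues is suspect, and so is every position that holds a suspect
asset, recursively.
"""

# Constructed graph: protocol -> assets it issues, and assets it holds (USD notional).
GRAPH = {
    "bridge":    {"issues": ["wETH.b"],     "holds": {}},
    "lending":   {"issues": ["lendUSDC"],   "holds": {"wETH.b": 40_000_000, "ETH": 60_000_000}},
    "dex-pool":  {"issues": ["LP"],         "holds": {"wETH.b": 15_000_000, "USDC": 15_000_000}},
    "vault":     {"issues": ["vaultShare"], "holds": {"lendUSDC": 10_000_000}},
    "stable":    {"issues": ["sUSD"],       "holds": {"LP": 5_000_000, "vaultShare": 3_000_000}},
    "unrelated": {"issues": ["x"],          "holds": {"ETH": 1_000_000}},
}


def contagion(graph: dict, failed: str):
    """Breadth-first spread of tainted assets from one failed protocol.

    Returns (exposed, tainted): exposed maps protocol -> (hops from the
    failure, USD it holds in assets that ended up tainted); tainted is the
    final set of suspect assets. Each protocol is visited once, so cycles
    (A holds B's token, B holds A's) terminate.
    """
    tainted = set(graph[failed]["issues"])
    seen = {failed}
    first_hit = {}
    depth = 0
    while True:
        depth += 1
        newly = [p for p, spec in graph.items()
                 if p not in seen and any(a in tainted for a in spec["holds"])]
        if not newly:
            break
        for p in newly:
            first_hit[p] = depth
            seen.add(p)
            tainted |= set(graph[p]["issues"])  # what it issues is now suspect too
    # Exposure is measured against the final tainted set, so a protocol hit
    # at hop 2 through one asset also counts a second tainted asset it holds.
    exposed = {p: (d, sum(usd for a, usd in graph[p]["holds"].items() if a in tainted))
               for p, d in first_hit.items()}
    return exposed, tainted


def total_exposure(exposed: dict) -> int:
    return sum(usd for _, usd in exposed.values())


def worst_single_failure(graph: dict) -> str:
    """Which single upstream failure contaminates the most downstream value."""
    return max(graph, key=lambda p: total_exposure(contagion(graph, p)[0]))


if __name__ == "__main__":
    exposed, tainted = contagion(GRAPH, "bridge")
    for proto, (hops, usd) in sorted(exposed.items(), key=lambda kv: kv[1]):
        print(f"hop {hops}: {proto:<10} ${usd:,} in tainted assets")
    print("tainted assets:", sorted(tainted))
    print("total exposure:", f"${total_exposure(exposed):,}")
    print("worst single failure:", worst_single_failure(GRAPH))
```

Note that `stable` never holds the bridged asset at all and is still exposed at hop 2 through two different routes, which is the shape of the second-order failure the text describes; `unrelated`, which holds only native assets, is correctly left out.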
The better question is which layer failed
Did the code misbehave? Was the protocol fed bad data? Did a bridge validator or multisig signer lose control of its authority? Was the front end or the CI/CD pipeline compromised before users ever saw the transaction? Did governance change the rules? Or was the person with access targeted directly?
These questions lead to different answers.
Better audits matter, yes. They reduce risk at the code level. But they cannot fix stolen keys, compromised front ends, weak bridge controls, exposed cloud credentials, or poor operational security. They certainly cannot stop people from being targeted because they hold access to crypto wealth.
This is the goal of accuracy. If the industry continues to mislabel failure, it will continue to fight the wrong fight.
"DeFi hack" may still be useful as shorthand. As a diagnosis, though, it is usually too simple to be true. The better question is where the failure actually began.
Final summary
- DeFi protocols are seamlessly connected to each other; a security breach in one underlying layer causes immediate damage downstream.
- The vast majority of stolen funds are actually lost due to off-chain operational failures, compromised signing keys, and human vulnerabilities.