The Top 10 DeFi Hacks Were Control-Plane Failures First
The biggest DeFi losses were not random smart-contract surprises. They were control-plane failures: bad authority, bad verification, and bad change management.
Establish the problem with technical depth
If you line up the current all-time leaderboard of major DeFi and crypto exploits, one pattern matters more than the exact ranking. The largest losses usually begin in the layer that decides who has authority and what the system is allowed to trust. That layer is the control plane: signer workflows, bridge verification, upgrade logic, dependency trust, and key custody. When it is weak, a protocol can look audited and still be economically open.
Current leaderboards compiled from Chainalysis and DeFiLlama data now include names like Bybit, Ronin, Poly Network, Wormhole, Cetus, Mixin, Euler, Nomad, Balancer, and Nobitex. The bottom of the list can move as prices and category definitions move. The top of the story does not.
| Incident | Approx. loss | What failed first |
|---|---|---|
| Bybit | $1.46B | Signing pipeline and Safe UI trust |
| Ronin | $624M | Validator key concentration and stale delegated authority |
| Poly Network | $612M | Cross-chain authorization path |
| Wormhole | $326M | Message verification bypass |
| Cetus Protocol | $223M | Shared-library math failure |
| Mixin Network | $200M | Cloud-hosted key infrastructure |
| Euler Finance | $197M | Lending invariant broken in an audited path |
| Nomad Bridge | $190M | Upgrade initialization turned verification into theater |
| Balancer v2 | $128M | Precision error compounded across repeated state transitions |
| Nobitex | $90M | Compromised private keys and destructive operator access |
The scale is the part investors should not sanitize. Chainalysis says the crypto industry lost more than $3.4 billion to theft in 2025, and that the February 21, 2025 Bybit compromise alone accounted for about $1.5 billion of that total. Bybit's own incident timeline says the loss came from a single Ethereum cold wallet after attackers spoofed the Safe multisig signing flow and changed the wallet logic through a disguised transaction. One compromised approval path erased a year of product execution.
Ronin exposed the same truth three years earlier in a more obviously "decentralized" setting. Ronin's March 29, 2022 disclosure says attackers drained 173,600 ETH and 25.5 million USDC after compromising validator keys. The key detail is structural: five of nine validator signatures were enough, Sky Mavis controlled four of them, and an Axie DAO allowlist path that should have expired did not. Too much authority stayed reachable after the team believed it was gone.
Poly Network, Wormhole, and Nomad make the bridge version of the same argument. Chainalysis says Poly Network lost $612 million on August 10, 2021 after an attacker exploited the smart contracts used for cross-chain transactions. Wormhole lost 120,000 wETH, roughly $326 million, after a verification bypass let the attacker mint value that was never actually locked on Ethereum. Nomad's bug was simpler still: after a June 21, 2022 upgrade, acceptableRoot(bytes32(0)) could evaluate to true, which meant unproven messages could be processed as legitimate.
Euler matters because it keeps honest engineers from hiding behind the phrase "that was just a bridge problem." Euler's own retrospective says the protocol was exploited in March 2023 for about $197 million. The root cause was not embarrassing beginner Solidity. It was a missing health check in the donateToReserves path, a function introduced to fix an earlier bug and reviewed before shipping. That is what modern failure looks like: not sloppy code in the obvious function, but one unsafe state transition in a system sophisticated enough to look credible.
The mechanism, the mistake, the misunderstanding
The mechanism behind the biggest losses is usually one of three lies.
The first lie is: this authority is legitimate. Bybit's signers saw a false reality and approved it. Ronin's validator design made nominally separate authority easier to aggregate than management believed. A private key or privileged machine is never "just ops." It is production authority.
The second lie is: this message has been verified. Poly Network, Wormhole, and Nomad were not fundamentally about yield strategies or tokenomics. They were about the protocol accepting forged or unproven state as authentic. In other words, the system's trust boundary was syntactically present and semantically broken.
Nomad's RCA shows why this is so dangerous:
```solidity
function process(bytes memory message) public returns (bool success) {
    require(acceptableRoot(messages[keccak256(message)]), "!proven");
    // execute the message
}
```
That check looks fine until acceptableRoot(bytes32(0)) becomes true after an upgrade. Then verification still exists in the code, but not in reality. That distinction matters. A security control that remains visible after it has stopped constraining the system is worse than a missing control, because teams keep operating as if protection still exists.
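A minimal Python model of that failure mode, added here as an illustration and not Nomad's code. The `Replica` class, its `confirm_at` table, the `trust_zero_root` and `reject_zero` flags, and the use of SHA-256 in place of keccak256 are assumptions; the model shows why a never-proven message passes once the zero root is acceptable, and the zero-value rejection a regression test should pin.

```python
import hashlib

ZERO_ROOT = bytes(32)  # value an unset bytes32 mapping slot reads back as


class Replica:
    """Toy model of a bridge replica (assumed names, not Nomad's code)."""

    def __init__(self, trust_zero_root=False, reject_zero=False):
        self.messages = {}    # message hash -> root it was proven under
        self.confirm_at = {}  # root -> time from which it is acceptable
        self.reject_zero = reject_zero
        if trust_zero_root:
            # Stands in for the upgrade's effect: zero root marked confirmed.
            self.confirm_at[ZERO_ROOT] = 1

    def acceptable_root(self, root, now=100):
        if self.reject_zero and root == ZERO_ROOT:
            return False  # hardened: zero is never a valid proof root
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and confirmed <= now

    def prove(self, message, root):
        # Stand-in for Merkle proof verification (sha256 replaces keccak256).
        self.messages[hashlib.sha256(message).digest()] = root

    def process(self, message):
        # A message that was never proven reads back the default: ZERO_ROOT.
        root = self.messages.get(hashlib.sha256(message).digest(), ZERO_ROOT)
        if not self.acceptable_root(root):
            raise PermissionError("!proven")
        return True


def accepts_unproven(replica):
    """Regression check: is a never-proven message processed?"""
    try:
        return replica.process(b"constructed message, never proven")
    except PermissionError:
        return False
```

Running `accepts_unproven` against the deployed configuration after every upgrade or initialization change turns "test zero values" into a gate rather than a review comment.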
The third lie is: the system's accounting is still true. That is the Euler, Cetus, and Balancer class. An invariant is a condition that must remain true across every valid path through the system, not just in one happy-path unit test. Solvency is an invariant. Conservation of collateral is an invariant. Euler failed because a path that looked operational could push an account into an unhealthy state without reasserting health. Cetus and Balancer show the other version of the same story: tiny arithmetic assumptions stop being tiny once automated capital can cycle through them at machine speed.
The misunderstanding is that teams still budget around the code plane and under-budget the control plane. The code plane is the contract logic people review line by line. That work matters. But only a minority of the biggest incidents are classic contract-logic failures. The rest are authority failures, verification failures, or infrastructure failures that a narrow audit process will not close by itself.
That is why "was it audited?" is such a weak diligence question. A protocol can answer yes and still have unsafe signer ceremonies, weak bridge assumptions, unreviewed upgrade scripts, stale permissions, or shared libraries nobody stress-tested as if they held the treasury. The market prices all of those mistakes the same way: as losses.
What good looks like
Good security starts by modeling the control plane as part of the product, not as plumbing around the product.
For signer and privilege paths, that means hardware-backed approvals, independent transaction decoding, strict role expiry, removal of temporary delegations, and routine access review. A multisig is not safety by itself. It is only one part of a signing system. If every signer is trusting the same compromised UI or the same poisoned device, the threshold is cosmetic.
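An access review of the kind described here, applied to the Ronin structure discussed earlier (five of nine signatures, four keys held by one operator, one delegation that should have expired), as an added example that is not from any project's code base. The signer ids, the `op-*` operator names, the dates and the `review_authority` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: nine validators, four held by one operator, and one
# delegation that is still active after its intended expiry. Ids, the op-*
# operators and all dates are placeholders, not values from any disclosure.
SIGNERS = {"v1": "sky-mavis", "v2": "sky-mavis", "v3": "sky-mavis",
           "v4": "sky-mavis", "v5": "axie-dao", "v6": "op-a",
           "v7": "op-b", "v8": "op-c", "v9": "op-d"}
DELEGATIONS = [{"signer": "v5", "grantee": "sky-mavis",
                "intended_expiry": date(2024, 1, 31), "active": True}]


def review_authority(signers, delegations, threshold, today):
    """Return (at_risk, stale) for a threshold-of-n signer set.

    at_risk: operators whose reachable signatures meet the threshold.
    stale:   delegations still active past their intended expiry.
    """
    reach = defaultdict(set)
    for signer, operator in signers.items():
        reach[operator].add(signer)
    stale = []
    for d in delegations:
        if not d["active"]:
            continue  # removed delegations grant nothing
        # An active delegation is reachable authority, whatever was intended.
        reach[d["grantee"]].add(d["signer"])
        if d["intended_expiry"] < today:
            stale.append((d["signer"], d["grantee"]))
    at_risk = {op: len(s) for op, s in reach.items() if len(s) >= threshold}
    return at_risk, stale


if __name__ == "__main__":
    print(review_authority(SIGNERS, DELEGATIONS, 5, date(2024, 6, 1)))
```

The review counts authority by who can reach a key, not by how many keys exist, which is the number that decides whether the threshold holds.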
For bridges, verifiers, and upgrades, it means treating proof libraries, initialization logic, and deployment scripts as treasury-critical code. Teams should test zero values, replay scenarios, upgrade migrations, and failure paths as aggressively as they test deposits and withdrawals. Shared libraries deserve the same suspicion as first-party code because the protocol inherits their mistakes at full blast radius.
For core protocol accounting, good looks like writing invariants before the implementation is declared done. Then prove those invariants under adversarial sequencing with stateful fuzzing, fork-based simulations, and diff-specific review on every meaningful change. Tools such as Foundry invariant tests, Echidna, Slither, and Medusa help, but only if they are aimed at truths that matter. "No revert on deposit" is not a security property. "Collateral cannot become withdrawable before debt remains safe" is.
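A small stateful fuzzer showing what aiming at "truths that matter" means, written as an added example and not taken from Euler or from any of the tools named above. The `Market` model, its health rule (debt at most half of collateral) and the `check_donate` switch are assumptions; with the check off, the donate path mirrors the missing health check described earlier.

```python
import random
from collections import defaultdict


class Market:
    # Toy lending market (assumed model): healthy iff 2 * debt <= collateral.

    def __init__(self, check_donate):
        self.coll, self.debt = defaultdict(int), defaultdict(int)
        self.reserves = 0
        self.check_donate = check_donate  # False reproduces the missing check

    def _commit(self, who, coll, debt, check_health):
        if coll < 0 or debt < 0 or (check_health and 2 * debt > coll):
            raise ValueError("revert")  # state is left unchanged
        self.coll[who], self.debt[who] = coll, debt

    def deposit(self, who, amt):
        self._commit(who, self.coll[who] + amt, self.debt[who], False)

    def borrow(self, who, amt):
        self._commit(who, self.coll[who], self.debt[who] + amt, True)

    def withdraw(self, who, amt):
        self._commit(who, self.coll[who] - amt, self.debt[who], True)

    def donate_to_reserves(self, who, amt):
        self._commit(who, self.coll[who] - amt, self.debt[who], self.check_donate)
        self.reserves += amt


OPS = ["deposit", "borrow", "withdraw", "donate_to_reserves"]


def fuzz(check_donate, runs=200, steps=30, seed=1):
    """Random call sequences; return the first trace that breaks solvency."""
    rng = random.Random(seed)
    for _ in range(runs):
        market, trace = Market(check_donate), []
        for _ in range(steps):
            op, who, amt = rng.choice(OPS), rng.choice("AB"), rng.randint(1, 100)
            try:
                getattr(market, op)(who, amt)
            except ValueError:
                continue  # reverted call
            trace.append((op, who, amt))
            if any(2 * market.debt[a] > market.coll[a] for a in "AB"):
                return trace  # invariant violated: counterexample found
    return None
```

The invariant is asserted after every successful call in the sequence, so the returned trace ends at the exact state transition that broke solvency.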
Finally, good security has runtime teeth. Ronin's write-up is still one of the clearest warnings in the sector because the theft sat undetected until a user could not withdraw. Large outflows, role changes, unexpected mints, paused-state flips, and upgrade execution should all be visible quickly enough that the team can respond before social media explains the incident for them.
ChainShield's angle
ChainShield's view is that Web3 security has to move up a layer.
The industry does not need another firm that reads Solidity in isolation and hands management a PDF that sounds definitive. It needs security work organized around change surfaces and authority surfaces: what changed, who can approve it, what dependency is newly trusted, what upgrade path can mutate the protocol's truth, and which live signals would tell you the model is already broken.
That frame works for both halves of the audience. Founders and investors get a language that maps directly to treasury risk and governance risk. CTOs and Solidity engineers get a security program that matches how failures actually happen in production.
The top 10 DeFi hacks of all time are not just a hall of shame. They are a design brief. Teams that study only the Solidity fragment are learning the wrong lesson. The big money is still being lost where systems decide who to trust.
ChainShield Discovery Runs are designed to identify high-risk issues quickly, validate what matters, and give engineering teams a faster path to remediation.