Set aside prejudices, and re-evaluate the security of DeFi lending.

Written by: Alex McFarlane

Translated by: Chopper, Foresight News

Every disruptive fintech development must undergo growing pains, and decentralized finance (DeFi) is no exception. The early lending market rapidly launched and expanded in scale, while the industry faced various security attacks in the open market, then gradually explored and perfected code security, collateral asset risk control, oracle mechanisms, liquidation logic, and governance systems.

Past risk cases hold reference value, but can no longer represent the now-mature DeFi ecosystem. After all, those who only replay history often miss current opportunities.

Excluding security incidents related to cross-chain bridges, the current Ethereum Virtual Machine (EVM) and Solana chain-based DeFi lending business calculates an average annual loss rate from theft and malicious attacks at about 0.03% of the total value locked (TVL) in lending. The data for this analysis is consolidated from hacker attacks and vulnerability theft events reported by the DeFi Llama platform.

The core criterion for assessing security risk is: how significant are the losses from exploitations compared to the amount of funds in the market?

A loss rate of 0.03% roughly equates to the probability of accidental death due to slipping and falling among the American populace. Thus, it can be seen that, setting aside the prevailing panic in the market, the actual security risks of DeFi lending are actually at a relatively low level.

Detailed Breakdown of DeFi Security Incidents

As of May 16, 2026, DeFi Llama reported that the total amount of theft from all categories of DeFi protocols reached 7.751 billion dollars, and this statistic covers a wide range. The overall data includes cross-chain bridges, decentralized exchanges, derivatives protocols, blockchain game-related projects, digital wallets, underlying infrastructure failures, and non-lending DeFi businesses.

Among them, cross-chain bridges are a major risk area: excluding security incidents related to cross-chain bridges, the total loss amount from theft in the DeFi field is reduced to 4.518 billion dollars.

Code execution will strictly follow the written instructions rather than achieving the ideal expectations of developers, which is the root cause of various vulnerability occurrences. Properly categorizing risks is of great significance: DeFi is not a single track with uniform risks. Theft from cross-chain bridges, DEX oracle manipulation, wallet phishing scams, and collateral asset vulnerabilities in the lending market all belong to completely different types of risks.

Among all DeFi protocols, the lending market suffers the most frequent attacks, with a very simple reason: large amounts of assets are locked in smart contracts for extended periods, making them prime targets for hackers.

Lending protocols and automated market makers (AMMs) are high-frequency accident fields, sharing a core commonality of needing to pool large amounts of assets into smart contracts. Aside from cross-chain bridges, the vast majority of security incidents are concentrated in these two types of protocols. This article will focus on the analysis of the lending and borrowing track.

Funds Loss Rate Significantly Improved

Today, the total locked value in DeFi is much higher than in the early stages when vulnerabilities were frequent, especially in the lending track. Projects have more mature risk control systems, more comprehensive code audits, and increasingly refined real-time risk monitoring across the network. Excluding the cross-chain bridge incidents, the annualized actual theft loss ratio of EVM and Solana ecosystem lending businesses has significantly decreased.

Euler has created a classic risk disposal case, successfully recovering all stolen assets. In 2023, Euler lost 197 million dollars but not only fully retrieved the amount but also ended up recovering 240 million dollars due to asset price fluctuations, achieving a positive surplus, which also widened the gap between the industry's reported losses and the actual recovery amounts.

As of May 16, 2026, statistics on related data over the past year are as follows:

• Total reported loss due to theft for non-cross-chain lending businesses in EVM and Solana: 30.9 million dollars
• Actual net loss after asset recovery: 30.1 million dollars
• Daily average locked lending amount: 99.6 billion dollars
• Reported fund loss rate: 3.1 basis points
• Actual net loss rate: 3 basis points

Converted, the annual fund loss stabilizes at around 0.03% of the total locked lending market value.

Advantages of Asset Diversification

DeFi security incidents exhibit a clear polarization characteristic: a very small number of large theft events account for the vast majority of the total public losses in the industry. Organizing incident scales using logarithmic coordinates reveals that various theft incidents are approximately log-normally distributed. Visually, the losses caused by the vast majority of security incidents are relatively small, with significant high-value thefts concentrated in a few extreme cases.

Although ChatGPT presented different views, I believe these data strongly prove that portfolio diversification is an excellent method for crime prevention.

From the perspective of risk transfer and commercial insurance, this data model also provides reasonable support for the industry's security insurance business, allowing insurance institutions to set single-claim limits for different protocols and orderly conduct underwriting business.

Furthermore, the vast majority of theft incidents have limited impact, far from shaking the overall funding market of the lending track. Moreover, the larger the overall size of the track, the smaller the impact of a single security incident on the whole.

Note: Some theft incidents appear to exceed the project's own locked market value, and such cases are uniformly counted as 100% loss. This data discrepancy arises mainly from two reasons: first, the time of locked market value statistics differs from the time the security incident occurred, leading to variations in asset amounts; second, the locked value statistics criteria of DeFi Llama are inconsistent with the actual standards for assets at risk.

This calculation method, while not absolutely perfect, is sufficient to clearly reflect the industry's status: the vast majority of vulnerability attacks only affect a single business module within the lending protocol, with very few instances of total asset collapse, especially for large projects. This research data also provides key evidence for risk hedging and asset security custody services in the DeFi industry.

Asset Recovery Ability is Crucial

Asset recovery has similarly significantly optimized the actual risk performance of the DeFi lending track. Looking at the comprehensive data of DeFi Llama's all-category theft incidents, the overall asset recovery amount in the industry is about 8% of the total reported losses; whereas, after excluding cross-chain bridge incidents, the asset recovery proportion in the EVM and Solana lending track is even higher, reaching about 20% of the reported losses.

In regions with a well-established rule of law and mature regulatory governance, the success rate of recovering stolen assets is generally higher. This phenomenon also hides industry insights related to access permissions.

Promising Industry Prospects

Today, the security risks of the DeFi lending track have become quantifiable and categorizable, with the actual fund loss ratio continuously decreasing. Data proves that the industry has entered a mature development stage: actual losses from vulnerability theft compared to the massive locked fund amount are extremely low, and various risks are clearly distinguishable, with risk boundaries becoming increasingly transparent.

In summary, there is no need to be swayed by external pessimistic rhetoric; data and facts are sufficient to verify the true risk levels of the DeFi lending track.