The annual average loss is only 0.03%, data breakdown of the real risks in DeFi lending

Article by: Alex McFarlane

Translated by: Chopper, Foresight News

Every disruptive financial technology development must go through growing pains, and decentralized finance (DeFi) is no exception. Early lending markets launched rapidly, with explosive growth, but the industry repeatedly faced various security attacks in public markets, then gradually explored and improved code security, collateral risk management, oracle mechanisms, liquidation logic, and governance systems.

Past risk cases are valuable references, but no longer represent the current mature DeFi ecosystem. After all, only reviewing history often fails to capture current opportunities.

Excluding security incidents related to cross-chain bridges, the on-chain DeFi lending activities on Ethereum Virtual Machine (EVM) and Solana have an estimated average annual loss rate from theft and malicious attacks of about 0.03% of the total value locked (TVL). All data in this analysis are compiled from hacker attack and vulnerability theft events marked on the DeFi Llama platform.

The core standard for assessing security risk is: how significant are the losses from exploited vulnerabilities relative to the amount of funds in the market?

A loss rate of 0.03% roughly equals the probability of an American accidentally slipping and falling to death. This indicates that, aside from the widespread panic, the actual security risk of DeFi lending operations is relatively low.

DeFi Security Incidents Breakdown

As of May 16, 2026, DeFi Llama reports that the total amount stolen across all categories of DeFi protocols has reached $7.75B, covering a very broad scope. The overall data includes cross-chain bridges, decentralized exchanges, derivatives protocols, blockchain game projects, digital wallets, underlying infrastructure failures, and non-lending DeFi businesses.

Among these, cross-chain bridges are the most risk-prone: excluding security incidents related to cross-chain bridges, the total stolen funds in DeFi drop to $4.52B.

Code execution only strictly follows written instructions, not the developer’s ideal expectations, which is the root cause of frequent vulnerabilities. Proper risk classification is crucial: DeFi is not a single risk-uniform track. Risks such as bridge thefts, DEX oracle manipulations, wallet phishing scams, and collateral asset vulnerabilities in lending markets are entirely different risk types.

Among all DeFi protocols, lending markets experience the highest frequency of attacks, mainly because: large amounts of assets are deposited long-term into smart contracts, making them primary targets for hackers.

Lending protocols and automated market makers (AMMs) are high-risk tracks, with the core commonality being the need to deposit large assets into smart contracts. Apart from cross-chain bridges, most security incidents are concentrated in these two types of protocols. This article will focus on analyzing lending and fund lending tracks.

Significant Improvement in Loss Rates

Today, the overall locked-in value in DeFi far exceeds the early vulnerability-prone stages of the industry, especially in the lending sector, where project risk control systems are more mature, code audits more comprehensive, and real-time network-wide risk monitoring increasingly refined. Excluding cross-chain bridge incidents, the annualized actual theft loss ratio for lending activities on EVM and Solana ecosystems has decreased substantially.

Euler has set a classic example of risk management, successfully recovering all stolen assets. In 2023, Euler was hacked for $197 million, which was fully recovered, and due to asset price fluctuations, ultimately recouped $240 million, achieving a positive surplus. This highlights the gap between the industry’s book losses and actual recovered amounts.

Using May 16, 2026, as a reference point, the past nearly year’s relevant data are summarized as follows:

Total on-record losses from theft in non-cross-chain lending on EVM and Solana: $30.9 million

Net actual losses after asset recovery: $30.1 million

Average daily locked-in funds in lending: $99.6 billion

On-record fund loss rate: 3.1 basis points

Actual net loss rate: 3 basis points

Converted, the annual fund loss remains stable at about 0.03% of the total lending locked-in market value.

Advantages of Asset Diversification

DeFi security incidents show a clear polarization: a very small number of large theft events account for the majority of the industry’s reported losses. Analyzing incident scales on a logarithmic scale reveals that various theft sizes approximately follow a log-normal distribution. Visually, most security incidents cause relatively small losses, with only a few extreme cases involving large-scale thefts.

Although ChatGPT has expressed different opinions, I believe these data strongly demonstrate that diversification of investment portfolios is an excellent method to prevent crimes.

From the perspective of risk transfer and commercial insurance, this data model also provides reasonable support for industry security insurance services. Insurers can set individual payout limits for different protocols and conduct orderly underwriting.

Moreover, most theft incidents have limited impact, far from enough to shake the entire lending sector’s capital pool. The larger the sector, the smaller the impact of a single security incident on the overall system.

Note: Some theft loss amounts appear to exceed the project’s own locked-in market value; such cases are uniformly counted as 100% loss. The main reasons for this discrepancy are twofold: first, there is a time lag between the lock-in market value statistics and the occurrence of security incidents, leading to asset volume changes; second, the lock-in statistics from DeFi Llama differ from the actual risk exposure asset standards.

While this estimation method is not perfect, it sufficiently reflects the industry’s current state: most vulnerabilities only affect individual modules within lending protocols, rarely causing total asset compromise, especially in large-scale top projects. This research also provides a key basis for DeFi industry risk hedging and asset security custody services.

Critical Importance of Asset Recovery

Asset recovery has also significantly improved the actual risk performance of the DeFi lending sector. Based on DeFi Llama’s data across all DeFi categories, the industry’s overall recovered assets amount to about 8% of the total recorded losses; excluding cross-chain bridge incidents, the recovery ratio for EVM and Solana lending sectors is even higher, reaching about 20% of the recorded losses.

In regions with well-established legal systems and mature regulatory governance, the success rate of recovering stolen funds is generally higher. This phenomenon also offers industry insights related to access permissions.

Bright Industry Outlook

Today, the security risks in DeFi lending are quantifiable and classifiable, with actual fund loss ratios continuously decreasing. Data proves that the industry has entered a mature development stage: the actual theft losses are extremely low relative to the vast existing capital, risks are clearly distinguishable, and risk boundaries are becoming more transparent.

In summary, there is no need to be swayed by external pessimistic opinions; data and facts sufficiently confirm the true risk level of the DeFi lending sector.