DeFi Lending Hack Losses Equal 3 Basis Points of TVL
DeFi Lending Hack Losses Reach 3 Basis Points of TVL – Data Shows Limited Impact Relative to Capital Locked
Key Takeaways
- Non-bridge lending exploits on EVM chains and Solana totaled $30.9 million over the past 12 months.
- Average Total Value Locked in these markets stood at $99.6 billion, resulting in gross losses of 3.1 basis points and net losses of 3 basis points after recoveries.
- For every $10,000 deposited, the annualized realized hack loss equaled about $3.
- Recoveries reduced lending losses by roughly 20 percent, compared with 8 percent across all DeFi protocols.
Twelve Month Data Shows $30.9 Million in Lending Exploits
Lenders who placed funds in decentralized finance borrowing markets on Ethereum Virtual Machine chains and Solana experienced realized hack losses of approximately 3 basis points of Total Value Locked over the past year. The calculation is based on data derived from DefiLlama records through May 16.
Keyring Network founder Alex McFarlane isolated non-bridge lending exploits and compared trailing 12-month gross losses of $30.9 million against an average TVL of $99.6 billion. This resulted in a gross loss rate of 3.1 basis points. After accounting for recoveries, the figure declined slightly to 3 basis points net.
In practical terms, if you spread $10,000 across the largest EVM and Solana lending markets during that period, the realized annualized hack loss would have equaled about $3. The estimate excludes bridge-related incidents, oracle failures, and protocol-specific bugs. It also assumes that deposits were not placed in a market that experienced a large-scale event.
Bridge Incidents Distort Broader DeFi Hack Figures
DefiLlama records $7.75 billion in gross hack losses across the broader DeFi sector over its full history. When bridge-related incidents are excluded, the total declines to $4.52 billion. This distinction highlights the significant share of losses attributable to cross-chain infrastructure rather than core lending protocols.
The lending-specific figures therefore represent a narrower segment of the DeFi market. By focusing on borrowing and lending protocols on EVM chains and Solana, the data isolates one of the largest capital pools within decentralized finance and measures exploit losses relative to the amount of capital actively deployed.
According to McFarlane, the relevant metric for assessing exploit risk is the size of realized losses compared with the capital using the market. He compared the 3 in 10,000 probability to the rate at which Americans die from slip-and-fall accidents, using the analogy to frame the scale of realized losses in relation to TVL.
Hack Distribution Skews Toward Large Outliers
The data indicates that exploit sizes are unevenly distributed. A small number of large incidents account for a significant share of cumulative damage, while most events remain relatively small. On a logarithmic scale, the pattern approximates a lognormal distribution.
Most exploits affect a specific component within a lending market rather than draining an entire protocol. Larger markets also tend to absorb a smaller percentage impact when incidents occur. This dynamic means that the relative damage to total capital can vary significantly depending on protocol size and design.
April illustrated how single events can shape monthly totals. Crypto hackers extracted $606 million that month, marking the worst monthly total since the 2025 breach at Bybit. The Kelp DAO and Drift incidents accounted for 95 percent of April losses, according to the report.
Recoveries Reduce Net Damage in Lending Protocols
Recoveries play a measurable role in lowering net losses. Across all DeFi protocols tracked by DefiLlama, capped recoveries amount to about 8 percent of gross damage. For EVM and Solana lending protocols excluding bridges, the recovery rate rises to roughly 20 percent.
One notable case was Euler Finance, where the attacker returned all stolen funds after a 2023 flash loan exploit. While not representative of every incident, such recoveries reduce the long-term realized loss rate for lenders when measured against TVL.
The difference between gross and net figures in the lending category reflects this effect. The 3.1 basis points gross loss rate narrows to 3 basis points after recoveries are taken into account.
Protocol Design and Minimalism as Risk Factors
Developers continue to debate how protocol design influences exploit risk. Morpho contributor Merlin Egalite stated that minimalism is a dividing line between safer and riskier lending markets. He argued that lending protocols are among the most complex to secure and that each additional line of code increases the potential attack surface.
Immutability and limited feature sets are presented as approaches intended to reduce the likelihood of introducing new vulnerabilities through updates. While the reported 3 basis point figure reflects realized history rather than a guarantee, it provides a quantifiable reference point for lenders, insurers, and capital allocators.
The data also shows that Aave and Morpho continue to absorb a significant share of new lending capital in 2026. At the same time, the year has already included major single incidents, such as the Kelp DAO event in April, underscoring that large losses remain possible even if the aggregate annualized rate appears limited relative to TVL.
Our Assessment
The reported 3 basis point net loss rate places non-bridge lending exploits on EVM chains and Solana at $30.9 million against $99.6 billion in average TVL over the past 12 months. Recoveries reduced gross losses, and large outlier events accounted for a significant share of total damage. The data isolates lending protocols from bridge incidents and provides a measurable benchmark for evaluating realized exploit losses relative to capital locked in these markets.
