web3 security | builder Co-Founder @ Creed (creedintern.eth)


We analyzed a sample of over 550 hacks that occurred in the blockchain space over the past 15 years.
Our initial hypothesis was that the proportion of hacks related to smart contracts has gone down in recent years. We assumed that as developer tooling improved, smart contract libraries became more widespread, audits became more common, and knowledge of known vulnerabilities increased, smart contract-related exploits would become less frequent.
The goal was to test this assumption and look at how the trends in smart contract vs non-smart contract hacks have evolved over time. We wanted to either confirm or reject this hypothesis based on what the data shows.
We used a dataset listing over 550 known hacks. With some help from an AI assistant, we manually reviewed and categorized each hack based on its root cause. In total, we used twelve categories:
Credential Theft
Smart Contract
Rug Pull / Fraud
Frontend
Governance
Human Error
Infrastructure
Insider
Malware
Other Phishing
Supply Chain
Unknown
In cases where multiple vectors were involved, we picked the most specific one. For example, if malware was used to steal a private key, we categorized the hack under Credential Theft. When the root cause was unclear, we labeled it as Unknown.
We then grouped these categories into four larger buckets:
Smart Contract
Rug Pull / Fraud
Other
Unknown

Looking at the chart, we can see that the number of hacks increased sharply in 2022 and 2023, with both years recording about 130 attacks. That number decreased significantly in 2024, and the trend suggests it is decreasing again in 2025.


Since 2020, about 40% of all blockchain hacks have been related to smart contracts. This is consistent with the emergence of DeFi, which gained momentum around that time.
This indicates that while smart contracts are not the majority cause of exploits, they still represent by far the largest proportion of hacks as a single category, followed by Credential Theft and Infrastructure-related breaches. Since that share remains relatively constant, this would refute our original hypothesis.
Looking only at the number of hacks doesn’t tell the full story. Some years may have more hacks but cause less financial damage, or vice versa.
To dig deeper, we grouped all attacks based on the estimated value stolen:
Less than $100K
$100K to $1M
$1M to $10M
$10M to $100M
Over $100M

Smart contract exploits occupy a consistent proportion of attacks between $100K and $100M, being the top attack vector category across these tiers. Credential Theft and Infrastructure issues also appear regularly in high-value incidents.


We chose to exclude FTX from the graph to improve readability and avoid skewing the distribution too much.
From 2019 to 2022, smart contracts accounted for a growing share of the total value lost. This share remained steady in 2022 and 2023, but has declined in 2024 and so far in 2025.
This means that when looking at the total value lost rather than number of attacks, the data confirms that smart contract-related attacks are becoming relatively less damaging compared to other categories.
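The bucketing and the count-versus-value comparison described above, as an added Python example that is not the authors' analysis code. The records are constructed, folding the nine remaining categories into Other is inferred from the bucket list, and treating each tier's lower bound as inclusive is an assumption.

```python
from collections import defaultdict

# Assumption: categories without a bucket of their own fold into "Other".
OWN_BUCKET = {"Smart Contract", "Rug Pull / Fraud", "Unknown"}
# Tiers from the article; treating each lower bound as inclusive is an assumption.
TIERS = [(100_000, "Less than $100K"), (1_000_000, "$100K to $1M"),
         (10_000_000, "$1M to $10M"), (100_000_000, "$10M to $100M")]

def bucket(category):
    return category if category in OWN_BUCKET else "Other"

def tier(usd):
    for upper, label in TIERS:
        if usd < upper:
            return label
    return "Over $100M"

def yearly_shares(incidents, target="Smart Contract"):
    """Return {year: (share_by_count, share_by_value)}; value share is 0 if no USD."""
    n = defaultdict(lambda: [0, 0])    # year -> [target incidents, all incidents]
    v = defaultdict(lambda: [0, 0])    # year -> [target USD, all USD]
    for year, category, usd in incidents:
        hit = bucket(category) == target
        n[year][0] += int(hit)
        n[year][1] += 1
        v[year][0] += usd if hit else 0
        v[year][1] += usd
    return {y: (n[y][0] / n[y][1], v[y][0] / v[y][1] if v[y][1] else 0.0)
            for y in sorted(n)}

def tier_breakdown(incidents):
    """Return {tier label: {bucket: incident count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for _, category, usd in incidents:
        out[tier(usd)][bucket(category)] += 1
    return {t: dict(b) for t, b in out.items()}

# Constructed records (year, root-cause category, USD lost); not the article's data.
SAMPLE = [
    (2023, "Smart Contract", 40_000_000), (2023, "Smart Contract", 60_000_000),
    (2023, "Credential Theft", 50_000_000), (2023, "Infrastructure", 50_000_000),
    (2023, "Malware", 50_000_000),
    (2024, "Smart Contract", 2_000_000), (2024, "Smart Contract", 8_000_000),
    (2024, "Credential Theft", 150_000_000), (2024, "Other Phishing", 30_000_000),
    (2024, "Supply Chain", 10_000_000),
]

if __name__ == "__main__":
    for year, (by_count, by_value) in yearly_shares(SAMPLE).items():
        print(year, f"count {by_count:.0%}, value {by_value:.0%}")
```

In the constructed sample the smart contract share by count is the same in both years while its share by value drops, which is the divergence between the two metrics that the article reports.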

Smart contract vulnerabilities account for over $5 billion in total value lost. They remain the leading attack vector in terms of cumulative damage.
They are followed by:
Credential Theft — approx. $3.1B
Other Phishing — approx. $2.4B
Infrastructure — approx. $1.5B
Smart contract vulnerabilities account for 40% of all hacks.
Credential theft, phishing, and infrastructure are major threat vectors.
Security must be holistic, not just focused on smart contracts.
While this analysis has limitations, it helped us identify a few interesting insights into how Web3 security has evolved.
We do not yet have enough historical data to draw definitive conclusions. However, based on what we observed, the proportion of value lost to smart contract vulnerabilities seems to be decreasing. This suggests that the security measures implemented in recent years, such as improved tooling, the widespread use of libraries, and the growing accessibility of audits, are starting to pay off.
At the same time, the data clearly shows how important it is to secure the entire Web3 stack. Security should not stop at the smart contract layer. Credential theft, phishing, and infrastructure vulnerabilities continue to represent significant risks and cannot be ignored.
Although the industry invests heavily in smart contract audits, we often see projects overlooking other critical components of their systems. As smart contracts become more robust, attackers are increasingly turning to other layers to find weaknesses.
The emergence of AI has also changed the landscape. Attacks that were once limited to skilled threat actors, such as large-scale phishing campaigns, are now easier to launch and much more scalable.
Security is constantly evolving. Teams need to remain vigilant, adapt to emerging threats, and respond quickly in order to protect their users and safeguard their projects over the long term.
If you're building in Web3 and want help securing your entire stack (smart contracts, infrastructure, operations, and more), reach out to us.
We are a community of experienced security engineers helping teams protect their projects from top to bottom.