TL;DR: Thinking your crypto project’s Total Value Locked (TVL) tells you how likely it is to get hacked? Think again.
#hacked
Rekt.
Pwnd.
Hacked.
Exploited.
Profitable Trading Strategy.
Words you do not want to hear as a smart contract engineer. Especially about your protocol.
The cold, hard truth? When there’s real money on the line, every single crypto project eventually draws the gaze of black-hat hackers. Automated scanners are already out there, tirelessly poking and prodding for weaknesses. And with the rise of powerful Large Language Models (LLMs), both sides of this digital arms race are only getting more sophisticated. This means active protection is becoming incredibly important – though, honestly, how to achieve that reliably is still a puzzle for all of us. On the flip side, we might even see “retroactive protection” become the norm, allowing for the reversal of funds after an exploit, much like the Sui Network’s move after the Cetus hack.[1]
Today, I wanted to answer the question: when does your crypto project truly catch the eye of serious hackers? I’m not talking about the automated bots that exploit rookie mistakes (those should never even see production). I mean the old-school manual hackers, the sophisticated groups, maybe even nation-state actors. My hunch was that there might be a direct link between a protocol’s TVL[2] – that enticing pot of gold – and its likelihood of appearing on their radar. Let’s dive into the data and see what it tells us.
TVL ~ Incentive: A Hacker’s Payday?
Before we dig into the numbers, let’s chat about incentives. What’s the absolute most a hacker could walk away with from your project? Roughly speaking, it’s your TVL. Of course, it could be more if they manage to exploit something like router authorisations, or far less if their specific attack vector doesn’t grant access to all the locked value.
Then there are the operational costs. If an exploit can’t be pulled off with a simple flash loan and requires upfront capital, well, our would-be attackers need to be sufficiently funded themselves. And let’s not forget the risk of failure – a botched exploit could mean losses for the exploiter. So, sometimes, even a rational hacker might decide to pass on an opportunity, even if it looks profitable on paper, because the risk isn’t quite worth the reward.
But motives are complex, and incentives stretch beyond just TVL. Remember Avi, who seemed to want to prove that “code is law”? Or Jared, who just loves showcasing his front-running skills? And who could forget DeFi100, brazenly bragging about their exit-scam?
So, while TVL might not be the perfect measure of incentive, it should tell us something important, right?
Attackers & Attack Vectors: Know Thy Enemy
The world of crypto hacks is a wild west, with a dizzying array of attack vectors depending on the project’s unique design. Here’s a quick rundown of some common culprits:
- Improper Input Validations: Attackers use inputs the protocol just wasn’t prepared for. (Always, always remember your edge cases!)
- Incorrect Calculations: Often due to arithmetic errors, logic blunders, or those pesky over/underflows. (Seriously, double-check your math.)
- 3rd-Party/Oracle Manipulation: When you rely on outside data, tweaking those sources can wreak havoc. (Always consider your chain of risk!)
- Access Control Flaws: Forgetting to set proper access controls is a surprisingly common, and easily exploited, oversight.
- Re-entrancy: Relying on other contracts can lead to unintended consequences if not handled carefully. (Brush up on your CEI patterns!)
- Flash Loans: Borrowing massive sums of money to be repaid in the same block can overwhelm a developer’s expectations. (Really, really check your edge cases!)
- Compromised Private Keys: Gaining unauthorised access to privileged keypairs has spelled disaster many times.
- UI-Based Attacks: Exploiting user interfaces can lead to huge losses. While not strictly smart contract issues, they cause immense pain (just ask Bybit!).
These vulnerabilities can be leveraged by different types of attackers. An internal actor might compromise private keys. Flash loan-based attacks require almost no upfront funds, making them accessible to many. Oracle manipulation, on the other hand, can be quite expensive. And some attacks are purely social engineering, demanding zero capital, just time and patience.
The Data: Unpacking Crypto Hack Trends
Let’s take a look at the data[3] to see how the dynamics play out.
N.B.: The data set we are looking at today contains many non-DeFi hacks & rugs such as CEXes, known individual drains, and more.
How Attack Frequency Changes with TVL
Our initial hypothesis was all about that relationship between TVL (the incentive) and attracting the serious hackers. Below, you’ll see a plot of the Marginal Hack Rate against Total Value Locked.
At first glance, there’s a visible inverse relationship: as TVL climbs, the marginal hack rate generally dips. The orange “Log-trend” line neatly captures this downward slope. It kind of makes sense, right? You might think projects with higher TVL invest more heavily in security, face more scrutiny, or are simply built more robustly, leading to a lower marginal probability of being hacked.
But: R² = 0.03. Ouch.
What does that incredibly low number mean? It tells us that only 3% of the variation in the marginal hack rate can actually be explained by the log-trend in TVL. That is, while there might be a general trend, TVL alone is a poor predictor of whether your protocol will get hacked. This strongly suggests that a whole host of other factors – things like the sheer quality of your code, the rigor of your audits, the expertise of your team, the specific attack vectors present, and even broader market conditions – play a far, far more significant role in determining a protocol’s vulnerability. Simply accumulating a high TVL isn’t your magic shield against hackers.
This also subtly highlights a bias in how we tend to remember and report hacks. The massive, headline-grabbing exploits stick in our minds, while the smaller, more frequent ones with limited impact often fly under the radar.
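The log-trend fit and its R² discussed above, as an added example that is not the post’s own analysis or data: a least-squares fit of marginal hack rate against log10(TVL) over a small constructed sample (not the post’s dataset), showing how a clearly negative slope can coexist with an R² that explains only a few percent of the scatter. The sample points and the functions fit_log_trend and explained_pct are all constructed here.

```python
"""Log-trend fit of marginal hack rate against TVL, with R^2."""
import math

# Constructed sample (not the post's dataset): (TVL in USD, marginal hack
# rate for protocols around that TVL). A slight downward log-slope is
# buried under a lot of scatter, which is the situation a low R^2 describes.
SAMPLE = [
    (1e5, 0.25), (3e5, 0.12), (1e6, 0.27), (3e6, 0.09),
    (1e7, 0.22), (3e7, 0.18), (1e8, 0.06), (3e8, 0.24),
    (1e9, 0.14), (3e9, 0.10), (1e10, 0.20), (3e10, 0.15),
]


def fit_log_trend(points):
    """Least-squares line rate = a + b * log10(tvl); returns (a, b, r2).

    r2 = 1 - SS_residual / SS_total is the share of the variance in the
    hack rate that the log-trend accounts for. A negative b with r2 near
    zero means a visible downward tilt that explains almost no scatter.
    """
    xs = [math.log10(tvl) for tvl, _ in points]
    ys = [rate for _, rate in points]
    n = len(points)
    x_mean, y_mean = sum(xs) / n, sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = y_mean - b * x_mean
    ss_tot = sum((y - y_mean) ** 2 for y in ys)
    ss_res = sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys))
    r2 = 1.0 - ss_res / ss_tot if ss_tot else 1.0
    return a, b, r2


def explained_pct(points):
    """Percentage of hack-rate variance explained by the log-trend."""
    return 100.0 * fit_log_trend(points)[2]


if __name__ == "__main__":
    a, b, r2 = fit_log_trend(SAMPLE)
    print(f"rate = {a:.3f} + {b:.4f} * log10(TVL)")
    print(f"R^2 = {r2:.3f}: the log-trend explains "
          f"{explained_pct(SAMPLE):.0f}% of the variation")
```

On the constructed sample the slope comes out negative while R² lands well under 0.1, so the fitted line looks like a trend on a chart yet predicts almost nothing about any individual protocol.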
Crypto Hacks by Amount Lost: What Does a “Typical” Hack Look Like?
Next up, let’s look at the distribution of hack incidents based on the value lost. This histogram is quite revealing:
- Smaller Hacks Dominate: See those tall bars on the left? That tells us a larger number of hacks involve relatively smaller amounts of money.
- Big Bucks, Fewer Incidents: As the “Amount lost in hack” spirals upward, the frequency of hacks generally drops off. Those eye-watering $100M+, $200M+, even $400M+ hacks are much rarer – though, to be fair, that also lines up with the fact that truly gigantic DeFi protocols are rarer than smaller ones by TVL.
Note the different bucket sizes!
The data confirms that the median hack amounts to $300k. So, while the news cycles might be dominated by multi-million dollar exploits, the vast majority of actual hack incidents are on a much smaller scale.
Funds Lost in Crypto Hacks Over Time
Finally, this chart plots individual hack events, showing the dollars lost on a logarithmic scale against the hacking date from early 2021 to mid-2025. Each dot is a single hack.
This chart reveals several patterns:
- No Clear Trend in Individual Hack Size: Notice how there isn’t a clear upward or downward trend in the magnitude of individual hacks over time. Big hacks (the dots higher up on the y-axis) appear consistently throughout the period, as do the smaller ones. This suggests that the potential for significant losses has remained pretty constant, year after year.
- Constant Activity: The density of points appears relatively consistent. This isn’t a problem that flared up and died down; it’s a persistent, ongoing challenge.
- Hackers Never Sleep: The sheer presence of hacks across the entire timeline, spanning wildly different amounts of money, hammers home one undeniable truth: hacking is an omnipresent and relentless threat in the crypto space. It’s not going away; it’s just evolving.
Conclusion
So, what have we learned? While there’s a faint inverse correlation between a project’s TVL and its marginal hack rate, the truth is that TVL alone is a weak indicator of security. Hackers aren’t just fixated on the absolute biggest payouts; they’re driven by exploitable vulnerabilities, regardless of a protocol’s size.
We’ve seen that smaller hacks are far more common, with the $300k median hack figure showing us the typical incident. Yet, the consistent occurrence of multi-million dollar exploits across time serves as a stark reminder: the potential for catastrophic losses is always lurking.
Ultimately, crypto security isn’t a destination; it’s a continuous, evolving journey. While incentives like TVL certainly play a role in drawing attention, the primary driver of hacks isn’t TVL.
As in traditional finance, the age-old wisdom holds true in crypto: remaining solvent will make you a winner over time.
For founders: your project is constantly under threat, and you cannot assume that surviving a certain TVL milestone makes you more robust, or conversely, less robust against attacks. You need to be always on the lookout and think about your security spend holistically.
For security teams: invest in robust security practices, commit to continuous auditing, and cultivate a deep understanding of potential attack vectors. Because if gas < profit, your protocol isn’t just on the radar… it’s already a target.[4]
Footnotes & acknowledgements
Footnotes
1. Before you go and bash Sui too much, remember the DAO hack.
2. While I usually use TVL to refer to the value locked in a protocol, here TVL is more loosely defined and encompasses total value secured, AUM, and other metrics that are attributable to the total funds on a platform, project, secured by a key pair, etc.
3. Data primarily sourced from Rekt Database, enhanced with data from Rekt and Defillama. Outliers (~1% of dataset) cleaned for analysis & charts.