
When Will Your Protocol Get Hacked?

Posted on:17 June 2025 at 19:40

TL;DR: Thinking your crypto project’s Total Value Locked (TVL) tells you how likely it is to get hacked? Think again.


Rekt.

Pwnd.

Hacked.

Exploited.

Profitable Trading Strategy.

Words you do not want to hear as a smart contract engineer. Especially about your protocol.

The cold, hard truth? When there’s real money on the line, every single crypto project eventually draws the gaze of black-hat hackers. Automated scanners are already out there, tirelessly poking and prodding for weaknesses. And with the rise of powerful Large Language Models (LLMs), both sides of this digital arms race are only getting more sophisticated. This means active protection is becoming incredibly important – though, honestly, how to achieve that reliably is still a puzzle for all of us. On the flip side, we might even see “retroactive protection” become the norm, allowing for the reversal of funds after an exploit, much like the Sui Network’s move after the Cetus hack.1

Today, I wanted to answer the question: when does your crypto project truly catch the eye of serious hackers? I’m not talking about the automated bots that exploit rookie mistakes (those should never even see production). I mean the old-school manual hackers, the sophisticated groups, maybe even nation-state actors. My hunch was that there might be a direct link between a protocol’s TVL2 – that enticing pot of gold – and its likelihood of appearing on their radar. Let’s dive into the data and see what it tells us.

TVL ~ Incentive: A Hacker’s Payday?

Before we dig into the numbers, let’s chat about incentives. What’s the absolute most a hacker could walk away with from your project? Roughly speaking, it’s your TVL. Of course, it could be more if they manage to exploit something like router authorisations, or far less if their specific attack vector doesn’t grant access to all the locked value.

Then there are the operational costs. If an exploit can’t be pulled off with a simple flash loan and requires upfront capital, well, our would-be attackers need to be sufficiently funded themselves. And let’s not forget the risk of failure – a botched exploit could mean losses for the exploiter. So, sometimes, even a rational hacker might decide to pass on an opportunity, even if it looks profitable on paper, because the risk isn’t quite worth the reward.
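To make the incentive argument above concrete, here is a small expected-value model of the attacker’s decision. It is an added example, not analysis from this post or from any real attacker; the fee, capital-at-risk and success-probability inputs are assumptions, and the one property it encodes that the prose only hints at is that a failed flash-loan attack reverts as a whole, so the attacker loses only gas, whereas a capital-funded attempt can lose the capital itself.

```python
"""Rational-attacker payoff model (added illustration; assumptions labelled inline)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Opportunity:
    """One candidate exploit as the attacker would size it up. Every field is an
    attacker-side estimate; none of these numbers come from the post's dataset."""
    tvl_usd: float
    extractable_fraction: float        # share of TVL this specific vector can reach (0, 1]
    p_success: float                   # attacker's own estimate of pulling it off [0, 1]
    gas_usd: float                     # tx/bundle cost, paid whether or not the tx succeeds
    capital_usd: float = 0.0           # capital the exploit must control during the attack
    flash_loan: bool = False           # True: capital is borrowed and repaid inside the tx
    flash_fee_bps: float = 5.0         # assumed flash-loan premium in basis points
    capital_loss_on_failure: float = 1.0  # assumed share of own capital lost on a failed funded attempt

    def __post_init__(self):
        if not 0.0 < self.extractable_fraction <= 1.0:
            raise ValueError("extractable_fraction must be in (0, 1]")
        if not 0.0 <= self.p_success <= 1.0:
            raise ValueError("p_success must be in [0, 1]")


def max_payout(o: Opportunity) -> float:
    """Upper bound on the take: the reachable slice of TVL (the post's 'roughly your TVL')."""
    return o.tvl_usd * o.extractable_fraction


def expected_value(o: Opportunity) -> float:
    """Expected profit in USD, branching on how the attack is funded."""
    if o.flash_loan:
        # Success: pay gas plus the flash-loan premium on the borrowed amount.
        win = max_payout(o) - o.gas_usd - o.capital_usd * o.flash_fee_bps / 10_000
        # Failure: the whole transaction reverts, so no fee and no principal is lost.
        lose = -o.gas_usd
    else:
        win = max_payout(o) - o.gas_usd
        # Failure: own capital committed to the attack is (partly) lost, plus gas.
        lose = -o.gas_usd - o.capital_usd * o.capital_loss_on_failure
    return o.p_success * win + (1.0 - o.p_success) * lose


def rational_attacker_proceeds(o: Opportunity, hurdle_usd: float = 0.0) -> bool:
    """True if the expected value clears the attacker's minimum acceptable profit."""
    return expected_value(o) > hurdle_usd


# Three constructed opportunities against the same $10M TVL. Same pot, very different decisions.
FLASH_LOAN_PRICE_MANIP = Opportunity(10e6, 0.2, 0.9, 5_000, capital_usd=50e6, flash_loan=True)
FUNDED_LIKELY = Opportunity(10e6, 1.0, 0.3, 5_000, capital_usd=3e6)
FUNDED_UNLIKELY = Opportunity(10e6, 1.0, 0.1, 5_000, capital_usd=3e6)

if __name__ == "__main__":
    for name, o in [("flash loan", FLASH_LOAN_PRICE_MANIP),
                    ("funded, p=0.3", FUNDED_LIKELY),
                    ("funded, p=0.1", FUNDED_UNLIKELY)]:
        print(f"{name:14s} EV = {expected_value(o):>14,.0f} USD  proceed={rational_attacker_proceeds(o)}")
```

The third case is the one the paragraph describes: the full TVL is extractable and the payout on paper is $10M, yet the expected value is negative once the capital that a failed attempt would burn is priced in, so a rational attacker passes.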

But motives are complex, and incentives stretch beyond just TVL. Remember Avi, who seemed to want to prove that “code is law”? Or Jared, who just loves showcasing his front-running skills? And who could forget DeFi100, brazenly bragging about their exit-scam?

So, while TVL might not be the perfect measure of incentive, it should tell us something important, right?

Attackers & Attack Vectors: Know Thy Enemy

The world of crypto hacks is a wild west, with a dizzying array of attack vectors depending on the project’s unique design. Here’s a quick rundown of some common culprits:

These vulnerabilities can be leveraged by different types of attackers. An internal actor might compromise private keys. Flash loan-based attacks require almost no upfront funds, making them accessible to many. Oracle manipulation, on the other hand, can be quite expensive. And some attacks are purely social engineering, demanding zero capital, just time and patience.

Let’s take a look at the data3 to see how the dynamics play out.

N.B.: The data set we are looking at today contains many non-DeFi hacks & rugs such as CEXes, known individual drains, and more.

How Attack Frequency Changes with TVL

Our initial hypothesis was all about that relationship between TVL (the incentive) and attracting the serious hackers. Below, you’ll see a plot of the Marginal Hack Rate against Total Value Locked.

Figure 1: Marginal Hack Rate against Total Value Locked

At first glance, there’s a visible inverse relationship: as TVL climbs, the marginal hack rate generally dips. The orange “Log-trend” line neatly captures this downward slope. It kind of makes sense, right? You might think projects with higher TVL invest more heavily in security, face more scrutiny, or are simply built more robustly, leading to a lower marginal probability of being hacked.

But: R² = 0.03. Ouch.

What does that incredibly low number mean? It tells us that only 3% of the variation in the marginal hack rate can actually be explained by the log-trend in TVL. That is, while there might be a general trend, TVL alone is a poor predictor of whether your protocol will get hacked. This strongly suggests that a whole host of other factors – things like the sheer quality of your code, the rigor of your audits, the expertise of your team, the specific attack vectors present, and even broader market conditions – play a far, far more significant role in determining a protocol’s vulnerability. Simply accumulating a high TVL isn’t your magic shield against hackers.

This also subtly highlights a bias in how we tend to remember and report hacks. The massive, headline-grabbing exploits stick in our minds, while the smaller, more frequent ones with limited impact often fly under the radar.

Crypto Hacks by Amount Lost: What Does a “Typical” Hack Look Like?

Next up, let’s look at the distribution of hack incidents based on the value lost. This histogram is quite revealing:

Figure 2: Count of hacks for various hack sizes

Note the different bucket sizes!

The data shows that the median hack amounts to $300k. So, while the news cycles might be dominated by multi-million dollar exploits, the vast majority of actual hack incidents are on a much smaller scale.
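For readers who want to reproduce the two analyses above on their own data, here is an added example (not the post’s own code) that does both: it buckets protocols by TVL decade, computes a hack rate per bucket, fits the rate against ln(TVL) by ordinary least squares and reports R²; and it builds the unequal-width loss histogram of Figure 2 together with the median. The post does not define “marginal hack rate”, so the definition used here (hacked protocols in a TVL bucket divided by all protocols in that bucket) is my assumption, and every number in the sample is constructed rather than drawn from the Rekt or DefiLlama data.

```python
"""Hack rate vs. TVL, log-trend fit with R^2, and a loss histogram (added example)."""
import bisect
import math
from statistics import median

# Constructed sample of (tvl_usd, was_hacked). Not real protocols.
PROTOCOLS = [
    (1.5e5, True), (4e5, False), (7e5, True), (9e5, False),               # $100k decade: 2/4
    (2e6, True), (3.5e6, False), (6e6, False), (8e6, True), (9.5e6, False),  # $1M decade: 2/5
    (1.2e7, False), (2.5e7, True), (4e7, False), (7e7, False),            # $10M decade: 1/4
    (1.5e8, True), (3e8, False), (6e8, False), (9e8, False),              # $100M decade: 1/4
    (1.2e9, False), (2.5e9, True), (5e9, False),                          # $1B decade: 1/3
]

LOW_DECADE, HIGH_DECADE = 5, 9   # everything below $100k or above $1B is clipped into the end buckets


def tvl_bucket(tvl_usd: float) -> int:
    """Decade bucket: floor(log10(TVL)), clipped so tiny and huge outliers do not create 1-item buckets."""
    return min(max(math.floor(math.log10(tvl_usd)), LOW_DECADE), HIGH_DECADE)


def hack_rate_by_bucket(protocols):
    """Assumed 'marginal hack rate': hacked / total within each TVL decade."""
    counts = {}
    for tvl, hacked in protocols:
        n, h = counts.get(tvl_bucket(tvl), (0, 0))
        counts[tvl_bucket(tvl)] = (n + 1, h + int(hacked))
    return {k: h / n for k, (n, h) in sorted(counts.items())}


def fit_log_trend(points):
    """OLS of y on ln(x) for (x, y) points. Returns (intercept, slope, r2)."""
    xs = [math.log(x) for x, _ in points]
    ys = [y for _, y in points]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    r2 = 1.0 - ss_res / ss_tot if ss_tot else 1.0   # R^2 = explained share of variance in y
    return intercept, slope, r2


def analyse(protocols=PROTOCOLS):
    """Bucket, fit rate ~ a + b*ln(TVL) using each bucket's geometric midpoint, report R^2."""
    rates = hack_rate_by_bucket(protocols)
    points = [(10 ** (k + 0.5), r) for k, r in rates.items()]
    intercept, slope, r2 = fit_log_trend(points)
    return {"rates": rates, "intercept": intercept, "slope": slope, "r2": r2}


# Unequal-width loss buckets, as Figure 2's caption warns about. Edges are assumed, in USD.
LOSS_EDGES_USD = [0.0, 100e3, 300e3, 1e6, 10e6, 100e6, math.inf]


def loss_histogram(losses, edges=LOSS_EDGES_USD):
    """Counts per [edges[i], edges[i+1]) bucket; bisect handles the uneven widths."""
    counts = [0] * (len(edges) - 1)
    for loss in losses:
        counts[bisect.bisect_right(edges, loss) - 1] += 1
    return counts


def summarise_losses(losses):
    return {"median_usd": median(losses), "histogram": loss_histogram(losses)}


if __name__ == "__main__":
    result = analyse()
    print("hack rate per TVL decade:", {f"1e{k}": round(r, 3) for k, r in result["rates"].items()})
    print(f"slope on ln(TVL) = {result['slope']:.4f}, R^2 = {result['r2']:.3f}")
    print(summarise_losses([50e3, 250e3, 2e6, 50e6]))   # constructed losses
```

The R² check matters more than the slope: the post’s fit has a visibly negative slope and still explains only 3% of the variance, and this code makes both numbers explicit so the two are never conflated.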

Funds Lost in Crypto Hacks Over Time

Finally, this chart plots individual hack events, showing the dollars lost on a logarithmic scale against the hacking date from early 2021 to mid-2025. Each dot is a single hack.

Figure 3: Funds lost in hacks on a timeline

This chart reveals several patterns:

Conclusion

So, what have we learned? While there’s a faint inverse correlation between a project’s TVL and its marginal hack rate, the truth is that TVL alone is a weak indicator of security. Hackers aren’t just fixated on the absolute biggest payouts; they’re driven by exploitable vulnerabilities, regardless of a protocol’s size.

We’ve seen that smaller hacks are far more common, with the $300k median hack figure showing us the typical incident. Yet, the consistent occurrence of multi-million dollar exploits across time serves as a stark reminder: the potential for catastrophic losses is always lurking.

Ultimately, security in crypto isn’t a destination; it’s a continuous, evolving journey. While incentives like TVL certainly play a role in drawing attention, the primary driver of hacks isn’t TVL.

As in traditional finance, the age-old wisdom holds true in crypto: remaining solvent will make you a winner over time.

For founders: your project is constantly under threat, and you cannot assume that passing a certain TVL milestone makes you more robust, or conversely, less robust, against attacks. You need to be always on the lookout and think about your security spend holistically.

For security teams: invest in robust security practices, commit to continuous auditing, and cultivate a deep understanding of potential attack vectors. Because if gas < profit, your protocol isn’t just on the radar… it’s already a target.4


Footnotes & acknowledgements

Footnotes

  1. Before you go and bash Sui too much, remember the DAO hack.

  2. While I usually use TVL to refer to the value locked in a protocol, here TVL is more loosely defined and encompasses total value secured, AUM, and other metrics that are attributable to the total funds on a platform, project, secured by a key pair, etc.

  3. Data primarily sourced from Rekt Database, enhanced with data from Rekt and Defillama. Outliers (~1% of dataset) cleaned for analysis & charts.

  4. h/t oot2k