DeFi hacks cost $780.3M in Q2, now a structural yield risk

By Khal · · 2 min read

Editorial illustration for: DeFi security lapses cost $780.3 million in Q2, turning hacks into hidden participation tax
Published Jun 30, 2026, 7:22 p.m. (1 hour ago)

In brief

  • DeFiLlama logged 88 hacks totaling $780.3 million in Q2, with April accounting for $644.8 million
  • Infrastructure failures (bridges, signers, cross-chain messaging) drove most dollar losses
  • Users now price exploit risk as a hidden cost alongside gas fees and slippage

April bore the brunt

April 2024 carried the largest hack losses at $644.8 million, while May and June combined added $135.4 million. The concentration underscores how a handful of major exploits can reshape the risk landscape for an entire quarter.

DeFi Protocol targets accounted for $735.8 million of the $780.3 million total loss in Q2, while bridge-hack-flagged entries accounted for $353.4 million. These overlaps matter: many losses trace to shared infrastructure—bridges, signing systems, cross-chain messaging, admin permissions, and hot wallets that sit outside any single protocol's direct control.

The hidden tax on participation

The math of DeFi yield is changing. Users and liquidity providers must evaluate whether the route to yield depends on a bridge, oracle, frontend, signer set, or administrative path they cannot assess in real time. A pool can offer 15% APY, but that return means nothing if capital moves through a compromised oracle or cross-chain router.

The cost of DeFi participation now includes the risk that a permission, route, or proof layer fails while capital is in motion, beyond gas, slippage, and borrowing costs. This isn't priced in most yield calculators. It's a liquidity tax—invisible until it isn't.

Incidents pile up; infrastructure bleeds

Infrastructure-classified entries accounted for most of the known dollar losses in Q2, while protocol-logic entries accounted for most of the incident count. By June 30, amount-bearing hack entries totaled $16.65 billion cumulatively. DeFi Protocol targets accounted for $7.85 billion and bridge hacks for $3.26 billion.

Recent exploits have forced reckoning. The KelpDAO and LayerZero exploits demonstrated how a single exploit can push projects to rethink their security infrastructure. A THORChain halt following an exploit revealed another lesson: when routing trust breaks down, systems can stop first and ask questions later.

The message is clear. High yields still exist in DeFi—but they now carry a live cost of participation that wasn't there before.

Related stories