DeFi Lending Annual Loss Rate at 0.03%, Data Analysis Shows

Written by: Alex McFarlane

Translated by Chopper, Foresight News

Every disruptive fintech innovation inevitably undergoes growing pains, and decentralized finance (DeFi) is no exception. The early lending market launched rapidly and expanded at breakneck speed, leading the industry to face a series of security breaches in public markets, gradually refining code security, collateral risk management, oracle mechanisms, liquidation logic, and governance systems.

Past risk cases offer valuable insights, but they no longer reflect today’s mature DeFi ecosystem. After all, those who only review history often miss current opportunities.

After excluding security incidents related to cross-chain bridges, the annualized loss rate due to theft and malicious attacks on DeFi lending protocols on the Ethereum Virtual Machine (EVM) and Solana chains is approximately 0.03% of the total value locked (TVL). All data in this analysis are aggregated from DeFi Llama’s labeled events of hacks and vulnerability-based thefts.

The core criterion for assessing security risk is: how significant are the actual exploit losses compared to the total funds on the market?

A loss rate of 0.03% is roughly equivalent to the probability of an American citizen dying from an accidental slip and fall. This shows that, apart from the widespread market panic, the actual security risk of DeFi lending is relatively low.

As of May 16, 2026, DeFi Llama reports that the total amount stolen across all categories of DeFi protocols amounts to $7.751 billion, covering an extremely broad scope. This data includes cross-chain bridges, decentralized exchanges, derivatives protocols, blockchain gaming-related projects, digital wallets, underlying infrastructure failures, and non-lending DeFi services.

Cross-chain bridges are a major hotspot for risks: excluding security incidents related to cross-chain bridges, the total amount of stolen crypto in the DeFi sector drops to $4.518 billion.

Code executes only the exact instructions written, not the developer's intended outcomes, which is the root cause of various vulnerabilities. Categorizing risks is crucial: DeFi is not a uniform risk category—cross-chain bridge hacks, DEX oracle manipulation, wallet phishing scams, and collateral vulnerabilities in lending markets are all entirely different types of risks.

Among all DeFi protocols, lending markets are targeted most frequently due to a straightforward reason: large amounts of assets remain locked in smart contracts, making them prime targets for hackers.

Lending protocols and automated market makers (AMMs) are high-risk areas for security incidents, with a key commonality being the need to aggregate large amounts of assets into smart contracts. Aside from cross-chain bridges, the vast majority of security incidents occur within these two types of protocols. This article will focus on analyzing the lending and liquidity provisioning sectors.

Today, the total value locked in DeFi far exceeds that of the industry’s early stage, which was plagued by frequent vulnerabilities—especially in the lending sector, where project risk management systems are more mature, code audits are more comprehensive, and real-time on-chain risk monitoring has significantly improved. Excluding cross-chain bridge incidents, the annualized actual loss rate due to stolen funds in EVM and Solana ecosystem lending has decreased substantially.

Euler set a landmark case in risk management by successfully recovering all stolen assets. In 2023, after being hacked for $197 million, Euler not only recovered the full amount but, due to asset price fluctuations, ultimately reclaimed $240 million, achieving a positive surplus. This highlighted the gap between reported losses and actual recoveries in the industry.

As of May 16, 2026, aggregate relevant data from the past approximately one year:

• Total reported loss from non-cross-chain lending incidents involving EVM and Solana: $30.9 million
• Actual net loss after asset recovery: $30.1 million
• Daily locked funds in the lending sector: $99.6 billion
• Book loss rate: 3.1 basis points
• Actual net loss rate: 3 basis points

On an annualized basis, the capital loss remains steadily around 0.03% of the total locked value of loans.

DeFi security incidents exhibit a clear bimodal distribution: a very small number of extremely large theft events account for the vast majority of the industry’s total reported losses. When plotting incident sizes on a logarithmic scale, the distribution of theft amounts closely approximates a log-normal distribution. Intuitively, most security incidents result in relatively small losses, while massive thefts are concentrated in only a few extreme cases.

Although ChatGPT presents a different perspective, I believe this data strongly demonstrates that portfolio diversification is an excellent method for preventing crime.

From the perspective of risk transfer and commercial insurance, this data model also provides a solid foundation for the industry’s security insurance business, enabling insurers to set per-transaction payout limits for different protocols and conduct underwriting in an orderly manner.

Moreover, the vast majority of coin theft incidents have limited impact and are far from sufficient to shake the overall capital pool of the lending sector. Furthermore, the larger the overall size of the sector, the smaller the impact of any single security incident on the entire system.

Note: In some cases of stolen funds, the reported loss appears to exceed the project’s locked market capitalization; such cases are uniformly counted as 100% losses. This discrepancy arises primarily for two reasons: first, there is a time lag between the locking market capitalization data collection and the timing of the security incident, resulting in changes in asset volume; second, DeFi Llama’s methodology for calculating locked assets differs from the actual assets exposed to risk.

Although this estimation method is not absolutely perfect, it sufficiently reflects the current state of the industry: the vast majority of vulnerability exploits affect only a single business module within lending protocols, with very few cases resulting in total asset loss—especially among top-tier, high-volume projects. This survey data provides critical insights for DeFi risk hedging and asset custody services.

Asset recovery has also significantly improved the actual risk performance of the DeFi lending sector. According to aggregated data from DeFi Llama on DeFi thefts across all categories, the industry’s total recovered assets account for approximately 8% of the reported total losses; however, excluding cross-chain bridge incidents, the asset recovery rate for EVM and Solana lending protocols is higher, reaching around 20% of reported losses.

Asset theft cases occurring in regions with well-developed legal systems and mature regulatory governance generally have higher recovery success rates. This phenomenon also carries industry insights related to access control.

The security risks in the DeFi lending sector are now quantifiable and categorizable, with actual fund loss ratios continuously declining. Data demonstrates that the industry has entered a mature stage: actual losses from exploited vulnerabilities constitute an extremely small percentage of the sector’s total locked funds, all risks are clearly identifiable, and risk boundaries are becoming increasingly transparent.

In summary, don't be swayed by negative external narratives—data and facts clearly reflect the true risk level of the DeFi lending sector.