New Cross-Chain Vulnerabilities Threaten DeFi Security Across Multiple Blockchains

Severity: Medium (Score: 57.3)

Sources: Cryptorank, Mexc, Cryptoslate, cryptoslate.com

Published: 2026-06-07 · Updated: 2026-06-08

Keywords: defi, losses, million, hack, vectors, fading, risk

Summary

Decentralized finance (DeFi) has seen a significant reduction in losses, dropping from $2.62 billion in 2022 to $534 million by 2024. However, new vulnerabilities have emerged, particularly in cross-chain deployments, where a single flaw can impact multiple networks simultaneously. The Balancer V2 exploit in November 2025 exemplified this risk, draining $128 million across six chains due to an arithmetic precision flaw. As protocols increasingly share code across Ethereum, Arbitrum, Base, Polygon, Sonic, and OP Mainnet, the potential for systemic failures has risen. Bespoke protocol logic exploits accounted for 89.1% of DeFi losses in 2025, highlighting the shift in attack vectors. Despite the overall decline in total losses, the number of unique incidents rose to 83 in 2025, indicating a growing frequency of attacks with lower individual impacts. The evolving threat landscape necessitates enhanced security measures for multi-chain protocols.

Key Points:

  • DeFi losses decreased from $2.62 billion in 2022 to $534 million in 2024.
  • New cross-chain vulnerabilities can drain funds across multiple networks simultaneously.
  • The Balancer V2 exploit in November 2025 drained $128 million due to a shared code flaw.

Detailed Analysis

**Impact** DeFi protocols across six major blockchains—Ethereum, Base, Arbitrum, Polygon, OP Mainnet, and Sonic—are affected by a new class of cross-chain vulnerabilities. The Balancer V2 Composable Stable Pools exploit drained approximately $128 million in under 30 minutes across these networks simultaneously. Industry-wide DeFi losses peaked at $2.62 billion in 2022 but fell to $534 million by 2024, with protocol logic exploits accounting for 89.1% of losses in 2025. The Ronin Bridge hack resulted in over $615 million stolen, with $114 million in Ethereum already moved through mixers, indicating ongoing operational and financial risks primarily in blockchain finance sectors globally.

**Technical Details** The primary attack vector involves an arithmetic precision flaw in stable pool invariant math, exploited by chaining batched swaps to compound rounding errors into a full drain. This vulnerability was embedded in identical smart contract code deployed across six blockchains, enabling simultaneous multi-chain exploitation. The Ronin Bridge attack leveraged compromised validator keys to move 173,000 ETH, with attackers using multiple wallets and Tornado Cash for obfuscation. Eleven separate audits failed to detect the Balancer vulnerability, indicating the subtlety of the bug. No specific CVEs or malware tools were mentioned.

**Recommended Response** Defenders should prioritize multi-chain security audits focusing on shared protocol logic and cross-chain infrastructure, including bridges and messaging layers. Deploy monitoring for anomalous batched swap transactions and rapid multi-wallet fund movements, especially those involving mixers like Tornado Cash. Harden contract code against arithmetic precision and rounding errors, and implement cross-chain incident response coordination and governance frameworks. Continuous tracking of known attacker wallets and updating threat intelligence feeds with related IOCs is advised.
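
The batched-swap monitoring recommended above, sketched as an added example (not code from the sources or from any protocol named here): it flags oversized batched swaps and escalates when the same contract code is hit on several chains inside a 30-minute window. The record fields, the `code_hash` fingerprint and both thresholds are assumptions of this example, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real chain data). Each is one decoded
# batched-swap call; the field names are assumptions of this example.
EVENTS = [
    {"ts": 100,  "chain": "ethereum", "code_hash": "cs-pool-v1", "steps": 4},
    {"ts": 900,  "chain": "ethereum", "code_hash": "cs-pool-v1", "steps": 65},
    {"ts": 1200, "chain": "arbitrum", "code_hash": "cs-pool-v1", "steps": 70},
    {"ts": 1500, "chain": "base",     "code_hash": "cs-pool-v1", "steps": 58},
    {"ts": 1600, "chain": "polygon",  "code_hash": "other-pool", "steps": 61},
    {"ts": 9000, "chain": "sonic",    "code_hash": "cs-pool-v1", "steps": 66},
]

STEP_THRESHOLD = 50        # assumed: swap steps per batch treated as anomalous
WINDOW_SECONDS = 30 * 60   # the drain described above took under 30 minutes
MIN_CHAINS = 2             # assumed: distinct chains hit before escalating


def find_cross_chain_bursts(events, step_threshold=STEP_THRESHOLD,
                            window=WINDOW_SECONDS, min_chains=MIN_CHAINS):
    """Return one alert per code_hash whose oversized batches reach at
    least min_chains distinct chains inside a sliding time window."""
    by_code = defaultdict(list)
    for event in events:
        if event["steps"] >= step_threshold:      # per-transaction anomaly
            by_code[event["code_hash"]].append(event)

    alerts = []
    for code_hash, hits in by_code.items():
        hits.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(hits)):
            # Shrink the window until it spans at most `window` seconds.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            chains = {h["chain"] for h in hits[start:end + 1]}
            if len(chains) > len(best):
                best = chains
        if len(best) >= min_chains:
            alerts.append({"code_hash": code_hash, "chains": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_cross_chain_bursts(EVENTS):
        print(alert)
```

Keying the correlation on the deployed code rather than the sender means the alert still fires when a different wallet is used on each chain.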

Source articles (4)

  • DeFi's old hack vectors are fading - But the new risk can hit six chains at once — Cryptoslate · 2026-06-07
    Decentralized finance has gotten a lot safer over the past six years, and a new review of protocol losses from 2020 through 2025 puts a pretty large number behind that claim. Industry-wide DeFi losses…
  • DeFi's old hack vectors are fading – But the new risk can hit six chains at once — Cryptorank · 2026-06-07
    DeFi protocol losses peaked at $2.62 billion in 2022 and fell roughly 80% to $534 million by 2024, with median loss per incident down from $6 million in 2022 to $1.5 million in 2025 while unique incid…
  • Axie Infinity Ronin Bridge Hacker Has Already Moved 38293 Eth 114 8 Million — cryptoslate.com · 2026-06-07
    Hackers who stole over $615 million in the Ronin Network exploit have already moved over $114 million worth of Ethereum. Cover art/illustration via CryptoSlate. Image includes combined content which m…
  • DeFi's Old Hack Vectors Are Fading, but New Risk Spans Six Chains — Mexc · 2026-06-07
    DeFi’s threat landscape is shifting. Legacy exploit patterns that once dominated headlines are giving way to a newer class of cross-chain vulnerability, one capable of hitting six chains at once and a…

Timeline

  • 2022-01-01 — DeFi losses peak at $2.62 billion: Industry-wide losses reached an all-time high, primarily due to bridge hacks and flash loan attacks.
  • 2024-01-01 — DeFi losses drop to $534 million: Total losses fell significantly, reflecting improved security measures and reduced attack vectors.
  • 2025-11-01 — Balancer V2 exploit drains $128 million: An arithmetic precision flaw allowed an attacker to exploit vulnerabilities across six blockchains simultaneously.
  • 2025-12-01 — Unique DeFi incidents rise to 83: Despite lower individual losses, the frequency of DeFi hacks increased, indicating a shift in attack patterns.

Related entities

  • Balancer (Company)
  • Binance Bridge (Company)
  • Bybit (Company)
  • Harmony (Company)
  • Nomad (Company)
  • Poly Network (Company)
  • Qubit (Company)
  • Ronin Bridge (Company)
  • Ronin Network (Company)
  • Wormhole (Company)
  • Arbitrum (Company)
  • Base (Company)
  • Ethereum (Company)
  • Polygon (Company)
  • Sonic (Company)
  • North Korea (Country)
  • BNB Chain (Platform)
  • OP Mainnet (Platform)
  • Solana (Platform)
  • Tornado Cash (Tool)