‘Median hack size’ keeps shrinking even as DeFi sees 3 exploits in 24 hours – what’s going on?
2026 is shaping up as another heavy year for crypto security incidents. Attack techniques are getting more advanced, attack surfaces are broader, and exploits are hitting everything from obscure tokens to major lending platforms. In just the last 24 hours alone, almost half a dozen separate incidents have drawn attention – three of them in the DeFi sector.
Yet, despite this flurry of activity, on‑chain data shows something counterintuitive: attackers are, on average, walking away with less money per hack than they used to.
Below is a breakdown of the latest exploits, how the funds moved, and why the median hack size is trending down even as the number of incidents climbs.
—
A vulnerability hits FCOW on BNB Smart Chain
Web3 security firm TenArmor flagged one of the first incidents of the day involving FCOW, a token deployed on BNB Smart Chain (BSC).
According to the firm’s analysis, an attacker took advantage of a vulnerability in the token’s contracts, draining around 61,300 dollars’ worth of funds. Investigators spotted a suspicious on‑chain transaction that allowed them to follow the stolen assets in real time.
The exact technical vector behind the FCOW attack has not yet been made public. However, the incident once again highlights the structural risk that lightly audited or forked contracts face on BSC, where rapid token launches often outpace robust security reviews.
—
DefiTuna’s lending pools drained for over half a million
Shortly after, DefiTuna reported that an exploit had targeted its lending markets. The attacker specifically focused on its pools, inflicting an estimated 580,000‑dollar loss.
The USDC pool was hit particularly hard, ending up with a deficit roughly equal to the total value stolen. While the platform’s team stressed that an investigation was ongoing, they also indicated that they had already pinpointed the attack vector and deployed additional safeguards to stop the same method from being reused.
This type of attack fits a broader pattern in DeFi: lending and borrowing protocols tend to be highly complex, with multiple intertwined contracts, making them fertile ground for logic flaws, mispriced collateral, and oracle manipulation.
—
Cascade’s CLS vault attacked for 1.34 million USDC
A more substantial incident occurred on Cascade, which suffered an exploit of its CLS vault, as reported by blockchain security company PeckShield. User funds worth approximately 1.34 million USDC were drained.
The attacker did not keep the funds stationary. Instead, they quickly routed the stolen money through several networks:
– Bridged assets from Arbitrum to Solana
– Moved them again to Ethereum using Relay Protocol
– Converted the proceeds into DAI during the process
This multi‑chain laundering route is now standard practice for sophisticated attackers, who try to fragment their tracks across different ecosystems, liquidity layers, and tokens to delay or block tracing and recovery attempts.
—
Resolv Labs exploiter resurfaces, moving over 580 ETH
The day’s turmoil was not limited to fresh attacks. Blockchain sleuths also noticed renewed activity from the wallet behind the March exploit of Resolv Labs, where roughly 25.9 million dollars had been stolen.
In the last few hours, that address has transferred 580 ETH – worth about 1.09 million dollars – and appears to be feeding the funds through cryptocurrency mixing services. This further complicates attribution, blacklisting, and law‑enforcement intervention.
The timing of these movements, amid a cluster of new exploits, raises questions about whether some attackers are testing how quickly exchanges, protocols, and analytics firms now respond to suspicious flows.
—
Large BONK holder starts offloading a multibillion‑token stash
Adding to market anxiety, a wallet that had legitimately bought 4.426 trillion BONK – a position then valued at roughly 21.2 million dollars – from the project’s treasury has begun selling.
The address has already transferred 1.19 trillion BONK, worth about 4.11 million dollars, to Binance, implying a likely sale. Despite these transfers, the wallet still holds close to 3.2 trillion BONK, estimated around 10.85 million dollars.
Although this is not a hack, the behavior of such a large holder matters for market structure. Continued selling or further deposits to centralized exchanges could trigger additional selling pressure, impacting liquidity, volatility, and traders’ willingness to hold the token through drawdowns.
—
How the funds are being laundered
Looking across these incidents, a familiar pattern emerges:
– Attackers tend to move quickly, often within minutes or hours of an exploit.
– Cross‑chain bridges are used to hop between networks and jurisdictions.
– Assets are swapped between stablecoins and volatile tokens to fragment liquidity trails.
– Mixing and privacy tools are used to break the visible link between stolen funds and cash‑out addresses.
The Cascade exploit is a textbook example: Arbitrum → Solana → Ethereum → DAI, all in a tight sequence. The Resolv Labs exploiter’s renewed use of mixers shows that older attackers are also relying on increasingly layered laundering strategies to protect their stolen capital.
These tactics make it more difficult for victims and investigators to freeze funds, but they’ve also pushed defenders to improve monitoring and early‑warning systems.
—
2026 vs. 2025: more hacks, less money (per hack)
Despite the constant headlines, aggregate numbers tell a nuanced story. Data from DeFiLlama shows that as of July 2026, total losses for the year are hovering around 1 billion dollars. That is less than half of the 2.135 billion dollars stolen over the same period in 2025.
So, what is changing?
Haseeb Qureshi, Managing Partner at Dragonfly, has pointed out a key trend: the median hack size – the “middle” value if you lined up all hacks from smallest to largest – is shrinking year after year. According to him, the industry is gradually moving toward a pattern where:
> “We’re seeing more frequent incidents, but they tend to be smaller and often hit small or mid‑tier protocols rather than the massive, system‑level blows we saw in earlier cycles.”
In other words, while the number of exploits remains high, the typical payoff per attack is declining.
—
Why the median hack size is going down
Several structural shifts in the crypto ecosystem help explain why attackers are often walking away with smaller hauls:
1. Better security on the biggest targets
Large protocols with billions in total value locked now routinely commission multiple audits, formal verifications, live bug‑bounty programs, and continuous monitoring. While this doesn’t eliminate risk, it significantly raises the cost and difficulty of pulling off a massive “one‑shot” exploit.
2. Faster detection and response
Security firms, analytics platforms, and protocol‑level alert systems can now flag abnormal transactions almost in real time. Once an exploit is spotted, developers and partners can pause contracts, halt front‑ends, or coordinate with exchanges to freeze incoming funds. That limits how much can be drained before the door slams shut.
3. More fragmented liquidity
Capital is no longer concentrated in a handful of DeFi giants. Volume and value are scattered across many chains (Ethereum, BNB Smart Chain, Solana, Arbitrum, etc.), specialized protocols, and niche tokens. For attackers, this often means they target smaller pools because the biggest, most obvious honeypots are heavily guarded.
4. Attackers preferring “low‑hanging fruit”
Many scams and exploits no longer aim for a single nine‑figure jackpot. Instead, they focus on quickly exploiting poorly written or unaudited contracts with tens or hundreds of thousands of dollars. Running multiple smaller exploits across emerging projects can be less risky than trying to break the best‑secured protocols.
5. Growing ecosystem of defensive tools
On‑chain surveillance, anomaly‑detection algorithms, and insurance‑like mechanisms allow faster triage and, in some cases, partial recovery or compensation. This doesn’t stop incidents but can materially reduce the net loss per event.
—
What this means for DeFi users and builders
A declining median hack size should not be confused with a safe environment. If anything, users now face a broader, more persistent threat landscape:
– More frequent, smaller exploits mean you are statistically more likely to interact with a compromised contract at some point, especially on newer chains or with unproven projects.
– Security asymmetry persists: large, established platforms are relatively safer, while smaller protocols rushing to market often skimp on security budgets.
– Reputational risk is rising: even a modest exploit can permanently damage a project’s credibility, impact token prices, and make future fund‑raising nearly impossible.
For developers, this environment reinforces a few priorities:
– Bake security into the design from day one, rather than patching holes after deployment.
– Limit the initial value in smart contracts via caps and gradual TVL growth, instead of allowing unlimited deposits on day one.
– Use time‑locks, multi‑sig governance, and circuit breakers so that critical changes or emergency pauses can be enacted without centralized abuse.
—
How smaller protocols can avoid becoming easy targets
Many of the exploits highlighted – from FCOW’s contract weakness to DefiTuna’s lending pool issues – share one trait: they sit outside the small group of flagship DeFi blue chips.
Smaller projects can reduce their odds of being the next headline by:
– Commissioning at least one reputable audit before mainnet launch, and another after any major upgrade.
– Reusing battle‑tested code instead of copying and modifying complex logic they don’t fully understand.
– Running a public bug bounty program, even with modest rewards, to encourage responsible disclosure from white‑hat hackers.
– Minimizing complexity in v1 releases; every additional feature or parameter is another potential attack surface.
– Enforcing deposit and borrow limits that can be raised gradually as confidence in the contracts grows.
Even if these measures cannot eliminate risk, they can transform a protocol from an easy target into a harder one – often enough to make attackers move on to the next, weaker victim.
—
Practical takeaways for everyday DeFi users
For individual users, the trend toward smaller but more frequent hacks calls for a different kind of discipline:
– Diversify your exposure
Avoid concentrating a large portion of your portfolio in a single DeFi protocol, no matter how attractive the yields look.
– Favor protocols with clear security practices
Check whether a project has documented audits, time‑tested contracts, transparent teams, and publicly explained risk controls.
– Be cautious with new launches
Freshly deployed contracts, especially on fast‑moving chains, may not have undergone rigorous testing. Treat anything new as experimental until it proves otherwise.
– Watch for abnormal behavior
Sudden changes in yields, unexplained pauses, abnormal token minting, or large withdrawals from insiders or whales can all be red flags.
– Keep only what you need in hot wallets
Store long‑term holdings in more secure environments; use DeFi mainly with funds you can afford to risk.
—
The bigger picture: DeFi security is evolving, not solved
The past 24 hours illustrate both sides of modern DeFi:
– On one hand, attackers are still active, creative, and willing to probe every corner of the ecosystem – from mid‑tier lending pools to obscure tokens and dormant exploit wallets.
– On the other hand, total losses are trending down compared to the previous year, and the typical hack is smaller, suggesting that security measures are gradually working where they are most mature.
The industry is transitioning from an era dominated by a few massive, ecosystem‑shaking heists to a landscape defined by numerous, lower‑value incidents. This shift is a sign of progress in some areas – particularly among major protocols – but it also highlights how much of the long tail of DeFi remains dangerously underprotected.
In that sense, 2026 is indeed a “year of exploits.” Not because the numbers are bigger than ever, but because the constant volley of attacks is forcing DeFi to grow up, protocol by protocol and line of code by line of code.

