Lending Protocols Top DeFi Hack Targets After 67 Exploits; Smart-Contract Bugs Drive $526M Losses

Lending protocols have become the most-targeted sector in DeFi, recording 67 exploits over the past year and accounting for the largest share of incidents among 267 reported DeFi attacks. These protocols hold roughly $53 billion in reported TVL, making them attractive targets because they custody stablecoins and valuable collateral (ETH, BTC) and operate permissionlessly via smart contracts. Flash loans, oracle and price-manipulation attacks, liquidation triggers and new-token minting for interest have been key exploit vectors. Sentora data shows smart contract bugs were the chief cause of losses in the 12 months ending January 2026: 48 incidents tied to smart-contract issues resulted in about $526 million lost. Price-manipulation incidents numbered 13, causing roughly $65 million in damage. Audited protocols still suffered, losing $515 million, while unaudited contracts accounted for $77 million across 24 incidents; out-of-scope exploits totaled $193 million. The article notes examples such as Moonwell, which was exploited via oracle/pricing vulnerabilities. Secondary attack vectors include compromised private keys/multisigs and malicious cloned DEXs that trap user funds. For traders: the prevalence of protocol-level smart-contract risk and oracle/price manipulation increases systemic risk for lending markets, raises liquidation and collateral volatility risks, and underscores the need to monitor protocol audits, oracle configurations, and concentrate risk exposure management.