With rekt.news, we went through four years of data: 23,818 published audit findings from 22 firms, and 218 documented exploit incidents worth US$7.76 billion in losses. The full report and an interactive dashboard are at research.oaksecurity.io. Six things stood out.
1. Human-vector attacks dominate financial losses
Stolen keys, phishing, supply-chain compromise, and governance attacks account for 52% of all user-fund losses, more than every code-level defect category put together. The most expensive attack class in Web3 is one you can’t find by reading the code.
2. The Critical + High share is essentially flat
The combined Critical and High share of audit findings has stayed near 17% for four consecutive years. By this measure, protocol code is not getting measurably safer, despite a maturing audit market.
3. Eight incidents drive half of all losses
The loss distribution is strongly heavy-tailed: the top 8 of 218 incidents account for 50.6% of aggregate damage, and the top 20 reach 71.4%. Tail risk dominates the ecosystem.
4. Most top exploit causes never make the top audit list
There is real overlap: access control, oracle issues, logic errors, and integer arithmetic show up on both sides. But six of the ten largest exploit-loss categories, including stolen keys, phishing, and supply-chain attacks, sit outside the top audit categories, because code review can’t catch them.
5. Ethereum and BNB Chain absorb 94% of losses
Two chains carry 89% of incidents and 94% of losses. That tracks where the money and the tooling are, not some weakness specific to those chains.
6. Audit volume tripled, losses didn’t drop
Published audit findings grew from 2,526 in 2022 to 7,412 in 2024. Annual loss totals over the same window didn’t fall to match. More auditing hasn’t, on its own, made the ecosystem measurably safer.
What we take from this
The data lines up with what we see in every engagement: securing a protocol means securing a lot more than its smart contracts. Code defects live in the source, where an audit can find them. The human-vector compromises skip the code, and they’re now the bigger share of losses by value. That’s why our Operational Security Review and TRACE threat modelling treat systems and organisations as real security surfaces, not an afterthought to the protocol.