Human-vector attacks dominate financial losses
Private-key compromise, phishing, supply-chain compromise and governance attacks now account for more than half of all user-fund losses — surpassing every code-level defect category combined.
A quarterly updated empirical analysis of 23,818 published audit findings from 22 firms and 218 real-world exploit incidents totalling US$7.76 billion in losses. Produced by Oak Security in collaboration with rekt.news.
rekt.news has documented Web3 exploits from the perspective of the victims since 2021, building the most comprehensive public archive of incident data in the industry. For this report we were granted explicit written permission to ingest, classify and analyse the entire rekt.news archive of incidents from 2022 through Q1 2026.
218 incidents totalling US$7.76 billion form the exploit-side ground truth in this report. We thank the rekt.news team for the data-sharing arrangement that made this analysis possible.
The numbers below summarise the most material patterns across audit output and exploit incidents. Detailed methodology, charts and citations are provided in the full report.
The combined Critical+High share of audit findings has remained near 17% for four consecutive years — protocol code is not measurably improving in absolute terms despite the maturing audit market.
The loss distribution is strongly heavy-tailed: the top 8 of 218 incidents account for 50.6% of aggregate damage. The top 20 reach 71.4%. Tail risk dominates the ecosystem.
There is real overlap between the audit-finding and exploit-loss categories — access control, oracle issues, logic errors and integer arithmetic appear prominently on both sides. But six of the ten largest exploit-loss categories — including private-key compromise, phishing and supply-chain attacks — sit outside the top audit categories, because they cannot be found through code review.
Two chains carry the overwhelming majority of incidents (89%) and losses (94%) — a function of TVL concentration and EVM tooling maturity rather than chain-specific weakness.
Published audit findings grew from 2,526 in 2022 to 7,412 in 2024 as the audit market matured. Annual loss totals across the same window show no corresponding decline. More auditing has not translated, in aggregate, into a measurably safer ecosystem.
Securing a protocol means securing far more than its smart contracts. The data shows two distinct classes of exposure — code-vector defects auditable in source, and human-vector compromises that bypass the code entirely.
Code vector: the traditional smart-contract audit surface, defects discoverable through code review, fuzzing and formal methods.
Human vector: the operational, organisational and social surface, out of reach of any contract-only audit.
For four consecutive years, attackers earned more from compromising people, processes and infrastructure than from breaking smart-contract logic. The trend is consistent; the response from the ecosystem has not been.
Hardening operational security — signer hygiene, dependency review, domain controls, incident playbooks, employee onboarding — is now at least as important as a thorough code audit.
The full PDF carries the complete methodology, source citations and per-firm attribution — below is a summary of the four data pillars.
23,818 published findings ingested from 22 audit firms’ public reports, 2022 – Q1 2026.
218 real-world incidents from the rekt.news archive, used with explicit written permission.
Findings and incidents normalised into a unified severity, category and root-cause taxonomy.
Year-over-year trend, Pareto / heavy-tail, mean-vs-median, chain and stack concentration.
Twelve charts, ten numbered sections and the complete methodology — including everything we left out of this page. Free, CC BY-ND 4.0.