The OWASP Smart Contract Top 10: 2026 report just dropped, and the numbers are sobering. 122 deduplicated incidents in 2025 resulted in $905.4 million in losses. When I step back and look at the cumulative damage since 2020—over $4.2 billion lost to DeFi protocol exploits—I have to ask: Are we actually getting better at security, or are attackers just getting smarter?
The Reentrancy Paradox
Here’s what caught my attention: reentrancy attacks dropped from #2 to #8 in the OWASP rankings. On the surface, this looks like progress. We’ve been hammering the importance of checks-effects-interactions for years, and developers finally listened. OpenZeppelin’s ReentrancyGuard became standard. Auditors check for this reflexively.
But here’s the unsettling part—reentrancy still caused $35.7 million in losses in 2025. It didn’t disappear; it just got overshadowed by more lucrative attack vectors.
The New Threat Landscape
What replaced reentrancy at the top of the list? Flash loan attacks, oracle manipulation, and business logic flaws. Access control vulnerabilities alone accounted for $953.2 million in losses. The OWASP 2026 list now includes proxy and upgradeability vulnerabilities for the first time—attack surfaces that didn’t even exist in early DeFi.
The pattern I’m seeing: modern attackers chain multiple vulnerabilities together. The bZx exploit in early 2020 pioneered the flash loan + oracle manipulation combo (~$350K stolen). Fast forward to 2025, and we’re seeing sophisticated multi-step attacks:
- Cheese Bank (2020): $3.3M via AMM-based oracle manipulation
- PancakeBunny (2021): $45M flash loan attack
- Mango Markets (2022): $117M governance + oracle exploit
- Beanstalk Farms (2022): $182M
- Makina Protocol (2025): $5M exploiting oracle vulnerability with flash loan
These aren’t script kiddies finding low-hanging fruit. These are sophisticated operations that understand DeFi composability better than many of us who are building it.
Defense vs. Attack Surface
Here’s my hypothesis: We improved our defenses against known vulnerabilities, but we expanded our attack surface faster than we could secure it.
Every new DeFi primitive—from flash loans to cross-chain bridges to upgradeable proxies—adds complexity. Complexity is the enemy of security. We built increasingly sophisticated protocols while attackers studied how these components interact in unexpected ways.
Look at the data trajectory:
- 2024: $3.38B in total crypto theft
- 2025: $3.4B (year-end), with $3.1B lost in just the first half from hacks and fraud
- Smart contract exploits in 2025: $905M from 122 incidents
- By Q3 2025: Over $1.8B drained from DeFi protocols
We’re not trending in the right direction.
The Uncomfortable Questions
Is DeFi fundamentally insecure? Or are we going through growing pains that every new technology experiences?
Are audits giving us false confidence? Multiple “audited” protocols still got exploited because auditors can’t predict every interaction in a composable DeFi ecosystem.
Should we prioritize simplicity over features? The most successful protocols (Uniswap V2, for example) maintain relatively simple, auditable codebases.
Are we teaching developers the right things? If everyone focuses on preventing reentrancy but misses access control flaws that cause 10x more damage, we’re failing.
What This Means Going Forward
The 2026 OWASP report isn’t just a security audit—it’s a mirror reflecting our priorities back at us. Reentrancy fell in the rankings not because we solved it, but because we created bigger problems.
I don’t have answers, but I know we need to have this conversation. Every protocol team, every developer, every security researcher needs to honestly assess: Are we building faster than we can secure? And if so, what do we do about it?
What’s your take? Are we making progress, or are we just running on a treadmill while attackers get faster?
Trust but verify, then verify again.