The State of Web3 Security: 2022 – Q1 2026
Today we’re publishing Oak Security’s first empirical study of the Web3 security landscape. Four years of data. 23,818 audit findings. 218 exploits. $7.76 billion in losses. One uncomfortable finding running through all of it.
For the past four years, the industry has talked about Web3 security as if it were one thing. The data says it’s two — and they don’t line up.
We analysed every public audit finding we could get our hands on between January 2022 and March 2026 — 23,818 findings across 22 firms and 2,978 reports. We paired that with 218 real-world exploit incidents documented by Rekt News, representing roughly $7.76 billion in cumulative losses.
The headline finding is this: the categories that auditors surface are not the categories that drive realised losses.
Of the twelve most frequent audit categories and the twelve largest exploit-loss root causes, only one — access control — appears in the top four on both sides. Private key compromise, phishing, and social engineering account for nearly half of all dollar losses across the four-year window, but a negligible share of audit findings. The industry has spent a decade hardening Solidity. The money is being taken somewhere else.
A few of the numbers that stood out to us:
49.6% of cumulative losses came from human-vector attacks (keys, phishing, supply chain, governance manipulation)
48% of incidents affected protocols that had received at least one public audit
8 incidents account for more than half of all losses; 20 incidents account for over 70%
89% of incidents happened on Ethereum or BNB Chain
Q1 2026 is the first quarter since 2022 where code-level bugs dominated both incident count and losses — a possible rotation, or just a quiet patch
The full 33-page report is available here
A note of thanks
This report could not exist without Rekt News. They granted us explicit permission to use their incident archive as primary research data, and the four-year picture of realised losses you’ll see in the report is built on their reporting. The investigative work the Rekt team has done — incident by incident, post-mortem by post-mortem — is the empirical foundation the rest of the industry now builds on.
P.S. Our podcast and Rekt News are participating in TheDAO Security Fund’s current quadratic funding round, alongside other public goods working to make Web3 safer. The fund is deploying ETH reactivated from the original 2016 DAO hack. If you liked the report, please consider supporting our podcast, CypherTalk, and Rekt.