Over the last few days, I spent some time adding protocol language info to DefiLlama's hack page (https://defillama.com/hacks) with 0xngmi's help. I used the opportunity to review the data and chart some stuff. 🧵

The page is a wonderful crowdsourcing effort and the most comprehensive structured dataset for crypto hacks around. Its "total value hacked" figure is an oft-cited reference in pieces about web3 security, but as high as it is...

...it's better thought of as a lower bound. Small hacks and rugs (<$100k) are common but clearly underreported. The data focuses only on protocols so phishing or poisoning attacks on individuals are excluded, but some have caused losses of over $60m! (https://tinyurl.com/2j6d6jw5)

Cross-referencing the hack list's chains with DefiLlama's tracked protocol list, we can get an estimate of the proportion of a chain's protocols that get hacked. Ethereum and Solana lead here, but the 2022 starting date favors younger chains.

That's only one part of the story though, as hack amounts can vary a lot. Normalizing by chain TVL shows a different picture. Fantom and Base lead due to the Multichain hack and Bald rugpull, respectively. And Solana had a string of major hacks (Mango, Wormhole, Cashio).

And since the hack data now has language info, we can also do language-based stats! Rust may be safe, but clearly not web3 safe. Solidity fares better but Vyper slithers ahead 🐍. Java comes from a single data point on ICON.