Over the past five years, billions in user funds have been lost to protocol hacks. Some projects bounced back. Others never fully recovered.
In this article, we outline the five most common post-hack outcomes, analyze 10 major exploits, and break down how each project responded. We also share the key steps every Web3 protocol should take to be prepared before a hack ever happens.
The Hacker Is Silent and the Funds Are Lost
No response or communication.
Funds are typically laundered via mixers or cross-chain bridges.
The Hacker Takes a Bounty and Returns the Rest
Negotiation occurs; the attacker keeps 5–10% of the funds as a bounty.
No legal action is pursued in return for cooperation.
The Hacker Returns Everything Without a Bounty
Motivated by ethics or pressure.
All funds are returned voluntarily.
The Protocol or Its Backers Cover the Losses
The project absorbs the loss using its treasury or third-party support.
Often seen with VC-backed or centralized platforms.
Protocol Relaunch or Fundraising
Community funding, IOUs, or token-based recovery.
May include protocol overhaul and governance reforms.
1. Bybit (2025, $1.43B) Bybit worked with blockchain forensics and offered a 10% bounty, while the Lazarus-linked attacker stayed silent and scattered funds across dozens of wallets.
2. Ronin Bridge (2022, $625M) Sky Mavis, the developer of the popular blockchain game Axie Infinity and operator of the Ronin network, paused operations, raised $150M, reimbursed users, and worked with the FBI; the North Korean attackers never responded.
3. Poly Network (2021, $610M) The hacker returned all funds, claiming the exploit was done for fun; Poly offered a bounty and a security role, both of which were declined.
4. Wormhole (2022, $320M) Jump Crypto, a digital asset firm and backer of Wormhole, fully replenished the stolen 120,000 wETH from its own capital; the attacker has never been identified.
5. Cetus (2025, $223M) Contracts were paused, most funds were frozen, and a governance vote was launched for full user compensation; the attacker never responded.
6. Euler (2023, $197M) The protocol was paused and a bounty offered; ~84% of the funds were returned voluntarily by the attacker.
7. Nomad Bridge (2022, $190M) Nomad offered a 10% bounty and recovered ~$37M through white-hat returns; one individual was later arrested.
8. Wintermute (2022, $160M) Wintermute issued a public bounty and traced the stolen funds into Curve pools, but no assets were recovered and the attacker never responded.
9. Beanstalk (2022, $182M) A flash-loan-based governance attack; the protocol was paused and relaunched after raising $10M via a "Barn Raise" campaign.
10. Bitmart (2021, $196M) Hot wallet keys were compromised; Bitmart covered all user losses from its own funds and resumed operations gradually.
The best defence starts long before anything goes wrong. Every protocol should have a well-defined, battle-tested incident response plan. This includes:
Engaging two key partners: a blockchain-savvy incident response firm and legal counsel familiar with your governance structure.
Creating a clear communication strategy for internal teams and external stakeholders.
Defining roles and responsibilities ahead of time to avoid chaos and confusion during critical moments.
Outlining pre-approved actions, such as emergency halts, multisig freezes, or fund quarantines.
Because every hack is different, a one-size-fits-all response won’t work. Instead, build a "black swan" scenario plan with your key stakeholders and security partners, so when the unexpected happens, your team knows exactly what to do with speed and confidence.
Conclusion
In Web3, how you respond to a hack matters as much as how you prevent one. If your protocol gets hit, your actions in the next 72 hours could define your project's long-term fate. Be paranoid, be prepared, and above all, be transparent.
Don’t forget to follow CD Security on Twitter, as well as the author chrisdior.eth, for daily Web3 insights and security tips. Stay informed and stay secure!