Are DEXs safer than CEXs or just shifting crypto risk to you?

The crypto world’s favorite argument has a messier answer than both sides will admit. Whether decentralized exchanges are safer than CEXs depends almost entirely on who is holding the keys and whether they know what they are doing.

To answer the billion-dollar question nobody agrees on, let’s start with the scoreboard, because numbers are harder to argue with than feelings.

In 2024, the crypto industry lost roughly $2.2 billion to hacks and exploits, according to Chainalysis. Centralized exchanges ate the bigger share of catastrophic single events, with DMM Bitcoin losing $305 million and WazirX dropping $234.9 million in what felt like a particularly expensive summer for CEX operators. 

Then came 2025, and Bybit rewrote the record books entirely. CEXs have lost well over $2 billion to hacks and exploits in roughly a year, with 71% of that figure traced to the Bybit breach in February 2025. That single incident became the largest crypto exchange hack ever recorded, which is not a title anyone applies to their LinkedIn profile.

On the other side of the ring, DEXs spent 2025 doing their best impression of a leaky garden hose. Sui’s largest DEX, Cetus, was drained of $220 million in just 15 minutes, the result of a rounding bug in a third-party math library used for liquidity and pricing calculations. Not a Hollywood heist. 

A rounding error. Fifteen minutes. Gone. Balancer also took a hit from a similar rounding flaw in its V2 stable pool logic. The universe, it seems, has a deep and personal grudge against decimal places.

So when someone breathlessly asks whether decentralized exchanges are safer than centralized exchanges, the honest answer is “safer from what, exactly?”

The custody trap everyone falls into

Here is the argument DEX enthusiasts love, and they are not entirely wrong. CEXs are basically the world’s most attractive piggy banks. They hold everyone’s money in one place, employ humans who can be bribed, phished, or socially engineered by state-sponsored hackers in hoodies, and they sit behind terms and conditions that politely reserve the right to freeze your funds at any moment.

Hot wallet breaches caused 82% of all CEX losses over the past five years, remaining the top threat to centralized platforms. Meanwhile, access-control failures accounted for 59% of losses in some CEX incident reports, which is a very technical way of saying someone left a door open. The Bybit attack and the Phemex breach earlier in 2025 were both attributed to Lazarus Group, North Korea’s state-sponsored hacking collective, which apparently treats crypto exchanges like an ATM that belongs to everyone except the people who deposited there.

DEXs, by design, do not hold your funds. You keep your keys, you keep your coins, and in theory, no one can freeze or seize your assets because there is no one to call. This is genuinely better for users who understand what they are doing. If your risk is exchange insolvency, withdrawal freezes, or a rogue insider, a well-audited non-custodial protocol is a real improvement.

The problem is that “keeping your keys” sounds easy until you actually have to do it.

Who is actually safer? It depends on the user

Let’s be honest about something the crypto marketing materials never quite get around to. DEXs do not remove risk. They transfer it from the exchange’s security team to you, personally, in your browser, at 2 am, while you are approving a token you found in a Telegram group.

OKX CEO Star Xu publicly flagged DEX bots and custodial wallets as growing risk factors, noting that most current bots require users to upload private keys to cloud storage, which significantly heightens security risks. In other words, some of the tools built to make DEX trading easier are quietly recreating the exact CEX-style centralization risk that DEX enthusiasts wanted to escape. The irony is almost poetic.

Smart contract vulnerabilities, rug pulls, fake tokens, malicious approvals, oracle manipulation, front-running, and sandwich attacks are all real and recurring DEX risks. MEV alone, the practice of validators and bots reordering transactions to extract profit from regular users, continues to cost the ecosystem tens of millions annually. 

And the user-facing side is arguably worse. Phishing through fake front-end websites, signing a malicious transaction because the popup looked legitimate, and approving unlimited token access to a contract that drains your wallet on Tuesday are all DEX-specific failure modes that no CEX customer has to think about.
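One way to check the unlimited-approval exposure described above, as an added example that is not part of the original article: replay a wallet's ERC-20 `Approval` event logs and list the spenders that still hold an effectively unlimited allowance. The log dictionaries, the placeholder addresses and the 2^255 "unlimited" threshold are constructed assumptions.

```python
# ERC-20 Approval(address indexed owner, address indexed spender, uint256 value).
# ERC-721 shares this topic0 but also indexes tokenId, so it carries 4 topics.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is effectively unlimited

def _addr(topic):  # indexed addresses are left-padded to 32 bytes; keep the low 20
    return "0x" + topic[-40:].lower()

def live_allowances(logs):
    """Replay Approval logs in chain order; the last write per key wins.
    Spending via transferFrom can lower an allowance without emitting an event,
    so this is an upper bound; the token's allowance() call is authoritative."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval
        key = (log["address"].lower(), _addr(t[1]), _addr(t[2]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = value
    return state

def unlimited_approvals(logs, owner):
    """Sorted (token, spender) pairs where owner still has an unlimited grant."""
    owner = owner.lower()
    return sorted((tok, sp) for (tok, own, sp), v in live_allowances(logs).items()
                  if own == owner and v >= UNLIMITED_FLOOR)

# Constructed sample data: every address below is a placeholder, not a real contract.
def _log(block, idx, token, owner, spender, value, extra_topic=None):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    topics = [APPROVAL_TOPIC, pad(owner), pad(spender)] + ([extra_topic] if extra_topic else [])
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": topics, "data": "0x" + format(value, "064x")}

TOKEN, OWNER = "0x" + "11" * 20, "0x" + "aa" * 20
SP_A, SP_B, SP_C = "0x" + "bb" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    _log(100, 0, TOKEN, OWNER, SP_A, MAX_UINT256),  # unlimited, never revoked
    _log(101, 2, TOKEN, OWNER, SP_B, 1_000),        # tight, exact-amount approval
    _log(102, 0, TOKEN, OWNER, SP_C, MAX_UINT256),  # unlimited ...
    _log(150, 1, TOKEN, OWNER, SP_C, 0),            # ... later revoked
    _log(151, 0, TOKEN, OWNER, SP_B, 7, extra_topic="0x" + "00" * 32),  # ERC-721 shape
]
print(unlimited_approvals(SAMPLE_LOGS, OWNER))
```

Only the first spender is reported: the exact-amount approval is below the threshold, the third grant was revoked, and the four-topic log is skipped as a non-ERC-20 event.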

DEX exploits cost the ecosystem $3.1 billion in H1 2025 alone, already surpassing many full-year totals from previous years. That is not a rounding error. That is a systemic problem with how decentralized finance handles security in practice versus how it handles security in the whitepaper.

The North Korean factor nobody talks about enough

Here is a subplot that deserves its own Netflix series. North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025, a 51% increase over 2024, marking the most severe year on record for DPRK crypto theft, with these attacks accounting for 76% of all service compromises.

State-sponsored hackers overwhelmingly prefer centralized exchanges as targets, and for good reason. One successful social engineering attack on a few employees can unlock a billion-dollar vault. The Bybit breach was not a code exploit. It was a human compromise, where attackers wormed their way into signing workflows and walked off with history’s biggest crypto haul.

DEXs, by contrast, are less appealing to DPRK-linked groups for primary heists because there is no central pot to crack open. That said, once the money is stolen from anywhere, DEXs become very useful laundering infrastructure. 

Stolen funds move through token swaps, obscure liquidity pools, and cross-chain bridges, creating a paper trail that looks like ordinary DeFi activity but functions as a washing machine. Following the Bybit breach, hundreds of millions were moved via Thorchain in what analysts described as an elaborate and systematic laundering operation. The blockchain shows everything, and yet the money still disappears.

Audits are good, but they are not magic

The DEX community loves an audit badge the way some people love a blue checkmark. It signals legitimacy and implies safety. The data suggests the relationship is more complicated.

The Bunni DEX shutdown, where respected audit firms Trail of Bits and Cyfrin failed to catch a critical vulnerability, reflects not incompetence but the fundamental limitations of audit methodology. Getting audited does not mean getting protected. It means someone looked carefully and did not find the problem that another person will eventually exploit.

Uniswap V4 represents the most serious structural attempt to address this, concentrating more logic into a small, heavily reviewed core and reducing the number of bespoke, under-audited contracts across individual pools. Security researchers are cautiously optimistic, expecting lower exploit impact per dollar of TVL rather than zero exploits. That is meaningful progress, but it is not a guarantee.

Meanwhile, governance has emerged as the new attack surface. DEXs face smart contract bugs, oracle manipulation, bridge vulnerabilities, and MEV extraction as their primary security challenges, and increasingly, governance mechanisms are being exploited rather than the contracts themselves. Raising multisig thresholds and adding timelocks helps, but a 3-of-11 multisig where three signers have compromised laptops is still a single point of failure dressed in decentralization clothing.

The market is telling us something

Despite all of this, the market is clearly voting with its volume. DEX spot market share doubled from 6.9% in January 2024 to 13.6% in January 2026, with absolute trading volume more than doubling from $95.86 billion to $231.29 billion. PancakeSwap and Uniswap both broke into the global top 10 spot exchanges by cumulative volume in the six months to January 2026, overtaking major centralized platforms.

Hyperliquid, a hybrid DEX with off-chain matching and on-chain settlement, hit $1.59 trillion in cumulative perps volume in that same period, making it the only decentralized platform in the top 10 perps exchanges globally. The model works. The execution is genuinely improving. The question is whether security is improving at the same pace as capital flows.

Based on the numbers, the honest answer is not yet.

So which one should you actually use?

This is where the op-ed is supposed to tell you the answer, and the answer is that there is not one. There are two, and which one applies to you depends on what kind of crypto participant you actually are, rather than what kind you imagine yourself to be.

If you are a long-term holder who trades infrequently, uses a hardware wallet, verifies contract addresses, keeps token approvals tight, and genuinely understands what you are signing, then self-custody through a mature, well-audited DEX eliminates the exchange bankruptcy and withdrawal-freeze risk that CEX users carry. The Bybit-size catastrophe simply cannot happen to funds you hold yourself.

If you trade regularly, prefer not to think about gas settings and approval limits, and would like someone to call when something goes wrong, a top-tier regulated CEX with proof-of-reserves attestations and a track record of making users whole after incidents is operationally safer for your day-to-day needs. Yes, it carries custodial risk. That risk is real and the numbers prove it. But the user-error risk on DEXs is also real, and the numbers prove that too.

The smartest practical setup, which most serious participants quietly use, is a split. Long-term capital stays in self-custody. Trading capital moves to the platform, centralized or decentralized, that best fits the activity.

The only safe answer is an honest one

Whether decentralized platforms are truly safer than their centralized counterparts is a question that will not be settled by a single data point, a single hack, or a single year of numbers. In 2025 alone, CEXs processed nearly $80 trillion in volume across spot and derivatives markets, while DEXs quietly doubled their footprint. Both models are growing. Both models are losing billions. Both models are improving, slowly, while their users bear the cost of the learning curve.

The future most industry observers agree on is not a winner. It is a convergence. CEX-style liquidity and user experience, wrapped around DEX-style custody and transparency, with better audits, higher governance thresholds, real-time monitoring, and wallet-level safety rails doing the work that individual users currently have to do manually.

Until that future arrives, the safest thing you can do with your crypto is understand exactly where it is, who controls it, what could go wrong, and whether you are prepared to deal with that when it does. Because in this industry, it usually does.

Bottom Line

Whether DEXs are safer than CEXs is not a yes or no question. It is a risk tradeoff. DEXs remove custody risk but increase user responsibility. CEXs reduce complexity but introduce trust risk. The safest strategy is usually a mix of both, based on how you actually use crypto.

Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or trading advice. Cryptocurrency investments are subject to high market risk. Readers should conduct their own research or consult with a financial advisor before making any investment decisions. The views expressed here do not necessarily reflect those of the publisher.
