Crypto’s security nightmare will not be solved by regular audits

Audits do exactly what they are designed to do – detect errors in the code. And they work: fewer attacks than before exploit flawed code to steal platform funds.

The problem, however, is that we’re seeing a growing disconnect between what audits examine and what attackers actually exploit. Today, the industry’s biggest losses don’t actually stem from traditional smart contract vulnerabilities. Rather, they come from compromised private keys, governance manipulation, insider compromise, malicious dependency updates, and operational errors.

As brilliant as they are at identifying code vulnerabilities, traditional audits cannot prevent a developer from falling victim to a phishing campaign. The best code in the world can still sit on top of a vulnerable operational infrastructure.

In fact, our research shows that when measured by financial damage, these operational exploits are often far more devastating than code vulnerabilities themselves. The industry has invested enormous resources in reducing smart contract risk, but the most expensive attack vectors remain relatively under-defended. It’s as if the industry is still focused on defending against the latest generation of attacks, while malicious actors have moved on to different strategies.

Audits alone create a dangerous illusion of security

Platforms often advertise the number of audits they have completed, the reputation of the firms they hired, or the number of findings identified during the review. These have become shorthand indicators of whether a project is safe.
