Crypto’s Security Nightmare Won’t Be Solved by Ordinary Audits

Audits do exactly what they are designed to do: discover errors in the code. And they work. Fewer attacks than before take advantage of faulty code to steal funds from platforms.

The problem, however, is that we are seeing a growing disconnect between what audits look at and what attackers actually exploit. Today, the industry’s biggest losses don’t actually come from traditional smart contract vulnerabilities. Rather, they come from compromised private keys, governance manipulation, internal compromise, malicious dependency updates, and operational failures.

As brilliant as they are at identifying vulnerabilities in code, traditional audits cannot prevent a developer from falling victim to a phishing campaign. The best code in the world may still sit atop vulnerable operational infrastructure.

In fact, our research shows that, when measured in terms of financial damage, these operational exploits are often far more devastating than the code vulnerabilities themselves. The industry has invested enormous resources to reduce smart contract risks, but the most costly attack vectors remain relatively underdefended. It’s as if the industry is still focused on defending against the latest generation of attacks, while malicious actors have adopted different strategies.

Audits alone create a dangerous illusion of security

Platforms frequently advertise the number of audits they have conducted, the reputation of the companies they have hired, or the volume of findings identified during the review. These have become shorthand indicators of whether a project is safe.
