Audits are accomplishing exactly what they are designed to do — discovering errors in the code. And they’re working. Fewer attacks than before take advantage of faulty code to steal platform funds.
The problem, however, is that we’re seeing a growing disconnect between what audits examine and what attackers actually exploit. Today, the industry’s largest losses don’t actually originate from traditional smart contract vulnerabilities. Rather, they come from compromised private keys, governance manipulation, insider compromise, malicious dependency updates and operational failures.
As brilliant as they are at identifying code vulnerabilities, traditional audits cannot prevent a developer from falling victim to a phishing campaign. The best code in the world can still sit atop vulnerable operational infrastructure.
In fact, our research shows that, when measured by financial damage, these operational exploits are often far more devastating than code vulnerabilities themselves. The industry has invested enormous resources into reducing smart contract risk, but the costliest attack vectors remain comparatively under-defended. It’s like the industry is still focused on defending against the last generation of attacks, whereas malicious actors have moved on to different strategies.
Audits alone create a dangerous illusion of safety
Platforms frequently advertise the number of audits they have completed, the reputation of the firms they hired, or the volume of findings identified during review. These have become shorthand indicators for whether a project is safe.