Without an update to the current auditing infrastructure, the crypto space will likely continue to suffer significant losses, explains Beyer.

The crypto sector has been plagued by cybersecurity issues for years. Malicious actors, particularly North Korea’s Lazarus Group, have stolen more than $2.2 billion since 2022, prompting the industry to triple its number of code audits within the same period of time.

But more audits have not translated into fewer losses. Neither the total number of incidents nor the amount of money stolen is significantly declining. Our research at Oak Security explains this: the majority of successful attacks target human vectors. In fact, when we look at the top causes of exploits, most completely bypass the attack surface protected by audits.

In other words, there is a real mismatch between the vulnerabilities that traditional audits examine, and the vulnerabilities that attackers exploit. The crypto space is likely to continue suffering from steep losses until it erases that mismatch by expanding security measures to include human and operational vectors and by addressing the following points to update the current auditing infrastructure.

The auditing market has matured, but it’s not making a difference

There is no question that code auditing has become significantly more sophisticated over the past few years. Security firms now deploy increasingly sophisticated tools and methods to uncover vulnerabilities in smart contracts before they go live. The industry’s code quality has genuinely improved.

Audits are accomplishing exactly what they are designed to do — discovering errors in the code. And they’re working. Fewer attacks than before take advantage of faulty code to steal platform funds.

The problem, however, is that we’re seeing a growing disconnect between what audits examine and what attackers actually exploit. Today, the industry’s largest losses don’t actually originate from traditional smart contract vulnerabilities. Rather, they come from compromised private keys, governance manipulation, insider compromise, malicious dependency updates and operational failures.

As brilliant as they are at identifying code vulnerabilities, traditional audits cannot prevent a developer from falling victim to a phishing campaign. The best code in the world can still sit atop vulnerable operational infrastructure.

In fact, our research shows that, when measured by financial damage, these operational exploits are often far more devastating than code vulnerabilities themselves. The industry has invested enormous resources into reducing smart contract risk, but the costliest attack vectors remain comparatively under-defended. It’s like the industry is still focused on defending against the last generation of attacks, whereas malicious actors have moved on to different strategies.

Audits alone create a dangerous illusion of safety

Platforms frequently advertise the number of audits they have completed, the reputation of the firms they hired, or the volume of findings identified during review. These have become shorthand indicators for whether a project is safe.

But an audit shouldn’t be understood as a permanent guarantee of safety. It is a limited evaluation of a specific codebase at a specific moment in time, conducted under a defined scope and a set of assumptions. The moment a protocol upgrades its contracts, integrates new infrastructure, changes governance procedures, or alters operational practices, its security posture changes as well.

When projects market themselves as “fully audited” in ways that imply broad protection against catastrophic failure, a dangerous illusion is created for users and teams alike, because this audit badge can encourage stakeholders to believe that security has already been solved. Meanwhile, the most serious risks increasingly exist outside the codebase.

Consequences and solutions

We understand that every time a protocol suffers a catastrophic exploit, mainstream confidence in the entire ecosystem deteriorates. That was felt particularly acutely during the recent KelpDAO hack. Most users do not distinguish between a smart contract bug and a centralized off-chain point of failure. They simply see another supposedly secure protocol lose millions of dollars overnight.

Crypto cannot realistically expect mass adoption if its security narrative continues collapsing under the weight of repeated failures. Why would anyone risk their principal for a bit of yield?

Audits remain essential. But the industry must stop treating them as the only answer to security risk. Crypto needs defense-in-depth, meaning that it needs to combine strong code review with hardened operational security practices and rigorous internal security training.

It needs strong key management, signer decentralization, governance constraints, anomaly detection, real-time monitoring and circuit breakers. Basically, anything that makes human vector attacks harder to exploit.

Platforms are not merely software products, but living organizations with human attack surfaces. The next phase of crypto security maturity will belong to projects that understand this distinction. Because attackers already do. They have adapted beyond the codebase to find the weak links in human systems. They are very motivated and very incentivized to find these vulnerabilities. Now it’s security’s turn to level up.

Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.

In May, combined exchange volumes fell 3.45% to $4.41T; the lowest since September 2024. RWA perpetual futures volumes rose 10.4% against the trend, hitting a new all-time high.