The article discusses a fundamental security issue in the crypto space, highlighting that traditional audits are insufficient to prevent major losses. This suggests a need for improved security infrastructure across the industry, which could impact overall investor confidence and the perceived risk of holding various cryptocurrencies. While not directly tied to a specific coin's technology, it points to systemic risks.
The article does not provide specific price predictions for any cryptocurrency. Instead, it focuses on the broader security challenges within the crypto ecosystem and argues for a more comprehensive approach to security beyond just code audits. This systemic issue could have a gradual impact on the market rather than causing immediate price swings.
The issue of security vulnerabilities and the inadequacy of traditional audits is a long-term, systemic problem for the entire crypto industry. Solutions and improvements will take time to implement and demonstrate effectiveness, suggesting that the impact on market sentiment and potentially prices will be felt over an extended period.
Opinion

Crypto’s security nightmare won’t be solved by ordinary audits

Without an update to the current auditing infrastructure, the crypto space will likely continue to suffer significant losses, explains Beyer.

By Stefan Beyer | Edited by Betsy Farber
Jun 17, 2026, 2:12 p.m.

The crypto sector has been plagued by cybersecurity issues for years. Malicious actors, particularly North Korea’s Lazarus Group, have stolen more than $2.2 billion since 2022, prompting the industry to triple its number of code audits within the same period of time.

But more audits have not translated into fewer losses. Neither the total number of incidents nor the amount of money stolen is significantly declining. Our research at Oak Security explains this: the majority of successful attacks target human vectors. In fact, when we look at the top causes of exploits, most completely bypass the attack surface protected by audits.

In other words, there is a real mismatch between the vulnerabilities that traditional audits examine, and the vulnerabilities that attackers exploit. The crypto space is likely to continue suffering from steep losses until it erases that mismatch by expanding security measures to include human and operational vectors and by addressing the following points to update the current auditing infrastructure.

The auditing market has matured, but it’s not making a difference

There is no question that code auditing has become significantly more sophisticated over the past few years. Security firms now deploy increasingly sophisticated tools and methods to uncover vulnerabilities in smart contracts before they go live. The industry’s code quality has genuinely improved.

Audits are accomplishing exactly what they are designed to do — discovering errors in the code. And they’re working.
Fewer attacks than before take advantage of faulty code to steal platform funds.

The problem, however, is that we’re seeing a growing disconnect between what audits examine and what attackers actually exploit. Today, the industry’s largest losses don’t actually originate from traditional smart contract vulnerabilities. Rather, they come from compromised private keys, governance manipulation, insider compromise, malicious dependency updates and operational failures.

As brilliant as they are at identifying code vulnerabilities, traditional audits cannot prevent a developer from falling victim to a phishing campaign. The best code in the world can still sit atop vulnerable operational infrastructure. In fact, our research shows that, when measured by financial damage, these operational exploits are often far more devastating than code vulnerabilities themselves.

The industry has invested enormous resources into reducing smart contract risk, but the costliest attack vectors remain comparatively under-defended. It’s like the industry is still focused on defending against the last generation of attacks, whereas malicious actors have moved on to different strategies.

Audits alone create a dangerous illusion of safety

Platforms frequently advertise the number of audits they have completed, the reputation of the firms they hired, or the volume of findings identified during review. These have become shorthand indicators for whether a project is safe.

But an audit shouldn’t be understood as a permanent guarantee of safety. It is a limited evaluation of a specific codebase at a specific moment in time, conducted under a defined scope and a set of assumptions. The moment a protocol upgrades its contracts, integrates new infrastructure, changes governance procedures, or alters operational practices, its security posture changes as well.
When projects market themselves as “fully audited” in ways that imply broad protection against catastrophic failure, a dangerous illusion is created for users and teams alike, because this audit badge can encourage stakeholders to believe that security has already been solved. Meanwhile, the most serious risks increasingly exist outside the codebase.

Consequences and solutions

We understand that every time a protocol suffers a catastrophic exploit, mainstream confidence in the entire ecosystem deteriorates. That was felt particularly acutely during the recent KelpDAO hack. Most users do not distinguish between a smart contract bug and a centralized off-chain point of failure. They simply see another supposedly secure protocol lose millions of dollars overnight.

Crypto cannot realistically expect mass adoption if its security narrative continues collapsing under the weight of repeated failures. Why would anyone risk their principal for a bit of yield?

Audits remain essential. But the industry must stop treating them as the only answer to security risk. Crypto needs defense-in-depth, meaning that it needs to combine strong code review with hardened operational security practices and rigorous internal security training. It needs strong key management, signer decentralization, governance constraints, anomaly detection, real-time monitoring and circuit breakers. Basically, anything that makes human vector attacks harder to exploit.

Platforms are not merely software products, but living organizations with human attack surfaces. The next phase of crypto security maturity will belong to projects that understand this distinction. Because attackers already do. They have adapted beyond the codebase to find the weak links in human systems. They are very motivated and very incentivized to find these vulnerabilities.

Now it’s security’s turn to level up.

Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc.
or its owners and affiliates.