Without improvements to the existing auditing framework, significant losses in the crypto sector are likely to persist, according to Beyer.
By Stefan Beyer | Edited by Betsy Farber | Jun 17, 2026, 2:12 p.m. | 4 min read
The cryptocurrency industry has faced ongoing cybersecurity threats for many years. Notably, North Korea's Lazarus Group has pilfered over $2.2 billion since 2022, which has led the sector to triple its code audit efforts in that timeframe.
However, an increase in audits has not resulted in a decrease in security breaches. The frequency of incidents and the total value stolen remain largely unchanged. Research from Oak Security indicates that most successful attacks exploit human vulnerabilities rather than technical flaws. In fact, many of the main causes of breaches circumvent the areas typically covered by audits.
This highlights a significant gap between the types of vulnerabilities assessed by conventional audits and those exploited by attackers. The crypto industry will likely continue to incur heavy losses until it addresses this discrepancy by broadening security protocols to encompass human and operational factors while also updating the existing auditing processes.
The auditing landscape has evolved, yet impact remains limited
It is clear that code auditing has advanced considerably in recent years. Security firms now utilize increasingly sophisticated tools and methodologies to detect vulnerabilities in smart contracts before they are deployed. This has led to real improvements in code quality across the industry.
Audits are successfully identifying coding errors as intended, resulting in fewer attacks exploiting faulty code to misappropriate funds.
However, there is a growing disconnect between what audits focus on and the actual vulnerabilities exploited by attackers. Currently, the most significant losses stem not from traditional smart contract flaws, but from compromised private keys, governance manipulation, insider threats, malicious dependency updates, and operational failures.
While audits excel at pinpointing code vulnerabilities, they cannot prevent a developer from falling prey to phishing schemes. Even the most secure code can be undermined by weak operational frameworks.
Moreover, our findings reveal that operational exploits often result in financial damages that surpass those caused by code vulnerabilities. The industry has heavily invested in minimizing smart contract risks, yet the most financially damaging attack vectors remain comparatively vulnerable. It appears the sector is still concentrating on defending against outdated attack methods, while perpetrators have shifted their tactics.
Relying solely on audits creates a misleading sense of security
Many platforms promote their completed audits, the credibility of the auditing firms, or the number of findings from these evaluations as indicators of safety.
However, audits should not be viewed as a foolproof assurance of security. They represent a limited assessment of a specific codebase at a particular time, performed under defined parameters and assumptions. When a protocol upgrades its contracts, incorporates new infrastructure, modifies governance protocols, or changes operational practices, its security status is altered as well.
When projects declare themselves as “fully audited” in ways that suggest comprehensive protection against failures, they create a hazardous illusion for both users and developers. This audit label can lead stakeholders to mistakenly believe that security concerns have been fully addressed. Meanwhile, the most critical vulnerabilities are increasingly found outside of the codebase.
Implications and pathways forward
It is recognized that each time a protocol experiences a severe exploit, public trust in the entire ecosystem diminishes. This was particularly evident during the recent KelpDAO incident. Most users do not differentiate between a smart contract vulnerability and a centralized off-chain failure; they simply observe yet another supposedly secure platform losing millions overnight.
Mass adoption of cryptocurrency cannot be realistically anticipated if its security narrative continues to falter due to repeated failures. Why would anyone risk their principal for a modest return?
While audits are vital, the industry must cease treating them as the sole solution to security issues. The crypto sector needs a layered defense approach, combining thorough code reviews with robust operational security practices and comprehensive internal security training.
This includes effective key management, decentralization of signers, governance constraints, anomaly detection, real-time monitoring, and circuit breakers. In short, any measure that makes attacks through the human vector harder will be essential.
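As an added illustration, not code from the article or from Oak Security, the following Python model shows how two of the controls listed above interact: a signer threshold (no single key can move funds) and a volume-based circuit breaker (a withdrawal that pushes the rolling-window total past a limit pauses the treasury instead of executing). All signer names, limits, amounts and timestamps are constructed assumptions.

```python
"""Toy model of a signer threshold plus a withdrawal circuit breaker.

Constructed example; the treasury, signer names, limits and amounts are
assumptions made for illustration, not any real protocol's parameters.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Withdrawal:
    amount: int          # base units (constructed)
    approvals: set       # ids of signers who approved this withdrawal
    timestamp: int       # seconds (constructed clock)


class GuardedTreasury:
    def __init__(self, signers, threshold, window_seconds, window_limit, balance):
        self.signers = frozenset(signers)      # the only keys that count
        self.threshold = threshold             # m-of-n approvals required
        self.window_seconds = window_seconds   # rolling window for the breaker
        self.window_limit = window_limit       # max volume inside the window
        self.balance = balance
        self.paused = False
        self.history = deque()                 # (timestamp, amount) executed

    def _volume_in_window(self, now):
        # Drop executed withdrawals that have aged out of the window.
        while self.history and self.history[0][0] <= now - self.window_seconds:
            self.history.popleft()
        return sum(amount for _, amount in self.history)

    def execute(self, w: Withdrawal) -> str:
        if self.paused:
            return "rejected: paused"
        # Approvals from unknown keys are ignored, so a stolen or forged
        # identity cannot pad the count.
        valid = w.approvals & self.signers
        if len(valid) < self.threshold:
            return "rejected: insufficient approvals"
        # The breaker fires on the anomaly (volume spike), not on code faults:
        # a fully approved withdrawal still halts the treasury if it is too big.
        if self._volume_in_window(w.timestamp) + w.amount > self.window_limit:
            self.paused = True
            return "tripped: circuit breaker"
        if w.amount > self.balance:
            return "rejected: insufficient balance"
        self.balance -= w.amount
        self.history.append((w.timestamp, w.amount))
        return "executed"

    def resume(self, approvals: set) -> bool:
        # Resuming needs every signer, a deliberately higher bar than spending.
        if approvals & self.signers == self.signers:
            self.paused = False
        return not self.paused


def run_scenario():
    """Walk through a constructed sequence of events and return the outcomes."""
    t = GuardedTreasury(signers={"alice", "bob", "carol"}, threshold=2,
                        window_seconds=3600, window_limit=1_000_000,
                        balance=10_000_000)
    events = [
        # One compromised key (e.g. a phished developer) acting alone.
        Withdrawal(500_000, {"alice"}, 0),
        # A compromised key plus an approval from a key that is not a signer.
        Withdrawal(500_000, {"alice", "mallory"}, 5),
        # Routine, properly approved withdrawal.
        Withdrawal(400_000, {"alice", "bob"}, 10),
        # Properly approved but pushes the hour's volume to 1.1M: breaker trips.
        Withdrawal(700_000, {"bob", "carol"}, 20),
        # Anything afterwards is refused until the treasury is resumed.
        Withdrawal(100, {"alice", "bob"}, 30),
    ]
    outcomes = [t.execute(w) for w in events]
    resumed = t.resume({"alice", "bob", "carol"})
    return {"outcomes": outcomes, "balance": t.balance,
            "paused_before_resume": not resumed and t.paused, "resumed": resumed}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The breaker deliberately sits after the approval check: it is a backstop for the case the article describes, where the keys themselves are legitimate but the people holding them have been phished or coerced, so the approval count alone says nothing about whether the withdrawal is safe.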
Platforms are not just software applications; they are dynamic organizations with human vulnerabilities. The next stage of crypto security advancement will belong to those projects that recognize this reality. Attackers have already adapted to exploit weaknesses in human systems. They are motivated and incentivized to discover these vulnerabilities. Now, it is time for security to evolve accordingly.
Note: The views expressed in this article are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.