Crypto’s security nightmare won’t be solved by ordinary audits

The crypto sector has been plagued by cybersecurity issues for years. Malicious actors, particularly North Korea’s Lazarus Group, have stolen more than $2.2 billion since 2022, prompting the industry to triple its number of code audits within the same period of time.

But more audits have not translated into fewer losses. Neither the total number of incidents nor the amount of money stolen is significantly declining. Our research at Oak Security explains this: the majority of successful attacks target human vectors. In fact, when we look at the top causes of exploits, most completely bypass the attack surface protected by audits.

In other words, there is a real mismatch between the vulnerabilities that traditional audits examine, and the vulnerabilities that attackers exploit. The crypto space is likely to continue suffering from steep losses until it erases that mismatch by expanding security measures to include human and operational vectors and by addressing the following points to update the current auditing infrastructure.

The auditing market has matured, but it’s not making a difference

There is no question that code auditing has become significantly more sophisticated over the past few years. Security firms now deploy increasingly sophisticated tools and methods to uncover vulnerabilities in smart contracts before they go live. The industry’s code quality has genuinely improved.

Audits are accomplishing exactly what they are designed to do — discovering errors in the code. And they’re working. Fewer attacks than before take advantage of faulty code to steal platform funds.

The problem, however, is that we’re seeing a growing disconnect between what audits examine and what attackers actually exploit. Today, the industry’s largest losses don’t actually originate from traditional smart contract vulnerabilities. Rather, they come from compromised private keys, governance manipulation, insider compromise, malicious dependency updates and operational failures.

As brilliant as they are at identifying code vulnerabilities, traditional audits cannot prevent a developer from falling victim to a phishing campaign. The best code in the world can still sit atop vulnerable operational infrastructure.

In fact, our research shows that, when measured by financial damage, these operational exploits are often far more devastating than code vulnerabilities themselves. The industry has invested enormous resources into reducing smart contract risk, but the costliest attack vectors remain comparatively under-defended. It’s like the industry is still focused on defending against the last generation of attacks, whereas malicious actors have moved on to different strategies.

Audits alone create a dangerous illusion of safety

Platforms frequently advertise the number of audits they have completed, the reputation of the firms they hired, or the volume of findings identified during review. These have become shorthand indicators for whether a project is safe.