
Audit spending tripled since 2022, yet losses from hacks remain high. Oak Security research shows attackers now target human vectors, not code bugs. The KelpDAO hack is the latest example.
Alpha Score of 65 reflects moderate overall profile with strong momentum, strong value, weak quality, moderate sentiment.
The crypto industry has tripled its spending on code audits since 2022. North Korea's Lazarus Group alone stole more than $2.2 billion in that same period. The two trends are moving in opposite directions.
Audits catch bugs in smart contracts. They are good at that. The biggest losses now come from compromised private keys, governance manipulation, insider attacks, and malicious dependency updates. Those vectors sit outside the codebase. A developer who falls for a phishing campaign can drain a protocol regardless of how clean the contract is.
Oak Security's research shows that the majority of successful exploits bypass the attack surface that audits cover. Measured by financial damage, operational exploits are often far more devastating than code vulnerabilities. The industry is defending against the last generation of attacks while attackers have moved on.
Platforms market themselves as "fully audited" as if that badge guarantees safety. It does not. An audit is a snapshot of a specific codebase at a specific time under a specific scope. The moment a protocol upgrades, integrates new infrastructure, or changes governance, the security posture shifts. The KelpDAO hack is a recent example where users saw a supposedly secure protocol lose millions overnight.
Crypto cannot reach mass adoption if the security narrative keeps collapsing under repeated failures. The fix is defense-in-depth: strong key management, signer decentralization, governance constraints, anomaly detection, real-time monitoring, and circuit breakers. Anything that makes human-vector attacks harder to pull off.
In May, combined exchange volumes fell 3.45% to $4.41 trillion, the lowest since September 2024. Real-world asset perpetual futures volumes rose 10.4% against the trend, hitting a new all-time high. That divergence shows where capital is flowing even as the broader market cools. Platforms that treat security as a marketing checkbox rather than an operational discipline will be the ones that get exploited next.
Attackers have already adapted beyond the codebase. It is security's turn to level up.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.