{"id":1980,"date":"2025-06-04T10:07:46","date_gmt":"2025-06-04T10:07:46","guid":{"rendered":"https:\/\/bitunikey.com\/news\/hackers-keep-exploiting-audited-defi-protocols-whats-missing-opinion\/"},"modified":"2025-06-04T10:07:47","modified_gmt":"2025-06-04T10:07:47","slug":"hackers-keep-exploiting-audited-defi-protocols-whats-missing-opinion","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/hackers-keep-exploiting-audited-defi-protocols-whats-missing-opinion\/","title":{"rendered":"Hackers keep exploiting audited DeFi protocols: What\u2019s missing? | Opinion"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<div class=\"cn-block-disclaimer\">\n<div class=\"cn-block-disclaimer__icon\">\n            <svg class=\"icon icon-info\" aria-hidden=\"true\"><use xlink:href=\"#icon-info\"><\/use> <\/svg>        <\/div>\n<p class=\"cn-block-disclaimer__content\">\n            Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news\u2019 editorial.        <\/p>\n<\/div>\n<p><!-- .cn-block-disclaimer --><\/p>\n<p>DeFi is under attack\u2014but not from the threats the industry is used to defending against. While developers meticulously scan lines of code for vulnerabilities, attackers have shifted tactics, exploiting economic weaknesses that lie unnoticed beneath flawless programming.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>For instance, the JELLY token <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/cointelegraph.com\/news\/timeline-jelly-token-exploit-hyperliquid\">exploit<\/a> on Hyperliquid, where attackers were able to siphon over $6 million from Hyperliquid\u2019s insurance fund, is a prime example. That exploit wasn\u2019t caused by coding errors at all, but by gameable incentives and unpriced risks that no one had scrutinized.<\/p>\n<p>DeFi cybersecurity has come a long way. 
Smart contract audits\u2014designed to catch bugs in a protocol\u2019s code\u2014are the norm nowadays. But we urgently need to broaden their scope beyond mere lines of code. Smart contract audits are fundamentally inadequate unless they also analyze economic and game-theoretic risks. The industry\u2019s over-reliance on code-only audits is outdated and dangerous, leaving projects vulnerable to an unending cycle of attacks.<\/p>\n<h2 class=\"wp-block-heading\">Recent attacks drive home the danger of economic exploits<\/h2>\n<p>In March 2025, Hyperliquid\u2019s exchange, which had its contracts audited, was ambushed by a $6 million exploit involving its JELLY token. How? Attackers didn\u2019t find a bug in the code; they engineered a short squeeze by abusing Hyperliquid\u2019s own liquidation logic, pumping JELLY\u2019s price, and manipulating the platform\u2019s risk parameters.<\/p>\n<p>In other words, Hyperliquid\u2019s designers hadn\u2019t priced in certain market behaviors\u2014an oversight that traditional audits didn\u2019t catch. Hyperliquid\u2019s case shows that impeccable code can\u2019t save a project that\u2019s built on shaky economic assumptions.<\/p>\n<p>Shortly before the JELLY incident, Polter Finance, a lending protocol on Fantom, was drained of <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/decrypt.co\/292080\/crypto-lender-polter-finance-hack-drains-funds\">$12 million<\/a> through a <em>flash loan attack<\/em>, another common type of attack that relies on economics, not coding vulnerabilities. The attacker took out flash loans and manipulated the project\u2019s price oracle, tricking the system into treating worthless collateral as billions in value.<\/p>\n<p>The code did exactly what it was supposed to, but the design was flawed, making it possible for an extreme price swing to bankrupt the platform. 
The exploit proved so devastating that Polter Finance, a promising project, was forced to cease operations.<\/p>\n<p>These are not isolated events; they\u2019re part of a growing pattern in DeFi. In case after case, clever adversaries exploit protocols by manipulating market inputs, incentives, or governance mechanisms to trigger outcomes developers didn\u2019t anticipate. We\u2019ve seen yield farms gutted by reward loopholes, stablecoin pegs attacked via coordinated market moves, and insurance funds drained by extreme volatility.<\/p>\n<h2 class=\"wp-block-heading\">Bolstering audits with economic &amp; game-theoretic analysis<\/h2>\n<p>Traditional audits check whether \u201cthe code does what it\u2019s supposed to,\u201d but who checks if \u201cwhat it\u2019s supposed to do\u201d makes sense under adversarial conditions? Unlike a closed program, DeFi protocols live in a dynamic, adversarial environment. Prices fluctuate, users adapt strategies, and protocols interconnect in complex ways.<\/p>\n<p>While most web3 teams are staffed with engineers who can catch software bugs during development, few have in-house economic expertise, making it critical for audits to fill that gap and identify vulnerabilities in incentive design and economic logic.<\/p>\n<p>Truly rigorous audits include game-theoretic and economic analysis, which involves scrutinizing things like fee mechanics, liquidation formulas, collateral parameters, and governance processes. They force auditors to consider: \u201cGiven these rules, how could someone profit by bending them?\u201d<\/p>\n<p>For example, during an audit performed by Oak Security, we discovered that a perpetual swaps platform\u2019s insurance fund could be completely drained by volatility because it hadn\u2019t accounted for \u201cvega risk\u201d\u2014the protocol\u2019s sensitivity to volatility\u2014in its pricing model. 
This wasn\u2019t a code bug at all\u2014it was a design flaw that would have caused collapse in turbulent markets. Only a game-theoretic and economic deep dive caught it\u2014and luckily, we were able to flag the issue before launch.<\/p>\n<p>These economic exploits are well documented and not terribly difficult to spot\u2014but they only surface when auditors are asking the right questions and thinking beyond the code on the page.<\/p>\n<h2 class=\"wp-block-heading\">Founders must demand more from auditors<\/h2>\n<p>Protocol founders should request that auditors examine all components of a trading system, including implicit logic and off-chain components, to ensure comprehensive security. In the best scenario, all mission-critical logic would be brought on chain.<\/p>\n<p>If you\u2019re a founder or investor, it\u2019s critical to ask your auditors: What about oracle manipulation? What about liquidity crunch scenarios? Did you analyze the tokenomics for attack vectors? If the answer is silence or hand-waving, you need to dig deeper.<\/p>\n<p>The cost of these blind spots is simply too high\u2014incorporating economic and game-theoretic analysis isn\u2019t just a \u201cnice-to-have\u201d; it\u2019s a matter of survival for DeFi projects. 
We need to cultivate a culture where code review and economic review go hand in hand for every major protocol.<\/p>\n<p>Let\u2019s raise the bar now\u2014before another multimillion-dollar lesson forces our hand.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<div class=\"cn-block-author author-card\">\n<div class=\"author-card__photo\">\n<picture decoding=\"async\" class=\"author-card__image\"><source type=\"image\/webp\" ><\/source><\/picture><\/div>\n<p><!-- .author-card__photo --><\/p>\n<div class=\"author-card__content\">\n<div class=\"author-card__name\">\n                Jan Philipp Fritsche            <\/div>\n<p><!-- .author-card__name --><\/p>\n<div class=\"author-card__bio\">\n<p><b>Jan Philipp Fritsche<\/b><span style=\"font-weight: 400;\"> is the managing director of Oak Security, a cybersecurity firm specializing in web3 audits. Prior to his role at Oak Security, Dr. Fritsche amassed extensive experience in econometric and risk modeling, holding positions at institutions such as the European Central Bank and DIW Berlin. He holds a Ph.D. in Economics from Humboldt University of Berlin.<\/span><\/p>\n<\/div>\n<p><!-- .author-card__bio --><\/p>\n<div class=\"author-card__social\">\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.linkedin.com\/in\/janf\/\" class=\"community-link\" aria-label=\"LinkedIn\"><svg class=\"community-link__icon\" aria-hidden=\"true\"><use xlink:href=\"#icon-social-linkedin\"><\/use><\/svg><\/a><\/p><\/div>\n<p><!-- .author-card__social --><\/p><\/div>\n<p><!-- .author-card__content --><\/p><\/div>\n<p><!-- author-card --><\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news\u2019 editorial. 
DeFi is under attack\u2014but not from the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1981,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1980","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/1980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=1980"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/1980\/revisions"}],"predecessor-version":[{"id":1982,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/1980\/revisions\/1982"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/1981"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=1980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=1980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=1980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}