Smart contract risk is not your only risk

I recently started analyzing 2021's DeFi hacks involving loss of funds.

One of the first things I noticed is that over 30% of the 100+ hacks did not involve a smart contract security flaw. That means that about a third of the attacks could not have been prevented with a smart contract audit.

I see many crypto startups describe their security practices in terms of the number of smart contract audits they have received. Many protocols also have a bug bounty program on Immunefi or similar platforms. It goes without saying that these are necessary practices. It's not just data we are protecting, but funds. Smart contract risk is serious, and scary.

But there are other common loss scenarios:

  • private keys are stolen
  • backend system misconfigurations are abused
  • intruders compromise bridging servers
  • malicious insiders collude

The decentralized finance industry built a $2 trillion financial market without institutional help. The possibilities boggle the mind. But we build these new protocols on top of the same distributed systems used by the legacy industry.

Many of the security challenges you will face live at the boundary between distributed ledgers and public clouds.