Hackers keep exploiting audited DeFi protocols: What’s missing? | Opinion

Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news’ editorial.

DeFi is under attack—but not from the threats the industry is used to defending against. While developers meticulously scan lines of code for vulnerabilities, attackers have shifted tactics, exploiting economic weaknesses that lie unnoticed beneath flawless programming.

You might also like: DeFi needs a (healthy) dose of paranoia about risk management | Opinion

For instance, the JELLY token exploit on Hyperledger, where attackers were able to siphon over $6 million from Hyperledger’s insurance fund, is a prime example. That exploit wasn’t caused by coding errors at all, but by gameable incentives and unpriced risks that no one had scrutinized.

DeFi cybersecurity has come a long way. Smart contract audits—designed to catch bugs in a software’s code—are the norm nowadays. But we urgently need to broaden its scope beyond mere lines of code. Smart contract audits are fundamentally inadequate unless they also analyze economic and game-theoretic risks. The industry’s over-reliance on code-only audits is outdated and dangerous, leaving projects vulnerable to an unending cycle of attacks.

Recent attacks drive home the danger of economic exploits

In March 2025, Hyperliquid’s exchange, which had its contracts audited, was ambushed by a $6 million exploit involving its JELLY token. How? Attackers didn’t find a bug in the code; they engineered a short squeeze by abusing Hyperliquid’s own liquidation logic, pumping JELLY’s price, and manipulating the platform’s risk parameters.

In other words, Hyperliquid’s designers hadn’t priced in certain market behaviors—an oversight that traditional audits didn’t catch. Hyperliquid’s case shows that impeccable code can’t save a project that’s built on shaky economic assumptions.

Shortly before the JELLY incident, Polter Finance, a lending protocol on Fantom, was drained of $12 million through a flash loan attack, another common type of attack that relies on economics, not coding vulnerabilities​. The attacker took out flash loans and manipulated the project’s price oracle, tricking the system into treating worthless collateral as billions in value.

The code did exactly what it was supposed to, but the design was flawed, making it possible for an extreme price swing to bankrupt the platform. The exploit proved so devastating that Polter Finance, a promising project, was forced to cease operations.

These are not isolated attacks/events; they’re part of a growing pattern in DeFi. In case after case, clever adversaries exploit protocols by manipulating market inputs, incentives, or governance mechanisms to trigger outcomes developers didn’t anticipate. We’ve seen yield farms gutted by reward loopholes, stablecoin pegs attacked via coordinated market moves, and insurance funds drained by extreme volatility.

Bolstering audits with economic & game-theoretic analysis

Traditional audits check whether “the code does what it’s supposed to,” but who checks if “what it’s supposed to do” makes sense under adversarial conditions? Unlike a closed program, DeFi protocols live in a dynamic, adversarial environment. Prices fluctuate, users adapt strategies, and protocols interconnect in complex ways.

While most web3 teams are staffed with engineers who can catch software bugs during development, few have in-house economic expertise, making it critical for audits to fill that gap and identify vulnerabilities in incentive design and economic logic.

Truly rigorous audits include game-theoretic and economic analysis, which involve scrutinizing things like fee mechanics, liquidation formulas, collateral parameters, and governance processes. They force auditors to consider: “Given these rules, how could someone profit by bending them?”

For example, during an audit performed by Oak Security, we discovered that a perpetual swaps platform’s insurance fund could be completely drained by volatility because it hadn’t accounted for “vega risk”—the protocol’s sensitivity to volatility—in its pricing model​. This wasn’t a code bug at all—it was a design flaw that would have caused collapse in turbulent markets. Only a game-theoretic and economic deep dive caught it—and luckily, we were able to flag the issue before launch.

These economic exploits are well-documented, and not terribly difficult to spot––but they only surface when auditors are asking the right questions, and thinking beyond the code on the page.

Founders must demand more from auditors

Protocol founders should request that auditors examine all components of a trading system, including implicit logic and off-chain components, to ensure comprehensive security. In the best scenario, all mission-critical logic would be brought on chain.

If you’re a founder or investor, it’s critical to ask your auditors: What about oracle manipulation? What about liquidity crunch scenarios? Did you analyze the tokenomics for attack vectors? If the answer is silence or hand-waving, you need to dig deeper.

The cost of these blind spots is simply too high—incorporating economic and game-theoretic analysis isn’t just a “nice-to-have”; it’s a matter of survival for DeFi projects. We need to cultivate a culture where code review and economic review go hand in hand for every major protocol.

Let’s raise the bar now—before another multimillion-dollar lesson forces our hand.

Source