What Can Go Wrong
Understanding risk in decentralized finance
Smart contracts, liquidations, oracles, bridges, governance — the five ways DeFi breaks and what to watch for.
Smart contract risk
The phrase "code is law" sounds like a feature. In practice, it's a warning. When a protocol's logic is immutably deployed on-chain, every bug becomes permanent — and every exploit pays out at market rates.
Smart contracts are programs that hold real money. They execute exactly what they're written to do, which means logical errors, edge cases, and unexpected interactions between composable protocols are attack vectors, not just bugs to patch in a future update.
The record
In 2016, The DAO — then holding about 15% of all Ether in circulation — lost $60M to a reentrancy attack. The attacker exploited a function that sent ETH before updating its internal balance. By recursively calling back into the withdraw function before state updated, they drained the contract repeatedly. The fix required a hard fork of the entire Ethereum network.
In 2021, Compound distributed approximately $150M in COMP tokens due to a bug in a governance upgrade. The error was in logic that calculated token distributions — not malicious, but a reminder that even well-audited upgrades introduce new risk surfaces.
In 2023, Euler Finance lost $197M in a flash loan attack that exploited a flaw in how the protocol handled donations to the reserve pool. The attack bypassed liquidation checks, allowing the attacker to create a position with more debt than collateral. Remarkably, the attacker returned most of the funds weeks later.
Common attack vectors
Reentrancy. A contract calls an external address before updating its own state. The external contract calls back in, sees stale state, and exploits the discrepancy. The DAO hack is the canonical example. Mitigated by the checks-effects-interactions pattern (finish all state updates before making any external call) and by reentrancy guards.
Integer overflow/underflow. Before Solidity 0.8, arithmetic didn't automatically revert on overflow. A value wrapping from maximum to zero could bypass access checks or allow unlimited minting. SafeMath libraries and compilers from 0.8 onward (which check arithmetic by default) make this less common, but legacy contracts remain exposed.
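The two call orderings contrasted above, as an added Python model that is not code from the page or from The DAO: a vault that sends before updating its balance, the same vault rewritten with checks-effects-interactions, and a recipient whose receive hook calls straight back into withdraw. The vault and attacker classes, the deposit amounts and the recursion depth are all constructed for this example.

```python
class VulnerableVault:
    """Sends funds BEFORE updating its own balance (the DAO ordering)."""
    def __init__(self):
        self.balances = {}   # depositor -> credited amount
        self.eth = 0         # funds actually held by the contract
    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.eth < amount:
            raise ValueError("nothing to withdraw or vault empty")
        self.eth -= amount
        who.receive(amount)        # INTERACTION first: the recipient re-enters here
        self.balances[who] = 0     # EFFECT too late: nested calls saw the stale balance

class SafeVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance, then send."""
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.eth < amount:          # checks
            raise ValueError("nothing to withdraw or vault empty")
        self.balances[who] = 0                        # effects
        self.eth -= amount
        who.receive(amount)                           # interactions: re-entry now sees 0

class Reentrant:
    """Constructed recipient whose receive() hook calls back into withdraw()."""
    def __init__(self, vault, max_depth):
        self.vault, self.max_depth, self.depth, self.got = vault, max_depth, 0, 0
    def receive(self, amount):
        self.got += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                self.vault.withdraw(self)
            except ValueError:
                pass  # the hardened vault refuses the nested withdrawal

def run(vault_cls, honest=90, attacker=10, depth=4):
    """Deposit, withdraw once as the attacker, return (attacker got, vault funds left)."""
    v = vault_cls()
    v.deposit("honest", honest)
    a = Reentrant(v, depth)
    v.deposit(a, attacker)
    v.withdraw(a)
    return a.got, v.eth
```

With these constructed amounts, run(VulnerableVault) returns (50, 50): a 10-unit deposit drains 50 units, and only the vault running out of funds stops a deeper recursion. run(SafeVault) returns (10, 90): the nested call finds a zero balance and is rejected.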
Access control failures. Misconfigured function visibility or missing role checks let attackers call privileged functions — minting tokens, draining reserves, changing oracle addresses. Auditors specifically hunt for these, yet they still ship.
Logic errors in composability. DeFi's power comes from protocols building on protocols. A lending protocol that integrates with a yield aggregator that integrates with an AMM creates interaction paths no single audit can fully enumerate.
What to look for
Audit recency and scope. A 2021 audit on a contract that's been upgraded three times since is nearly worthless. Check that audits cover the actual deployed bytecode, not a prior version.
Bug bounty programs. Protocols with active Immunefi programs (ideally $1M+ critical payouts) are paying for adversarial attention. The absence of a bug bounty is a red flag.
Time-locked upgrades. Proxies and governance upgrades should have timelocks — typically 24–72 hours — so users can exit before malicious changes take effect.
Circuit breakers. Emergency pause mechanisms, deposit caps, and withdrawal rate limits reduce blast radius when exploits occur. They don't prevent attacks but can limit how much gets taken before the team responds.
Liquidation risk
DeFi lending is built on overcollateralization. You post $150 of ETH to borrow $100 of USDC. If your collateral value drops below a threshold — say $130 — the protocol liquidates your position to recover the debt. This keeps the protocol solvent. The risk is what happens when it doesn't work cleanly.
Black Thursday: the system under pressure
March 12, 2020. ETH dropped roughly 50% in a matter of hours as COVID market panic cascaded into crypto. MakerDAO's collateral auctions were designed for a functioning mempool. They got network congestion instead.
Liquidation bots couldn't get their transactions included fast enough. Gas prices spiked so dramatically that many bots simply stopped bidding. In the resulting auctions, some liquidators submitted bids of exactly $0 — and won. They claimed $8.3M of collateral for nothing, leaving the protocol with an equivalent hole in its balance sheet.
MakerDAO covered the shortfall with a FLOP auction of newly minted MKR tokens, diluting holders. The protocol survived, but only because it had a governance backstop. Not every protocol does.
Cascading liquidations
Liquidations don't happen in isolation. A large liquidation sells collateral on-chain, which moves the price. Lower prices push more positions below their health thresholds, triggering more liquidations. Those liquidations move prices further. In illiquid markets — small caps, newer assets — this spiral can be severe enough to cause bad debt even on well-collateralized protocols.
Risk management mechanisms
Health factor monitoring. Aave's health factor (and similar metrics across lending protocols) tells you how far you are from liquidation. A health factor of 1.0 triggers liquidation; staying above 1.5–2.0 gives meaningful buffer against volatile moves.
Isolation mode. Aave v3 introduced isolation mode for long-tail assets, capping the total debt that can be collateralized by a single riskier asset. This contains contagion when a newer token collapses.
Partial liquidations. Rather than liquidating an entire position, modern protocols liquidate only what's needed to restore health. This reduces market impact and is less punishing for borrowers who are only slightly undercollateralized.
Liquidation bonuses. Liquidators receive a bonus (typically 5–10%) for closing underwater positions. This incentivizes fast response — but the bonus also represents a cost to the borrower, so it's effectively the tax on being wrong about price direction.
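The health factor and partial-liquidation arithmetic described in this section, worked through in an added Python example that is not Aave's or any protocol's code. The liquidation threshold of 0.77, the 5% bonus and the 1.25 target health are assumed parameters; 0.77 is chosen so that $100 of debt becomes liquidatable just below $130 of collateral, matching the figures given above.

```python
import math
from dataclasses import dataclass

LIQ_THRESHOLD = 0.77   # assumed: $100 debt becomes liquidatable just under $130 collateral
BONUS = 0.05           # assumed 5% liquidator bonus
TARGET_HF = 1.25       # assumed health factor to restore by partial liquidation

@dataclass
class Position:
    collateral_usd: float
    debt_usd: float

def health_factor(p):
    """HF = collateral * LT / debt; below 1.0 the position can be liquidated."""
    if p.debt_usd == 0:
        return math.inf
    return p.collateral_usd * LIQ_THRESHOLD / p.debt_usd

def repay_to_restore(p, target=TARGET_HF):
    """Smallest repayment r such that the post-liquidation HF equals target.
    Solving (C - r(1+b))*LT / (D - r) = target for r gives
    r = (target*D - C*LT) / (target - (1+b)*LT)."""
    denom = target - (1 + BONUS) * LIQ_THRESHOLD
    if denom <= 0:                 # no partial repayment can reach the target
        return p.debt_usd
    return max(0.0, (target * p.debt_usd - p.collateral_usd * LIQ_THRESHOLD) / denom)

def liquidate(p):
    """Partially liquidate an unhealthy position in place.
    Returns (debt repaid, collateral seized, bad debt left with the protocol)."""
    if health_factor(p) >= 1.0:
        return 0.0, 0.0, 0.0
    affordable = p.collateral_usd / (1 + BONUS)   # most debt the collateral can pay for
    repaid = min(repay_to_restore(p), p.debt_usd, affordable)
    seized = repaid * (1 + BONUS)
    p.collateral_usd -= seized
    p.debt_usd -= repaid
    # Debt outstanding with no collateral left is bad debt (Black Thursday's hole).
    bad_debt = p.debt_usd if p.collateral_usd <= 1e-9 else 0.0
    return repaid, seized, bad_debt
```

A position of $120 collateral against $100 debt is restored to a health factor of exactly 1.25 by repaying about $73.84 and seizing about $77.53; at $90 collateral the whole position is consumed and roughly $14.29 of debt is left unbacked.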
Oracle manipulation
Smart contracts can't read the real world. A lending protocol needs to know the price of ETH. A derivatives protocol needs to know when an option expires in-the-money. A stablecoin needs to know if its collateral is still worth what the system thinks it is. All of this data comes from oracles — and oracles can be manipulated.
Mango Markets: textbook oracle attack
October 2022. Avraham Eisenberg publicly described his strategy afterward, calling it a "highly profitable trading strategy." The protocol's governance would later debate whether it was legal. The mechanics were precise.
Eisenberg opened large MNGO perpetual positions on both sides — long and short — then used approximately $10M in capital to aggressively buy MNGO tokens on spot markets, pumping the price roughly 10x in minutes. Mango's oracle read this manipulated price. His long perp position was suddenly worth hundreds of millions in paper profit.
He then borrowed against that inflated collateral value, draining the protocol's treasury of approximately $117M in various tokens. After the dust settled, he negotiated with Mango's governance to return most of it in exchange for keeping $47M and having the protocol agree not to pursue legal action. That agreement didn't hold — he was arrested in December 2022.
The flash loan amplifier
Flash loans allow borrowing arbitrarily large amounts of capital within a single transaction, provided it's repaid by transaction end. When a protocol's oracle reads the spot price from an on-chain DEX pool, a flash loan lets an attacker move that price dramatically within one atomic transaction — manipulate the oracle, exploit the protocol, repay the loan, and pocket the proceeds. No upfront capital required beyond gas.
Safer oracle designs
Chainlink and off-chain aggregation. Chainlink nodes fetch prices from centralized and decentralized sources off-chain, aggregate them, and post the result on-chain. This separates the price feed from DEX liquidity — a flash loan can't move Coinbase's price. The trade-off is trust assumptions and update latency.
TWAPs (time-weighted average prices). Uniswap v3's TWAP oracle averages prices over a configurable window — often 30 minutes. Manipulating a TWAP requires sustaining the manipulated price for the entire window, which is prohibitively expensive to hold for long periods on liquid markets. Still vulnerable on illiquid assets with thin pools.
Circuit breakers on price deviation. Protocols can pause operations if the oracle price deviates by more than a threshold from a reference feed. This is a last line of defense — it trades liveness for safety when prices move suspiciously fast.
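To make the oracle trade-offs concrete, here is an added Python model, not Uniswap's or any protocol's code, of a tick-cumulative TWAP in the style of Uniswap v3 (price = 1.0001^tick, geometric mean over the window), a spot read, and a deviation circuit breaker. The 10x single-block spike, 12-second block time, 30-minute window and 10% deviation threshold are assumed values.

```python
import math

TICK_BASE = 1.0001   # Uniswap v3 convention: price = 1.0001 ** tick

def price_to_tick(price):
    return math.log(price) / math.log(TICK_BASE)

class TickOracle:
    """Observations of (time, tickCumulative, tick in force from that time)."""
    def __init__(self):
        self.obs = []

    def update(self, t, price):
        cum = 0.0
        if self.obs:
            t0, cum0, tick0 = self.obs[-1]
            cum = cum0 + tick0 * (t - t0)   # accrue the old tick over the elapsed seconds
        self.obs.append((t, cum, price_to_tick(price)))

    def cumulative_at(self, t):
        for t_i, cum_i, tick_i in reversed(self.obs):
            if t_i <= t:
                return cum_i + tick_i * (t - t_i)
        return 0.0

    def spot(self):
        return TICK_BASE ** self.obs[-1][2]

    def twap(self, now, window):
        """Geometric-mean price over [now - window, now]."""
        avg_tick = (self.cumulative_at(now) - self.cumulative_at(now - window)) / window
        return TICK_BASE ** avg_tick

def deviation_breaker(spot, reference, max_dev=0.10):
    """True (pause) when spot is more than max_dev away from the reference price."""
    return abs(spot / reference - 1) > max_dev

def seconds_to_move_twap(spike, target, window):
    """Seconds a spike-fold price must be held to move the TWAP target-fold."""
    return window * math.log(target) / math.log(spike)

def scenario(window=1800):
    o = TickOracle()
    o.update(0, 1.0)               # constructed history: pool trades at 1.0 throughout
    o.update(window, 10.0)         # spot pushed 10x at t = window
    atomic = o.twap(window, window)          # read in the same transaction: 0 s elapsed
    one_block = o.twap(window + 12, window)  # manipulated price held for one 12 s block
    return o.spot(), atomic, one_block
```

In the same transaction the TWAP is unchanged at 1.0 while spot reads 10.0, so a flash loan alone cannot move it; held for one block the TWAP rises only to about 1.0155, and doubling it would take roughly 542 seconds of a sustained 10x price, which is what the breaker's spot-versus-TWAP comparison catches.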
Bridge risk
Bridges are the most consistently dangerous infrastructure in crypto. Not because the cryptographic primitives are weak, but because they're high-value custodians with complex trust assumptions, and sophisticated attackers have had years to study them.
By the end of 2024, roughly $2.5 billion had been lost to bridge exploits. That number represents not just lost user funds, but the cost of the industry's repeated failure to learn the same lesson: bridges concentrate value and attack surface simultaneously.
Three defining exploits
Ronin Bridge, March 2022: $625M. The Axie Infinity bridge used 9 validators. Attackers — later attributed to North Korea's Lazarus Group — socially engineered their way to 5 private keys through fake job offers and compromised infrastructure. With 5 of 9 keys, they authorized fraudulent withdrawals. The exploit wasn't discovered for six days.
Wormhole, February 2022: $320M. A signature verification bug let the attacker forge the guardian signatures required to mint wrapped ETH on Solana. The attacker minted 120,000 wETH backed by nothing. Jump Crypto, the protocol's backer, replenished the funds within a day — an unusual outcome.
Nomad, August 2022: $190M. A message verification flaw meant that any message marked as already-processed could be replayed. Once the initial exploit was noticed publicly, hundreds of copycat transactions drained the bridge within hours. It was effectively a permissionless open-source exploit.
The bridge trilemma
Bridge design involves three properties that are difficult to achieve simultaneously:
Trustless. Relying on cryptographic proofs rather than human validators. Light clients and ZK proofs get close to this, but they're slow and expensive to deploy.
Generalizable. Supporting arbitrary message passing and any asset, not just a fixed whitelist of tokens.
Capital-efficient. Not requiring large liquidity pools or long lock periods to function at scale.
Choosing the right bridge
Native/canonical bridges (e.g., Ethereum ↔ Arbitrum official bridge) are operated by the L2 itself and inherit its security model. Slower withdrawals (7 days for optimistic rollups), but the most trustworthy option for large amounts.
Liquidity networks (e.g., Across, Stargate) use on-chain liquidity pools and relayers to provide fast transfers. The trust surface is larger, but they're practical for smaller amounts where speed matters.
Light client bridges verify the source chain's consensus on the destination chain cryptographically. IBC (Cosmos) works this way. Expensive to build, requires per-chain integration, but the most principled approach to cross-chain trust.
Governance attacks
On-chain governance is plutocracy by design. Token holders vote. More tokens means more votes. This is not a bug — it's the explicit mechanism for decentralized protocol control. The vulnerability is that "token holder" is not the same as "long-term aligned stakeholder," and the gap between the two is exploitable.
Beanstalk: governance in a single transaction
April 17, 2022. Beanstalk was a credit-based stablecoin protocol. Its governance system allowed emergency proposals to pass with immediate execution — no timelock. That design choice cost the protocol $182M.
The attacker flash-borrowed approximately $1 billion in assets across Aave, Uniswap, and SushiSwap within a single transaction. This gave them enough capital to acquire a supermajority of Beanstalk's governance tokens. With that voting power, they submitted and immediately passed a malicious governance proposal that transferred the protocol's treasury to their wallet. They then repaid the flash loans and kept the profit.
The entire sequence — borrow, acquire tokens, propose, vote, execute, drain, repay — happened atomically in one transaction. From Beanstalk's perspective, the attacker had legitimately passed a governance vote.
Structural defenses
Timelocks. Compound's governance model requires a 2-day delay between vote passage and execution. During that window, users can exit the protocol before a malicious change takes effect. Timelocks don't prevent bad proposals from passing — they just make the consequences survivable.
Vote-escrow (veTokenomics). Curve's model requires locking tokens for up to 4 years to receive maximum voting power. You cannot flash-loan locked tokens — they're committed capital. This aligns voting power with economic exposure. The trade-off is centralization of governance power among large, long-term holders.
Snapshot-based voting. Using token balances at a past block (the "snapshot") for voting weights means an attacker needs to hold tokens before the snapshot is taken — not just during the vote. This makes flash loan attacks impossible but opens up vote-buying markets around snapshot timing.
Guardian multisigs. A small trusted group (typically the founding team and investors) holds veto power over governance decisions. This is explicitly a trust trade-off — it reintroduces centralization — but many protocols keep it as an emergency brake until governance matures enough to remove it.
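The Beanstalk sequence run against an undefended governor, a snapshot-based one and a timelocked one, as an added Python simulation; this is not Beanstalk's, Compound's or any governor's code. The 2/3 supermajority, the 70% of supply acquired, and the 14,400-block timelock (about two days at 12-second blocks) are assumed values.

```python
from dataclasses import dataclass, field

@dataclass
class Governance:
    supply: int
    balances: dict = field(default_factory=dict)   # voter -> tokens held at the current block
    snapshots: dict = field(default_factory=dict)  # block -> copy of balances at that block
    use_snapshot: bool = False       # weight voters by a past block's balances
    timelock_blocks: int = 0         # delay between passage and execution
    quorum: float = 2 / 3            # assumed supermajority needed to pass

    def checkpoint(self, block):
        self.snapshots[block] = dict(self.balances)

    def voting_weight(self, voter, snapshot_block):
        if self.use_snapshot:        # what the voter held when the snapshot was taken
            return self.snapshots.get(snapshot_block, {}).get(voter, 0)
        return self.balances.get(voter, 0)   # whatever the voter holds right now

    def propose_vote_execute(self, voter, propose_block, execute_block, snapshot_block):
        """One attempt to pass and execute a proposal; returns the outcome."""
        if self.voting_weight(voter, snapshot_block) < self.quorum * self.supply:
            return "rejected"
        if execute_block < propose_block + self.timelock_blocks:
            return "queued"          # passed, but cannot execute inside this transaction
        return "executed"

def flash_loan_capture(gov, snapshot_block=100, attack_block=101):
    """Attacker holds nothing at the snapshot, then acquires 70% of supply, proposes,
    votes and tries to execute within one block before handing the tokens back."""
    gov.checkpoint(snapshot_block)
    gov.balances["attacker"] = int(gov.supply * 0.7)
    outcome = gov.propose_vote_execute("attacker", attack_block, attack_block, snapshot_block)
    gov.balances["attacker"] = 0     # flash loan repaid: the voting power is gone again
    return outcome

def compare(supply=1_000_000, timelock_blocks=14_400):
    """Same one-block attack against an undefended, a snapshot and a timelocked governor."""
    return {
        "no defence": flash_loan_capture(Governance(supply)),
        "snapshot": flash_loan_capture(Governance(supply, use_snapshot=True)),
        "timelock": flash_loan_capture(Governance(supply, timelock_blocks=timelock_blocks)),
    }
```

The snapshot governor rejects the proposal outright because the attacker held nothing at the snapshot block; the timelocked governor still records the proposal as passed, which is the point made above, but it cannot execute inside the transaction, so the flash loan cannot be repaid from the treasury.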