The contract layer has got harder to break, so the value has moved up. It sits in the authorisation layer now, the keys and modules and bridge signers and peer configs that decide who is allowed to move funds. That layer is the number one problem in Web3 security right now, expensive out of all proportion to how often it actually gets hit. And it draws almost none of the review the contracts do.

Look at May and you could almost miss it. Around $68M lost across the month, down roughly 90 percent from April, one of the quieter stretches of the year. The headline looks like progress until you read the breakdown.

Code bugs still did the most damage by raw dollars, somewhere around $45M of the total. So no, we have not solved smart contract security, and anyone telling you otherwise is selling something. But the severe, drain-the-protocol contract exploit is getting harder to pull off against live production code, and the monthly data has started to show it. Audits got sharper. The obvious bug classes mostly get caught now. That is the one part of this story that is actually going well.

Then look at the bridges. They were the single biggest category of loss in May, around $28.6M, more than 40 percent of everything stolen. The word bridge hides what these things actually are. A bridge is barely a smart contract. It is a set of signing keys deciding which withdrawals are real, with some Solidity wrapped around them for decoration. Almost every serious bridge loss this year came through the keys and the signers and the operational controls around them. Call it what it is. Opsec.

The incident counts get this wrong. Opsec failures are nowhere near the most common attacks. DeFiLlama logged 29 incidents in May and only seven were key compromises. But frequency is the wrong scoreboard. April makes the point with a sledgehammer. Two incidents that month, Drift and Kelp, took well over half a billion dollars between them. Both had audited, working contracts and lost the money one layer up, through a blind-signing failure and a subverted cross-chain verifier. Low frequency, total blast radius.

You do not have to go back to April. Last week alone produced a module signature flaw at Gnosis Pay, a stolen deployer key at StakeDAO that forged a multi-trillion token mint, a suspected signing-key compromise at Gravity Bridge, and a $3.2M drain of 86 Safe wallets through a third-party module. Not one of them needed a bug in the core contract, and each walked in through a module, a key, or a config.

You can read more about those issues below

Burn Notice #3

Adrian ⛩️ Hetman

·

Jun 3

Three of this week’s losses share a shape worth sitting with. The smart contracts behaved exactly as written and the money still left, because the authorisation wrapped around those contracts is where the real control lived. A signature checker in a Safe module, a deployer key that still held cross-chain config rights, and…

Read full story

None of this gets reviewed because none of it looks like attack surface. A module looks like plumbing, a deployer key like a leftover from launch, a peer config like a setting you touched once and forgot. An audit scopes the contract because the contract is the thing an audit knows how to price. The module added three sprints later to ship a feature, the key that was supposed to be temporary, the bridge signer quietly holding the authority to move everything, all of it arrives after the audit and outside it. That is the gap the whole industry is underpricing.

And the infrastructure and opsec layer is where recovery goes to die. Out of that $68M in May, only about $9.4M came back. A contract bug can sometimes be paused or patched or white-hatted before the funds are gone. A signing key that sends money to an attacker and then on through a mixer leaves nothing to claw back. Gone is gone. The failures that cost the most are the ones you almost never get to undo.

So if you run anything that holds value, do the one exercise an audit will never do for you. Write down every address, key, module, and config that can move your funds without touching the contracts you already paid to have reviewed. Then count them, name who holds each one, and ask when any of it last got looked at by someone whose job was to break it. The contract layer has earned its scrutiny. What sits above it has been running on trust and luck, and the bill keeps arriving in eight and nine figures.

How long is your list, and when did you last make it shorter?

— Adrian