DeFi Security Has a Human Problem

Crypto Market Monitor

Executive Summary

Digital asset markets continue to experience persistent and structurally recurring security failures, despite increased adoption, capital inflows, and growing institutional participation. The critical insight is that most losses do not originate from failures in audited smart contract code, but from weaknesses in surrounding systems, such as operational processes, infrastructure, and human behaviour.

During the first quarter of 2026, total web3 losses reached approximately $482.6 million across 44 separate incidents, with recent events in April reinforcing that these failures are neither isolated nor diminishing in frequency.

Two incidents in particular have defined the current risk environment: the Drift Protocol exploit, which resulted from social engineering and operational compromise, and the Hyperbridge exploit, which once again exposed a critical flaw in cross-chain message validation.

The central question is no longer whether DeFi offers innovation, but whether its current security model justifies the level of risk it introduces. While audits remain a necessary baseline, they do not address where most real-world vulnerabilities now exist. Until security practices evolve beyond static reviews into continuous, system-wide controls, the risk profile of DeFi is likely to remain structurally elevated.

Understanding DeFi Systems and Their Risk Surface

Decentralised finance (DeFi) consists of financial applications built on blockchain networks that operate without centralised intermediaries such as banks. Instead of relying on institutions, these systems use smart contracts, which are self-executing pieces of code deployed on a blockchain, to manage assets and enforce financial logic.

A typical DeFi system is not limited to smart contracts alone. It includes user interfaces that enable interaction with the system, wallets that store private keys and authorise transactions, and off-chain infrastructure such as web interfaces, cloud services, APIs, and key management systems. In addition, many protocols rely on bridges, which allow assets to move between different blockchains. Each of these components introduces its own set of risks.

Unlike traditional financial systems where transactions can often be reversed or disputed, blockchain transactions are generally irreversible once executed. As a result, vulnerabilities in any part of the system, whether in code, infrastructure, or human processes, can lead to permanent loss of funds.

This structure raises a fundamental concern for participants: when financial systems combine irreversible transactions with the possibility of failure across code, infrastructure, and human behaviour, the threshold for acceptable risk becomes significantly higher than in traditional markets.

Year-To-Date 2026 Security Landscape

The distribution of losses year to date provides important insight into how attacks are evolving. Social engineering and phishing accounted for the majority of losses, totaling approximately $576 million, while smart contract vulnerabilities contributed $86.2 million and access control failures added another $72.1 million.

This distribution indicates that the dominant sources of risk are no longer purely technical. Instead, attackers increasingly exploit weaknesses in how systems are operated and how users interact with them. Security failures are now occurring across multiple layers simultaneously, including code, infrastructure, operational processes, and human behavior. This multi-layered risk model makes it difficult for any single control mechanism, including audits, to provide comprehensive protection.

The incidents listed below span a spectrum from sophisticated multi-month social engineering campaigns to basic infrastructure validation failures, illustrating the breadth of the current attack surface.

Table 1: Social Engineering Hacks Dominate Total Losses

| Protocol / Incident | Estimated Loss | Attack Type | Primary Failure Layer | Description |
|---|---|---|---|---|
| Hardware Wallet Social Engineering Attack | ~$282M | Social Engineering | Human / Operational | Attackers impersonated technical support to extract wallet credentials, leading to full account compromise and rapid asset laundering. |
| Drift Protocol (Q2) | ~$270M | Social Engineering / Authorisation Abuse | Operational / Human | Attackers obtained pre-signed approvals through prolonged social engineering, enabling large-scale asset extraction without exploiting contract code. |
| Step Finance | ~$40M | Social Engineering | Operational / Endpoint Security | Malware deployed via a fake investor call compromised executive devices and exposed private keys controlling treasury funds. |
| Resolv Labs | ~$25M | Access Control | Infrastructure (Cloud / Key Management) | AWS key management system compromise enabled unauthorised minting of stablecoins despite extensive audit coverage. |
| Truebit Protocol | ~$26.4M | Smart Contract Exploit | Code (Legacy Contract Logic) | Integer overflow in a legacy Solidity contract enabled free token minting and subsequent liquidation. |
| Hyperbridge (Q2) | ~$237K extracted (>$1B minted) | Bridge Exploit / Validation Failure | Infrastructure / Cross-chain Messaging | Forged cross-chain message bypassed validation, granting admin control and enabling unlimited token minting; losses capped by low liquidity. |
| YieldBlox | ~$10.86M | Oracle Manipulation | Code / External Data Dependency | Price feed manipulation allowed the attacker to drain liquidity from lending pools. |
| SwapNet (Matcha Meta) | ~$16.8M | Smart Contract Exploit | Code (Input Validation) | Arbitrary call vulnerability enabled unauthorised transfers across multiple chains. |
| Multi-week Wallet Drain (Kraken User Case) | ~$18.2M | Social Engineering | Human / Behavioral | Victim was gradually manipulated over several weeks into transferring funds to attacker-controlled addresses. |
| Address Poisoning Attack (Sillytuna Case) | ~$24M | UX Exploit | User Interface / Behavioral | Victim copied an attacker-controlled address from transaction history, resulting in fund misdirection without protocol compromise. |
| IoTeX Bridge | ~$4.4M | Access Control | Infrastructure (Validator Key) | Compromised validator key allowed unauthorised fund extraction via the bridge system. |

Source: Hacken Q1 2026 Report, AMINA
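The address poisoning row in Table 1 describes a failure that happens entirely in the user interface: wallets abbreviate an address to its first and last few hex characters, and an attacker seeds the victim's transaction history with an address that matches a genuine one in exactly those characters. The following is an added example, not code from the report or from any wallet vendor, of the recipient check a wallet or treasury tool can run before signing: it compares the intended recipient against a saved address book and flags an address that matches a saved entry only in the displayed characters. All addresses and the visible prefix/suffix lengths are constructed assumptions.

```python
"""Wallet-side recipient check against address poisoning (added example)."""

VISIBLE_PREFIX = 6   # hex chars a typical wallet UI shows after "0x" (assumed)
VISIBLE_SUFFIX = 4   # hex chars shown at the end (assumed)


def normalise(address: str) -> str:
    """Lower-case a 20-byte hex address; reject anything that is not one."""
    if not address.startswith("0x") or len(address) != 42:
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    int(address[2:], 16)  # raises ValueError on non-hex characters
    return address.lower()


def abbreviated(address: str) -> str:
    """The form a wallet UI displays, e.g. 0x1a2b3c...d7e8."""
    a = normalise(address)
    return f"{a[:2 + VISIBLE_PREFIX]}...{a[-VISIBLE_SUFFIX:]}"


def check_recipient(recipient: str, address_book: dict) -> tuple:
    """Classify a recipient as ('known', label), ('lookalike', label) or ('unknown', None).

    A look-alike is an address that is NOT in the book but renders identically
    to a saved entry once abbreviated, which is exactly what address poisoning
    relies on.
    """
    rec = normalise(recipient)
    for label, saved in address_book.items():
        if rec == normalise(saved):
            return "known", label
    for label, saved in address_book.items():
        if abbreviated(rec) == abbreviated(saved):
            return "lookalike", label
    return "unknown", None


# Constructed sample data: one saved counterparty, one poisoned look-alike,
# one unrelated address.
ADDRESS_BOOK = {
    "treasury": "0x1a2b3c7e9f0a1b2c3d4e5f60718293a4b5c6d7e8",
}
POISONED = "0x1a2b3c" + "0" * 30 + "d7e8"   # same visible prefix/suffix as "treasury"
STRANGER = "0x" + "f" * 40

if __name__ == "__main__":
    for addr in (ADDRESS_BOOK["treasury"], POISONED, STRANGER):
        print(abbreviated(addr), check_recipient(addr, ADDRESS_BOOK))
```

The point of the check is that the poisoned address and the genuine one are indistinguishable on screen, so the comparison has to be made on the full address and the user warned when only the visible characters match; a "lookalike" result should block the transaction until the recipient is confirmed out of band.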

Case Study: Drift Protocol

Exploit: 1 April 2026, Solana, US $270 million

The attackers spent months building trust with protocol participants and obtained pre-authorised permissions that allowed them to move funds. Once access was secured, assets were drained through valid on-chain transactions, making the activity indistinguishable from legitimate operations at the execution layer.

The failure occurred entirely outside the codebase. Audits reviewed the contracts, but not the operational processes governing access. Multi-party authorisation, stricter permission controls, and isolated signing environments would have significantly reduced the attack surface.
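The controls named above (multi-party authorisation, stricter permission controls, isolated signing) are operational rather than contract-level, but they can still be expressed as a policy that is evaluated before anything is signed. The following is an added example, not Drift Protocol's code, modelling such a policy: a transfer executes only if its destination is allowlisted, its amount is within a per-transaction limit, and a quorum of distinct authorised signers has approved that specific transfer recently. Approvals are bound to a transfer id and expire, so a blanket or stale pre-signed approval collected weeks earlier cannot be replayed. Signer names, destinations, limits and timestamps are constructed assumptions.

```python
"""Pre-execution authorisation policy for treasury transfers (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    signers: frozenset       # identities allowed to approve
    threshold: int           # distinct approvals required
    allowlist: frozenset     # permitted destination addresses
    per_tx_limit: int        # maximum amount per transfer, in base units
    approval_ttl: int        # seconds an approval stays valid


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    destination: str
    amount: int


@dataclass(frozen=True)
class Approval:
    signer: str
    tx_id: str       # the one transfer this approval covers; no wildcards
    issued_at: int   # unix timestamp when the signer approved


def evaluate(transfer: Transfer, approvals: list, policy: Policy, now: int) -> list:
    """Return the list of policy violations; an empty list means authorised."""
    problems = []
    if transfer.destination not in policy.allowlist:
        problems.append("destination not on allowlist")
    if transfer.amount > policy.per_tx_limit:
        problems.append("amount exceeds per-transaction limit")
    valid_signers = set()
    for a in approvals:
        if a.tx_id != transfer.tx_id:
            continue   # approval for a different transfer
        if a.signer not in policy.signers:
            continue   # not an authorised signer
        if now - a.issued_at > policy.approval_ttl:
            continue   # stale approval collected in advance
        valid_signers.add(a.signer)   # a set: one signer counts once
    if len(valid_signers) < policy.threshold:
        problems.append(f"{len(valid_signers)} valid approvals, {policy.threshold} required")
    return problems


# Constructed policy: 2-of-3 signers, one cold-storage destination, 10-minute approvals.
POLICY = Policy(
    signers=frozenset({"ops-a", "ops-b", "ops-c"}),
    threshold=2,
    allowlist=frozenset({"vault-cold-1"}),
    per_tx_limit=1_000_000,
    approval_ttl=600,
)
NOW = 1_775_000_000   # constructed "current time"


def scenarios() -> dict:
    """Evaluate the policy against a fresh quorum and three failure modes."""
    good = Transfer("tx-1", "vault-cold-1", 500_000)
    bad_dest = Transfer("tx-2", "attacker-wallet", 500_000)
    fresh = [Approval("ops-a", "tx-1", NOW - 60), Approval("ops-b", "tx-1", NOW - 30)]
    stale = [Approval("ops-a", "tx-1", NOW - 86_400), Approval("ops-b", "tx-1", NOW - 30)]
    repeated = [Approval("ops-a", "tx-1", NOW - 60), Approval("ops-a", "tx-1", NOW - 30)]
    redirected = [Approval("ops-a", "tx-2", NOW - 60), Approval("ops-b", "tx-2", NOW - 30)]
    return {
        "fresh_quorum": evaluate(good, fresh, POLICY, NOW),
        "stale_presigned": evaluate(good, stale, POLICY, NOW),
        "same_signer_twice": evaluate(good, repeated, POLICY, NOW),
        "unapproved_destination": evaluate(bad_dest, redirected, POLICY, NOW),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(name, "->", "authorised" if not problems else problems)
```

The design choice that matters here is binding each approval to a transfer id and a short validity window: a signer tricked into approving something days in advance produces an approval that the policy simply ignores, and a single compromised signer cannot satisfy the threshold on their own.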

Case Study: HyperBridge

Exploit: 13 April 2026, Ethereum, US $270K

The attacker submitted a forged cross-chain message that bypassed validation checks in the bridge's Ethereum gateway. This allowed them to assume admin control of the bridged token contract and mint approximately 1 billion Polkadot ($DOT) tokens, nominally worth more than a billion USD. The attacker then attempted to liquidate the supply, but low liquidity in the bridge limited extraction to roughly $237,000.

The failure was in cross-chain message validation, not token logic. Bridges hold privileged control over asset issuance, and a single validation flaw could enable unlimited minting. Hyperbridge should have implemented more rigorous security measures focusing on contract auditing and proactive testing.
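The checks a bridge gateway must perform before acting on an inbound message are worth spelling out, because the case study shows what happens when any one of them is missing. The following is an added example modelled in Python, not Hyperbridge's code: the gateway accepts a message only if it originates from a registered counterpart on the source chain, carries a nonce it has not executed before, is attested by a quorum of known validators, and, for privileged operations such as changing the admin, comes from the governance origin rather than the token-lock contract. HMAC-SHA256 over a canonical JSON encoding stands in for the on-chain signature scheme a real bridge would use; validator secrets, contract names and the message format are constructed assumptions.

```python
"""Cross-chain message validation in a bridge gateway (added example)."""
import hashlib
import hmac
import json

PRIVILEGED_OPS = {"set_admin"}   # operations only governance may request


def canonical(msg: dict) -> bytes:
    """Deterministic encoding so every validator signs the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def attest(secret: bytes, msg: dict) -> str:
    """Stand-in for a validator signature over the message."""
    return hmac.new(secret, canonical(msg), hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, validators: dict, threshold: int, counterparts: set, governance: tuple):
        self.validators = validators     # validator id -> secret (stand-in for public key)
        self.threshold = threshold       # distinct valid attestations required
        self.counterparts = counterparts # registered (chain, contract) origins
        self.governance = governance     # the one origin allowed to issue privileged ops
        self.seen = set()                # (chain, contract, nonce) already executed

    def validate(self, msg: dict, attestations: dict) -> tuple:
        origin = (msg["source_chain"], msg["source_contract"])
        if origin not in self.counterparts:
            return False, "unregistered origin"
        if msg["op"] in PRIVILEGED_OPS and origin != self.governance:
            return False, "privileged op from non-governance origin"
        key = origin + (msg["nonce"],)
        if key in self.seen:
            return False, "replayed nonce"
        valid = set()
        for vid, mac in attestations.items():
            secret = self.validators.get(vid)
            if secret is not None and hmac.compare_digest(mac, attest(secret, msg)):
                valid.add(vid)       # only attestations that verify against a known key
        if len(valid) < self.threshold:
            return False, f"{len(valid)} valid attestations, need {self.threshold}"
        self.seen.add(key)           # mark executed only after every check passed
        return True, "accepted"


# Constructed sample data
VALIDATORS = {"val-1": b"secret-one", "val-2": b"secret-two", "val-3": b"secret-three"}
ATTACKER_KEY = b"not-a-validator"
COUNTERPARTS = {("polkadot", "0xLOCK"), ("polkadot", "0xGOV")}
GOVERNANCE = ("polkadot", "0xGOV")


def run_scenarios() -> dict:
    """A legitimate mint, a replay, forged attestations, and two admin requests."""
    gw = Gateway(VALIDATORS, 2, COUNTERPARTS, GOVERNANCE)
    mint = {"source_chain": "polkadot", "source_contract": "0xLOCK", "nonce": 1,
            "op": "mint", "to": "0xalice", "amount": 1000}
    quorum = {v: attest(VALIDATORS[v], mint) for v in ("val-1", "val-2")}
    forged = dict(mint, nonce=2, to="0xattacker", amount=10 ** 9)
    forged_att = {v: attest(ATTACKER_KEY, forged) for v in ("val-1", "val-2")}
    takeover = {"source_chain": "polkadot", "source_contract": "0xLOCK", "nonce": 3,
                "op": "set_admin", "new_admin": "0xattacker"}
    takeover_att = {v: attest(VALIDATORS[v], takeover) for v in ("val-1", "val-2")}
    gov = {"source_chain": "polkadot", "source_contract": "0xGOV", "nonce": 1,
           "op": "set_admin", "new_admin": "0xnewgov"}
    gov_att = {v: attest(VALIDATORS[v], gov) for v in ("val-2", "val-3")}
    return {
        "legit_mint": gw.validate(mint, quorum),
        "replayed_mint": gw.validate(mint, quorum),
        "forged_attestations": gw.validate(forged, forged_att),
        "admin_from_token_origin": gw.validate(takeover, takeover_att),
        "admin_from_governance": gw.validate(gov, gov_att),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "->", result)
```

Two details carry the security argument. The nonce is recorded only after every other check passes, so a rejected message cannot burn a nonce that a later legitimate message needs. And the privileged-operation check is separate from attestation: even a correctly attested message cannot change the admin unless it comes from the governance origin, which is the invariant that stops a message forged in the name of the token contract from taking over issuance.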

The Role and Limitations of Security Audits

Audit coverage in DeFi has increased materially, yet breach frequency has not declined. Year to date, 7 of the 29 smart contract exploits affected protocols that had already been audited, accounting for $37.9 million in losses. These incidents showed a higher average loss per exploit ($6M) than exploits of unaudited protocols, which averaged $4.3M per incident.

Over the past year, smart contract-related losses rose 213% year-over-year, reaching $86.2 million, despite broader adoption of audits across the ecosystem. Audit coverage alone has therefore not translated into reduced exploit severity or frequency.

The explanation lies in scope and incentives. Audits function as an entry-level control rather than a comprehensive defense. Without continuous testing, real-time monitoring, and expanded audit scope across infrastructure and cross-chain systems, vulnerabilities persist even in extensively reviewed protocols.

Comparison with Traditional Finance

Across major financial centers globally, regulators have increasingly introduced baseline expectations for entities operating in digital assets. These typically include requirements around governance, custody standards, operational resilience, incident reporting, and ongoing monitoring. While the specifics vary by jurisdiction, the direction of travel is consistent: security and risk management are treated as continuous obligations rather than one-time checks.

Institutions are generally expected to maintain internal controls, undergo periodic assessments, and demonstrate the ability to detect, respond to, and recover from operational or security incidents. In many cases, these expectations are supported by formal supervision and enforceable compliance frameworks.

Conclusion

The question “Is DeFi worth the risk?” does not have a universal answer, but the current data provides a clear framework for evaluating it.

The ecosystem continues to deliver innovation, accessibility, and capital efficiency. At the same time, it operates with a security model that remains fragmented, reactive, and heavily dependent on assumptions that do not consistently hold under stress.

The incidents examined in this report show that losses are no longer driven primarily by obscure technical bugs, but by predictable failures across human behaviour, infrastructure, and system design. These are not edge cases, but recurring patterns.

Until DeFi adopts continuous security practices, stronger operational controls, and standards closer to those seen in traditional finance, the exposure DeFi carries is likely to be materially higher.

Disclaimer – Research and Educational Content

This document has been prepared by AMINA Bank AG (“AMINA”). AMINA is a Swiss licensed bank and securities dealer with its head office and legal domicile in Switzerland. It is authorised and regulated by the Swiss Financial Market Supervisory Authority (“FINMA”).

This document is published solely for educational purposes; it is not an advertisement nor a solicitation or an offer to buy or sell any financial investment or to participate in any particular investment strategy. This document is for publication only on AMINA website, blog, and AMINA social media accounts as permitted by applicable law. It is not directed to, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or would subject AMINA to any registration or licensing requirement within such jurisdiction.

Research will initiate, update and cease coverage solely at the discretion of AMINA. This document is based on various sources, incl. AMINA ones.  In preparing this document, AMINA may have made limited use of artificial intelligence–enabled tools to assist with research, summarisation, and drafting, with all content subject to human review and validation.

No representation or warranty, either express or implied, is provided in relation to the accuracy, completeness or reliability of the information contained in this document, except with respect to information concerning AMINA. The information is not intended to be a complete statement or summary of the subjects alluded to in the document, whereas general information, financial investments, markets or developments. AMINA does not undertake to update or keep current information. Any statements contained in this document attributed to a third party represent AMINA’s interpretation of the data, information and/or opinions provided by that third party either publicly or through a subscription service, and such use and interpretation have not been reviewed by the third party.

Any formulas, equations, or prices stated in this document are for informational or explanatory purposes only and do not represent valuations for individual investments. There is no representation that any transaction can or could have been affected at those formulas, equations, or prices, and any formula(s), equation(s), or price(s) do not necessarily reflect AMINA’s internal books and records or theoretical model-based valuations and may be based on certain assumptions. Different assumptions by AMINA or any other source may yield substantially different results.

Nothing in this document constitutes a representation that any investment strategy or investment is suitable or appropriate to an investor’s individual circumstances or otherwise constitutes a personal recommendation. Investments involve risks, and investors should exercise prudence and their own judgment in making their investment decisions. Financial investments described in the document may not be eligible for sale in all jurisdictions or to certain categories of investors. Certain services and products are subject to legal restrictions and cannot be offered on an unrestricted basis to certain investors. Recipients are therefore asked to consult the restrictions relating to investments, products or services for further information. Furthermore, recipients may consult their legal/tax advisors should they require any clarifications.

At any time, investment decisions (including, among others, deposit, buy, sell or hold investments) made by AMINA and its employees may differ from or be contrary to the opinions expressed in AMINA research publications.

This document may not be reproduced, or copies circulated without prior authority of AMINA. Unless otherwise agreed in writing, AMINA expressly prohibits the distribution and transfer of this document to third parties for any reason. AMINA accepts no liability whatsoever for any claims or lawsuits from any third parties arising from the use or distribution of this document.

©2026 AMINA, Kolinplatz 15, 6300 Zug

Authors

Sonali Gupta

Senior Research Analyst AMINA India
