
Our audit blindspot: Web3’s future depends on rethinking security | Opinion

Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news’ editorial.

For much of 2024, I felt like I was living in the future. Google unveiled a quantum computing chip that performed a benchmark calculation which would take a classical supercomputer longer than the universe has existed. Waymo's autonomous vehicles were providing over 150,000 paid rides a week. AI models like AlphaFold continued unraveling complex biological challenges with precision.

Despite massive technological strides elsewhere, parts of our own industry felt like they stood still, especially when it comes to security. While advanced technologies are transforming nearly every sector, web3 security remains frustratingly broken. 

The shift from web2's centralized model to web3's decentralized architecture has dramatically expanded the attack surface. Decentralization is the backbone of web3's innovation, but it creates an inherent security paradox: the same open, distributed nature that gives users freedom also creates an expansive, permanently exposed attack surface. With hundreds of billions of dollars in transaction volume flowing annually, the stakes for getting security right have never been higher.

Yet despite the seismic growth in attack surface and the billions flowing through protocols, our industry clings to reactive, manual audits as its security foundation. This approach, once regarded as the gold standard of web3 security, has proven wildly insufficient and outdated. The data bears this out: 90% of exploited contracts had undergone an audit.

Just as web2 software development evolved far beyond manual testing to include a number of tools and techniques—continuous integration, automated testing, runtime monitoring, to name a few—web3 now requires a similar transformation in how we approach development and ultimately deploy to the masses. 

Web3’s unique challenges 

The state of smart contract security practice is especially alarming when measured against what a web3 breach costs. Three properties of the environment drive that risk:

  1. Immutability: When you deploy a smart contract, its code becomes permanent. Immutability is a core feature, not a bug. Unlike a web2 application, where developers can patch a vulnerability and redeploy in minutes, fixing a flaw in a deployed contract means migrating users and state to a new contract or, where an upgrade path was designed in from the start, coordinating an upgrade across the entire protocol.
  2. Visibility: Compounding this challenge is the public nature of blockchain code. Deployed bytecode is readable by anyone, and most serious protocols publish verified source on block explorers, so potential attackers can study the exact code that holds the funds. If vulnerabilities exist, bad actors can (and will) find them.
  3. Direct control over assets: Most critically, web3 vulnerabilities put actual assets at immediate risk. While web2 attacks typically target data, a smart contract exploit moves funds in the same transaction, resulting in direct and often irreversible financial losses.

What makes web3 revolutionary—its immutability, transparency, and direct control of assets—is exactly what requires us to rethink security from the ground up.

Why audits alone fall short 

Let me be clear: I'm not arguing against audits. They play an essential role in deploying secure smart contracts, but they shouldn't be our first and only line of defense. When audits are all we've got, users' assets are left exposed. Take the Euler Finance hack in 2023 as an example: losses reached roughly $200M, despite the protocol having undergone ten different audits. The flaw itself was small, a donate-to-reserves path that reduced an account's collateral without re-running the health check every other path enforced.

The most fundamental issue with relying on manual audits is that even the most advanced auditors can't catch everything; humans are fallible. Smart contracts are becoming increasingly complex, and each new feature interacts with every existing one, so the number of paths a reviewer must reason about grows far faster than the code itself, making it virtually impossible for any manual review to identify every potential weakness. The fact that a project can undergo ten different audits and still get hacked proves this point. It's not about the skill of the individual auditors but rather the inherent limitations of manual review.
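To make concrete what "one missed check" looks like, here is an added, deliberately simplified illustration. It is not Euler's code and not the author's or Olympix's; the contract, function and test names (ToyVault, donateToReservesVulnerable, ToyVaultTest) are invented, and the collateral model is a toy with no token transfers. The shape of the bug follows the public Euler post-mortem: a path that lowers an account's collateral skips the health check that borrow and withdraw both run. The accompanying Foundry test (assumes a Foundry project with forge-std installed) is the kind of automated, pre-audit check that fails on the vulnerable variant and passes on the fixed one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed toy lending vault (illustration only, not Euler's code).
// Accounts deposit collateral and borrow against it; debt may not exceed
// 75% of collateral. Every state change that can lower an account's
// collateral must re-check health. The vulnerable donate path forgets to.
contract ToyVault {
    uint256 public constant COLLATERAL_FACTOR_BPS = 7_500; // 75% in basis points

    mapping(address => uint256) public collateral; // deposited units
    mapping(address => uint256) public debt;       // borrowed units
    uint256 public reserves;

    error Undercollateralized(address account);

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        _checkHealth(msg.sender); // borrowing can only make the account worse
    }

    function withdraw(uint256 amount) external {
        collateral[msg.sender] -= amount;
        _checkHealth(msg.sender); // withdrawing collateral can only make it worse
    }

    // VULNERABLE: burns the caller's collateral into protocol reserves but
    // never re-checks health. A borrower can push their own account under
    // water; in Euler's case the resulting bad debt was then liquidated at a
    // discount by a second account the attacker controlled.
    function donateToReservesVulnerable(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        // _checkHealth(msg.sender) is missing here
    }

    // FIXED: identical operation, with the same invariant enforced as on
    // every other collateral-reducing path.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        _checkHealth(msg.sender);
    }

    // Account is healthy when debt <= collateral * 75%.
    function isHealthy(address account) public view returns (bool) {
        return debt[account] * 10_000 <= collateral[account] * COLLATERAL_FACTOR_BPS;
    }

    function _checkHealth(address account) internal view {
        if (!isHealthy(account)) revert Undercollateralized(account);
    }
}

// Foundry unit tests: the invariant "no user action leaves the caller
// unhealthy" is what an automated suite checks on every commit.
contract ToyVaultTest is Test {
    ToyVault vault;

    function setUp() public {
        vault = new ToyVault();
    }

    // Fixed path: donating 50 of 100 collateral against 75 debt must revert.
    function test_donateKeepsAccountHealthy() public {
        vault.deposit(100);
        vault.borrow(75); // exactly at the 75% limit, still healthy
        vm.expectRevert(
            abi.encodeWithSelector(ToyVault.Undercollateralized.selector, address(this))
        );
        vault.donateToReserves(50);
    }

    // Vulnerable path: the same donation succeeds and leaves bad debt behind.
    // Written to document the bug; in a real suite this assertion would be
    // inverted and the test would fail until the check is added.
    function test_vulnerableDonateLeavesBadDebt() public {
        vault.deposit(100);
        vault.borrow(75);
        vault.donateToReservesVulnerable(50); // does not revert
        assertFalse(vault.isHealthy(address(this)));
    }
}
```

Run with `forge test` inside a Foundry project. The point is not the specific bug but that the missing call is a one-line omission in an otherwise consistent contract, exactly the kind of routine invariant violation that a test or static check flags mechanically and that a human reviewer reading thousands of lines can walk past.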

The case for proactive security

In short, our industry's reliance on audits has created what I believe to be an irresponsible status quo for web3 security, one where proactively securing smart contracts is the exception rather than the rule. The realization that web3 had innovated while security was left in the past is exactly what led me to start Olympix in 2022, a dev-first web3 security platform that helps developers secure code as they write it.

Our goal is to automate as much of the audit process as possible, currently catching 20-50% of vulnerabilities before the project even reaches its first audit. This lets security experts spend their time on the most high-impact and novel vulnerabilities instead of routine issues. And it's working: an internal analysis showed that in Q3 '24 alone, $60M in losses from exploited, previously audited contracts would have been prevented had the teams used our tools. This includes high-profile hacks like Pendle ($6.5M) and LIFI ($600K). However, like audits, advanced tools like Olympix aren't a complete solution on their own. Web3's unique challenges demand a layered approach that combines proactive, developer-first tooling with traditional audits, bug bounty programs, and on-chain monitoring, so that no single control has to be perfect.

The path forward: From reactive to proactive

Take a look at your approach to security today. Does it rely on one-time audits? Does the sophistication of your security practices match the complexity and risk level of the project you’ve deployed? I’d guess that for a vast majority, the security gap remains dangerously wide. 

The reality is that in 2025, we have everything we need to transform web3 security. The technology to safely deploy smart contracts is here, and the tools exist–Olympix being one of them. 

I firmly believe the future of our industry will be determined by trust, starting with our ability to protect the assets our peers entrust us with. Yes, web3 is transformative, but it’s also unforgiving. With billions at stake, the robustness and longevity of web3 are on our shoulders. Let’s secure our future proactively. 

Channi Greenwall

Channi Greenwall is the founder of Olympix, a proactive security tooling company for web3 development that has secured over $10 billion in total value locked across protocols. Just a few years into existence, the platform is already used by over 30% of Solidity developers for smart contract security. Prior to Olympix, she engineered mission-critical security infrastructure at JP Morgan Chase, followed by a role as a product lead at Security Scorecard. She holds a BS in Computer Science and an MS in Security Engineering from NYU. 

This article first appeared at crypto.news

Written by Outside Source