Are We Securing the Wrong Layer? - Certora Livestream Reveals DeFi’s Biggest Security Blind Spot

Examining DeFi’s expanding attack surface and the limits of smart contract security.

In the wake of the recent slew of DeFi hacks, leading blockchain security firm Certora hosted a livestream titled “Are We Securing the Wrong Layer?” on Thursday, April 30, that challenged a long-running assumption in DeFi. For years, the industry has focused heavily on smart contract audits as the primary line of defense. However, recent exploits suggest that attackers no longer rely solely on breaking contract logic. Instead, they increasingly target the surrounding systems that support protocols.

April 2026 underscores that shift in stark terms. The month recorded 29 separate hacks, an 81% increase from the previous high of 16 incidents in January, making it the worst month on record for crypto exploits.

The largest incidents included KelpDAO at $293M, Drift at $295M, and Rhea at $18M. These events did not share a single technical flaw. Instead, they reflected a broad expansion of attack vectors across the ecosystem.

Certora CEO Seth Hallem joined Michael Lewellen, Head of Solutions Engineering at Turnkey, to explore how the threat landscape has evolved and what protocol teams must do to adapt. The discussion highlighted a clear shift. Security risks now extend far beyond onchain code into offchain infrastructure, operational processes, and human behavior.

A Changing Threat Landscape

The conversation opened with a review of recent high-profile exploits. Lewellen pointed to a surge in attacks throughout April, including incidents affecting Drift Protocol, KelpDAO, and several projects within the Sui ecosystem. These attacks did not rely on traditional smart contract vulnerabilities. Instead, they exploited weaknesses in multisig setups, infrastructure, and operational practices.

In one example, attackers used social engineering to compromise multisig signers. In another, they embedded malicious code within the backend infrastructure and waited for the right moment to act. These approaches reflect a broader trend. Attackers now behave more like advanced persistent threats, investing time and resources into long-term infiltration rather than quick exploits.

Hallem noted that this shift represents a wake-up call for the industry. Early DeFi hacks often involved straightforward coding errors. Today’s attackers demonstrate patience, coordination, and a deep understanding of how protocols operate across multiple layers.

The Role of AI in Modern Attacks

Artificial intelligence has further accelerated this shift. Both Hallem and Lewellen emphasized that AI tools now allow attackers to analyze protocols at unprecedented speed. By scanning codebases, documentation, and public data, these tools can quickly identify weak points and generate potential attack strategies.

This reduced cost of discovery has lowered the threshold for exploitation. Smaller protocols with limited resources now face the same level of scrutiny that once applied only to larger platforms.

At the same time, AI also provides defensive advantages. Security teams can use similar tools to model threats, identify vulnerabilities, and test assumptions. However, this creates a race between attackers and defenders. Teams that fail to adopt these tools risk falling behind.

Immediate Security Steps for DeFi Teams

A central theme of the discussion focused on operational security. Lewellen highlighted the importance of endpoint protection, access control, and infrastructure hardening. Many teams still rely on personal devices, minimal monitoring, and loosely defined processes. These practices introduce significant risk.

He recommended several immediate steps. Protocols should:

  • Increase multisig thresholds for critical actions

  • Segment permissions based on risk

  • Adopt hardware-based authentication methods

Teams should also implement endpoint detection systems, enforce secure device usage, and maintain detailed logs for incident response.

Hallem added that protocols must align their operational processes with their risk profiles. Not all actions require the same level of security. Routine operations can remain flexible, but high-impact actions, such as contract upgrades, should be subject to stricter controls and longer approval timelines.
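The steps above (higher thresholds for critical actions, permissions segmented by risk, hardware-backed approvals, longer approval timelines for upgrades) can be expressed as a pre-execution policy check. The following is an added example, not code from the livestream, Certora, or Turnkey; the tier names, thresholds, delays, and signer names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical tiers: thresholds, delays and signer sets are illustrative
# assumptions, not values given in the livestream.
POLICY = {
    "routine": {"threshold": 2, "delay_s": 0, "hardware_only": False,
                "signers": {"ops1", "ops2", "ops3"}},
    "upgrade": {"threshold": 4, "delay_s": 48 * 3600, "hardware_only": True,
                "signers": {"sec1", "sec2", "sec3", "sec4", "sec5"}},
}

@dataclass(frozen=True)
class Approval:
    signer: str
    hardware_backed: bool  # True if the signature came from a hardware key

def evaluate(tier, approvals, proposed_at, now):
    """Return policy violations; an empty list means the action may execute."""
    rule = POLICY.get(tier)
    if rule is None:
        return [f"unknown tier {tier!r}: denied by default"]
    problems, valid = [], set()
    for a in approvals:
        if a.signer not in rule["signers"]:
            problems.append(f"{a.signer} holds no permission for {tier}")
        elif rule["hardware_only"] and not a.hardware_backed:
            problems.append(f"{a.signer} approved without a hardware key")
        else:
            valid.add(a.signer)  # a set, so repeated approvals count once
    if len(valid) < rule["threshold"]:
        problems.append(f"{len(valid)}/{rule['threshold']} valid approvals")
    remaining = rule["delay_s"] - (now - proposed_at)
    if remaining > 0:
        problems.append(f"timelock: {remaining}s remaining")
    return problems

if __name__ == "__main__":
    # Constructed sample: an upgrade approved one hour after proposal,
    # with an ops signer and a software-key approval mixed in.
    sample = [Approval("sec1", True), Approval("sec2", True),
              Approval("sec3", False), Approval("ops1", True)]
    for line in evaluate("upgrade", sample, proposed_at=0, now=3600):
        print(line)
```

The same routine-tier approvals that pass immediately are rejected for an upgrade, which is the point of segmenting by risk: a compromised low-tier signer or software key cannot contribute to a high-impact action.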

The Challenge of Balancing Security and Decentralization

The discussion also addressed a tension within Web3. Decentralization remains a core value, but achieving strong security often requires centralized coordination and significant resources. Small teams managing large amounts of capital face particular challenges in meeting these demands.

Hallem compared this dynamic to the evolution of cloud computing. Organizations initially resisted centralization due to security concerns, but eventually recognized that large providers could offer stronger protection through scale. A similar shift may occur in crypto infrastructure as protocols seek enterprise-grade security solutions.

Moving Toward Continuous Security

One of the clearest conclusions from the livestream involved the need for continuous security practices. Point-in-time audits cannot account for evolving threats, changing infrastructure, or new attack techniques. Instead, protocols must adopt ongoing monitoring, regular threat modeling, and continuous validation of their systems. This approach treats security as an operational function rather than a one-time checklist.

Lewellen emphasized that attackers will continue to adapt. If one layer becomes secure, they will target another. Protocols must therefore take a holistic view of their systems and eliminate single points of failure wherever possible.

A New Security Reality for DeFi

The Certora livestream underscored a fundamental shift in how DeFi security should be understood. Smart contracts remain critical, but they no longer represent the primary point of failure. The broader ecosystem, including infrastructure, governance, and human processes, now defines the true attack surface.

As protocols grow and attract more capital, they will face increasingly sophisticated adversaries. Addressing this challenge requires more than better code. It demands a comprehensive approach that integrates technology, operations, and human awareness into a unified security strategy.
