For years, decentralized finance (DeFi) has championed the “code is law” philosophy, trusting that smart contracts could eliminate human error. However, last month’s KelpDAO hack, which resulted in losses totaling $293 million, has forced crypto infrastructure developers to confront a new reality: the sector’s biggest threats increasingly stem not from coding flaws in smart contracts, but from human and systemic failures in the infrastructure that surrounds them.
Critical risks: Bridges and governance systems
The KelpDAO breach exploited a vulnerability in a LayerZero-based bridge. The incident has shifted the attention of DeFi protocols and security researchers away from contract-level bugs toward the weak links in core infrastructure. A growing share of recent losses arises not from the contract code itself but from failures in bridges, governance systems, cloud services, and the hand-offs between teams.
Lido Labs Foundation’s Chief Technology Officer, Eugene Mamin, told CoinDesk that while most contracts operate precisely as designed by their programmers, the damage occurs when a critical role, such as an upgrade or admin key, ends up under the control of someone who is not its legitimate authority.
“In most cases, contracts did exactly what the programmers coded. The problem was, the programmers weren’t actually the legitimate authorities.”
Phoenix Labs CEO Sam MacPherson also highlighted that the largest recent losses are now due to gaps in operational security rather than code vulnerabilities.
“For a long time now, virtually all attacks have come from poor operational security,” explained MacPherson.
New threats from expanding infrastructure
As the DeFi ecosystem grows, protocols are becoming increasingly interdependent. Protocols rely on bridges, which in turn depend on validator sets and relayers, while governance mechanisms hinge on multisignature wallets and the cloud services behind them. Each new layer introduces a potential new point of failure.
Mamin observed that when an external infrastructure is integrated, its risks are inherited as well. The KelpDAO attack made it clear that a vulnerability in a shared bridge can impact every protocol and app built on that infrastructure.
“Market concentration can become a systemic risk. If too many actors depend on the same infrastructure, issues no longer stay isolated but start to spread,” explained Mamin.
The sharp increase in these kinds of losses in recent years has revealed that complexity itself has become a security threat within the industry.
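The inherited-risk and concentration argument above can be made concrete with a dependency graph. The following script is an added illustration, not code from the article, from Lido, or from any protocol named here: it models a handful of protocols that sit on top of bridges, multisigs, validator sets, relayers and a key-management service, then walks the graph in reverse to find, for every infrastructure component, which protocols would be affected if that component failed and how much value sits behind them. All protocol names, component names, edges and TVL figures are constructed for the example.

```python
"""Blast-radius model for shared DeFi infrastructure (added illustration).

Every name and number below is constructed for the example; none refers
to a real protocol, bridge or incident.
"""
from collections import defaultdict

# Constructed dependency edges: node -> the things it depends on.
# A protocol depends on a bridge and a governance multisig; bridges depend
# on a validator set and a relayer; multisigs depend on how keys are held.
DEPENDS_ON = {
    "ProtocolA": {"BridgeX", "MultisigA"},
    "ProtocolB": {"BridgeX", "MultisigB"},
    "ProtocolC": {"BridgeY", "MultisigC"},
    "BridgeX": {"ValidatorSetX", "RelayerX"},
    "BridgeY": {"ValidatorSetY", "RelayerX"},   # RelayerX is shared
    "MultisigA": {"CloudKMS"},                   # CloudKMS is shared
    "MultisigB": {"CloudKMS"},
    "MultisigC": {"HardwareSigners"},
}

# Constructed value locked per protocol, in millions of USD.
TVL_USD_M = {"ProtocolA": 300, "ProtocolB": 120, "ProtocolC": 80}


def reverse_edges(deps):
    """Build component -> set of nodes that depend on it."""
    rev = defaultdict(set)
    for node, parents in deps.items():
        for parent in parents:
            rev[parent].add(node)
    return rev


def affected_protocols(component, deps, protocols):
    """Return the protocols that transitively depend on `component`."""
    rev = reverse_edges(deps)
    seen, stack = set(), [component]
    while stack:
        node = stack.pop()
        for dependant in rev.get(node, ()):
            if dependant not in seen:
                seen.add(dependant)
                stack.append(dependant)
    return {p for p in seen if p in protocols}


def blast_radius(deps, tvl):
    """Map each infrastructure component to (affected protocols, TVL at risk)."""
    protocols = set(tvl)
    components = set()
    for parents in deps.values():
        components |= parents
    components -= protocols
    return {
        c: (hit, sum(tvl[p] for p in hit))
        for c in sorted(components)
        for hit in [affected_protocols(c, deps, protocols)]
    }


def systemic_components(deps, tvl, min_protocols=2):
    """Components whose failure would hit at least `min_protocols` protocols,
    ordered by TVL at risk (largest first), then by name for determinism."""
    radius = blast_radius(deps, tvl)
    return sorted(
        (c for c, (hit, _) in radius.items() if len(hit) >= min_protocols),
        key=lambda c: (-radius[c][1], c),
    )


if __name__ == "__main__":
    radius = blast_radius(DEPENDS_ON, TVL_USD_M)
    print(f"{'component':16} {'protocols hit':32} TVL at risk ($M)")
    for comp in systemic_components(DEPENDS_ON, TVL_USD_M):
        hit, value = radius[comp]
        print(f"{comp:16} {', '.join(sorted(hit)):32} {value}")
```

In this constructed graph the shared relayer, not either bridge, is the single component whose failure reaches every protocol, and the cloud key-management service behind two multisigs has the same reach as the larger bridge. That is the point Mamin makes about concentration: the riskiest node is often one that no individual protocol chose directly, and a protocol only sees it once it maps the dependencies of its dependencies.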
User priorities and a new security approach
These developments are now shaping investor preferences as well. Mamin believes that large capital is gravitating toward protocols that have demonstrated long-term stability and predictability. MacPherson noted a market shift, with risk-management-first systems gaining favor, and users seeking out protocols offering conservative lending and simpler collateral models.
The KelpDAO incident has underscored that many DeFi attack vectors now resemble those in traditional cybersecurity. Core infrastructure, including cloud servers, SaaS platforms, and key management systems, can all harbor significant vulnerabilities.
“The attack surface has actually reverted back to the core foundations of the internet, rather than shrinking,” commented Mamin.
Despite the on-chain transparency touted by DeFi, the off-chain infrastructure behind it is difficult to audit externally and often remains opaque.
Nevertheless, sector leaders believe these setbacks do not spell the end of DeFi. On the contrary, DeFi’s transparent nature and open risk visibility are cited as distinctive strengths. Sam MacPherson pointed out that real-time liquidity and collateral are clearly observable on-chain; for him, the real challenge lies in combining this transparency with mature risk management.