h hoge.gg
Subscribe
BTC$67,432.18+2.34%ETH$3,521.44+1.08%SOL$178.62-0.62%BNB$612.30+0.41%XRP$0.6234-0.18%ADA$0.4521+3.12%DOGE$0.1623+1.86%AVAX$38.71-1.24%LINK$17.84+0.92%HOGE$0.00004120+4.21%
BTC$67,432.18+2.34%ETH$3,521.44+1.08%SOL$178.62-0.62%BNB$612.30+0.41%XRP$0.6234-0.18%ADA$0.4521+3.12%DOGE$0.1623+1.86%AVAX$38.71-1.24%LINK$17.84+0.92%HOGE$0.00004120+4.21%
● Security & Exploits

Audit Firm Reviews: Who Really Secures DeFi in 2026

Security audits are everywhere in 2026, yet on-chain hacks hit a record count. We review the firms that guard DeFi, what a clean report buys, and where it stops.

The security audit has become crypto’s most requested badge. Almost every serious DeFi protocol now ships with a row of auditor logos, and depositors have learned to look for them before sending funds. Yet the first half of 2026 set a record for the number of on-chain breaches even as total dollar losses fell. That gap, more attacks landing on more audited code, is why choosing an audit firm has become a real research task rather than a box to tick. This is a look at who does the work, what their reports actually cover, and where a clean report stops protecting you.

A record year for breaches, a quiet year for losses

TRM Labs counted about $972 million stolen across 207 incidents in the first half of 2026, a record number of hacks but less than half the roughly $2.3 billion lost in the same period a year earlier. The split inside those numbers is the part every protocol founder should read twice. Infrastructure and operational compromise, chiefly stolen private keys and seed phrases, drove around 76% of the losses while making up only about 15% of incidents. Smart contract exploits were the mirror image: most of the incident count, a small slice of the money. Put plainly, a code audit addresses the most common attack vector, not the most expensive one. Chainalysis put full-year 2025 theft at $3.4 billion, with the top three hacks alone responsible for 69% of losses. Concentration, not frequency, does the damage.

What a smart contract audit actually reviews

A modern audit is a time-boxed review of a specific commit of code, usually run over two to four weeks by a small team. The strongest engagements combine three techniques. Manual review puts senior engineers line by line through the economic and access-control logic. Fuzzing and property testing throw millions of random inputs at the contracts to break their invariants. Formal verification proves the code against a written mathematical specification. Each method catches a different class of bug, and none of them catches everything. An audit is a snapshot: it certifies that one version of the code, under a defined scope, passed review on a given date. Change a line, add a dependency, or ship an upgrade, and the certificate no longer describes what is deployed.

The firms that dominate the 2026 market

The market has settled around a handful of names, each with a recognisable specialty. Sherlock’s 2026 ranking and the independent buyer guides tend to agree on the leaders, even when the ordering shifts. The short version is that you hire by stack and threat model, not by brand.

FirmSpecialtyTrack record
OpenZeppelinEVM contracts, monitoringActive since 2015; its open-source Solidity library is the most deployed contract code in crypto, with over $50B secured
Trail of BitsCryptography, zero-knowledgeFounded 2012; builds the Slither, Echidna and Medusa tools
HalbornOffensive testing, incident responseMiami, 2019; multi-chain audits plus red-team work and public post-mortems
CertoraFormal verificationThe Certora Prover checks code against a written specification
ZellicSolana and RustAuditor of choice for major Solana protocols, including Drift, Mango and Phoenix
CertiKHigh-volume audits, monitoringThousands of audits and Skynet on-chain monitoring; also the subject of the Kraken dispute below
Consensys DiligenceEVM DeFiBacked by Consensys; MythX and Scribble tooling

These are not interchangeable. A Solana perpetuals exchange wants Rust specialists; a protocol built on novel maths wants formal verification; a bridge or wallet wants an offensive team willing to try to break it the way an attacker would.

Contests, bounties and a wave of consolidation

Alongside the retainer firms sits a second model: competitive audits and bug bounties, where independent researchers hunt for flaws and split a prize pool. That corner consolidated sharply in 2026. Code4rena, the platform that popularised warden-style contests, announced it was winding down in May 2026, with Immunefi absorbing its bounty clients and researcher community. Code4rena had been bought by the auditor Zellic in 2024 and raised $6 million from Paradigm in 2023, so the closure said less about the model than about a shrinking pool of money: DeFi total value locked fell from roughly $160 billion in October to about $83 billion, and thinner treasuries mean thinner security budgets. Sherlock now pairs contests with insurance-backed coverage, Cantina runs Spearbit’s public marketplace, and Immunefi remains the largest bounty venue, with top payouts reaching into the millions. On price, a top-tier firm charges roughly $80,000 to $350,000 for a serious engagement, mid-tier shops $25,000 to $80,000, and boutiques $8,000 to $25,000.

When a clean report is not enough

The uncomfortable case studies are the protocols that did everything right and still lost nine figures. On November 3, 2025, an attacker drained $128.64 million from Balancer V2 in under thirty minutes, exploiting a rounding error in the _upscaleArray function that compounded across 65 operations inside a single batchSwap transaction. Balancer is one of DeFi’s oldest automated market makers and had been audited more than ten times by top firms including OpenZeppelin, Trail of Bits and Certora; the bug shipped anyway. Six months earlier, Cetus, the largest DEX on Sui, lost $223 million to an integer-overflow flaw whose root cause sat in a third-party maths library called integer-mate, not in Cetus’s own audited contracts. Both cases make the same point: an audit covers a scope, and precision bugs, economic edge cases and dependencies just outside that scope are exactly where value leaks.

ProtocolDateLoss (USD)What slipped through
Balancer V2Nov 2025$128.6MRounding error in _upscaleArray, compounded 65 times in one batchSwap
Cetus (Sui)May 2025$223MOverflow bug inside a third-party library the team did not write
Drift (Solana)Apr 2026$285MSigners socially engineered; no contract bug involved

The CertiK affair and the trust problem

If reputation is the only thing grading auditors, reputation fights matter. The sharpest of the decade came in June 2024, when CertiK researchers found and exploited a roughly $3 million bug in Kraken’s deposit system, then, according to the exchange, declined to return the funds until they were shown a bounty figure. Kraken security chief Nick Percoco called it “extortion” rather than white-hat research. On-chain records showed CertiK-linked addresses had routed funds through the sanctioned mixer Tornado Cash; the firm later blamed an unauthorised employee and, in an August statement, admitted “errors in judgment” and poor communication. The money came back, minus fees. The lasting lesson is that the firms selling security are themselves unregulated actors whose incentives do not always line up with the clients paying them.

The lesson from Drift: the code was fine

The largest single DeFi loss of the first half of 2026 was KelpDAO in April, at about $292 million. The second, Drift, is the more instructive, because its code was never the problem. On April 1, attackers drained about $285 million from Drift, the biggest perpetuals exchange on Solana, in roughly twelve minutes, the second-largest exploit in Solana’s history after the 2022 Wormhole bridge. Drift’s contracts had been audited by strong Rust specialists. What failed was people. Investigators tie the attack to a North Korean crew that spent six months socially engineering multisig signers into pre-signing hidden authorisations, then used a zero-timelock migration to strip out the protocol’s last safeguard. North Korea accounted for roughly $643 million, about 66% of all H1 2026 losses. No Solidity review stops a signer being tricked, and this operational vector, where TRM shows the real money goes, sits almost entirely outside an auditor’s scope.

No regulator grades the graders

Here is the structural gap. No US regulator mandates a smart contract audit or accredits the firms that perform them. There is no PCAOB for Solidity, no licensing exam, no standard report format with legal weight. Under chair Paul Atkins, the SEC’s Crypto Task Force and its Project Crypto initiative have concentrated on how tokens are classified and how on-chain markets should register, not on code-review standards. One written submission to the Task Force put the core problem plainly: trust in a deployed contract rests on the off-chain reputation of whoever deployed it and its voluntary conformance to a published standard, neither of which is structurally guaranteed. The market polices audit quality with reputation alone. That works until it does not, which is why the post-mortem, the public forensic write-up a firm publishes after a hack, has quietly become a better proof of competence than any pre-hack certificate.

How to read an audit before you deposit

A clean logo is a starting point, not a verdict. A few checks separate real assurance from theatre.

  • Match the scope to the deployment. Confirm the audited commit is what is actually live on-chain, and that any upgrade since then was reviewed again.
  • Read the findings and the fixes, not just the summary. A report with zero critical issues can mean a shallow review; look at how problems were resolved.
  • Prefer several independent audits plus a live bug bounty over a single stamp. Balancer carried more than ten audits and still shipped a bug.
  • Check the dependencies. Cetus fell to a library it did not write, so ask whether third-party code was in scope.
  • Weigh operations, not only code. Multisig thresholds, timelocks and signer hygiene stopped being theory and started costing hundreds of millions this year.

The honest summary of any 2026 audit firm review is that the leading shops are very good at what they do, and what they do is necessary without being close to sufficient. Treat the badge as one input, read the report, and assume the attacker will look precisely where the audit stopped.

By the HOGE Wire security desk, covering DeFi exploits, audits and on-chain forensics.

Share 𝕏 Post Telegram