While decentralized finance emphasized the “code is law” approach for years, it was assumed that smart contracts would eliminate human error. However, the KelpDAO attack last month, which caused a loss of $293 million, revealed a new reality for crypto infrastructure developers: the biggest risks in the industry often arise not from smart contract bugs, but from complex human and system failures in the technological infrastructure around the contracts.
Critical risks: Bridges and management systems
The KelpDAO attack was carried out by exploiting a vulnerability in a LayerZero-based bridge. The incident turned the attention of DeFi protocols and security researchers to weak links in the infrastructure rather than to code bugs. Many recent losses no longer stem directly from contract code; they appear to arise from bridges, governance systems, cloud services and the connections between teams.
Speaking to CoinDesk about the attack, Lido Labs Foundation technical lead Eugene Mamin said that most contracts work as their programmers intended; however, he stated that the system remains vulnerable when the parties who end up controlling it are not the ones actually authorized to do so.
“In most cases, the contracts did exactly what their programmers did. But the programmers were not actual officials.”
Phoenix Labs CEO Sam MacPherson pointed out that the biggest losses are now due to gaps in operational security.
“For a long time, all attacks have been due to poor operational security,” he said.
New threats posed by growing infrastructure
As the DeFi ecosystem grows, the interdependence between protocols increases. Protocols rely on bridges, bridges rely on verifiers and transmission systems, and governance mechanisms rely on multi-signature infrastructure and cloud systems. Each new layer creates a potential risk point.
Mamin stated that when a protocol builds on someone else’s infrastructure, it automatically inherits the risks of that system. The KelpDAO attack showed that a vulnerability in shared bridge infrastructure also damaged other protocols and applications running on that same infrastructure.
“Concentration in the market can turn into a systemic risk after a point. If too many actors become dependent on the same infrastructure, problems begin to spread instead of remaining isolated.”
These losses, which have grown rapidly in recent years, revealed that complexity in the industry has itself become a security threat.
User preferences and new security concept
These developments are also reflected in investor preferences. According to Mamin, large pools of capital are now turning to protocols that have been stable and predictable for a long time. MacPherson said that systems that emphasize risk management are now rewarded in the market; he stated that users are switching to protocols that offer conservative lending and simpler collateral structures.
The KelpDAO incident also revealed that many attack vectors in DeFi now resemble traditional cybersecurity problems. Serious security vulnerabilities can occur in the computers, SaaS platforms and key management systems used to operate the infrastructure.
“Instead of shrinking, the attack surface has returned to the roots of the internet,” Mamin said.
Despite on-chain transparency, this off-chain infrastructure remains opaque and difficult for outsiders to audit.
Regardless, industry leaders believe that what is happening does not indicate a complete dysfunction of DeFi. On the contrary, transparency and clear visibility of risks are cited as one of the distinguishing aspects of DeFi. MacPherson pointed out that liquidity and collateral can be monitored on-chain in real time, and argued that the real challenge is combining this transparency with mature risk management.
