
Four Layers of DeFi Risk: A Security Framework for Financial Institutions

Written by OpenZeppelin | May 12, 2026

JPMorgan recently made headlines by citing persistent security flaws as a barrier to institutional DeFi participation, and the numbers behind that are hard to ignore: Bybit ($1.5 billion), KelpDAO ($292 million), Drift ($285 million), and Euler ($197 million).

The losses are real, and so is the underlying tradeoff. The same finality and settlement speed that make onchain finance compelling also mean that security incidents carry consequences that are immediate and, in most cases, irreversible. What makes the current moment particularly acute is that attackers have moved down the stack. The most significant losses of the past two years were the result of sophisticated social engineering, signing-infrastructure compromise, and operational-control failures that most institutional security programs are not designed to catch. That is a solvable problem, but it requires a different approach.

OpenZeppelin has spent over a decade securing onchain financial infrastructure for institutions including DTCC, WisdomTree, and Fidelity Digital Assets. What we've learned is that DeFi risk is manageable, but it requires a different mental model than traditional financial risk, and a more proactive security posture than what most institutions currently have.

The Threat Landscape Has Shifted and Most Risk Registers Haven't Caught Up

The popular narrative frames DeFi losses as "smart contract hacks." That framing is increasingly outdated. A review of the major incidents of the last 36 months shows that the majority now originate in failures of the operational layer surrounding those protocols, not in the protocol code itself.

In the case of the Bybit breach, the exchange's own systems were never compromised. What happened was a supply-chain attack on the wallet provider's signing interface: attackers spent over two weeks infiltrating Safe{Wallet}'s infrastructure before injecting malicious JavaScript into the signing UI. Signers approved what the interface showed them, a routine transfer, while the payload they actually signed was a delegatecall that replaced the Safe's implementation contract; nobody verified the transaction hash through a channel independent of the compromised UI. The Drift exploit followed a similar pattern: a six-month social engineering campaign that culminated in Security Council members unknowingly pre-signing transactions that handed administrative control to the attackers.

These incidents point to a combination of operational-control failures and human error: gaps that most institutions' existing risk programs aren't designed to catch.

The major threat categories financial institutions should be tracking fall into four distinct layers:

  1. Smart contract & protocol: The code that implements a protocol's core logic and the rules governing its financial behavior, plus the external data sources (oracles, price feeds) those contracts depend on.
  2. Key management & custody: The private keys, signing devices, and wallet interfaces that control privileged access to onchain assets and administrative functions, and the operational procedures surrounding them.
  3. Governance & upgrades: The mechanisms that allow a protocol to change over time: voting contracts, timelocks, upgrade proxies, and the deployment pipelines used to push new code.
  4. Cross-chain & integration: The bridges, messaging layers, third-party libraries, and upstream protocol dependencies that connect protocols across chains or compose them with other onchain systems.

Most institutional risk registers address the first layer through point-in-time code audits. That's necessary, but insufficient. Without continuous security across all four layers, institutions are operating without visibility into the surface where most major losses now originate.

Monitoring Separates Incident Response from Incident Prevention

There is a compelling case that real-time monitoring changes the outcome of security events as they occur. In August 2022, an attacker submitted a fraudulent block to the Rainbow Bridge contract. An automated watchdog challenged it within 31 seconds, the block was rolled back, and no user funds were lost. In July 2023, an independent searcher front-ran the Vyper reentrancy attacker on Curve's CRV/ETH pool, extracted $5.4 million ahead of the exploiter, and returned the funds the same day. In August 2024, MEV searchers front-ran a vote-threshold bug exploit on Ronin Bridge, recovered approximately $14 million, and the bridge was paused within 40 minutes of the first suspicious onchain action.

In onchain finance, the attacker and the defender are operating in the same transparent environment. Institutions that instrument that environment well can detect, respond to, and in some cases reverse losses that would otherwise be unrecoverable.

A minimum-viable monitoring posture should map to each of these four layers:

  1. At the smart contract and protocol layer: every privileged-function invocation such as pause, unpause, fee changes, and ownership transfers; oracle price deviations beyond defined thresholds; anomalous asset flows that deviate significantly from baseline; and flash loan interactions with critical protocol contracts.
  2. At the key management and custody layer: every multisig signing event correlated with signer-device integrity; anomalous signing activity from unexpected locations or times; and any change to signer sets or access control configurations.
  3. At the governance and upgrade layer: every upgrade transaction verified against the last audited bytecode; timelock queue changes; and any emergency-action invocation.
  4. At the cross-chain and integration layer: every cross-chain mint verified against a corresponding burn on the source chain; and health factors across integrated protocol dependencies.

Alert routing matters as much as coverage. Informational events, anomalous events, and confirmed incident events each need a different responder and a different response time, and the confirmed-incident tier should route directly to whoever holds pre-authorized pause authority.
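As an added example (not OpenZeppelin's code and not the configuration format of any OpenZeppelin product), the Python below sketches one rule per layer from the list above plus the three routing tiers, run over a constructed stream of pre-decoded events. The event shapes, addresses, codehashes, privileged-function names and the 2% oracle threshold are all assumptions for illustration; in a real deployment the events would be decoded from chain logs by a node or a monitoring service, and the allowlists would come from the institution's change-control records.

```python
"""Constructed minimum-viable monitoring rules for the four DeFi risk layers.

Added example, not OpenZeppelin code. Events are pre-decoded dicts with keys
such as "tx", "from", "function", "event", "args"; a real system would decode
them from logs. Every address, hash and threshold here is made up.
"""
from dataclasses import dataclass

# Routing tiers from the text: each severity gets a responder and a response time.
ROUTING = {
    "informational": ("ops-channel", "next business day"),
    "anomalous": ("on-call-engineer", "15 minutes"),
    "incident": ("pause-authority+IR-lead", "immediate"),
}

# Assumed allowlists: the governance multisig, the privileged functions it owns,
# the codehashes of audited implementations, and Safe-style signer-set events.
GOVERNANCE_MULTISIG = "0xGovMultisig"
PRIVILEGED = {"pause", "unpause", "setFee", "transferOwnership"}
AUDITED_CODEHASHES = {"0xaudited_v1", "0xaudited_v2"}
SIGNER_SET_EVENTS = {"AddedOwner", "RemovedOwner", "ChangedThreshold"}
ORACLE_DEVIATION_BPS = 200  # alert when a feed deviates more than 2% from the reference

@dataclass(frozen=True)
class Alert:
    severity: str
    layer: str
    detail: str
    tx: str

    @property
    def route(self):
        return ROUTING[self.severity]

def check_privileged_call(ev):
    # Layer 1: log every privileged call; one from outside governance is an incident.
    if ev.get("function") in PRIVILEGED:
        sev = "informational" if ev["from"] == GOVERNANCE_MULTISIG else "incident"
        return Alert(sev, "contract", f"{ev['function']} by {ev['from']}", ev["tx"])

def check_oracle(ev, reference_price):
    # Layer 1: oracle answer deviating beyond the threshold (integer basis points).
    if ev.get("event") == "AnswerUpdated":
        dev_bps = abs(ev["args"]["answer"] - reference_price) * 10_000 // reference_price
        if dev_bps > ORACLE_DEVIATION_BPS:
            return Alert("anomalous", "contract", f"oracle deviates {dev_bps} bps", ev["tx"])

def check_signer_set(ev):
    # Layer 2: any signer-set or threshold change needs a human review.
    if ev.get("event") in SIGNER_SET_EVENTS:
        return Alert("anomalous", "custody", f"{ev['event']} {ev['args']}", ev["tx"])

def check_upgrade(ev):
    # Layer 3: the new implementation's codehash must match an audited build.
    if ev.get("event") == "Upgraded":
        h = ev["args"]["codehash"]
        sev = "informational" if h in AUDITED_CODEHASHES else "incident"
        return Alert(sev, "governance", f"upgrade to codehash {h}", ev["tx"])

def check_crosschain(events):
    # Layer 4: every destination-chain mint needs a source-chain burn with the same id.
    burns = {e["args"]["msg_id"] for e in events if e.get("event") == "Burn"}
    return [Alert("incident", "cross-chain", f"mint {e['args']['msg_id']} without burn", e["tx"])
            for e in events if e.get("event") == "Mint" and e["args"]["msg_id"] not in burns]

def run_rules(events, reference_price):
    alerts = []
    for ev in events:
        for a in (check_privileged_call(ev), check_oracle(ev, reference_price),
                  check_signer_set(ev), check_upgrade(ev)):
            if a:
                alerts.append(a)
    alerts.extend(check_crosschain(events))
    return alerts

# Constructed sample stream: a benign pause, a rogue fee change, a 5% oracle jump,
# a threshold change, an unaudited upgrade, and one mint with no matching burn.
SAMPLE_EVENTS = [
    {"tx": "0x01", "from": GOVERNANCE_MULTISIG, "function": "pause"},
    {"tx": "0x02", "from": "0xAttacker", "function": "setFee"},
    {"tx": "0x03", "event": "AnswerUpdated", "args": {"answer": 2100_00}},
    {"tx": "0x04", "event": "ChangedThreshold", "args": {"threshold": 1}},
    {"tx": "0x05", "event": "Upgraded", "args": {"codehash": "0xunknown"}},
    {"tx": "0x06", "event": "Burn", "args": {"msg_id": "m1"}},
    {"tx": "0x07", "event": "Mint", "args": {"msg_id": "m1"}},
    {"tx": "0x08", "event": "Mint", "args": {"msg_id": "m2"}},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS, reference_price=2000_00):
        responder, sla = a.route
        print(f"[{a.severity:13}] {a.layer:11} {a.detail} -> {responder} within {sla}")
```

Two design points carry over to real deployments. The upgrade rule compares the new implementation's codehash against a registry of audited builds rather than trusting the proposal description, which is what "verified against the last audited bytecode" amounts to in practice. The cross-chain rule only works if the monitor ingests both chains' logs over the same window; a mint observed before its burn has propagated is a false positive unless the rule allows for the bridge's finality delay.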

A Framework for Institutional DeFi Participation

Skepticism about DeFi security is healthy. But the right response to that skepticism is a structured approach to participation that matches the risk profile of the activity. Here's how we recommend institutions think about it:

  • Start with a stack-wide risk assessment. Before deploying capital or integrating protocols, financial institutions need an independent view of the blockchain technology landscape and where their chosen stack sits within it. Think of it as the Gartner layer for onchain infrastructure: an authoritative, vendor-neutral evaluation of the protocols, vendors, and integrations your institution is considering, mapped against your current controls across contracts, key management, monitoring tooling, governance structure, and incident response readiness. OpenZeppelin's Technical Risk Assessment is designed exactly for this, providing the documented foundation institutions need to support regulatory submissions and internal governance.
  • Security extends well beyond code audits. The threat surface reaches past contract code into the operational infrastructure around it. An operational security assessment covering multisig configuration, key custody, deployment pipelines, and privileged-action monitoring is increasingly where institutions find the gaps that matter most. OpenZeppelin's Blockchain Operational Security Assessment provides a structured evaluation of that off-chain surface, the layer where most institutional losses between 2024 and 2026 originated.
  • Deploy continuous monitoring before you go live. Onchain activity is transparent and permanent. Waiting until post-incident to instrument your monitoring is not a risk management strategy. OpenZeppelin can deploy and manage customized continuous monitoring for your institution, built on battle-tested open source infrastructure and configured to your specific stack and risk parameters.
  • Build your incident response playbook around DeFi-specific scenarios. Traditional IR playbooks don't map cleanly to onchain incidents. Who has pre-authorized pause authority? What's the communication plan for a public blockchain event that market participants can see in real time? What's the forensic capture protocol? These questions need answers before an incident occurs, and regulators will expect to see them documented. OpenZeppelin's Incident Response and Emergency Training works directly with your team to build and stress-test the playbooks, governance procedures, and communication protocols that onchain operations require.

The Opportunity Is Real and So Is the Window

Financial institutions will not earn customer trust or satisfy regulators until they can demonstrate that their onchain stack is continuously secure. The most significant losses of the past two years happened in code shipped between audits, or through operational failures that no audit would have caught. A point-in-time security posture is no longer sufficient.

The next era of global finance will be built on blockchain infrastructure. The institutions building the right security foundations now will be the ones their customers trust and their regulators approve. The OpenZeppelin Continuous Security Program is designed for exactly this: always-on coverage across the full security lifecycle, built to the institutional standards regulators and risk committees require.

If you're rethinking your security posture in light of recent incidents, get in touch.

FAQs

What are the biggest security risks for financial institutions participating in DeFi?

The four main risk categories are smart contract vulnerabilities; key management and signing infrastructure failures; governance and upgrade attacks; and cross-chain, integration, and dependency exploits. Most institutions focus on the first category while significantly underweighting the other three, which have been the source of most large losses between 2024 and 2026.


How did the Bybit hack happen, and what does it mean for institutional security?

Attackers compromised Bybit's wallet signing interface through a supply-chain attack on Safe{Wallet}'s infrastructure, not a smart contract bug. Over two weeks, they infiltrated the infrastructure and injected malicious JavaScript into the signing UI, so that signers authorized transactions whose true contents they could not see. It demonstrated that signing infrastructure and frontend integrity are as critical as code audits, and that signers need a way to verify what they sign independently of the interface presenting it.


What is onchain monitoring and why do financial institutions need it?

Onchain monitoring tracks blockchain activity in real time, flagging privileged-function calls, upgrade transactions, oracle deviations, and anomalous signing behavior. Because blockchain activity is transparent, institutions that monitor well can detect attacks as they happen and, in documented cases, respond fast enough to prevent losses.


Is a smart contract audit enough to protect a financial institution in DeFi?

No. Audits are a necessary baseline but don't cover the operational infrastructure around a protocol: key custody, multisig configuration, signing interface integrity, or incident response. A mature security posture layers audits with continuous monitoring and operational security assessments.


What should an institutional DeFi risk register include?

At minimum: access control exploits, oracle manipulation, flash-loan attacks, signing infrastructure compromise, governance and upgrade risks, and bridge vulnerabilities. Each scenario should map to observable monitoring signals, a named responder, and a runbook, not just exist as a theoretical entry.


How does OpenZeppelin help financial institutions manage DeFi security risk?

OpenZeppelin provides full-stack security across all four risk layers: continuous security monitoring, risk assessments that map institutional controls against the complete threat landscape, operational security assessments covering key custody and signing infrastructure, and smart contract audits. OpenZeppelin has worked with institutions including DTCC, WisdomTree, and Fidelity on their onchain financial infrastructure security.