Crypto’s obsession with on-chain security lets off-chain mistakes cost billions, analysts warn

Hacken analysts say many crypto firms fail to meet even the baseline of the cryptocurrency security standard, leaving billions exposed to insider threats and credential leaks.

In crypto, one quiet smart contract update can undo months of security work. And yet, according to analysts at blockchain forensic firm Hacken, the industry still treats audits like branding tools, not like the breathing checkpoints they ought to be.

Audits “shouldn’t be treated as a checkbox or a logo on your homepage,” Dyma Budorin, CEO of Hacken in said in an exclusive interview with crypto.news. In his view, too many projects rely on a static snapshot of their code and call it a day. But once that code changes — and it often does — the audit’s relevance can evaporate. “Every audit becomes outdated the moment a contract is changed,” he warned.

The issue isn’t just the lack of audits, but the lack of systems that monitor code after deployment. Hacken argues that without continuous validation and re-audits, teams might be lulled into a false sense of security.

“A single overlooked function can open the door to disaster. The real issue isn’t just audit coverage, it’s audit relevance. We need systems that track every change, revalidate assumptions, and trigger re-audits when needed. Otherwise, all it takes is one silent update to break everything you thought was secure.”

Dyma Budorin

The team suggests a shift toward more standardized and automated checks. Things like symbolic execution, fuzzing, and formal verification should be part of the launch checklist — not optional extras. No smart contract, they say, should go live without first passing a baseline set of automated tests.

But even that isn’t enough. Contract ecosystems change. Upgrades happen. And sometimes, they don’t — even when they should. Hacken wants to see better controls around upgradability. Protocols should encourage patching or even deactivate legacy contracts when risks are discovered. As the Hacken team noted, “too often, patching is left to chance — or worse, to the hackers’ mercy.”

In the end, the message is simple: if crypto wants to grow up into an infrastructure layer — something foundational, not just speculative — then security can’t be an afterthought.

Multisig is not enough

Code isn’t always the problem though. In some of the biggest crypto breaches, it’s the off-chain stuff that breaks first. Take Bybit, for example. The exchange lost nearly $1.5 billion due to a compromised multisig setup. Not because of a bug in the code, but because of what looks like poor operational security.

“Many crypto platforms neglect fundamental off-chain security principles, secure operational practices, and specific requirements outlined in the Cryptocurrency Security Standard, leaving themselves vulnerable to similar threats.”

Dmytro Yasmanovych, head of compliance at Hacken

Yasmanovych said the team recommends crypto firms urgently implement or strengthen several practical security controls in line with the CCSS. For instance, these include deploying multi-factor authentication using secure, hardware-backed methods — such as biometric solutions or physical tokens — across all critical off-chain operations to defend against credential-based attacks.

He also emphasized the need for clear transaction authorization policies, with documented roles, approval thresholds, and procedures to prevent unauthorized activity. In addition, Yasmanovych advised firms to define and enforce secure, encrypted communication channels for sensitive operations, including transaction requests and approvals.

Exit liquidity dressed as innovation

But perhaps the most controversial insight from Hacken was reserved for the LIBRA token, a politically hyped memecoin that ended in a textbook rug pull. According to the Hacken team, insiders might have walked away with over $300 million by selling into market hype.

The LIBRA token had claimed to introduce “concentrated liquidity,” but to Hacken’s CEO, that’s not what it was.

“For newcomers, it sounds like they were strengthening the market or adding value to the token, but in reality, it was just a sophisticated way to place large sell orders at specific price points. When the price spiked due to hype, those orders converted tokens into cash instantly letting insiders exit with massive profits. It’s not innovation, it’s exit liquidity. Never invest in anything like that. This kills trust in the space and turns the industry into a circus.”

Dyma Budorin

Hacken believes that crypto can — and should — borrow some ideas from traditional finance to avoid this kind of thing. In regulated markets, insiders must disclose major holdings and planned sales. Maybe crypto projects should start doing the same. Disclosure of tokenomics, vesting schedules, and team allocations should be the norm, not the exception.

And while full-on regulation is still a matter of debate, Hacken suggests the space at least needs oversight mechanisms. Think third-party monitoring platforms, public rating systems, or watchdogs that can flag strange token behavior or unusual liquidity events before it’s too late. Until then, trust will remain shaky. And every exit scam or stealth mint will only drag crypto further away from public legitimacy.