
Why do projects that have passed audits still suffer from hacker attacks?
TechFlow Selected TechFlow Selected

Why do projects that have passed audits still suffer from hacker attacks?
Despite an increasing number of projects undergoing audits, hacking incidents and rug pulls still occur frequently.
Author: Stacy Muur
Translation: TechFlow
Security has always been a major concern in the industry. Despite an increasing number of projects undergoing audits, hacks and rug pulls still occur regularly, leading people to question whether audits can truly guarantee the security of smart contracts.
In this article, researcher Stacy Muur will explore the role of audits in the crypto world, analyze past hacking incidents, and evaluate the success rates of audit firms, aiming to provide deeper insight into the security of crypto assets.
Following the attack on Merlin, a decentralized exchange built on zkSync that lost over $1.1 million, questions have emerged. The exchange was certified by CertiK, which oversees nearly 70% of all audits. This raises a critical question: Can we trust audits?
Now let's examine cases where protocols that underwent audits were still hacked, to assess whether security is truly guaranteed.

CertiK accounts for approximately 70% of all Web3 audits. According to the REKT database—which contains records of over 3,000 hacks—33 companies that suffered negative incidents were audited by them.
Additionally, they audited DEX Merlin, which has not yet been added to the database, making it the 34th entry on their list of audit failures.

In this reverse incident ranking, PeckShield Inc. ranks second after CertiK, with records of 18 attacks and rug pulls.

Third on the list is DeFi Safety, which experienced 12 hacking incidents. Notably, since 2021, they have not audited any project that was later hacked.

Moreover, I attempted to compile a list of top security firms based on audit-to-hack ratios. To build this list, I used CoinGecko’s ratings of leading audit firms along with the aforementioned REKT database.
Here is the ranking:

*Note: This table is compiled solely by the author. There is currently no official industry-wide ranking.
It should be emphasized that each hacking incident must be evaluated on its own merits, and the above table should not be regarded as a reliable source of information on audit firm success rates, as it is overly generalized.
Here is my simple conclusion from this research: Audits do not guarantee security.
Throughout my career in cryptocurrency, I have worked with dozens of companies that all underwent security audits. In most cases, critical vulnerabilities were discovered by internal developers.
Typically, audits are conducted using generic scripts for identifying potential vulnerabilities. However, each company has unique code and architecture that requires customized analysis. Is it feasible to conduct a thorough deep audit within one month? Honestly, I doubt it.
Generally speaking, audits can increase the probability of fund safety within a contract. Projects without any audits are more vulnerable to hacks and rugs. However, remember that no one can guarantee 100% security.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














