JPMorgan Flags DeFi Security as Barrier to Institutional Adoption
JPMorgan recently highlighted persistent security flaws as a major barrier to institutional DeFi participation, citing massive losses including Bybit ($1.5B), KelpDAO ($292M), Drift ($285M), and Euler ($197M). The article by OpenZeppelin argues that the threat landscape has shifted from smart contract exploits to operational layer failures, such as social engineering and signing infrastructure compromises. Major incidents like Bybit (supply-chain attack on Safe{Wallet}) and Drift (six-month social engineering campaign) demonstrate that most institutional security programs are ill-equipped to detect these threats. The article proposes a four-layer risk framework: smart contracts & protocol, key management & custody, governance & upgrades, and cross-chain & integration. It emphasizes the importance of real-time monitoring, citing examples where automated systems reversed losses in minutes. A minimum-viable monitoring posture should cover privileged function calls, multisig signing activity, upgrade transactions verified against audited bytecode, and cross-chain mint verification. OpenZeppelin recommends a stack-wide risk assessment, operational security evaluation, continuous monitoring deployment before going live, and DeFi-specific incident response playbooks.
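The minimum-viable monitoring posture described above, as an added example that is not code from the OpenZeppelin article or any project: four checks (privileged calls, multisig signing activity, upgrade bytecode against an audited hash, cross-chain mint against locked supply) run over a constructed stream of already-decoded events. All addresses, selectors, bytecode and amounts are constructed placeholders for a team's own policy data.

```python
# Added example, not the article's or any project's code: the four minimum-viable monitoring
# checks over constructed, already-decoded events; all identifiers and values are placeholders.
import hashlib

ADMIN_MULTISIG = "0xmultisig"
TRUSTED_SIGNERS = {"0xsignerA", "0xsignerB", "0xsignerC"}
QUORUM = 2
PRIVILEGED_SELECTORS = {"0x8456cb59": "pause", "0x3659cfe6": "upgradeTo"}
AUDITED_CODE_HASHES = {hashlib.sha256(b"audited implementation v2").hexdigest()}

def check_event(ev, source_locked):
    """Return alert strings for one event; source_locked maps asset -> amount locked at source."""
    alerts, kind = [], ev["type"]
    if kind == "call" and ev["selector"] in PRIVILEGED_SELECTORS:
        # 1. Privileged function calls: flag any caller other than the admin multisig.
        if ev["from"] != ADMIN_MULTISIG:
            alerts.append(f"privileged {PRIVILEGED_SELECTORS[ev['selector']]} from {ev['from']}")
    elif kind == "multisig_exec":
        # 2. Multisig signing: unknown signers, quorum not met, or executed calldata != proposal.
        signers = set(ev["signers"])
        if signers - TRUSTED_SIGNERS:
            alerts.append(f"unknown signer(s) {sorted(signers - TRUSTED_SIGNERS)}")
        if len(signers & TRUSTED_SIGNERS) < QUORUM:
            alerts.append("executed below quorum")
        if ev["executed_calldata"] != ev["proposed_calldata"]:
            alerts.append("executed calldata differs from proposal")
    elif kind == "upgrade":
        # 3. Upgrades: the new implementation bytecode must hash to an audited build.
        code_hash = hashlib.sha256(ev["new_code"]).hexdigest()
        if code_hash not in AUDITED_CODE_HASHES:
            alerts.append(f"upgrade to unaudited bytecode {code_hash[:12]}")
    elif kind == "bridge_mint":
        # 4. Cross-chain mints must never exceed what is locked on the source chain.
        if ev["amount"] > source_locked.get(ev["asset"], 0):
            alerts.append(f"mint of {ev['amount']} {ev['asset']} exceeds locked supply")
    return alerts

def scan(events, source_locked):
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev, source_locked)]
# Constructed event stream: one clean upgrade, then one failing event per check.
EVENTS = [
    {"type": "upgrade", "new_code": b"audited implementation v2"},
    {"type": "call", "selector": "0x8456cb59", "from": "0xunknown"},
    {"type": "multisig_exec", "signers": ["0xsignerA", "0xsignerZ"],
     "proposed_calldata": b"transfer 10", "executed_calldata": b"something else"},
    {"type": "upgrade", "new_code": b"unreviewed implementation"},
    {"type": "bridge_mint", "asset": "ETH", "amount": 1_000}]
LOCKED = {"ETH": 500}
for idx, alert in scan(EVENTS, LOCKED):
    print(f"event {idx}: {alert}")
```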
Key facts
- JPMorgan cites DeFi security flaws as a barrier to institutional adoption; losses include Bybit ($1.5B), KelpDAO ($292M), Drift ($285M), Euler ($197M).
- Threats shift from smart contract hacks to operational failures: social engineering and signing infrastructure compromises.
- Real-time monitoring reversed losses in minutes (Rainbow Bridge, Curve, Ronin Bridge examples).
- Four-layer risk framework: smart contracts, key management, governance, cross-chain integration.
- OpenZeppelin recommends stack-wide risk assessment, operational security evaluation, continuous monitoring, and DeFi-specific incident response.