More than half of all user-fund losses in Web3 since 2022 came from human-vector attacks: stolen private keys, phishing, supply-chain compromise, governance attacks. Not reentrancy. Not oracle manipulation. The kind of attack that walks straight past the audited code.
This isn’t an argument against audits. Code defects still cost the industry billions, and the audit is the foundation of any serious security setup. The point is narrower: an audit covers one of three threat surfaces, and the other two are where a lot of the money actually goes.
Where the failures actually happen
The same patterns keep showing up, in the incident data and in our own engagements.
Multisig setups that look fine until you poke at them: a threshold that doesn’t survive one compromised signer, every signer on the same laptop fleet, a signing ceremony done over a group chat with no out-of-band check.
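As an added worked illustration (not code from this page or from the review service it describes), here is a small policy check that scores a k-of-n multisig against exactly the three failures above: one compromised signer, one unavailable signer, and every key living on the same device fleet. Signer names, fleet labels and the sample policies are constructed for the example.

```python
"""Evaluate a k-of-n multisig policy against single-signer failure modes.

Added illustration; not code from the page's authors. Signer names and
device fleets are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Signer:
    name: str
    device_fleet: str  # which laptop / hardware-wallet fleet holds this key


@dataclass(frozen=True)
class MultisigPolicy:
    threshold: int   # k: signatures required to execute
    signers: tuple   # the n signers


def single_compromised_key_suffices(policy: MultisigPolicy) -> bool:
    """Safety: can an attacker holding exactly one signer key execute alone?"""
    return policy.threshold <= 1


def survives_one_unavailable_signer(policy: MultisigPolicy) -> bool:
    """Liveness: with any one signer unreachable, can the rest still reach k?"""
    return len(policy.signers) - 1 >= policy.threshold


def fleet_sizes(policy: MultisigPolicy) -> dict:
    """Count signers per device fleet; a fleet-wide compromise takes them all."""
    return dict(Counter(s.device_fleet for s in policy.signers))


def one_fleet_reaches_threshold(policy: MultisigPolicy) -> bool:
    """Does compromising a single device fleet yield enough keys to meet k?"""
    return max(fleet_sizes(policy).values()) >= policy.threshold


def review(policy: MultisigPolicy) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    k, n = policy.threshold, len(policy.signers)
    if not 1 <= k <= n:
        return [f"invalid policy: threshold {k} with {n} signers"]
    findings = []
    if single_compromised_key_suffices(policy):
        findings.append(f"{k}-of-{n}: one stolen key can move funds alone")
    if not survives_one_unavailable_signer(policy):
        findings.append(f"{k}-of-{n}: losing any one signer freezes the wallet")
    # Only worth reporting separately when a single key is not already enough.
    if k > 1 and one_fleet_reaches_threshold(policy):
        fleet, count = max(fleet_sizes(policy).items(), key=lambda kv: kv[1])
        findings.append(f"fleet '{fleet}' holds {count} keys, enough to reach k={k}")
    return findings


# Constructed sample policies (not real deployments).
ALL_SAME_LAPTOPS = MultisigPolicy(2, (
    Signer("alice", "corp-laptops"),
    Signer("bob", "corp-laptops"),
    Signer("carol", "corp-laptops"),
))
TWO_OF_TWO = MultisigPolicy(2, (
    Signer("alice", "hw-wallet-a"),
    Signer("bob", "hw-wallet-b"),
))
ONE_OF_THREE = MultisigPolicy(1, (
    Signer("alice", "hw-wallet-a"),
    Signer("bob", "hw-wallet-b"),
    Signer("carol", "corp-laptops"),
))
DIVERSE_TWO_OF_THREE = MultisigPolicy(2, ONE_OF_THREE.signers)

if __name__ == "__main__":
    for label, policy in [
        ("all on one laptop fleet", ALL_SAME_LAPTOPS),
        ("2-of-2", TWO_OF_TWO),
        ("1-of-3", ONE_OF_THREE),
        ("diverse 2-of-3", DIVERSE_TWO_OF_THREE),
    ]:
        print(f"{label}: {review(policy) or ['ok']}")
```

The three checks are deliberately independent: a 2-of-2 passes the safety check and fails liveness, a 1-of-3 is the reverse, and a 2-of-3 with every key on the same fleet passes both per-signer checks yet still falls to one compromise. Running the same checks over a real signer roster is the first thing to do before reading the audit report.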
Key management that quietly falls apart: the deployer key in a CI environment variable, a shared hot wallet nobody owns, a recovery phrase in someone’s cloud notes, and no plan for what happens when a contributor leaves.
Deployment mistakes: bytecode nobody verified, an upgrade path with no guard on it, a compromised CI job that turns a clean codebase into a malicious release.
Governance that can be pushed around: a quorum one actor can reach alone, a timelock that exists on paper but not on the path that matters, emergency powers that never expire.
And the gap that bites hardest, incident response: no runbook, nobody with the agreed authority to hit pause, and someone finding out at 2 a.m. that they can’t reach the second signer.
None of this shows up in a contract audit. A clean report says nothing about any of it.
What a review covers
Our Operational Security Review takes the TRACE methodology to the two pillars an audit doesn’t reach: systems and organisations. We go through multisig design and signing, key management, access control, governance and timelocks, deployment, validator infrastructure, and incident response. You get a prioritised risk register and a hardening roadmap you can actually work through, not a checklist someone ticked.
Code and operations are two different threat surfaces. If you’ve only audited the first, the data is pretty clear about where you’re most likely to lose funds. Talk to us about closing that gap.