arrow back

Why Audits Don’t Save Web3: AI Is Amplifying Hacks

03 Jul 2026

Audits do not guarantee Web3 security, while AI makes DeFi hacks easier. Learn why this hits traders and token holders, and what to do.

In April 2026, DeFi hacks happened almost every day, and CertiK’s business development director Jason Jiang explained why even several audits do not guarantee the security of a Web3 project. This matters for traders, long-term token holders, and teams that keep millions of dollars in smart contracts.

According to Jiang, the April surge in attacks was driven by several factors at once: rising asset prices, a rapid influx of capital into DeFi, and AI-based tools that made complex exploits easier for less skilled hackers. He separately mentioned systemic weaknesses in bridges and oracles, as well as attacks by pro-state groups, including those linked to North Korea. And this is not just a market feeling. According to a major exchange, the second quarter of 2026 became a record quarter for the number of incidents, with 83 hacks and about $755.3 million in losses.

Why don’t multiple audits provide full protection?

Jiang says it plainly: an audit catches part of the problems, but it does not cover everything. The reason is simple. The security team has to be right all the time, while the attacker only needs to succeed once. One missed scenario, one weak integration, one bad bridge between services, and the money is already gone.

That is why even projects with several checks still fail on basic things. The source separately mentions bridges and oracles, where an error quickly creates a cascading effect. For Ukrainian users, the takeaway is practical: if you keep assets in DeFi, look not only at the auditors’ names, but also at how often the code is updated, whether permissions are restricted, and whether the sources of instructions are verified.

Market reaction: AI helps both attack and defense

CertiK emphasizes that AI works both ways. On one hand, it helps find vulnerabilities faster, automatically generate exploits, and scale phishing and social engineering. On the other hand, the same models already help defense when it comes to processing large volumes of code, spotting anomalies on the blockchain in real time, and noticing small details in audits.

“The key role here is asymmetry: the attacker only needs to succeed once, while the security team has to be effective all the time,” Jason Jiang explains in a conversation with a major exchange.

This imbalance is also clearly visible in CertiK’s numbers. In the Hack3D report for 2025, Web3 projects lost $3.352 billion versus $2.446 billion a year earlier, or 37.06% more. The average loss per incident rose to $5.32 million, while the median was only $103,996. This means most attacks are not loud, but a few large hacks push the statistics higher. That is exactly what hackers focus on.

  • In April 2026, DeFi hacks happened almost every day.

  • CertiK links part of the surge to AI and weaknesses in bridges and oracles.

  • AI speeds up phishing, social engineering, and vulnerability discovery.

  • The same tools help detect anomalies and analyze code.

  • In 2025, Web3 lost $3.352 billion, which is 37.06% more than in 2024.

  • The average loss per incident in CertiK’s report reached $5.32 million.

What does the risk of AI agents mean for crypto holders?

A separate part of the interview focuses on AI agents. These are programs that can carry out actions on their own toward a given goal, which is exactly why attackers like them. In March, CertiK already warned about the security risks of the OpenClaw AI agent, which had about 2 million active users. If the system weakly verifies the source of instructions, a malicious command can quietly change the agent’s behavior.

The simplest attack method here is called prompt injection. The attacker embeds malicious instructions directly into the data the agent processes, and it executes something it should not. In the worst-case scenario, the agent can transfer funds to the attacker’s wallet on its own. This is no longer an abstract problem for developers. If AI has too many permissions, the risk increases many times over. For the user, this means one simple thing: do not give a service more access than it needs, and do not connect your wallet to everything in sight.

Another important context. In 2025, according to a major exchange, Americans filed 181,565 crypto-related complaints, and losses exceeded $11 billion. Separately, the report highlighted 22,364 AI-related complaints totaling nearly $893 million. This shows that fraud has long since stopped being limited to code. It enters through trust, haste, and automation. And this is exactly where AI becomes a convenient tool for both sides.

Frequently asked questions

Why doesn’t an audit guarantee the security of a Web3 project?

Because an audit checks what is visible at the time of review, while attacks often target adjacent areas: bridges, oracles, access rights, signers, and the human factor. The study The Audit Gap in Blockchain Security showed that 48% of incidents involved projects that already had at least one public audit, and they accounted for about 55% of losses.

How exactly does AI help hackers in crypto?

Through phishing, social engineering, faster vulnerability discovery, and automatic exploit generation. In more complex cases, the attack goes through AI agents, where malicious instructions are inserted into the data the agent reads and executes.

What should an ordinary user do to reduce the risk?

Do not keep all assets in one place, carefully check permissions, do not connect your wallet to unverified services, and do not give AI agents extra rights. If you need to quickly convert part of your coins into fiat, you can sell Bitcoin on Monobank without extra steps and distribute the risk more conveniently.

The conclusion here is straightforward: in 2026, Web3 security depends not only on code, but also on who controls access, data, and automation, and how. An audit is necessary, but by itself it does not save you. If you work with crypto assets, it is worth looking at security as carefully as you look at price and liquidity.

This material is not financial advice. Cryptocurrency trading involves significant risks. Part of this text was prepared with the help of artificial intelligence based on public sources and reviewed by our editorial team.