Sentora warns audits aren’t a guarantee: audited DeFi projects lost $3.3B+ from 2020–2025. Experts urge continuous monitoring and stronger post-audit controls.

Audits Aren’t Enough? $3.3B Lost in Audited DeFi Projects, Data Reveals

Audits matter, but they’re not a magic shield. That’s the blunt takeaway from a recent thread by blockchain data analysis platform Sentora, paired with a bar chart breaking down billions lost in DeFi hacks and exploits. The data covers 2020 through 2025 (excluding the Terra collapse) and makes a clear, uncomfortable point: even projects that paid for security reviews lost serious money.

“Audits are essential for DeFi, but not a guarantee,” Sentora wrote. “Audited projects saw $3.3B+ in losses between ’20–’25, driven by rugs, private key compromises and post-audit changes. DeFi audits are the baseline, but effective risk management still requires active monitoring of risk.”

The accompanying chart, which sorts losses by auditor, shows unaudited projects suffering the single largest hit, roughly $5 billion, but it also shows that audited projects and well-known firms like CertiK, NCC Group and Trail of Bits are far from immune.

A Layered Problem

Taken together, the visuals and Sentora’s summary sketch a layered problem. One part is obvious: projects that skipped audits or cut corners paid for it. Another part, equally important, is that audits themselves are snapshots, often conducted before last-minute code edits, governance changes, or the introduction of new admin keys.

Those post-audit modifications, along with social-engineering attacks that capture private keys and malicious rug pulls by insiders, account for a large share of the $3.3 billion in losses Sentora flagged for audited projects. The chart also highlights a middle category, a long tail of smaller auditors grouped as “Other (68),” which together account for a substantial chunk of losses.

That suggests the issue isn’t just whether a project was audited, but the quality and comprehensiveness of the audit, the auditor’s scope, and what happens after the report is issued. An audit that misses critical design assumptions, or a team that ignores recommended mitigations, leaves the door open.

Security practitioners have been saying for years that a single audit should be treated as the start of a security program, not the finish line. Continuous monitoring, staged deployments, multisignature controls, timelocks on privileged functions, proactive bug-bounty programs, and insurance products are all part of a more resilient approach.

Sentora’s message reinforces that audits set a minimum standard, but teams and investors must layer protections and keep watching. For a DeFi ecosystem that prizes composability and rapid iteration, the tension is real. Developers want to ship features and pivot quickly; auditors need scope and time to be thorough; attackers look for the brief windows between them.

The upshot of the data is simple and uncomfortable: spending on audits will remain necessary, but the community also needs better post-audit discipline and operational safeguards if it wants to meaningfully cut losses.

Sentora’s thread and the chart are a reminder that security in DeFi is a process, not a certificate. Audits help find problems, but they don’t stop problems from happening. Until teams treat security as continuous work rather than a checkbox, the headline numbers are likely to keep growing.
