Analysis of $10.77 billion in application security breaches finds audits reduce losses dramatically, yet the audited protocols that do fail share a common cause: business logic was never evaluated.
SYDNEY, Feb. 27, 2026 /PRNewswire-PRWeb/ — SigIntZero, software security and assurance firm, has publihsed an analysis of the 100 largest security breaches in distributed software applications – totaling $10.77 billion in losses between 2014 and 2024 – found that only 20% of exploited applications had undergone a professional security audit, and audited applications accounted for just 10.8% of total value lost.
The data, drawn from Halborn’s Top 100 DeFi Hacks Report, demonstrates that security audits substantially reduce both the likelihood and severity of breaches. But a closer examination of the audited protocols that were still exploited reveals a consistent pattern: the audits reviewed code correctness while the exploits targeted business logic and operational processes.
“Euler Finance was reviewed by six firms across ten audit engagements before a $197 million exploit,” said Alex Rybalko, Co-Founder at SigIntZero. “The exploited function was only in scope for one of those engagements. That is not a failure of code review – it is a failure to understand how the system operates as a business. The function was syntactically correct. Its interaction with the lending mechanism was not.”
The report identifies a consistent pattern across post-audit breaches:
– Business logic exploitation. Euler Finance ($197 million, six auditors) was exploited through a flash loan attack targeting the interaction between ‘donateToReserves()’ and the lending mechanism – a business process flaw invisible to code-level review. CertiK-audited protocols Merlin DEX ($1.8 million), Swaprum ($3 million), and Arbix Finance ($10 million) were exploited through admin privilege abuse that audits flagged as informational findings rather than critical business risks.
– Operational attack surfaces beyond code scope. The $1.46 billion Bybit breach (February 2025, attributed to North Korea’s Lazarus Group by the FBI) exploited a compromised developer workstation that injected malicious code into a wallet signing interface. The $234.9 million WazirX breach exploited custody infrastructure manipulation. In both cases, the audited smart contracts were not the failure point.
– Post-audit changes. The $190 million Nomad Bridge exploit targeted a vulnerability in code deployed after the audit period. Only 18.6% of the critical contract matched what auditors had reviewed.
SigIntZero’s full analysis, including a six-firm comparison evaluating business process comprehension, architecture review capability, and post-engagement support, is published at https://sigintzero.com/blog/security-audit-firm-comparison
SigIntZero provides security audits, architecture reviews, technical due diligence, and compliance advisory for teams building distributed systems and decentralized applications worldwide. More information is available at https://sigintzero.com.
