DeFi is software running on a public chain. The software has bugs. The bugs are exploited. Roughly $7 billion has been lost to DeFi exploits since 2020 (DefiLlama hack tracker). Treat smart-contract risk as your default assumption.
The risk taxonomy
Five categories of DeFi-protocol failure:
- Smart-contract bug. Reentrancy, integer overflow, missing access control, etc. The 2016 DAO hack, the 2022 Wormhole hack, the 2023 Euler Finance hack.
- Economic exploit. Flash-loan attacks, oracle manipulation. The code does what it's supposed to; the math creates an attack surface.
- Governance attack. Buy enough governance tokens, vote to upgrade the protocol to send funds to your address. Beanstalk 2022.
- Frontend / supply chain. The protocol contract is fine but the website serves a malicious wallet popup. SushiSwap mid-2023.
- Rug pull. The deployer was malicious; the "DeFi protocol" was always going to drain. Most low-cap DeFi, frequently.
The wallet's DeFi surface only integrates protocols that have survived all five categories for at least 18 months. That excludes most of DeFi.
What an audit actually does
A smart-contract audit is a code review by a security firm. The result is a report with severity-classified findings (critical, high, medium, low, informational) plus the team's responses.
Reputable audit firms (in 2026 ranking): Trail of Bits, OpenZeppelin, Spearbit, Certora, Code4rena (crowdsourced), Halborn.
An audit report tells you:
- Scope: which contracts were audited (often a subset of the protocol)
- Findings: what the auditors flagged
- Resolutions: which findings the team fixed
- Limitations: what the auditors didn't check
What an audit DOESN'T do
- Cover code added after the audit (post-audit deployments)
- Cover economic / game-theoretic risk (only code-level)
- Cover oracle behaviour in adversarial conditions
- Cover off-chain components (frontend, RPC providers, indexer)
- Guarantee the auditors found everything
A code audit is necessary but not sufficient. Multiple audits + bug bounties + battle-tested time + formal verification + documented incident-response are the actual stack you want.
Reading a real audit
When you encounter an audit report, look for:
- Date. Old audits don't cover new code. Check the git log for the protocol's contracts against the audit date.
- Scope. Did the audit cover the contracts you'll be interacting with? Many protocols audit "v1" then ship "v1.1" with critical changes.
- Critical / high findings. Were they all fixed before mainnet? "Acknowledged, will not fix" is a yellow flag.
- Auditor responses to fixes. Did the auditor re-verify the fix?
- Coverage statement. What percentage of the codebase was reviewed?
- Limitations. Does the auditor explicitly disclaim oracle / economic / front-end risk?
The wallet's "Audited" badge
Frontier Vault shows an "Audited by [firm]" badge on each lending/AMM pool integration. Clicking it links to the actual report. We don't show the badge unless:
- The audit is < 24 months old AND
- The audit covered the exact contract addresses we integrate AND
- The protocol has been in production > 12 months without a critical incident
If any of those fail, we show "Audit info" with the caveats spelled out.
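The three badge rules above as an added Python example; this is not Frontier Vault's code. It assumes months are approximated as days, that scope coverage means every integrated address appears in the report's scope after case-normalising hex addresses, and that the clean-production clock restarts at the last critical incident; the addresses and dates in demo() are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Badge thresholds from the policy; months approximated as days (assumption, not the wallet's constants).
MAX_AUDIT_AGE_DAYS = 730            # "audit is < 24 months old"
MIN_CLEAN_PRODUCTION_DAYS = 365     # "> 12 months in production without a critical incident"

def norm_address(addr: str) -> str:
    """Lowercase a 20-byte hex address so checksummed and plain forms compare equal."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a
@dataclass(frozen=True)
class AuditReport:
    firm: str
    report_date: date
    scope: FrozenSet[str]                   # contract addresses the report states it covered
@dataclass(frozen=True)
class Integration:
    addresses: FrozenSet[str]               # contracts the wallet actually calls
    live_since: date
    last_critical_incident: Optional[date]  # None = no recorded critical incident
def badge_decision(audit: AuditReport, integ: Integration, today: date) -> Tuple[str, List[str]]:
    """Return ("Audited", []) only when all three rules hold, else ("Audit info", caveats)."""
    caveats: List[str] = []
    age = (today - audit.report_date).days
    if age >= MAX_AUDIT_AGE_DAYS:
        caveats.append(f"audit is {age} days old (limit {MAX_AUDIT_AGE_DAYS})")
    # Exact coverage: every address we call must be in the audited scope, compared normalised.
    missing = {norm_address(a) for a in integ.addresses} - {norm_address(a) for a in audit.scope}
    if missing:
        caveats.append("audit scope does not cover: " + ", ".join(sorted(missing)))
    clean_since = integ.live_since  # clean-production clock restarts at the last critical incident (assumption)
    if integ.last_critical_incident and integ.last_critical_incident > clean_since:
        clean_since = integ.last_critical_incident
    clean_days = (today - clean_since).days
    if clean_days <= MIN_CLEAN_PRODUCTION_DAYS:
        caveats.append(f"only {clean_days} days in production without a critical incident")
    return ("Audited", []) if not caveats else ("Audit info", caveats)
def demo() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]]]:
    """Constructed sample data: one integration that earns the badge and one that does not."""
    a = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"  # constructed placeholder address
    b = "0x" + "22" * 20                               # constructed placeholder address
    audit = AuditReport("ExampleFirm", date(2025, 1, 15), frozenset({"0x" + a[2:].upper()}))
    good = Integration(frozenset({a}), date(2024, 3, 1), None)
    bad = Integration(frozenset({a, b}), date(2024, 3, 1), date(2025, 12, 1))
    return badge_decision(audit, good, date(2026, 6, 1)), badge_decision(audit, bad, date(2026, 6, 1))
```

The second integration in demo() fails on two rules at once (an unaudited address and a recent critical incident), which is exactly the case where the badge must give way to "Audit info" with every caveat listed.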
The actual decision
When you're considering using a DeFi protocol:
- Skim the audit. 30 minutes; look for criticals + how they were handled.
- Check DefiLlama TVL. Big-TVL = bigger target but more eyes on it.
- Check the bug bounty. $1M+ on Immunefi = serious skin in the game.
- Check the incident history. Has the protocol been hacked? How did they handle it (refund users? socialise the loss?).
- Start small. Put 1% of your portfolio in for 60 days. If nothing weird happens, scale up.
Skipping any of these for a "yield farm" promising 200% APR is how you lose your savings.
End of course
You now understand:
- What DeFi is, what it isn't, and what Gopnik exposes
- How AMMs work, with the constant-product math + slippage + MEV
- Lending mechanics — collateral, LTV, liquidation, health factor
- LP math + impermanent-loss formula + when LP makes sense
- Smart-contract risk taxonomy + how to read an audit critically
This unlocks defi.201 (yield strategies + risk pricing) and eventually defi.401 (Frontier Vault deep-dive). Without 101, those higher tiers are locked.
The exam is 28 of 35 questions; pass at 78%. Good luck.