Research note

DeFi Hacks Are Built in Slow Motion, Then Executed in One Block

Most DeFi hacks start before the exploit transaction, when a protocol quietly accepts a false assumption about price, governance, or solvency.

Published
2026-04-23
Author
ChainShield
← Back to Blog

DeFi Hacks Are Built in Slow Motion, Then Executed in One Block

Most DeFi hacks start before the exploit transaction, when a protocol quietly accepts a false assumption about price, governance, or solvency.

By the time the attacker hits execute, the hard part is usually over. The path has already been rehearsed, the capital has already been sourced, and the exit route has already been mapped. That matters to founders and investors because the loss event is not random bad luck. It is the market discovering that the protocol's security model was weaker than its growth model. It matters even more to CTOs and Solidity developers because most catastrophic hacks are not caused by one obviously stupid line. They are caused by state transitions that look locally valid and globally fatal.

Establish the problem with technical depth

Beanstalk is the clean example of how quickly a bad assumption becomes a treasury event. In its April 19, 2022 disclosure, Beanstalk said the protocol had been attacked on April 17 and that roughly $77 million in non-Beanstalk user assets were stolen. The attacker used a flash loan to exploit governance and route funds to a wallet they controlled. The critical mistake was not "using DeFi." It was allowing borrowed balance to count as legitimate political power fast enough that temporary ownership became permanent control.

Euler is the more uncomfortable example because the fatal path was obscure. Euler's own 2024 retrospective says the March 13, 2023 exploit was caused by a single missing line of code in an obscure donateToReserves path. The result was roughly $197 million in assets stolen at the time of the attack. The vulnerable path was not the obvious borrower flow everyone stares at during a demo. It was edge-case logic introduced to solve another bug. That is how real failures usually look. They hide in maintenance paths, upgrade patches, governance shortcuts, wrapper math, and "this can only be called in rare situations" functions.

The blast radius is also bigger than founders like to admit. Euler's retrospective notes that the impact extended beyond Euler users themselves, with integrated protocols and treasuries taking meaningful losses. That is the commercial reality of composability. A bug in your state machine does not stay in your state machine once other protocols have built on top of it.

For investors, that means security is not a line item you buy once. It is a live property of a protocol that other balance sheets are already depending on. For engineers, it means the right unit of analysis is not the function. It is the invariant across the whole transaction graph.

The mechanism, the mistake, the misunderstanding

The anatomy of a DeFi hack is usually more systematic than dramatic.

  1. Discovery. The attacker looks for a place where the protocol can be made temporarily false. That might be a price check that trusts same-transaction state, a governance rule that reads current balances instead of historical voting power, or a reserve or accounting path that can push an account into a profitable but invalid state.
  2. Rehearsal. The exploit is simulated on a fork until it stops being a theory. Attackers do not need to hope the chain behaves a certain way. They can test calldata, routing, slippage, liquidation order, gas costs, and repayment logic in advance.
  3. Capitalization. If the exploit needs scale, the attacker sources it. Sometimes that means a flash loan. Sometimes it means a whale account, cross-protocol leverage, or private inventory. What matters is that DeFi lets the attacker compose capital and code in one transaction.
  4. Execution. The live exploit is usually atomic because atomicity removes partial failure risk. If one leg of the path fails, the transaction reverts. If every leg succeeds, the protocol pays the attacker before governance, offchain monitoring, or human operators can react.
  5. Drain and exit. Once value is out, the attacker fragments it, swaps it, bridges it, mixes it, or otherwise routes it away from the original blast zone. Recovery becomes an incident response problem, not a smart contract problem.

The mistake teams make is focusing on the visible tool rather than the broken assumption. Beanstalk was described as a flash-loan governance exploit. That is true, but incomplete. The real failure was treating momentary token control as credible governance authority. Euler was described as a lending exploit. Also true, also incomplete. The deeper failure was letting an account move through a code path that broke its health assumptions and then monetizing the broken state through liquidation mechanics.

In simplified form, the dangerous pattern looks like this:

function donateToReserves(uint256 amount) external {
    collateral[msg.sender] -= amount;
    reserves += amount;

    // Missing: verify the account is still healthy
    // before any downstream liquidation or accounting path can use it.
}

That snippet is not Euler's code verbatim. It illustrates the class of mistake. A function that seems operational or secondary becomes critical the moment it can mutate solvency without immediately re-establishing the protocol's invariant. Once that happens, the rest of DeFi becomes a toolkit for converting broken accounting into cash.

The misunderstanding is that many teams still model attackers as end users with realistic capital constraints and normal product behavior. Attackers are better modeled as hostile integrators. They will chain contracts, route through callbacks, borrow scale, stress every edge case, and monetize any gap between your local checks and your global truth.

What good looks like

Good security starts by defining what must never become false. Founders should be able to ask their engineering team simple questions and get exact answers: What proves the protocol is solvent? What makes governance legitimate? What state transitions can move value before accounting settles? If those answers are fuzzy, the protocol is not ready.

On the governance side, OpenZeppelin's governance docs point to two controls that matter more than most teams admit: historical voting power and a timelock before execution. If a proposal can be created, approved, and executed off current balances with no meaningful delay, borrowed capital can become borrowed control. Historical checkpoints and queue delays are not bureaucracy. They are exploit surface reduction.

On the contract side, Solidity's own security guidance still holds: restore effects before interactions, apply checks-effects-interactions consistently, and include a fail-safe mode. The point is not to memorize a slogan. The point is to ensure the protocol never hands control away while its internal accounting is still in dispute. Pauses, caps, isolated markets, and delayed upgrades are not signs of weak decentralization. They are how you stop one broken invariant from becoming an existential event.

Testing also has to get more adversarial. Foundry's invariant-testing guide is useful because it makes the protocol defend itself against randomized sequences of calls, not just tidy unit tests. That is the right direction. A serious lending or governance system should be tested with handlers that simulate hostile sequences across deposit, borrow, liquidate, redeem, vote, queue, and upgrade paths. If the only thing you know is that happy-path deposits work, you do not know much.

The practical checklist is not glamorous. Review weird functions harder than common ones. Model cross-contract state, not just single-function safety. Test forked attack paths before mainnet does. Add circuit breakers around the highest blast-radius operations. Treat bug bounties and monitoring as part of the control plane, not marketing garnish. The teams that survive usually assume the attacker will be patient before they are fast.

ChainShield's angle

ChainShield's view is blunt: a hack is rarely a one-transaction miracle. It is usually an under-modeled system revealing itself under adversarial pressure.

That changes what a serious security process should optimize for. A point-in-time audit PDF can still miss the problem if the review is organized around files instead of invariants. Static analysis can flag bad patterns, but it cannot tell you whether your governance, accounting, pricing, and liquidation logic remain coherent once an attacker composes them against each other. That requires adversarial simulation, repeated review, and a security posture that assumes the other side of the call stack is trying to get paid.

The right question for founders is not "Did we get audited?" It is "What assumptions in this protocol become false if an attacker can borrow scale, route through integrations, and execute faster than we can respond?" The right question for engineers is not "Which exploit label fits this?" It is "Which invariant did we leave undefended?"

DeFi hacks look sudden on social media because the final transaction is visible. But the real exploit is built much earlier, in every shortcut a team leaves unchallenged. Protocols that understand that do not merely react faster after a loss. They design so the profitable path never exists in the first place.

Need this level of scrutiny on your protocol?

ChainShield Discovery Runs are designed to identify high-risk issues quickly, validate what matters, and give engineering teams a faster path to remediation.

Request Security Quote