Oak Security
@SecurityOak
Book. Secure. Relax. Oak Security offers audits, penetration testing, training, and advisory.
Joined July 2021
417 Following, 2.8K Followers

Nearly 50% of all crypto losses from 2022–Q1 2026 came from attacks that traditional smart contract audits rarely cover.
Our analysis of 23,818 audit findings and 218 exploit incidents ($7.76B in losses) found that:
• Private key compromise: 24.4% of losses
• Phishing & social engineering: 19.5% of losses
Together, they account for 43.9% of all losses.
The biggest risks in Web3 are increasingly operational, not contractual.
Security doesn't end when the audit is complete.

Crypto security has a blind spot.
The industry has tripled the number of audits since 2022, yet major exploits continue to drain billions.
Why? Because attackers aren't targeting code anymore. They're targeting people, keys, governance, infrastructure, and operational processes.
Audits are essential, but they only protect a fraction of today's attack surface.
The next phase of crypto security isn't more audits alone. It's defense-in-depth.
Read more: coindesk.com/opinion/2026/0…

A few days on, we're still reflecting on the conversations from the Institutional & Policy Forum, co-hosted with the @EuEthInstitute.
The discussions highlighted just how quickly the digital asset landscape is evolving, from quantum resilience and protocol security to institutional adoption, stablecoins, regulatory developments, and tokenised markets.
We're grateful to our sponsors, @arbitrum, @bermudabayzk, and @frankencoinzchf, and to all the speakers, moderators, and attendees who shared their expertise and perspectives throughout the day.

Many teams still underestimate the scale of today's threat actors.
On CypherTalk podcast, @iphelix discusses how sophisticated groups can run multiple campaigns in parallel and why defending against them requires a very different security mindset.

Oak Security reposted

The audit trap, exactly. A clean audit tells you what the code looked like at one moment. It says nothing about what runs after - the phish, the hijacked dependency, the key pulled from a live process. Point-in-time checks don't survive runtime. x.com/SecurityOak/st…

Smart contract audits don't stop phishing attacks.
They don't secure your laptops.
They don't protect your hardware wallets.
They don't prevent DNS hijacks.
They don't fix poor key management.
That's why we built the Oak Security OpSec Academy.
18 free operational security guides covering:
• Device hardening
• Wallets & key management
• Multisig operations
• CI/CD security
• Authentication & phishing defense
• Incident response
• Physical security
• Zero trust architecture
Plus an AI-powered OpSec Agent trained on Oak's security knowledgebase.
Because the next exploit may target your operations, not your code.

Oracle manipulation findings are rising fast.
In our analysis of 23,818 public audit findings, oracle and price manipulation issues grew from roughly 2% of findings in 2022 to 6–7% by 2025.
As DeFi becomes more interconnected, attackers are increasingly targeting assumptions about external data rather than contract logic itself.
The attack surface is evolving. Security programs need to evolve with it.

"I will share this finding with you that I otherwise could have kept for myself."
A reminder from Peter Kacherginsky @iphelix that every responsible disclosure is a choice.
Security researchers are partners in protecting the ecosystem, not adversaries.

8 incidents caused 50.6% of all crypto losses.
20 incidents caused 71.4%.
Our study of 218 exploits totaling $7.76B shows that crypto security risk is heavily concentrated in a small number of catastrophic events.
Security programs designed around average outcomes are planning for the wrong threat model.

Most crypto hacks don't start with a smart contract bug.
They start with compromised devices, poor key management, weak access controls, or social engineering.
We've launched the Oak OpSec Academy: free operational security guides for Web3 teams, plus an AI-powered OpSec Agent backed by Oak's security knowledge base.

ICYMI: The industry tripled its code audits since 2022. But now attackers are increasingly focusing on operational issues.
Our co-founder @StefanBeyer in @CoinDesk on why ordinary audits won't fix crypto's security nightmare and what defense-in-depth actually means.
coindesk.com/opinion/2026/0…

Every responsible disclosure is a choice.
On CypherTalk podcast, @iphelix discusses why security researchers deserve better treatment and why strong relationships between researchers and projects are critical for ecosystem security.

Security is evolving.
First audits. Then operational security. Next: architectural security.
On CypherTalk podcast, @iphelix explains why threat modeling and system design are becoming just as important as finding bugs.