You're Monitoring Your Contracts. But Who's Watching Your Servers?

The DeFi security industry has spent five years getting very good at one thing: reading Solidity. Thousands of auditors, dozens of tools, hundreds of millions in audit fees all pointed at the smart contract layer.

And the attackers walked around it.

In February 2025, Bybit lost $1.5 billion. The exploit wasn't in their contracts. It was in a JavaScript file injected into an S3 bucket, planted through a developer's compromised MacBook. In April 2026, Drift lost $285 million to social engineering against its multisig signers. Kelp DAO lost $292 million to poisoned RPC nodes feeding false data to a single bridge verifier. Wasabi Protocol lost $5.9 million because one deployer wallet held sole ADMIN_ROLE with no multisig and no timelock.

The audit reports for all of these protocols were clean.

The attack surface wasn't.

This is the fundamental problem Web3 security has not solved: protocols are monitored at the contract layer, but attacked across their entire operational stack. Servers, RPC infrastructure, signing workflows, developer machines, cloud credentials, bridge verifier configuration none of these have the equivalent of the on-chain monitoring dashboard that every protocol team knows to deploy.

We have watchtowers pointing at the vault. We have nothing watching the roads leading to it.

What the Attackers Actually See

When Lazarus Group selects a target, they don't open the Solidity source code first. They map the full operational surface. They ask:

• Who controls the deployer wallet is it a single EOA or a multisig?
• Which RPC providers does the bridge verifier read from and what happens if those nodes go down?
• How does the signing workflow operate can the payload be modified between display and execution?
• Which developer has access to the cloud infrastructure and what does their LinkedIn say?
• What happens to the frontend if the CDN is compromised?

None of these are questions a smart contract audit answers. They are questions about operational infrastructure the Web2 layer that every DeFi protocol sits on top of and almost none actively watch.

The attacker has a unified picture of your system. You are looking at it through tools that were never designed to talk to each other.

Two Tool Ecosystems. One Unguarded Gap.

The honest state of the monitoring landscape today is this: both the Web2 monitoring world and the Web3 monitoring world are mature. The gap isn't tooling. It's connection.

The Web2 monitoring stack is well-built. SIEM platforms Splunk, Datadog, AWS CloudWatch aggregate logs from every server, cloud service, and API in your infrastructure. EDR tools like CrowdStrike and SentinelOne watch developer machines in real time: unusual processes, unexpected outbound connections, credential access attempts. CloudTrail records every IAM action across your AWS environment. Taken together, these tools produce a comprehensive, continuous picture of everything happening in your Web2 layer.

The Web3 monitoring stack is equally well-built. Platforms like Hypernative and Forta watch on-chain behavior continuously mempool anomalies, oracle deviations, unusual contract interactions, large unexpected outflows. Custom monitors fire the moment a suspicious transaction pattern appears. This layer has matured significantly and now covers most major chains with sub-second latency.

The problem is neither world knows the other exists.

Splunk cannot tell you that the S3 bucket modified at 2 AM by a suspicious IAM session is the same bucket serving the JavaScript for your signing interface and that a transaction signing request came through at 9 AM the next morning. CrowdStrike cannot tell you that the developer whose laptop is flagging unusual activity also controls a multisig signer key for your protocol's treasury. Hypernative cannot tell you that the RPC node your bridge verifier depends on just started returning different state data to different callers.

Each tool produces an alert. Nobody connects the alerts. And the attack lives in that gap sometimes for days, sometimes for weeks before anything fires on-chain.

The Bybit attacker operated in the Web2 layer for 17 days before the $1.5 billion drain registered as an on-chain event. Kelp DAO's attacker spent weeks mapping and compromising RPC infrastructure before a single unusual message reached the chain. Both attacks were invisible to every Web3 monitoring tool right up until the moment they were already over.

The Five Layers Nobody Is Watching Together

A production DeFi protocol operates across five distinct security layers simultaneously. Most have some tool coverage at each layer individually. None have a single function correlating signals across all five in real time.

Every major infrastructure hack of the past two years originated in Layers 1 through 4. Every monitoring tool the industry standardly recommends lives in Layer 5.

The Bybit attacker spent 17 days in Layers 1 and 2 before anything appeared at Layer 5. Drift's attack unfolded across Layers 3 and 4 for months before a 12-minute on-chain drain completed it. Kelp DAO's attacker spent weeks in Layer 4 mapping verifier infrastructure, preparing the DDoS before triggering the first on-chain event.

The attack is invisible until it isn't. And by then, it's over.

The Data Makes the Case

The share of total crypto losses attributed to infrastructure and OPSEC failures not smart contract bugs has climbed every year without exception:

The smart contract audit industry got better. The attackers noticed and moved. The monitoring tooling improved at Layer 5. The attackers moved to Layers 1 through 4 where nobody was watching.

Attackers are rational. They go where defenses are weakest. Right now that is everywhere except the contract.

What a Dedicated In-House Security Function Actually Does

The tools exist. Both stacks are mature. What is missing inside most protocols is the human function whose job it is to actively watch them together and connect what they show.

This is the model Web2 financial infrastructure has operated on for decades. Every bank, payment processor, and exchange managing significant financial flows runs a Security Operations Center a standing internal team whose job is not to deploy monitoring tools but to watch them actively, correlate their outputs across domains, and respond before an incident becomes a loss.

A SOC analyst at a payments company does not treat a suspicious login and an unusual outbound transfer as two separate tickets. They ask whether they are the same event seen from two angles. That cross-domain instinct built into a continuous, staffed function is what DeFi protocols are missing.

The equivalent function in a DeFi protocol watches three things simultaneously:

What changed in our infrastructure today? New IAM sessions, new SSH keys, unusual S3 writes, RPC endpoints returning different data than yesterday any of these in isolation might be routine. Tracked against a baseline and correlated with each other, they become detectable pre-attack signals.

Does any Web2 infrastructure event correlate with a pending signing action? This is the cross-domain link that no automated tool currently makes. A developer machine flagged by EDR, combined with an active signing request from that developer's associated key, is a completely different risk profile than either event alone. The Web2 stack sees the machine. The Web3 stack sees the transaction. The in-house team sees both at once.

Is on-chain behavior consistent with what the infrastructure shows? Bridge release amounts should match burn amounts on the source chain. Oracle prices should not deviate from independent sources. Deployer addresses should not be receiving new roles they did not hold yesterday. These are invariants. A team watching them break simultaneously across both stacks catches attacks that currently go undetected until the drain is already complete.

The cross-domain identity map is what makes this function effective. GitHub username links to company email links to ENS name links to signer address links to controlled wallets. IP address links to AWS session links to developer identity links to protocol access level. Without this map maintained internally, a server compromise and a signing anomaly reach two separate teams as two separate alerts. With it, they are one incident with a timeline and a window in which to respond.

Detection Is Not Enough, Response Has to Be Faster Than the Exploit

The fundamental advantage attackers have is speed. They plan for months and execute in minutes. Kelp's drain took 46 minutes before the emergency pause. Drift's took 12 minutes. Bybit was effectively instant once signing completed.

A monitoring function that only detects after execution has limited value. The goal is detection inside the pre-attack window the days or weeks of infrastructure activity that precede every major exploit and automated response that does not wait for a human to be awake and paying attention.

For cross-chain bridge infrastructure, this means continuous invariant monitoring: tokens released on the destination chain should mathematically match tokens burned on the source chain, checked block by block. Kelp's exploit broke this invariant the moment the forged message was accepted. A team watching this invariant fires an alert or triggers an automated pause before the second drain attempt, not after the first.

For signing workflows, this means a pre-signing verification step that reads transaction data from an independent source and compares it to what the interface is showing. Bybit's signers saw a legitimate transaction. The actual payload was different. An independent check at signing time catches this attack class entirely.

For cloud infrastructure, automated response means pre-configured credential rotation policies IAM configurations that revoke compromised keys and isolate affected services in a single API call, triggered automatically when thresholds are crossed, without waiting for a human decision at 3 AM.

None of this is theoretically new. PayPal has operated real-time fraud detection with automated response since the early 2000s. Traditional finance compliance has monitored Web2 infrastructure against transaction activity as a regulatory standard for years. The DeFi industry has not applied these patterns to its own stack.

The Standard the Industry Needs to Define

Protocols that lost the most in 2024 and 2025 were not negligent. Kelp ran regular audits. Bybit had cold wallet architecture considered industry best practice. Drift had a multisig. Every protocol that lost nine figures had done what the industry told them to do.

The industry was telling them to watch the wrong layer.

Growing DeFi past its current scale into something institutional capital genuinely trusts requires a security standard that matches how attacks actually work today not in 2020, when flash loan attacks and reentrancy bugs dominated the loss charts.

The attacks are now multi-stage, state-sponsored operations that spend months in Web2 infrastructure before appearing on-chain. The security function needs to match: watching both stacks, correlating across them, with a team actively connecting what both worlds are showing.

That means every serious protocol needs a dedicated internal security function sitting at the intersection of the Web2 monitoring stack and the Web3 monitoring stack. Not five separate dashboards nobody is actively watching. Not an automated alert firing into a Slack channel and waiting for someone to notice.

A team. Watching. All the time.

The Web2 tools are ready. The Web3 tools are ready. The attack window before execution is always longer than 12 minutes. What is missing is the function inside protocols that connects what both stacks see and responds before the drain, not after it.

One unified view. One active team. Before the attackers get there first.

Conclusion

The industry spent years hardening smart contracts while attackers quietly shifted toward infrastructure, identity, and operational weaknesses. Audits alone are no longer enough when exploits now begin weeks before a malicious transaction ever touches the chain. The next generation of DeFi security will not be built by choosing between Web2 or Web3 monitoring it will come from unifying both into a single operational defense layer. Protocols that survive the next wave of attacks will be the ones watching the entire stack, not just the contracts at the bottom of it.