Firepan, an AI-powered smart contract security platform, today released a new industry report, The $3.3B Blind Spot: Why Web3 Security Is Broken (and Why AI Is About to Fix It), examining the growing disconnect between traditional security practices and the evolving threat landscape in Web3.
The report finds that Web3 protocols lost an estimated $3.3 billion to exploits in 2025, underscoring systemic challenges in how smart contract security is approached. Notably, nearly half of the exploited protocols had previously undergone security audits, raising concerns about the effectiveness of audits as a primary line of defense.
The full report is available at:
https://drive.google.com/file/d/1S88E1ao6mrzwH6BvSrJLMfpY1mFRvz-a/view
In addition, the report estimates that more than 80% of deployed smart contracts have never been audited, leaving a significant portion of the ecosystem exposed to vulnerabilities.
“Web3 didn’t fail because of bad code – it failed because of a broken security model,” said Ian Kane, Co-Founder of Firepan. “Smart contracts are dynamic systems, but audits are static. That mismatch is being exploited at scale.”
Key Findings
Audits and the Rise of AI-Driven Attacks
According to the report, the industry’s reliance on point-in-time audits is increasingly misaligned with how modern attacks are executed. An audit provides valuable insight into the code as it stood at review time, but the deployed system does not stand still: the implementation behind an upgradeable proxy can be swapped, governance can change parameters, and new integrations with other protocols and oracle feeds can be added, each of which can introduce weaknesses the audit never saw.
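One concrete form of that post-deployment change is an upgradeable proxy whose implementation address can be swapped without touching the proxy’s own bytecode. The following is an added example, not code from the Firepan report or the HOUND engine: it reads the standard EIP-1967 implementation slot from successive storage snapshots (the kind returned by eth_getStorageAt) and reports every change. The slot constant is the one defined by EIP-1967; the snapshot data is constructed for illustration.

```python
"""Detect implementation swaps behind an EIP-1967 upgradeable proxy.

Added example (not from the Firepan report). Compares snapshots of the
proxy's implementation storage slot taken at different blocks and reports
each change, a post-deployment event that a point-in-time audit cannot see.
Snapshot values below are constructed for illustration.
"""

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1.
# Hardcoded because hashlib.sha3_256 is NIST SHA-3, not Ethereum's keccak256.
IMPL_SLOT = 0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC


def slot_to_address(raw_word: str):
    """Decode a 32-byte storage word (hex, with or without 0x) into an address.

    Returns None when the slot is zero (the contract is not an EIP-1967 proxy,
    or the proxy has not been initialised). Raises if the upper 12 bytes are
    non-zero, since a valid address never sets them.
    """
    word = raw_word[2:] if raw_word.lower().startswith("0x") else raw_word
    if len(word) != 64:
        raise ValueError("storage word must be exactly 32 bytes")
    value = int(word, 16)
    if value == 0:
        return None
    if value >> 160:
        raise ValueError("upper 12 bytes of implementation slot are non-zero")
    return "0x" + f"{value:040x}"


def find_upgrades(snapshots):
    """Return [(block, old_impl, new_impl), ...] for every implementation change.

    snapshots: iterable of (block_number, storage_word_hex) in ascending block
    order, each word being the value of IMPL_SLOT at that block. A transition
    from None to an address (proxy initialised) is reported as a change too.
    """
    changes = []
    prev = None
    first = True
    for block, word in snapshots:
        impl = slot_to_address(word)
        if not first and impl != prev:
            changes.append((block, prev, impl))
        prev, first = impl, False
    return changes


# Constructed snapshots: same implementation for two blocks, then a swap.
SAMPLE_SNAPSHOTS = [
    (19_000_000, "0x" + "00" * 12 + "aa" * 20),
    (19_100_000, "0x" + "00" * 12 + "aa" * 20),
    (19_200_000, "0x" + "00" * 12 + "bb" * 20),
]

if __name__ == "__main__":
    for block, old, new in find_upgrades(SAMPLE_SNAPSHOTS):
        print(f"block {block}: implementation changed {old} -> {new}")
```

In practice the snapshot list would be populated by polling eth_getStorageAt for IMPL_SLOT at each new block (or by subscribing to the proxy’s Upgraded event); any reported change means the audited bytecode is no longer what executes, and the new implementation needs review before it is trusted.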
At the same time, attackers are leveraging automation and AI to identify and exploit weaknesses more quickly and at greater scale than ever before.
“Attackers are already using AI to identify vulnerabilities in minutes,” Co-Founder Gerrit Hall added. “Meanwhile, most teams rely on audits that were completed weeks or months earlier.”
Proprietary Analysis Highlights Persistent Risk
The report also includes findings from Firepan’s internal analysis using its HOUND scanning engine.
In a sample of previously audited smart contracts, Firepan identified 17 exploitable vulnerabilities in contracts labeled as “safe” by third-party auditors. In several cases, these contracts had undergone multiple audits prior to analysis.
These findings suggest that while audits remain an important component of security, they may be insufficient as a standalone solution in rapidly changing environments.
Toward Continuous, AI-Driven Security
Firepan’s report concludes that Web3 security must evolve from static assessments to continuous monitoring and detection.
Rather than replacing audits, the report recommends supplementing them with systems that:
“Audits are not going away,” said Gerrit Hall. “But treating them as the primary layer of defense is no longer sufficient in an environment where threats are continuous.”
