Smart Contract Risk for DeFi Users: What to Check Before You Deposit
Audits alone did not stop the two biggest Solana exploits of 2026. Here is the checklist that would have flagged both, and how to run it in five minutes before you deposit.
The $290M Lesson From April
Two Solana protocols got exploited in April 2026. Drift lost $285M through an oracle manipulation combined with a multisig bypass. Loopscale lost $5.8M two weeks after launch. Both had been audited. Both had real TVL and real users.
That is the uncomfortable core of smart contract risk: the standard signal everyone checks, "is it audited?", failed in both cases. Drift had multiple audits. Loopscale had completed an audit cycle days before going live.
Audits matter. They are necessary. They are nowhere near sufficient. Across the 132 Solana DeFi protocols we score, 58% have no public audits at all, and of the ones that do, the gap between "audited" and "safe" is where most of the money gets lost.
This guide covers what to check instead: a practical sequence you can run in five minutes before depositing into any protocol. It is the same logic behind our Security Score, compressed into something you can do by hand.
What Smart Contract Risk Actually Covers
Smart contract risk is not one risk. It is at least four, and they fail in different ways.
Code risk. A bug in the contract logic lets an attacker drain funds. This is what audits try to catch, with mixed results. Loopscale's exploit fell in this category.
Governance risk. The code is fine, but someone with admin keys can change it, pause it, or move funds. If a 2-of-3 multisig controls upgrades with no timelock, your deposit is two compromised keys (or one compromised key plus one rogue signer) away from gone, with no warning window in between. The Drift exploit included a multisig bypass, which is why it ranks among the worst DeFi incidents of the cycle.
Oracle risk. The contract behaves exactly as written, but the price feed it trusts gets manipulated. Lending protocols are the main target: a fake price lets attackers borrow more than their collateral is worth. This remains the most common attack vector in DeFi lending.
Dependency risk. Your protocol is safe, but it composes with one that is not. A vault that loops through a lending market inherits that market's full risk profile. Aggregators and restaking products stack these exposures.
A deposit decision that only considers the first category misses three quarters of the threat model.
The Checklist: Six Questions Before You Deposit
1. Who can upgrade the contracts, and how fast?
This is the single highest-value question and almost nobody asks it. Find the upgrade authority. On Solana, `solana program show <PROGRAM_ID>` prints the ProgramData address and the current Authority; an authority of "none" means the program is immutable and this question is closed. Otherwise: is the authority a multisig? How many signers, and who are they? Is there a timelock between a proposed change and its execution?
A timelock is your exit window. If a malicious or compromised upgrade needs 12 hours to execute, you have 12 hours to withdraw. Without one, you find out after the fact. A timelock only protects you if you watch it, though: follow the protocol's governance queue or set an alert on the multisig, because an unwatched 12-hour delay helps nobody. Among the top 10 Solana protocols by TVL, only Jupiter Lend documents a timelock publicly (12 hours). The rest either have none or do not disclose it. That asymmetry should factor into every deposit you make.
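As an added example, not code from the original article or from YieldWire's tooling, here is a stand-alone Python decoder for the account bytes behind that check. It assumes the BPF Upgradeable Loader's bincode layout (a u32 variant tag, a u64 last-deployed slot, a one-byte Option tag and a 32-byte pubkey, all little-endian). The account bytes and the "documented multisig" key below are constructed fixtures, and `upgrade_risk` with its labels is a hypothetical helper for classifying the result; on a real program you would feed it the base64 data returned by `getAccountInfo` for the ProgramData address.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Layout of the BPF Upgradeable Loader's bincode-serialized state (assumed here):
#   Program account:     u32 tag (2) | 32-byte ProgramData address
#   ProgramData account: u32 tag (3) | u64 last-deployed slot | u8 Option tag | 32-byte authority | ELF
# All integers are little-endian. Option tag 0 means no upgrade authority (immutable program).
PROGRAM_TAG = 2
PROGRAMDATA_TAG = 3
PROGRAMDATA_METADATA_LEN = 4 + 8 + 1 + 32  # the ELF body starts at this offset


@dataclass(frozen=True)
class ProgramDataInfo:
    last_deployed_slot: int
    upgrade_authority: Optional[bytes]  # 32-byte pubkey, or None if immutable


def parse_program_account(data: bytes) -> bytes:
    """Return the ProgramData address a Program account points to."""
    if len(data) < 36:
        raise ValueError("Program account too short")
    (tag,) = struct.unpack_from("<I", data, 0)
    if tag != PROGRAM_TAG:
        raise ValueError(f"not a Program account (tag {tag})")
    return bytes(data[4:36])


def parse_program_data(data: bytes) -> ProgramDataInfo:
    """Decode the metadata header of a ProgramData account."""
    if len(data) < PROGRAMDATA_METADATA_LEN:
        raise ValueError("ProgramData account too short")
    tag, slot, has_authority = struct.unpack_from("<IQB", data, 0)
    if tag != PROGRAMDATA_TAG:
        raise ValueError(f"not a ProgramData account (tag {tag})")
    if has_authority not in (0, 1):
        raise ValueError(f"bad Option tag {has_authority}")
    authority = bytes(data[13:45]) if has_authority == 1 else None
    return ProgramDataInfo(slot, authority)


def upgrade_risk(info: ProgramDataInfo, known_multisigs: dict) -> str:
    """Hypothetical classifier: known_multisigs maps pubkey bytes to a label
    (the protocol's documented multisig); anything else is an unexplained key."""
    if info.upgrade_authority is None:
        return "immutable: no one can upgrade this program"
    label = known_multisigs.get(info.upgrade_authority)
    if label is None:
        return "upgradeable by an undocumented key: treat it like a hot wallet"
    return f"upgradeable by {label}: now check signer count and timelock"


# --- constructed fixtures, not real mainnet accounts ---
def build_program_data(slot: int, authority: Optional[bytes]) -> bytes:
    has_authority = 1 if authority is not None else 0
    header = struct.pack("<IQB", PROGRAMDATA_TAG, slot, has_authority)
    header += authority if authority is not None else bytes(32)  # slot stays zeroed when None
    return header + b"\x7fELF" + bytes(16)  # fake ELF body


DOCUMENTED_MULTISIG = bytes(range(32))
EXAMPLE_PROGRAMDATA_ADDR = bytes([7] * 32)
EXAMPLE_PROGRAM_ACCOUNT = struct.pack("<I", PROGRAM_TAG) + EXAMPLE_PROGRAMDATA_ADDR
EXAMPLE_UPGRADEABLE = build_program_data(123_456, DOCUMENTED_MULTISIG)
EXAMPLE_IMMUTABLE = build_program_data(999, None)
EXAMPLE_UNKNOWN = build_program_data(5, bytes([0xAB] * 32))


if __name__ == "__main__":
    known = {DOCUMENTED_MULTISIG: "the documented 3-of-5 multisig"}
    print("ProgramData address:", parse_program_account(EXAMPLE_PROGRAM_ACCOUNT).hex())
    for name, raw in [("upgradeable", EXAMPLE_UPGRADEABLE),
                      ("immutable", EXAMPLE_IMMUTABLE),
                      ("unknown", EXAMPLE_UNKNOWN)]:
        info = parse_program_data(raw)
        print(f"{name}: slot {info.last_deployed_slot}, {upgrade_risk(info, known)}")
```

The bytes tell you who holds the authority, not how many signers it takes or whether a timelock sits in front of it. That second half is manual work: match the authority pubkey against what the protocol documents, and look at the program that owns that account to see whether it is a multisig at all.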
2. Who audited it, when, and what happened after?
Not "is it audited" but three sharper questions. First, who did the audit: OtterSec, Neodyme, Sec3, Kudelski and a handful of others have real Solana track records. An audit from a firm you cannot find prior work for is a logo, not a control. Second, when: an audit from 18 months and four upgrades ago covers code that may no longer exist, so check whether the program has been upgraded since the audited commit. Third, what happened after: were the findings fixed and verified by the auditor, or just acknowledged?
Jito carries 9+ audits across its stack and scores 83 on our scale. Loopscale was audited too, and scores 39 after its exploit. The count is not the signal. The depth and the follow-through are.
3. Has it survived a stress event?
Code maturity is earned, not claimed. Marinade has run for over three years without an exploit, through two full market cycles, and scores 84, the highest on our board. A protocol that launched last month has not yet been tested by a depeg, a liquidation cascade, or a serious attacker with time to study its code.
That does not make new protocols uninvestable. It makes them a different asset class. Loopscale's exploit two weeks after launch is the canonical case: brand-new code, audited, immediately probed, immediately broken.
4. Is the TVL deep, and has it been there a while?
TVL depth is one of the strongest single predictors of protocol stability we observe in the data. Deep TVL means more eyes on the code, bigger bug bounty incentives, and more at stake for the team. Protocols above $500M in TVL show materially lower exploit rates than small ones. Depth cuts both ways, though: a deep pool is also a bigger prize, and Drift had real TVL when it was drained. Treat TVL as one signal beside governance and oracle design, not as a substitute for them.
Check the trend too. TVL that arrived last week chasing a 300% emission is not the same as TVL that has sat through drawdowns. Kamino Lend holds roughly $1.5B and scores 79 with 9 audits and formal verification. That combination of depth, time, and verification is what a B grade looks like in practice.
5. Where does the yield come from?
This sounds like an economics question, but it is a security question. Yield paid from real activity (trading fees, borrow interest, staking rewards) is sustainable. Yield paid from token emissions is marketing spend, and protocols that need aggressive emissions to attract TVL are often the same ones cutting corners elsewhere.
If you cannot answer "who is paying this yield and why," you have not finished your diligence. Base versus reward yield is broken out on every pool in our yields dashboard, and the glossary covers the distinction in detail.
6. What does the protocol depend on?
List the dependencies: which oracle, which bridges if assets are wrapped, which underlying markets if it is a vault or aggregator. For the oracle, a feed that publishes a confidence interval and a publish time, such as Pyth, scores better than a single-source feed because the protocol can refuse prices that are too wide or too old; check that the protocol actually enforces those refusals rather than reading the point price alone. Bridges deserve special caution. They remain the most exploited category in DeFi, and our bridge category average score (48) is the lowest of any category we track.
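As an added example, not code from the original article or from any protocol, here is what "actually using the confidence interval" looks like in a lending context. It assumes Pyth-style update fields (`price`, `conf`, `expo`, `publish_time`); the `PriceUpdate` dataclass, the helper names, and the two thresholds are this example's own, and the SOL/USD updates are constructed, including one with a manipulation-width interval and one that is stale.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PriceUpdate:
    """Fields a Pyth-style price update carries (constructed here, not fetched)."""
    price: int         # fixed-point: 15_000_000_000 with expo -8 is $150.00
    conf: int          # one-sigma confidence interval, same scale as price
    expo: int          # decimal exponent, normally negative
    publish_time: int  # unix seconds of the last publisher aggregate


class OracleRejected(ValueError):
    """Raised when a price is unfit to value collateral or debt."""


# Policy thresholds are assumptions for this example, not any protocol's parameters.
MAX_CONF_BPS = 200      # reject if the interval is wider than 2% of the price
MAX_AGE_SECONDS = 60    # reject if the update is older than a minute


def conf_bps(u: PriceUpdate) -> int:
    """Confidence interval expressed in basis points of the price."""
    if u.price <= 0:
        raise OracleRejected("non-positive price")
    return u.conf * 10_000 // u.price


def check_update(u: PriceUpdate, now: int,
                 max_conf_bps: int = MAX_CONF_BPS,
                 max_age: int = MAX_AGE_SECONDS) -> None:
    """Refuse stale or wide prices instead of trusting the point value."""
    if u.price <= 0:
        raise OracleRejected("non-positive price")
    age = now - u.publish_time
    if age > max_age:
        raise OracleRejected(f"stale: {age}s old")
    bps = conf_bps(u)
    if bps > max_conf_bps:
        raise OracleRejected(f"confidence too wide: {bps} bps")


def is_usable(u: PriceUpdate, now: int) -> bool:
    try:
        check_update(u, now)
        return True
    except OracleRejected:
        return False


def conservative_price(u: PriceUpdate, side: str) -> Decimal:
    """Value collateral at the low edge of the interval and debt at the high edge,
    so a widened interval works against the borrower rather than the protocol."""
    if side == "collateral":
        raw = u.price - u.conf
    elif side == "debt":
        raw = u.price + u.conf
    else:
        raise ValueError(f"unknown side {side!r}")
    return Decimal(raw).scaleb(u.expo)


def max_borrow_usd(amount, u: PriceUpdate, now: int, ltv_bps: int) -> Decimal:
    """Largest USD debt `amount` units of collateral support once the feed passes."""
    check_update(u, now)
    return amount * conservative_price(u, "collateral") * ltv_bps / 10_000


# --- constructed SOL/USD updates ---
NOW = 1_780_000_000
HEALTHY = PriceUpdate(price=15_000_000_000, conf=15_000_000, expo=-8, publish_time=NOW - 5)
WIDE = PriceUpdate(price=15_000_000_000, conf=1_500_000_000, expo=-8, publish_time=NOW - 5)
STALE = PriceUpdate(price=15_000_000_000, conf=15_000_000, expo=-8, publish_time=NOW - 300)


if __name__ == "__main__":
    for name, u in [("healthy", HEALTHY), ("wide", WIDE), ("stale", STALE)]:
        try:
            print(f"{name}: borrow up to ${max_borrow_usd(10, u, NOW, 7500)} against 10 SOL")
        except OracleRejected as e:
            print(f"{name}: rejected ({e})")
```

The point of the example is the failure modes: a single-source feed gives you only `price`, so the wide and stale cases would be accepted at face value, which is exactly the opening an oracle attack needs.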
What the Checklist Looks Like in Numbers
Running this logic across protocols produces a spread that APY alone never shows you:
| Protocol | Category | Score | Grade | Audits | Status |
|---|---|---|---|---|---|
| Marinade | Liquid Staking | 84 | B | 3+ | 3+ years, no incidents |
| Jito | Liquid Staking | 83 | B | 9+ | Deep TVL, MEV infra |
| Kamino Lend | Lending | 79 | B | 9 | Formal verification |
| Jupiter Lend | Lending | 75 | B | Yes | Only documented timelock in top 10 |
| Save | Lending | 67 | C | 2+ | Solid, smaller TVL |
| Loopscale | Lending | 39 | F | 2 | $5.8M exploit, Apr 2026 |
| Drift | Derivatives | 37 | F | Yes | $285M exploit, Apr 2026 |
Source: yieldwire Security Score dataset, 132 Solana DeFi protocols with TVL above $1M. Full rankings on the security page.
Two things stand out. First, no protocol scores an A. Solana DeFi is maturing, but nobody has yet combined deep audits, long track record, documented timelocks, and decentralized governance at the level an A requires. Second, both F-graded protocols in this table were audited. The grade collapsed on governance and incident factors, not on the absence of an audit PDF.
Position Sizing Is Part of Security
No checklist gets you to zero risk. The protocols above 80 on our scale still carry real exposure; the score measures relative safeguards, not immunity. That is why the last control is the one you apply to yourself: size positions to the score, not the APY.
A practical frame many experienced users apply: treat B-grade protocols as core positions, C-grade as satellite positions with strict caps, and anything below, or anything UNGRADEABLE (49 protocols in our universe have no public audits and under $50M TVL), as money you can afford to lose entirely. Our risk filter lets you set a minimum score, minimum TVL, and minimum APY, and only shows pools that clear all three.
The five minutes this checklist takes is the cheapest insurance in DeFi. The two April exploits cost users roughly $290M combined. Almost all of it was sitting in positions that question one or question three would have flagged.
This is not financial advice. DeFi carries real risk of loss, including total loss. Scores and data reflect our methodology as of June 5, 2026 and change as protocols evolve.