Mitchell Amador, CEO of Immunefi, explains how security firms are racing to prevent the next billion-dollar exploit in stablecoins.
CN: What can you tell me about the current state of security when it comes to stablecoins?
Mitchell Amador: We're in a kind of brave new world (if you're a masochist). We're only now beginning to find out whether the security measures we've used over the past few years have really worked.
On one hand, we haven't seen a major stablecoin hack in quite a while. You can look back at incidents like the early DeFi hacks, or issues like the depegging of USDC during the Silicon Valley Bank collapse – those were serious events, but we haven't had anything of that size since.
So people are feeling pretty good about stablecoin security. But the truth is: we don't really know if things are secure. To give you a comparison, think about how long it took to feel confident in something like MakerDAO, Aave, or Compound. It's taken years for users to build that trust. Stablecoins, especially decentralized ones, are still less mature than those protocols.
We're about to add another trillion dollars in stablecoin liquidity to the system in the next few years. The real question is: are we ready to absorb that much value without a catastrophic failure? I don't think we know the answer to that yet – and we may find out the hard way.
CN: What about hacking risks specifically?
MA: That's the one risk I'm most concerned about. We've seen financial destabilization events – depeggings, leverage unwinds, even bailouts – and we know how to manage those. But with hacks, there's always a black swan factor.
A massive hack targeting stablecoins could delegitimize all of crypto. Imagine a smart contract vulnerability affecting several hundred billion dollars – or a bug in a core stablecoin asset that powers other protocols. That's not science fiction. It's possible.
From Immunefi's perspective, over 90% of projects we audit have critical vulnerabilities – including stablecoin systems. The good news is that we've made a lot of progress. A few years ago, nearly every project we worked with would experience a breach within a few years. Today, that's less than half – still high, but an improvement.
Still, we're essentially betting the entire ecosystem on code that may not be ready. And we won't really know until it's tested under pressure. I think of it like a countdown clock. From the moment a stablecoin like USDC or USDT is deployed, the risk of a critical exploit begins ticking down.
As the contract becomes more complex and gains more features, the risk increases. Meanwhile, on the other side of the clock, we're racing to improve security infrastructure – bug bounties, firewalls, AI-based vulnerability scanners, blacklisting tools. These are helping to "add time" to that countdown.
The race is: can we secure these systems fast enough before a catastrophic hack occurs?
Right now, we're in the middle of that race – and we might make it. There's a chance we get secure enough that a massive failure never happens. But we're not sure yet. The next two years will be critical.
CN: What are the biggest sources of smart contract vulnerabilities in stablecoins?
MA: The risks are similar to most DeFi apps – with a few differences. Most stablecoins aren't decentralized, so you don't usually have governance-related issues. But you do have two major vulnerability classes:
Code risk – Smart contracts can be written in ways that leave them open to manipulation. We've seen math errors, flawed redemption logic, oracles being misused – all of which can lead to large exploits. This is how some of the early stablecoin hacks occurred.
Access control – Many stablecoins are centralized, which means there are privileged functions – like minting or redeeming – that are controlled by the issuer. If someone compromises those controls, the whole system could collapse. You might remember the PayPal issue where someone accidentally minted $300 trillion in PYUSD. That was a harmless fat finger – but it shows what's possible.
Financial risk is real. We saw it with Circle during the SVB crisis – not because of bad collateral, but because of liquidity pressure. A flood of redemptions can create a "run on the bank" scenario, even if the assets are technically there.
Legal risk is also increasing. Governments can and will intervene. But these aren't really "security" issues in the smart contract sense – they're broader safety concerns. You need a whole different toolset to manage those.
CN: Do you think institutions and banks understand the risks you're describing?
MA: Not really. They understand financial and legal risks – that's their world. But when it comes to code risk, they're mostly just afraid.
They know they're out of their depth. They're trying to learn, they're hiring crypto-native teams, they're buying infrastructure startups like Privy and Bridge. But most still don't feel safe. They see smart contract exploits as a foreign problem they're not equipped to solve – and they're right.
They're more comfortable with key management and access control – that fits their legacy processes. But once you go deeper into the crypto stack, it becomes alien territory for them.
CN: What would convince them to move faster?
MA: FOMO. That's it. They need a business case – a major opportunity they don't want to miss. Then they'll invest in understanding the risks. That's where we come in at Immunefi: helping these institutions figure out how to secure themselves.
CN: What should crypto projects actually be doing today to manage smart contract risk?
MA: We need to aim for "safe by default". That's the goal. We have powerful tools now – fuzzing, formal verification, AI-powered static analysis – many of which we've pioneered at Immunefi. But adoption is still too low. Most teams still treat audits and bug bounties as one-and-done checklists. That's not enough.
Here's what every serious project should be doing:
AI vulnerability detection (PR reviews): Automated + human scanning of every line of new code before it's merged.
Audits: Both traditional audits and audit competitions with dozens or hundreds of hackers reviewing code.
Bug bounties: With meaningful rewards tied to how much money is at risk.
Monitoring solutions: Real-time threat detection post-deployment.
Firewalls: Contract-level "bouncers" that block malicious transactions before they execute.
If you run this full stack, you give yourself five distinct chances to catch exploits before they cause damage. Yet, less than 1% of projects use firewalls, and under 10% use AI vulnerability tools. That's a massive gap – and a solvable one.
CN: Are there other factors – like language design or architecture – that make contracts more secure?
MA: Yes, but it depends on the app. Simpler contracts are always safer. That's why ERC-20 contracts almost never get hacked – they're small, tight, and well-tested. The more complex your logic, the more risk you take on.
Upgradability is another big factor. It adds UX flexibility, but it introduces a backdoor. Ideally, only you use it – but we've seen many cases where it's abused. Still, most projects today choose upgradability because the tradeoff is worth it for adoption.
CN: Final thoughts – what's one important issue no one's talking about enough?
MA: Definitely. One of the biggest blind spots is around protocol liability. As more money flows into on-chain systems, the legal landscape is going to shift fast. At some point, someone's going to ask: Who's responsible when something breaks? We don't have a clear answer to that yet – but it's coming, and it's going to reshape how protocols are built and governed.
Another thing I think about is how much the culture of crypto is changing. It's becoming finance. You can feel it. The early builders were ideologues – true believers in decentralization and open systems. Now we're seeing a wave of finance professionals who approach this space very differently. That's not necessarily bad, but it is changing the ethos, and we don't yet know what the long-term consequences of that shift will be.
And then there's the question of reversibility. As institutions move on-chain they'll start demanding features that don't currently exist on most public chains. One of those is the ability to reverse transactions.
I think we're going to see more chains, maybe even major ones, start offering that capability, especially in permissioned or semi-permissioned environments. That creates a new class of blockchain infrastructure that behaves more like traditional finance – walled gardens with bridges into the open world.
All of this ties into something I think people are missing: crypto security is about to have its moment. It's still underappreciated today, but it's becoming clear that every major player – from funds to DAOs to banks – will eventually rely on on-chain rails.
And that means they'll all need serious protection. I think we're just at the beginning of a major explosion in security infrastructure, and no one's really ready for what that will look like.
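As an added illustration of the access-control class Amador describes (constructed example code, not from the interview or from Immunefi), here is a minimal stablecoin whose privileged mint path is restricted to issuer-approved minters and bounded per call, so that a compromised minter key or a fat-fingered amount cannot inflate supply without limit. The contract name, the `maxMintPerTx` cap and every value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal stablecoin, constructed for illustration only.
// An unguarded version would simply expose `mint(to, amount)` with no
// modifier and no bound: anyone (or any compromised key) could then
// create arbitrary supply in a single transaction.
contract GatedStablecoin {
    string public constant name = "Example USD";
    uint8 public constant decimals = 6;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public immutable issuer;        // privileged party
    uint256 public immutable maxMintPerTx;  // sanity cap per mint call
    mapping(address => bool) public minters; // issuer-approved minters

    event Transfer(address indexed from, address indexed to, uint256 value);
    event MinterUpdated(address indexed account, bool allowed);

    constructor(uint256 _maxMintPerTx) {
        issuer = msg.sender;
        maxMintPerTx = _maxMintPerTx;
    }

    modifier onlyIssuer() {
        require(msg.sender == issuer, "not issuer");
        _;
    }

    modifier onlyMinter() {
        require(minters[msg.sender], "not minter");
        _;
    }

    // Only the issuer may grant or revoke the minter role.
    function setMinter(address account, bool allowed) external onlyIssuer {
        minters[account] = allowed;
        emit MinterUpdated(account, allowed);
    }

    // Privileged function: role-gated and bounded per call, so a single
    // mistaken or malicious call cannot mint an unbounded amount.
    function mint(address to, uint256 amount) external onlyMinter {
        require(to != address(0), "zero address");
        require(amount <= maxMintPerTx, "mint exceeds per-tx cap");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}
```

The per-call cap is a guard against the fat-finger case, not a substitute for the monitoring and firewall layers listed above, which are what would catch many small mints adding up to the same outcome.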
2025-10-31 00:33