One framing I keep coming back to is this: smart contract risk is the crypto version of operational risk — invisible until it destroys capital. What is happening: Code bugs, oracle manipulation, governance attacks and bridge exploits are the tail risks specific to DeFi. No audit eliminates them; it only reduces the probability. Why it matters: That matters because yield comparisons between CeFi and DeFi are incomplete without pricing in the probability of a smart contract failure. In practice: An unaudited protocol offering 50% yields might seem attractive until you realize that $200M in DeFi hacks happen annually from contract vulnerabilities. Watch for: The mistake is treating audited = safe. Audits are necessary but not sufficient; many exploited protocols had multiple audits. Useful lens: A useful review question is which funding, incentive or cash-flow channel is actually doing the work. The point is not to memorize the label. The point is to know what variable is actually doing the work.