A useful way to think about this: smart contract risk is the crypto version of operational risk — invisible until it destroys capital. Desk note: Code bugs, oracle manipulation, governance attacks and bridge exploits are the tail risks specific to DeFi. No audit eliminates them; it only reduces the probability. Why investors care: That matters because yield comparisons between CeFi and DeFi are incomplete without pricing in the probability of a smart contract failure. Translate it into behavior: An unaudited protocol offering 50% yields might seem attractive until you realize that $200M in DeFi hacks happen annually from contract vulnerabilities. Where people usually get tripped up: The mistake is treating audited = safe. Audits are necessary but not sufficient; many exploited protocols had multiple audits. Keep this nearby on the next review: A useful review question is which funding, incentive or cash-flow channel is actually doing the work. That is the kind of small conceptual habit that compounds into better decisions over time.