Smart contract risk is the crypto version of operational risk — invisible until it destroys capital. What is happening: Code bugs, oracle manipulation, governance attacks and bridge exploits are the tail risks specific to DeFi. No audit eliminates them; it only reduces the probability. Why it matters: That matters because yield comparisons between CeFi and DeFi are incomplete without pricing in the probability of a smart contract failure. In practice: An unaudited protocol offering 50% yields might seem attractive until you realize that $200M in DeFi hacks happen annually from contract vulnerabilities. Watch for: The mistake is treating audited = safe. Audits are necessary but not sufficient; many exploited protocols had multiple audits. Useful lens: Before reacting, ask what mechanism would still matter here if the headline disappeared tomorrow. The point is not to memorize the label. The point is to know what variable is actually doing the work.