Business Logic Flaws: The Silent Killer of DeFi Security in 2026

2026-04-13 defi security business-logic hack smart-contract 2026 audit

DeFi's attack surface hasn't shrunk — it's shifted. Looking at major incidents from Q1 2026, the pattern is clear: while reentrancy and integer overflow still appear, the largest losses are coming from protocols where the code executes exactly as written, but the logic itself is wrong. Business logic flaws have moved from a footnote in audit reports to the primary cause of material losses.

Two Q1 2026 Cases Worth Understanding

AlkemiEarn — 43.45 ETH Drained (March 2026)

The AlkemiEarn exploit was a textbook business logic failure. The protocol's lending logic contained a flaw in how collateral value was calculated: under specific conditions, attackers could borrow significantly more than their actual collateral supported. The contract executed without error. The code did exactly what it said. The problem was that what it said was wrong.

This is the distinguishing characteristic of business logic bugs — they don't trip invariants the compiler or static analyzer can see. They violate protocol-level invariants that only exist in documentation, if they exist at all.

SynapLogic — Permission Bypass (January 2026)

SynapLogic was compromised through a logical path where permission checks could be bypassed under certain conditions, allowing attackers to reach core system settings. Again: no obvious code defect, no overflow, no missing modifier on a single function. The vulnerability lived in the interaction between functions and the assumptions each made about the state the other had already validated.

Why Static Analysis Misses These

Tools like Slither and Semgrep are excellent at what they do: they find code that matches known-bad patterns. Unprotected external calls, missing access modifiers, unsafe arithmetic — all well within their capability. But they work at the syntactic and control-flow level. They cannot answer: "Is it correct for this variable to change this way after this sequence of calls?"

Business logic flaws slip past rule-based tools for three reasons those tools can't address:

How to Catch These Before Deployment

Symbolic Execution

Mythril explores execution paths mathematically rather than pattern-matching source. It can find logical paths that lead to abnormal states even when no individual line of code looks wrong. It's not perfect — large contracts time out — but for targeted analysis of core business logic it catches things static tools miss.

AI-Based Code Reasoning

The most useful capability here isn't AI as a vulnerability classifier — it's AI as a protocol reviewer. Given enough context (function signatures, state variables, intended invariants), a well-prompted LLM can identify logical contradictions: "this path allows a user to withdraw before their lockup expires," "this price calculation assumes reserve0 is always non-zero, but that's not enforced." ContractScan's AI engine does this, and when it finds a pattern resembling a known incident from the threat intelligence database, it cites the reference.

Real-World Case Mapping

Over 680 indexed DeFi incidents give concrete pattern templates. When code structure resembles the AlkemiEarn collateral calculation, that similarity is a signal worth investigating even if no individual line trips a static detector.

What Developers Should Do

Define invariants explicitly. Before writing a function, write down what must always be true about the system state. "Total borrowed must never exceed collateral value multiplied by the collateralization ratio" is an invariant. If you can't state it, you can't test it. Tools like Echidna and Foundry's invariant testing can verify these automatically.
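To make that invariant concrete, here is an added example (not code from this post or from ContractScan) of a Foundry invariant test in Solidity; `MiniPool`, `Handler` and the 75% LTV limit are constructed for illustration, and the test relies on forge-std's `Test`, `bound`, `targetContract` and `assertLe`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Minimal lending pool, constructed for this example. Collateral and debt share one unit,
// so collateral value is just the deposited amount; debt may not exceed 75% of it.
contract MiniPool {
    uint256 public constant LTV_BPS = 7_500;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 public totalCollateral;
    uint256 public totalDebt;
    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
        totalCollateral += amount;
    }
    function borrow(uint256 amount) external {
        uint256 newDebt = debt[msg.sender] + amount;
        // Invariant enforced here; swap in the buggy `newDebt <= collateral[msg.sender]` and the test fails.
        require(newDebt * 10_000 <= collateral[msg.sender] * LTV_BPS, "exceeds LTV");
        debt[msg.sender] = newDebt;
        totalDebt += amount;
    }
    function withdraw(uint256 amount) external {
        uint256 left = collateral[msg.sender] - amount;
        // Withdrawal must re-check the same invariant, or debt can outlive its collateral.
        require(debt[msg.sender] * 10_000 <= left * LTV_BPS, "undercollateralized");
        collateral[msg.sender] = left;
        totalCollateral -= amount;
    }
}

// Handler: the fuzzer reaches the pool only through these bounded entry points, so a random
// uint256 cannot hide the logic check behind an arithmetic-overflow revert.
contract Handler is Test {
    MiniPool public pool;
    constructor(MiniPool p) { pool = p; }
    function deposit(uint256 a) external { pool.deposit(bound(a, 0, 1e30)); }
    function borrow(uint256 a) external { pool.borrow(bound(a, 0, 1e30)); }
    function withdraw(uint256 a) external { pool.withdraw(bound(a, 0, 1e30)); }
}

contract MiniPoolInvariantTest is Test {
    MiniPool pool;
    function setUp() public {
        pool = new MiniPool();
        targetContract(address(new Handler(pool))); // only the handler is fuzzed
    }
    // "Total borrowed must never exceed collateral value times the collateralization ratio",
    // re-checked by Foundry after every fuzzed call sequence (`forge test`).
    function invariant_totalDebtWithinLtv() public view {
        assertLe(pool.totalDebt() * 10_000, pool.totalCollateral() * pool.LTV_BPS());
    }
}
```

With Foundry's default `fail_on_revert = false`, calls the pool rejects are simply discarded; the test fails only when some call sequence leaves the pool in a state where total debt exceeds the LTV limit.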

Principle of least privilege. Every function that changes state should have the smallest possible access surface. If a function only needs to be called by the liquidator role, it should only be callable by the liquidator role — full stop.

Don't rely on one tool. Combine static analysis, symbolic execution, and AI-based review. Each catches a different class of problem. Business logic flaws specifically require the semantic layer that only AI and human review provide.


Scan Your Contract Now

ContractScan runs Slither, Mythril, Aderyn, Semgrep, and AI engines in parallel, completing an in-depth analysis in under five minutes.


Important Notes
This post is for educational and informational purposes only and does not constitute financial or legal advice. ContractScan is a tool to reduce security risks and does not guarantee discovery of all vulnerabilities. Manual audit by a professional security firm is strongly recommended before deploying high-value contracts. We assume no legal liability for losses incurred through use of this service.