A smart contract is self-executing code deployed on-chain. When it works, it moves value with no intermediary. When it fails, an attacker can drain a protocol's entire treasury or its users' deposited funds in a single transaction — and because settlement is final, there is no chargeback, no reversal, and no bank to claw it back. Cumulative industry losses to exploits run into the billions of dollars. This is the signature web3 exposure, and it is the hardest crypto risk to insure.
The Main Types of Smart Contract Exploit
Exploits cluster into a handful of recurring patterns. Understanding them is the first step to underwriting against them.
- Reentrancy — an attacker calls back into a vulnerable function before the contract has updated its internal state, repeatedly withdrawing funds that should already be gone. One of the oldest and most damaging classes of bug.
- Integer overflow and underflow — arithmetic that wraps around its limits, letting balances or token supplies be manipulated into impossible values.
- Access-control flaws — privileged functions left unprotected, allowing anyone to mint tokens, drain reserves, or seize ownership of the contract.
- Economic and flash-loan attacks — manipulating protocol math using enormous borrowed capital within a single block, distorting prices or liquidity to extract value before repaying the loan in the same transaction.
- Oracle manipulation — feeding a protocol a manipulated price so it mis-prices collateral, mints excess tokens, or triggers wrongful liquidations.
What unites them is finality. On-chain, there is no undo button. The loss is realized the moment the exploit transaction confirms.
Why Standard Policies Exclude This Entirely
Conventional commercial insurance does not contemplate this risk. General liability, standard property, and standard crime forms either explicitly carry a digital-asset exclusion or were never written to cover the loss of programmable, on-chain value. A protocol that loses funds to a reentrancy bug will find nothing in a standard policy that responds.
Coverage exists only in specialty markets — Lloyd's of London syndicates, specialty managing general agents, and a small set of dedicated digital-asset carriers. Because these markets price for high-severity, irreversible losses, smart-contract coverage sits at the demanding end of an already hard insurance market.
What Smart Contract Liability Actually Covers
Smart Contract Liability is built directly around this exposure. Depending on how the program is structured, it can respond to:
- Losses arising from exploits of bugs or vulnerabilities in the insured's deployed smart contracts
- Economic and flash-loan attacks that manipulate protocol mechanics to extract value
- Oracle manipulation causing mispricing, over-minting, or wrongful liquidations
- Third-party liability to users and depositors for fund loss attributable to covered contract defects
- Defense and investigation costs, including forensic on-chain tracing of stolen funds
Like other liability lines in this space, it is written on a claims-made basis with a defined retroactive date, so continuity of coverage over time matters.
What It Does Not Cover
A critical boundary: this coverage responds to genuine exploits of legitimate, audited protocols — not founder misconduct. Rug pulls, insider theft, and intentional fraud are excluded as dishonest or criminal acts. The defense of allegations against founders is handled, from the company's side, under D&O. And theft of assets through private-key compromise rather than a code exploit is a Crime & Custody exposure. Many protocols carry all three lines because they address genuinely different failure modes.
Audits and Bug Bounties Are Underwriting Requirements
This is where the insurance and the engineering meet. Underwriters do not simply price the risk — they require you to reduce it first. In nearly all cases you will need:
- One or more recent independent smart-contract audits from a recognized firm
- A formal vulnerability-disclosure or bug-bounty program
- Time-locks and multisig on upgradeable contracts
- On-chain monitoring for anomalous activity
- A documented remediation history
Unaudited or freshly forked code is commonly declined or excluded outright. The practical takeaway is that strong security is not just good engineering — it is the precondition for being insurable at all, and it directly widens terms and lowers premium when coverage is offered.
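As an added example of the time-lock and multisig control that underwriters ask for (not code from the article or any named market or protocol), here is a minimal timelock that sits between an admin multisig and an upgradeable contract. The `admin` address is assumed to be a multisig wallet, `target` is a hypothetical upgradeable contract, and the two-day delay is an illustrative value; the events it emits are the hook for the on-chain monitoring requirement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code added for this article; names and the delay are assumptions.
// Every privileged change must be announced on-chain first and can only be
// executed after MIN_DELAY, giving users and monitors time to react.
contract Timelock {
    uint256 public constant MIN_DELAY = 2 days;      // illustrative value
    address public immutable admin;                  // assumed: a multisig wallet
    mapping(bytes32 => uint256) public readyAt;      // operation id => earliest execution time

    event Scheduled(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Executed(bytes32 indexed id);
    event Cancelled(bytes32 indexed id);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address multisig) {
        require(multisig != address(0), "zero admin");
        admin = multisig;
    }

    function operationId(address target, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, data, salt));
    }

    // Step 1: announce the change. Monitoring alerts on Scheduled events so an
    // unexpected upgrade or parameter change is visible before it takes effect.
    function schedule(address target, bytes calldata data, bytes32 salt)
        external onlyAdmin returns (bytes32 id)
    {
        id = operationId(target, data, salt);
        require(readyAt[id] == 0, "already scheduled");
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit Scheduled(id, target, data, readyAt[id]);
    }

    // Scheduled changes can be withdrawn during the delay window.
    function cancel(bytes32 id) external onlyAdmin {
        require(readyAt[id] != 0, "unknown operation");
        delete readyAt[id];
        emit Cancelled(id);
    }

    // Step 2: execute only once the delay has elapsed; state is cleared before
    // the external call so the operation cannot run twice.
    function execute(address target, bytes calldata data, bytes32 salt)
        external onlyAdmin
    {
        bytes32 id = operationId(target, data, salt);
        uint256 t = readyAt[id];
        require(t != 0, "not scheduled");
        require(block.timestamp >= t, "timelock active");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
        emit Executed(id);
    }
}
```

The upgradeable contract's admin role is then assigned to this Timelock rather than to a single key, so no upgrade can land without a multisig-signed `schedule` followed by a publicly visible waiting period. That combination is what the "time-locks and multisig on upgradeable contracts" requirement is asking a protocol to be able to demonstrate.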
The Bottom Line
Smart-contract risk is the exposure most web3 clients ask about and the one standard insurance flatly refuses. Transferring it to a specialty market is valuable precisely because the loss is otherwise total and irreversible. Get the code audited, run a bug bounty, lock down upgrade controls, and place the coverage through markets that understand what they are insuring.
