
Continuous risk monitoring in Web3 can see the attack. It cannot say no

by Dmytro Zap

Intro

The TradFi world spent $32.25 billion on risk analytics in 2025. Almost none of that spend can refuse a transaction, halt an attack in progress, or contain a breach in real time. The models in use are retrospective: built from incidents that already happened and refreshed on reporting calendars, while attacks run on block times. These models are also advisory: a score can say "dangerous" and the drain completes anyway, because nothing connects the score to a control that could close the weakness behind it.

Crypto inherited both defects from TradFi and added a third of its own, the audit badge: a one-time photograph of the code, marketed as permanent protection. This piece separates two kinds of tooling the market sells under one name. One kind watches and one kind acts, and the difference decides whether a risk signal arrives before the loss or after it.

Read path and write path, in plain terms

The vocabulary comes from software engineering. The read path is the route a question takes: you query a system, it returns information, and you decide what to do with it. Its counterpart, the write path, is the route a change takes: a transaction, a signature, or a permission update travels through the system on its way to becoming final. A control placed in the write path can stop the change before it commits; one placed in the read path can only describe it.

Dashboards are read-path instruments, and so are risk scores, audit reports, and alert feeds. A timelock that delays every admin transaction by 24 hours is a write-path instrument: the malicious change has to pass through it, visibly, before it can take effect.

Production fraud systems are built around exactly this split. The inline half evaluates each event as it happens, under a latency budget of about 50 milliseconds, and returns a verdict: allow, block, or challenge. The batch half runs after events complete and handles backtesting, audits, and policy reviews. Both halves matter, but the risk analytics market overwhelmingly sells the second one: retrospective analysis, compliance reporting, trend identification. All of it useful, none of it positioned to stop a malicious governance migration at the moment of signing.

Risk standard with teeth: how Stripe decides before the payment clears

Stripe Radar is the reference example of write-path risk at scale. Every transaction on Stripe's network is evaluated inline, inside the payment authorization flow, in under 100 milliseconds, across more than 1,000 signals. The verdict comes back before the payment completes. No analyst reads a Radar score and decides; the decision is the product.

Enforcement also compounds in a way that advice cannot. Around 90% of cards on Stripe's network have been seen at multiple merchants, so each transaction is checked against a global signal set. Because Radar makes the decision, it also observes the outcome of the decision: every block and every allow returns as labeled training data, chargebacks included. An advisory tool scores a transaction and never learns how it resolved, so its signal set never improves from the decisions it informed.
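The two properties described above, an inline verdict returned under a latency budget and a decision loop that learns from its own outcomes, are easiest to see in a small model. The following is an added illustration written for this post; it is not Stripe's or Radar's code, and every signal, weight, threshold, card number and merchant name in it is constructed for the example.

```python
"""Write-path fraud decision: inline verdict plus outcome feedback.

Added example, not Stripe/Radar code. Signals, weights and the 50 ms
budget are constructed to mirror the text, not taken from any product.
"""
import time
from dataclasses import dataclass, field

LATENCY_BUDGET_MS = 50.0  # inline budget the post cites for fraud systems


@dataclass
class Payment:
    card: str
    merchant: str
    amount: float


@dataclass
class Engine:
    # "global signal set": which merchants each card has been seen at
    seen_at: dict = field(default_factory=dict)
    # labels that came back from settlement (chargebacks)
    bad_cards: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def score(self, p: Payment) -> float:
        s = 0.0
        if p.card in self.bad_cards:
            s += 0.7  # learned from a prior chargeback on this card
        merchants = self.seen_at.get(p.card, set())
        if p.merchant not in merchants and len(merchants) >= 3:
            s += 0.2  # card being sprayed across many merchants
        if p.amount > 5000:
            s += 0.2  # large ticket
        return min(s, 1.0)

    def decide(self, p: Payment) -> str:
        """Inline verdict: the payment does not clear until this returns."""
        t0 = time.perf_counter()
        s = self.score(p)
        verdict = "block" if s >= 0.7 else "challenge" if s >= 0.4 else "allow"
        elapsed_ms = (time.perf_counter() - t0) * 1000
        if elapsed_ms > LATENCY_BUDGET_MS:
            verdict = "challenge"  # budget blown: fail closed, never silently allow
        self.seen_at.setdefault(p.card, set()).add(p.merchant)
        self.log.append((p, s, verdict, elapsed_ms))
        return verdict

    def record_outcome(self, p: Payment, chargeback: bool) -> None:
        """The decision engine sees how its own decision resolved."""
        if chargeback:
            self.bad_cards.add(p.card)


def feedback_scenario() -> list:
    """A card is allowed four times, a chargeback arrives, the fifth is blocked."""
    e = Engine()
    verdicts = []
    card = "4111-constructed"
    for m in ("shopA", "shopB", "shopC"):
        verdicts.append(e.decide(Payment(card, m, 20.0)))
    p = Payment(card, "shopD", 20.0)          # spraying signal alone: 0.2
    verdicts.append(e.decide(p))
    e.record_outcome(p, chargeback=True)      # label returns from settlement
    verdicts.append(e.decide(Payment(card, "shopE", 20.0)))  # 0.7 + 0.2 -> block
    return verdicts


def challenge_scenario() -> str:
    """Two weak signals together cross the challenge line without blocking."""
    e = Engine()
    card = "5555-constructed"
    for m in ("m1", "m2", "m3"):
        e.decide(Payment(card, m, 10.0))
    return e.decide(Payment(card, "m4", 6000.0))  # 0.2 + 0.2 = 0.4


if __name__ == "__main__":
    print(feedback_scenario(), challenge_scenario())
```

The point of `record_outcome` is the asymmetry the paragraph describes: an advisory scorer that only emits a number never gets the chargeback back, so its `bad_cards` set would stay empty forever.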

Crypto has the same split and built only the watching half

Web3 has native write-path controls. A governance timelock publishes every admin transaction on-chain for a fixed window, 24 or 48 hours, before execution, which gives the team time to cancel and users time to exit. Circuit breakers halt a contract function when volume crosses a threshold. Multisig thresholds can be enforced in code rather than by convention. None of these produce dashboards; they refuse transactions.

Drift Protocol is what their absence looks like. On April 1, 2026, a DPRK-linked group ended a six-month social engineering campaign by draining $285 million through a governance function no audit had covered. The single gate in that path, the timelock, had been removed four days earlier by a zero-timelock Security Council migration. From that moment Drift's safety tooling was purely observational: the team could have watched the malicious transaction confirm, block by block, with no mechanism anywhere in the stack to refuse it.
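The controls listed above, and the failure mode just described, can be modelled in a few dozen lines. This is an added simulation, not Drift's or any protocol's code: the clock, the admin actions, the vault and the limits are constructed. The one design choice worth noting is that a change to the timelock's own delay is only reachable through `execute`, so a "set delay to zero" migration has to sit in the public queue for the full current delay before it can take effect.

```python
"""Write-path governance gates as a simulation: timelock + circuit breaker.

Added example, not any protocol's code. Block time is a plain integer,
actions are Python callables, and all amounts are constructed.
"""
from dataclasses import dataclass, field

DAY = 24 * 3600


class Refused(Exception):
    """Raised when a gate rejects an action on the write path."""


@dataclass
class Timelock:
    delay: int                                  # seconds every admin action waits
    now: int = 0                                # simulated block time
    queue: dict = field(default_factory=dict)   # id -> (ready_at, action, arg)
    executed: list = field(default_factory=list)

    def schedule(self, action_id: str, action, arg) -> int:
        # every admin action is published here, visibly, before it can run
        ready_at = self.now + self.delay
        self.queue[action_id] = (ready_at, action, arg)
        return ready_at

    def cancel(self, action_id: str) -> None:
        # the window exists so that the team can do this (and users can exit)
        self.queue.pop(action_id)

    def execute(self, action_id: str) -> None:
        ready_at, action, arg = self.queue[action_id]
        if self.now < ready_at:
            raise Refused(f"{action_id} not executable until t={ready_at}")
        del self.queue[action_id]
        action(arg)
        self.executed.append(action_id)

    def set_delay(self, new_delay: int) -> None:
        # only ever called via execute(): shortening the gate waits the full old delay
        self.delay = new_delay


@dataclass
class Vault:
    balance: float
    max_out_per_window: float
    out_this_window: float = 0.0
    halted: bool = False

    def withdraw(self, amount: float) -> None:
        if self.halted:
            raise Refused("circuit breaker tripped")
        if self.out_this_window + amount > self.max_out_per_window:
            self.halted = True  # threshold crossed: refuse the flow, not just flag it
            raise Refused("withdrawal exceeds window limit; halting")
        self.balance -= amount
        self.out_this_window += amount


def migration_scenario(team_cancels: bool) -> dict:
    """An admin key tries to drop the timelock to zero; the gate makes it wait."""
    tl = Timelock(delay=DAY)
    tl.schedule("zero-timelock-migration", tl.set_delay, 0)
    try:
        tl.execute("zero-timelock-migration")   # same block: refused
        immediate = "executed"
    except Refused:
        immediate = "refused"
    if team_cancels:
        tl.cancel("zero-timelock-migration")     # the window did its job
    tl.now += DAY
    try:
        tl.execute("zero-timelock-migration")
    except KeyError:
        pass                                     # cancelled actions are gone
    return {"immediate": immediate, "delay_after_window": tl.delay}


def breaker_scenario() -> dict:
    v = Vault(balance=1000.0, max_out_per_window=300.0)
    v.withdraw(200.0)
    try:
        v.withdraw(200.0)                        # would cross 300 in-window
        outcome = "allowed"
    except Refused:
        outcome = "halted"
    return {"outcome": outcome, "balance": v.balance, "halted": v.halted}


if __name__ == "__main__":
    print(migration_scenario(team_cancels=False))
    print(migration_scenario(team_cancels=True))
    print(breaker_scenario())
```

With `team_cancels=False` the migration does execute once the window elapses, which is the honest reading of a timelock: it buys a visible interval, not immunity. What the control guarantees is that the interval exists and that the attempt is on-chain for anyone monitoring to see.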

The pattern generalizes beyond one protocol. Risk analytics worldwide is projected to grow from $32.25 billion to $51.34 billion by 2030, and crypto's slice of that market ships the same deliverables as TradFi's: scores, dashboards, reports. The difference is that TradFi settles on rails with reversals, freezes, and chargebacks built in. Crypto settles with finality in seconds to minutes, making it the only financial system where a read-path-only risk stack is a ridiculous contradiction.

Regulators reached the same conclusion first

If the industry will not build enforcement, enforcement arrives from outside. The clearest example is DORA, the EU's Digital Operational Resilience Act, in application since January 17, 2025.

It requires EU financial entities to maintain a Register of Information covering every third-party technology provider they depend on. The register is a live instrument rather than an annual filing: supervisors can inspect it on demand, so it has to be correct on any given Tuesday. That requires automated ingestion, continuous monitoring, and onboarding gates rather than a spreadsheet compiled each December.

The penalty structure has teeth of its own: critical providers face fines of up to 1% of average daily worldwide turnover, charged per day, for up to six months. At the March 2026 filing deadline, an estimated 50% of financial institutions were fully compliant. The compliant half built infrastructure around the requirement, while the other half tried to file a document.

DORA also reaches into crypto directly: wallet infrastructure, staking-as-a-service, blockchain analytics, and KYC providers are all in scope. Nearly everything currently sold in those categories generates signals for analysts to review. A regulator with on-demand inspection rights and a per-day fine schedule is, in practice, ordering a read-path industry to build write-path controls.

The audit badge and the risk score: what neither can block

Crypto due diligence runs on the same category error DORA was written to end: accepting a document about the past as evidence of control in the present.

Since 2020, DeFi alone has paid for nearly 10,000 smart contract audits, roughly half a billion dollars of security spend. Over the same period attackers extracted more than $10 billion, and around 75% of it left through doors no audit was scoped to check: key management, governance operations, dependencies, infrastructure. The audit badge on a project's site is accurate and beside the point. An audit is a point-in-time review of code. It expires the day the code changes, and it was never scoped to cover signer behavior, key rotation, or a governance migration approved at 2 a.m.

Honesty requires the same sentence about our own instrument. CORE3 is a read-path system, deliberately. A PoL score blocks nothing. What it reads, though, is the state of the write path: whether a counterparty has gates at all, timelocks, enforced signer thresholds, key rotation policy. It reads the history too: were the gates there last quarter, or were they removed four days ago? An audit is a photograph, taken once. Continuous risk monitoring re-scores a project as its on-chain and off-chain evidence changes, which is the difference between learning a timelock was removed this week and learning it from the post-mortem.

That gives the industry a three-rung ladder. Rung one is the point-in-time artifact: audits, annual reports, badges. The second rung is continuous, real-time risk monitoring: scores that move when the evidence moves. The third is enforcement: gates wired into the write path. Most of what is sold as crypto risk management today buys rung one. CORE3 operates on rung two, and its subject is rung three: a read path that reports on the write path. Almost nobody stands on rung three itself, and rung three is where every incident in this piece was decided.
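What "a read path that reports on the write path" looks like mechanically is a monitor that snapshots a counterparty's gate state, scores it, and alerts on the diff between snapshots rather than on the score alone. The following is an added illustration of that rung-two pattern; it is not CORE3's scoring method, and the `GateState` fields, the weights in `gate_score` and the snapshot history are all constructed for the example.

```python
"""Read-path monitor over write-path state: snapshot, score, diff, alert.

Added example; not CORE3's model. The fields, weights and the history
below are constructed. Scores are in [0, 1], higher is worse.
"""
from dataclasses import dataclass, fields

DAY = 24 * 3600


@dataclass(frozen=True)
class GateState:
    timelock_delay_s: int          # 0 means no timelock on admin actions
    signer_threshold: int          # approvals required by the multisig
    signer_count: int
    days_since_key_rotation: int


def gate_score(g: GateState) -> float:
    """Probability-of-loss-style score from write-path state only (constructed weights)."""
    s = 0.0
    if g.timelock_delay_s == 0:
        s += 0.5                    # no gate at all in the admin path
    elif g.timelock_delay_s < DAY:
        s += 0.25                   # gate exists but leaves little time to react
    if g.signer_threshold <= 1:
        s += 0.3                    # a single key can move the protocol
    elif g.signer_threshold * 2 <= g.signer_count:
        s += 0.15                   # minority of signers suffices
    if g.days_since_key_rotation > 365:
        s += 0.2
    elif g.days_since_key_rotation > 180:
        s += 0.1
    return min(s, 1.0)


def diff_states(prev: GateState, cur: GateState) -> list:
    """Field-level changes, so the alert says what moved, not just that the score did."""
    return [(f.name, getattr(prev, f.name), getattr(cur, f.name))
            for f in fields(GateState)
            if getattr(prev, f.name) != getattr(cur, f.name)]


def monitor(history: list) -> list:
    """history: [(day, GateState), ...] in time order. Returns (day, message) alerts."""
    alerts = []
    prev_day, prev = None, None
    for day, cur in history:
        if prev is not None:
            if prev.timelock_delay_s > 0 and cur.timelock_delay_s == 0:
                alerts.append((day, "timelock removed"))
            if cur.signer_threshold < prev.signer_threshold:
                alerts.append((day, "signer threshold lowered"))
            before, after = gate_score(prev), gate_score(cur)
            if after > before:
                changed = ", ".join(n for n, _, _ in diff_states(prev, cur))
                alerts.append((day, f"score {before:.2f} -> {after:.2f} ({changed})"))
        prev_day, prev = day, cur
    return alerts


# Constructed history: healthy gates last quarter, timelock dropped four days ago.
HISTORY = [
    (0,  GateState(timelock_delay_s=2 * DAY, signer_threshold=3, signer_count=5,
                   days_since_key_rotation=30)),
    (45, GateState(timelock_delay_s=2 * DAY, signer_threshold=3, signer_count=5,
                   days_since_key_rotation=75)),
    (86, GateState(timelock_delay_s=0, signer_threshold=3, signer_count=5,
                   days_since_key_rotation=116)),
]


def run() -> list:
    return monitor(HISTORY)


if __name__ == "__main__":
    for day, msg in run():
        print(f"day {day}: {msg}")
```

The photograph-versus-monitor distinction in the text is the difference between calling `gate_score` once on day 0 (0.00, everything fine) and running `monitor` over the history, which is what surfaces the day-86 removal before anyone has signed against it.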

The build decision: reports, monitoring, or gates

The next decision facing any protocol, fund, or exchange is not which dashboard to buy. It is two questions about architecture. Does your risk signal update on the threat's clock or on a reporting calendar? When the signal fires, does anything act without waiting for a human to open a dashboard? Answer "calendar" and "no," and what you own is a record of your losses, not a defense against them.

The write path is where the next $285 million leaves, and the only open question is whether anything will be standing in it. You cannot install a timelock in someone else's protocol. You can know whether they did.

CORE3 is the read path on your counterparties' write path. Continuous, evidence-based Probability of Loss scoring across six risk domains tells you whether the gates were there before you signed, and whether they are still there now. core3.io