A16Z’s call for security evolution
A16Z Crypto is pushing for what I think is a pretty significant change in how decentralized finance protocols approach security. They’re basically saying that the old “code is law” mentality isn’t cutting it anymore. Instead, they want developers to put operational norms and best practices on the same level as the actual code itself.
It makes sense when you look at the numbers. Throughout 2024, hackers have managed to drain over $649 million from DeFi protocols. That’s not small change, even in crypto terms. What’s really concerning is that many of these protocols had been audited by third parties before they went live. So the traditional approach—write code, get it audited, deploy—isn’t working as well as we’d hoped.
The problem with relying on code alone
Code, while important, can’t anticipate every possible vulnerability. That’s especially true as protocols become more sophisticated and complex. New attack vectors keep appearing, and by the time you patch one hole, attackers might have found three more.
A16Z is suggesting something more layered. They want protocols to adopt things like immutability checks, attack simulations, and standardized security sharing practices. These aren’t just technical fixes—they’re about creating a culture of security. Technical debt accumulates quickly in fast-moving projects, and without clear norms, accountability gets fuzzy in decentralized systems.
Perhaps the most interesting point is that norms can evolve faster than code patches or governance votes. When a new threat emerges, a community with established security practices can respond more quickly than one waiting for a formal code update.
2024’s sobering reality
This year has been particularly rough for DeFi security. Major protocols have been breached for millions, often due to overlooked permissions or logic errors that audits missed. It’s not that audits are useless—they’re just not sufficient on their own anymore.
I’ve noticed that the conversation around DeFi security has been shifting. People are starting to realize that you can’t just deploy smart contracts and assume they’ll be secure forever. The environment changes, attackers get smarter, and what worked yesterday might not work tomorrow.
Building a security culture
What A16Z seems to be advocating for is a shift toward continuous review and proactive risk mitigation. It’s about creating security standards that projects can adopt voluntarily, but that become expected norms within the ecosystem.
This collaborative approach could help reduce system-wide risks. When protocols share security practices and learn from each other’s mistakes, the whole ecosystem gets stronger. But it requires a mindset change—from seeing security as a one-time checklist item to treating it as an ongoing process.
The firm argues that ignoring these changing threats could lead to operational failures and loss of user confidence. And honestly, they’re probably right. After so many high-profile exploits, users are getting more cautious. Protocols that can demonstrate strong security practices might have a competitive advantage.
It’s not about abandoning code or smart contracts. It’s about recognizing their limitations and building additional layers of protection. Norms can provide that safety net when code falls short. They can adapt to new threats more quickly, and they can create shared expectations across different projects.
This feels like a maturing of the DeFi space. Early days were all about innovation and moving fast. Now, with real money at stake and growing regulatory attention, security needs to catch up. A16Z’s recommendations might not be perfect, but they’re pointing in a direction that makes sense for where DeFi needs to go next.