Venture capital giant Andreessen Horowitz's crypto arm, A16Z Crypto, has issued a stark warning and a strategic recommendation to the decentralized finance (DeFi) sector, urging a fundamental shift in security philosophy. The firm argues that the long-held principle of "code is law" is no longer sufficient to protect increasingly complex on-chain financial systems.
The call to action comes in response to a devastating year for DeFi security. Throughout 2024, hackers exploited vulnerabilities to drain over $649 million from various protocols. Notably, many of the breached protocols had undergone third-party audits prior to launch, highlighting a critical flaw in the traditional security model that relies solely on code review and static audits.
A16Z advocates for a new, layered defense model where operational norms, best practices, and community standards are elevated to the same level of importance as the underlying smart contract code. The firm contends that while code is essential, it cannot foresee all potential vulnerabilities, especially as protocols grow more sophisticated and new attack vectors emerge regularly.
The proposed framework includes adopting standardized practices such as immutability checks, attack simulations, and security information sharing among projects. This approach aims to foster a proactive culture of continuous review and risk mitigation, reducing technical debt and creating clearer accountability within decentralized systems. A key advantage the firm highlights is that community norms and security practices can evolve and adapt to new threats much faster than formal code patches or lengthy governance votes.
A16Z warns that ignoring these evolving threats risks further operational failures and a severe erosion of user confidence. The firm positions this collaborative, norm-based security culture as a critical step for the DeFi ecosystem's maturation and long-term resilience.