a16z Crypto warning: DeFi should move away from "Code is Law" and put norms first to address $649 million vulnerability risk

January 20 news: venture capital firm a16z Crypto has released its latest security insights, calling for decentralized finance (DeFi) protocols to gradually abandon the long-held “Code is Law” philosophy and adopt a “Norms First” design principle to reduce the risk of recurring security vulnerabilities. Data shows that over the past year the DeFi industry has suffered attack losses totaling $649 million due to code defects and contract vulnerabilities, and security issues are becoming a key bottleneck restricting the industry’s maturity.

Daejun Park, senior security researcher at a16z Crypto, pointed out that current DeFi still largely relies on a “patch-after-the-fact” security model, which involves upgrading or remedying after vulnerabilities are exploited. This approach is no longer sustainable as the scale of funds continues to grow. He emphasized that protocols should introduce standardized, enforceable behavioral norms during the design phase, embedding security constraints directly into the system’s operational logic rather than relying entirely on code executing as planned.

The so-called “Norms First” approach focuses on limiting the scope of protocol actions through preset invariant checks and runtime constraints. If a transaction triggers an abnormal pattern or violates an established rule, the system can automatically roll back or halt execution. Park stated that, based on past attack cases, most exploits deviate from normal behavior during execution, and if a mandatory norm-enforcement mechanism were in place, attacks could be blocked early on.
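To make the idea concrete, here is an added illustration (not code from a16z Crypto, from Park’s article, or from any real protocol) of what “embedding norms into operational logic” can look like in a Solidity contract. A minimal vault wraps every state-changing function in a modifier that re-checks two preset rules after the call completes: a solvency invariant (tokens actually held must cover recorded user balances) and a windowed outflow cap (withdrawals within a rolling window may not exceed a fixed share of the window’s peak balance). If either rule is violated, the whole transaction reverts, regardless of which bug produced the bad state. The contract name, the 1-hour window, the 10% cap, and the minimal `IERC20` interface are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the vault needs (assumption: a standard ERC-20 token).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative single-asset vault. Every state-changing entry point runs under
/// the `enforcesNorms` modifier, which re-checks two preset rules after the call:
///   1. solvency: tokens actually held must cover all recorded user balances;
///   2. outflow cap: withdrawals in a rolling window may not exceed a fixed share
///      of the peak balance seen in that window.
/// A violation reverts the whole transaction, whatever bug produced the bad state.
contract NormsFirstVault {
    IERC20 public immutable asset;

    mapping(address => uint256) public deposits; // per-user accounting
    uint256 public totalDeposits;                // sum over deposits[*] (liabilities)

    uint256 public constant WINDOW = 1 hours;        // hypothetical parameter
    uint256 public constant MAX_OUTFLOW_BPS = 1_000; // hypothetical: 10% of peak per window
    uint256 public windowStart;
    uint256 public windowPeakBalance;
    uint256 public windowOutflow;

    error Insolvent(uint256 held, uint256 owed);
    error OutflowCapExceeded(uint256 outflow, uint256 cap);

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    modifier enforcesNorms() {
        _rollWindow();
        uint256 held = asset.balanceOf(address(this));
        if (held > windowPeakBalance) windowPeakBalance = held;

        _; // the guarded function body runs here

        uint256 heldAfter = asset.balanceOf(address(this));
        // Rule 1: the contract must never owe more than it holds.
        if (heldAfter < totalDeposits) revert Insolvent(heldAfter, totalDeposits);
        // Rule 2: cumulative outflow in this window stays under the cap.
        if (heldAfter < held) {
            windowOutflow += held - heldAfter;
            uint256 cap = (windowPeakBalance * MAX_OUTFLOW_BPS) / 10_000;
            if (windowOutflow > cap) revert OutflowCapExceeded(windowOutflow, cap);
        }
    }

    // Start a fresh window once the previous one has expired.
    function _rollWindow() internal {
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            windowPeakBalance = 0;
            windowOutflow = 0;
        }
    }

    function deposit(uint256 amount) external enforcesNorms {
        deposits[msg.sender] += amount;
        totalDeposits += amount;
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw(uint256 amount) external enforcesNorms {
        require(deposits[msg.sender] >= amount, "insufficient balance");
        deposits[msg.sender] -= amount;
        totalDeposits -= amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Two design points follow directly from the article’s caveats. The checks are not free: each guarded call performs two extra `balanceOf` reads and several storage writes, which is the gas overhead critics mention. And they only catch faults that show up in the monitored state, so an accounting bug that drains value while leaving `balanceOf` and `totalDeposits` consistent, or that spreads outflow across many windows, would pass; the invariants narrow the blast radius of an unknown bug rather than replacing audits or formal verification.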

The discussion has returned to the forefront in the wake of multiple high-value security incidents. Even mature protocols that have been running for years have not been able to completely eliminate vulnerability risk, highlighting the structural flaws of relying solely on “code rules everything.” Meanwhile, as attackers begin to use artificial intelligence to scan for contract vulnerabilities, the security challenges facing DeFi are escalating.

However, industry insiders also point out that “Norms First” is not a panacea. Additional runtime checks may increase gas costs and impact the protocol’s competitiveness in low-fee environments. At the same time, not all attack vectors can be abstracted into rule constraints in advance; some complex or rare vulnerabilities may still bypass the checking mechanisms.

Nevertheless, more and more protocols are beginning to incorporate invariant checks and formal verification tools to improve system robustness. Against the backdrop of industry growth, shifting from “Code is Law” to “Norms First” is seen as an important step for DeFi to mature and attract long-term capital.
