
I started Chaos because I believed two things:
The future of finance is onchain.
There is no version of that future where onchain systems are allowed to be less secure than the systems they replace.
Five years later, both are still true.
Chaos has worked towards this vision with Aave, Ethena, Kraken, PayPal, LayerZero, Jupiter, GMX, and others, processing trillions in cumulative volume with zero bad debt.
But building in this space for five years also means watching, up close, everything that keeps going wrong.
Every exploit follows the same script.
Something breaks, millions vanish, and Crypto Twitter is outraged.
Everyone agrees it was bad!
But then a few weeks pass, and we're onto the next drama. As attention scatters, nothing meaningful changes.
The temptation is to zoom in on a single team, a single bug, a single missed check. Sometimes that analysis matters; I've written many of them.
But after years of watching the same cycle, the pattern is clear. These aren't isolated failures.
Our industry is built to produce these outcomes.
Charlie Munger said, "Show me the incentives, and I'll show you the outcomes."
In traditional finance and Web2 security, once you touch customer money or critical systems, risk becomes non-discretionary. There are standards, audits, procurement requirements, insurers, and regulators. None of them is perfect, but collectively they form a baseline.
Crypto never built that layer.
So yes, crypto has a security problem.
But the security problem is downstream of a larger market incentive problem.
Without that structure, growth looks like progress, and risk looks like cost.
The rational decision and the right decision aren't the same thing yet, and they won't be until incentives change.
A cloud security company doing $5M in ARR, growing fast, in the right niche? Acquirers and investors will fight over it at 20x revenue.
Google acquired Wiz for $32 billion at north of 30x forward revenue.
Those valuations don't come from nowhere.
They exist because the buyers already exist, and the buyers exist because regulation created them.
If you handle payment data, PCI DSS tells you what you're accountable for.
If you're a public company, SEC rules require you to disclose material cyber incidents.
Once that accountability is defined, the budget, the procurement process, and the category follow.
Talented people who could build games, social apps, or B2B software choose to build security products because the economics reward it. Accountability creates demand, demand attracts talent, and talent is what actually makes systems safer.
An efficient market attracts the people the industry needs most.
Someone will say, "But crypto does have big security companies. What about Chainalysis and TRM?"
That's exactly the point. Look at why those businesses exist.
If you're a money services business in the U.S. (and most crypto firms are), you're subject to the Bank Secrecy Act, OFAC sanctions screening, and FinCEN's AML requirements.
DOJ fined OKX over $500 million for AML failures.
Bittrex paid $29 million for letting users evade sanctions in Syria, Iran, and Cuba.
And it's getting more enforceable, not less. The GENIUS Act brought payment stablecoins under the BSA, and FinCEN's new whistleblower framework means every departing employee is now financially incentivized to report compliance gaps.
Companies don't just buy one compliance solution. They buy two or three, because when the DOJ or FinCEN comes asking, the only question is whether you made a best effort.
It's CYA infrastructure.
The IRS began working with TRM soon after it launched, even though it had been using Chainalysis for years, specifically because it didn't want all its eggs in one basket. TRM reached a $1 billion valuation. Chainalysis peaked at $8.6 billion.
They exist for one reason: the buyer isn't contemplating whether the problem matters.
Now name what doesn't have that forcing function.
There is no BSA for a lending protocol holding $2 billion in user deposits.
No OFAC-style liability for a Perp DEX routing billions in order flow without stress-testing its liquidation engine.
No mandatory disclosure when governance parameters or multisigs change in ways that increase systemic risk.
No procurement requirement when a protocol launches a new vault strategy with user funds.
Chainalysis and TRM don't disprove the thesis. They are the thesis. Where enforceable regulation exists, markets get built. Where it doesn't, they don't.
If you told me in 2013, when I first got nerd sniped by the Bitcoin white paper, that I'd be writing this essay, I wouldn't have believed you.
I've been expelled from schools, dropped out of university, and never did well with rules. I worked for years at @Meta / @instagram, where we lived by the motto "Move Fast and Break Things".
So, I came into crypto deeply anti-authoritarian and convicted we could build something better without any central authority telling us how.
But, over a decade later, I've come to understand why standards and rules for protecting users exist. Not because they're perfect. They're obviously not.
But because left entirely to our own devices, we've demonstrated repeatedly what we actually prioritize.
We've had the freedom. We've had the time.
The industry today is the result of our choices, and the results speak for themselves.
Without a forcing function, the market inverts.
In a healthy market, the entities that most need safety controls are the ones most likely to adopt them, because they're required to.
In crypto, it's the opposite.
The best teams buy security/risk infrastructure early because they want to endure.
The weakest teams delay, under-scope, or shop on price until an incident makes the need undeniable. These are the teams most likely to blow up.
The category ends up shaped by adverse selection: the teams that most need protection are systematically the least likely to pay for it.
The core asymmetry is simple:
Growth shows up in dashboards and investor updates.
Security, when it's working, is the absence of a headline. In regulated markets, that "nothing happened" still maps to compliance, audit readiness, board reporting, and insurer requirements. In crypto, the absence of a headline doesn't earn you much. It just looks like a line item that could be cut.
The rational buyer, operating inside those incentives, will always find a reason to defer.
You're selling the absence of disaster to buyers who are rewarded for growth.
The missing market structure doesn't just affect who buys. It affects what they buy and how much they buy.
Banks in the U.S. spend 6-10% of revenue on compliance alone.
Total financial crime compliance across U.S. and Canadian financial institutions exceeds $61 billion annually. That spending exists because the accountability behind it is non-negotiable.
Meanwhile, bug bounty payouts across DeFi in 2025 came to $112 million. That's one of the only measurable proxies for proactive security investment across the entire industry, and against $31 billion in protocol revenue, it works out to roughly 0.36%. In the same year, the industry lost $3.4 billion to exploits.
The prevention budget was a rounding error next to the losses.
That gap is not an accident. In regulated industries, the security budget tracks obligation, not quarterly sentiment. It survives drawdowns because accountability does. In crypto, the spending is discretionary, so it's cyclical.
In downturns, those budgets vanish.
The same protocol that will spend aggressively on incentives, listings, KOL campaigns, and conference sponsorships will rediscover frugality the moment the line item is for risk or security.
This has a compounding effect that most people don't think about.
The companies building risk and security infrastructure can't hire ahead of demand, can't sustain R&D through downturns, and can't compound the way they would if the revenue floor were durable.
Every cycle resets the category's ability to mature, meaning the industry's infrastructure is perpetually underbuilt relative to the scale it's supposed to protect.
An industry that secures $130 billion in user deposits is spending on risk/security as if it were optional.
Exploiters don't slow down in bear markets, but the risk and security budgets do.
After five years of building in this space, I know the difference between a category funded by conviction and one that generates demand.
If your application accepts user deposits, congratulations! You're in the risk business. Whether the protocol wants to frame itself as infrastructure or a yield platform or a decentralized whatever, the moment you custody value or offer leverage, risk management stops being optional.
This isn't a problem with any single actor.
It's a supply chain where every participant has a rational reason to treat risk as someone else's responsibility.
Investors evaluate growth. Auditors scope narrowly. Exchanges optimize for listings. Custodians don't mandate controls. Nobody is being irrational. That's the problem.
The system works exactly as the incentives predict, right up until an exploit reminds everyone that the risk was shared all along.
If the future of finance is onchain, the path there is building systems that deserve to custody global capital.
Not systems that ask users to tolerate more risk in exchange for better (??) economics.
The market will either build this layer or keep paying for its absence.
When an institution looks at DeFi and decides the risk model isn't mature enough to justify the exposure, that's not a hypothetical cost. It's a measurable one, and the industry pays it every cycle alongside the exploits and the preventable losses.
After five years of building in this space, one thing has become clear to me: you cannot rely on protocols to independently and consistently choose to invest in risk and security infrastructure when every other incentive in the market is pulling them in the opposite direction.
The voluntary model hit a ceiling. No amount of post-exploit conviction will permanently raise it. Asking individual founders and teams to be more responsible inside a system that rewards them for being less responsible is not a strategy.
But I think the conditions for something different are starting to emerge. Onchain finance and traditional finance are converging faster than most people realize. As the lines between them blur, regulatory gravity increases, whether crypto wants it or not. The institutions entering this space are bringing their compliance expectations, procurement processes, and risk frameworks.
The standards layer that crypto never built for itself may end up being imported by the people who can’t operate without one.
At the same time, something more fundamental is changing. For most of financial history, the best risk intelligence has been locked behind institutional budgets. AI is changing who can access it. It's becoming possible to put institutional-quality risk tools directly in the hands of users and investors, regardless of whether the applications they use have invested in risk and security.
But technology alone doesn't fix a market-structure problem.
The industry still has to decide what it actually values.
Every cycle we tell ourselves the last exploit was the wake-up call, that things will be different going forward.
Crypto has been extraordinary at inventing new financial primitives. Making them safe enough to deserve the trust people are placing in them is an engineering problem, and for the first time, I think the technology is there. But the engineering only matters if the industry decides that protection is a requirement, not a nice-to-have.
Show me the incentives, and I'll show you the outcomes.
Reactions and replies to this article.
J O H N P A L L Ξ R | pallΞr.Ξth (🦬,🦄)
@pallerjohn
Well said. Crypto has been too caught up in the freedom of onchain finance without taking time to understand why the existing system came to be in the first place. I too joined the industry over a decade ago as a rebel to the system. It’s not a great system but it shouldn’t be thrown out wholesale. Important realities exist there. It is true that incentives have created the crypto reality we have today. What we built was designed to be exploited, founders rugging, vesting exits, wild spending from treasuries not earned with sustainable revenues, etc. Essentially we found ways to defy gravity for a time. But gravity always wins. The tech isn’t going anywhere. But how we package it inside economic games will. Incentives must align for sustainability to exist. Traditional KPIs like revenue and profit will return to focus. It already is. I’m long term bullish on crypto tech, decentralization, the network state but we have to be better about systems design, economic incentives, and risk management. If we do, we win over legacy players’ corposlop. If we don’t, fintech gets cheaper rails to deepen extraction. Time to grow up.
Ben Reid
@reidbenj
Time horizon is important here. Projects that can think in terms of decades (even if they’re early stage and have limited runway) should assign greater weight to risk from the start, but high leverage to token prices for many creates the trap of falling into a bipolar mania of fuel on fire at highs and survival mode at lows. Fully agree that insto capital will drag the space into longer timelines and more consistent investment in risk management, but this does create a bit of an interesting chicken/egg.
Emmanuel D'maestro
@emmadmaestro
@omeragoldberg It is not just bugs or individual teams. It is a systemic incentive problem where security stays completely discretionary while growth gets rewarded every cycle, so risk budgets get cut and the weakest teams underinvest until the next exploit.
Emmanuel D'maestro
@emmadmaestro
@omeragoldberg Until protecting user funds becomes as non-discretionary as it is in TradFi, the same pattern will keep repeating.
Crypto Value Labs
@cryptovaluelabs
@omeragoldberg Part of growing up. Happens to everyone once you stop being a teenager and realize your actions have consequences for you and for others. Sometimes very bad ones. Literally story of every startup and industry
incorruptible trix
@brane_trix
@omeragoldberg How can AI help protocols lower the cost or increase the quality of their security?
Kevin Leuthardt
@kleuthardt
I guess we as an industry need to adjust to the security standards if we want to onboard institutions. No way they will be ok with lowering their standards. Great protocols also hire team members who can speak both languages to help build out the reqs. AI is then here to deliver this in a cost effective way.