DeFi was hacked for $649 million last year. Why is a16z calling for abandoning "code is law"?

The DeFi industry faces an awkward reality: more and more vulnerabilities are being found and exploited by attackers. According to SlowMist's report, DeFi protocols lost over $649 million to code vulnerabilities in 2025. Even Balancer, a long-running project that had operated without major incident since 2021, lost $128 million in November 2025. Against this backdrop, Daejun Park, a senior security researcher at a16z Crypto, recently called for a paradigm shift from "code is law" to "standards are law": standardized security norms as the answer to increasingly complex threats.

Deep-rooted Issues of the Security Crisis

The philosophy of "code is law" was once DeFi's core competitive advantage, emphasizing full decentralization and code transparency. Its weakness is now plain: code can contain vulnerabilities, and they are often discovered only after deployment, typically when the contract is already holding user funds. Developers also worry that attackers are increasingly using AI tools to find such vulnerabilities, so a traditional pre-deployment audit is no longer sufficient on its own.

The numbers show the scale of the problem: $649 million lost in a single year. The Balancer case adds a further lesson: code that has run in production and been reviewed for years can still harbor an overlooked vulnerability.

The New Proposal from a16z

Park's proposed remedy is concrete: hard-code security guarantees as invariant checks. In short, the protocol defines rules that must hold after every transaction (for example, that a pool's token balances stay consistent with its own accounting), and when a transaction's execution would break one of them, the contract automatically reverts that transaction, leaving the state untouched.

The advantages of this approach include:

  • Real-time protection during execution, rather than relying solely on post-audit
  • Almost all known DeFi vulnerabilities would trigger such checks
  • Lower implementation costs compared to rewriting code entirely

Park points out that this method could potentially stop attacks at the moment they occur, fundamentally changing the security logic of DeFi.

Practical Challenges

However, the industry does not unanimously endorse the proposal. According to recent reports, Immunefi's security lead raised two practical issues: first, invariant checks run on every transaction and therefore increase gas costs, which could drive users away; second, the approach is not a panacea.

A co-founder of Asymmetric Research raised a technical concern: many exploits are complex enough that it is hard to write an invariant rule that reliably detects the attack without also rejecting legitimate transactions (false positives). Designing the rules is itself a hard problem.
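To make the mechanism from the proposal section and the false-positive concern above concrete, here is an added example in Python written for this page; it is not code from a16z, Balancer, Kamino or XRP Ledger. It models a toy constant-product pool and a transaction wrapper that snapshots state, applies an operation, checks every invariant, and reverts on failure. The pool model, the swap functions, the invariant names, the "buggy" swap and all numbers are constructed for the demonstration.

```python
# Added example: transaction-scoped invariant checks on a toy constant-product pool.
# Illustrative code written for this page; not from any real protocol.
from dataclasses import dataclass, asdict


class InvariantViolation(Exception):
    """Raised when a post-transaction invariant fails; the caller treats it as a revert."""


@dataclass
class Pool:
    reserve_x: int      # token X held by the pool, in base units (constructed)
    reserve_y: int      # token Y held by the pool
    fee_bps: int = 30   # 0.30 % swap fee, retained by the pool


# --- invariants: each receives the state before and after one transaction ---------
def k_never_decreases(before: Pool, after: Pool) -> bool:
    """Constant-product rule: fees can only grow x*y, so a drop means value left for free."""
    return after.reserve_x * after.reserve_y >= before.reserve_x * before.reserve_y


def reserves_stay_positive(before: Pool, after: Pool) -> bool:
    return after.reserve_x > 0 and after.reserve_y > 0


def y_never_decreases(before: Pool, after: Pool) -> bool:
    """Deliberately over-tight rule: every ordinary X->Y swap pays Y out, so it misfires."""
    return after.reserve_y >= before.reserve_y


PROTOCOL_INVARIANTS = [k_never_decreases, reserves_stay_positive]


def execute(pool: Pool, op, *args, invariants=PROTOCOL_INVARIANTS):
    """Run op(pool, *args) as one transaction: snapshot, apply, check, revert on failure."""
    snapshot = asdict(pool)          # cheap copy of every field
    before = Pool(**snapshot)
    try:
        result = op(pool, *args)
        for inv in invariants:       # each check is extra work on every transaction (gas)
            if not inv(before, pool):
                raise InvariantViolation(inv.__name__)
    except Exception:
        for name, value in snapshot.items():   # restore state: no trace of the tx
            setattr(pool, name, value)
        raise
    return result


def swap_x_for_y(pool: Pool, amount_in: int) -> int:
    """Correct swap: fee deducted from the input, output rounded down."""
    in_after_fee = amount_in * (10_000 - pool.fee_bps)
    amount_out = (in_after_fee * pool.reserve_y) // (pool.reserve_x * 10_000 + in_after_fee)
    pool.reserve_x += amount_in
    pool.reserve_y -= amount_out
    return amount_out


def buggy_swap_x_for_y(pool: Pool, amount_in: int) -> int:
    """Constructed defect: the fee is credited to the trader instead of charged,
    so the trader receives more Y than the curve allows and x*y shrinks."""
    in_after_fee = amount_in * (10_000 + pool.fee_bps)   # sign error
    amount_out = (in_after_fee * pool.reserve_y) // (pool.reserve_x * 10_000 + in_after_fee)
    pool.reserve_x += amount_in
    pool.reserve_y -= amount_out
    return amount_out


def demo():
    """Returns (honest_out, attack_blocked, false_positive, reserves_after)."""
    pool = Pool(reserve_x=1_000_000, reserve_y=1_000_000)

    honest_out = execute(pool, swap_x_for_y, 10_000)   # passes: the fee grows x*y

    try:                                                # defective path: reverted
        execute(pool, buggy_swap_x_for_y, 10_000)
        attack_blocked = False
    except InvariantViolation as err:
        attack_blocked = str(err) == "k_never_decreases"

    try:                                                # legitimate swap, over-tight rule
        execute(pool, swap_x_for_y, 10_000, invariants=[y_never_decreases])
        false_positive = False
    except InvariantViolation:
        false_positive = True

    return honest_out, attack_blocked, false_positive, (pool.reserve_x, pool.reserve_y)


if __name__ == "__main__":
    print(demo())
```

The honest swap passes and moves the reserves; the defective swap is rolled back before it changes anything, which is the "stop the attack at the moment it occurs" behaviour Park describes. The third call shows the design difficulty raised by Asymmetric Research: an invariant that is too tight rejects a perfectly legitimate trade, and every check in the list is computation paid for on each transaction, which is the gas cost Immunefi's lead points to.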

Existing Attempts

This idea is not entirely new. Projects such as Kamino and the XRP Ledger are reported to already use invariant checks, which shows that, despite the challenges, some teams are already on this path.

Summary

a16z’s call reflects an important shift in the DeFi industry: from an absolute pursuit of decentralization with “code is law” to a controllable security model with “standards are law.” In the face of $649 million in annual losses, this transition appears necessary and urgent.

However, implementing this solution is not without difficulties. Gas costs, the complexity of rule design, and other practical issues remain to be addressed. A deeper question is whether the DeFi industry is ready to make trade-offs between security and decentralization. This may be a core topic for ongoing industry discussions in the near future.
