On January 11, Daejun Park of a16z Crypto argued that DeFi protocols must hard-code safety guarantees to reduce hacks. He said standardized specifications should automatically revert transactions that violate protocol assumptions.
Park wrote that many attacks would have been stopped by such checks. “Almost every exploit to date would have tripped one of these checks during execution, potentially halting the hack,” he added and argued that “So the once-popular idea of ‘code is law’ evolves into ‘spec is law.’” (See the full post here.)
Interest in runtime enforcement has risen as exploits continue. A report by Slowmist reported hackers swiped over $649 million through code exploits last year (Ed. note: the total highlights recurring security gaps).
Even established projects proved vulnerable. The protocol Balancer lost about $128 million in November despite code running on Ethereum since 2021.
Security experts note trade-offs. Gonçalo Magalhães of Immunefi said, “It’s not the silver bullet.” He warned that extra checks raise gas costs and may hurt competitiveness.
Researchers also stress limits to invariants. Felix Wilhelm of Asymmetric Research said, “For many vulnerabilities and real-life hacks, it is difficult or even impossible to write an invariant that detects the hack without also triggering under normal circumstances.”
Some projects already use invariant checks. Kamino began such checks with Certora Prover (details), and the XRP Ledger implemented invariant checking with safeguards described here.
