Written by: Omer Goldberg , Founder of Chaos Labs
Compiled and edited by: BitpushNews
I founded Chaos because I believe in two things:
- The future of finance is on the blockchain.
- In no version of that future can on-chain systems be allowed to be less secure than the systems they replace.
Five years later, these two points remain true.
Chaos, together with partners such as Aave, Ethena, Kraken, PayPal, LayerZero, Jupiter, and GMX, is working toward this vision, having processed trillions of dollars in cumulative transaction volume with zero bad debt.
But five years of dedicated work in this field also means being able to observe closely everything that keeps going wrong.
Every exploit follows the same script.
A breakdown in certain links has resulted in the loss of millions of dollars, sparking outrage on Crypto Twitter.
Everyone agrees this is terrible!
But after a few weeks, we move on to the next farce. As attention wanes, nothing substantial changes.
The temptation is to zoom in on a single team, a single vulnerability, or a single missed checkpoint. Sometimes that kind of analysis really does matter; I've written many articles of that sort.
But after observing the same cycle for years, the pattern has become clear. These are not isolated failures.
Our industry structure is built to produce these results.
Incentives
Charlie Munger once said, "Tell me about your incentives, and I can tell you the results."
In traditional finance and Web2 security, risk management becomes **non-discretionary (mandatory)** once you access customer funds or critical systems. There are standards, audits, procurement requirements, insurance companies, and regulatory agencies. None of them are perfect, but collectively they form the bottom line.
Cryptocurrencies have never built that layer.
So yes, cryptocurrencies have a security issue.
But that security problem is downstream of a larger problem: market incentives.
Without that structure, growth looks like progress, while risk looks like cost.
A rational decision and a correct decision are not the same thing, and they will not be the same thing until the incentive mechanism changes.
How markets are established
If a cloud security company has $5 million in annual recurring revenue (ARR) and is growing rapidly in the right niche, acquirers and investors will compete for it at a valuation of 20 times revenue.
Google acquired Wiz for $32 billion at a valuation of more than 30 times its forward revenue.
These valuations did not come out of thin air.
They exist because buyers already exist, and buyers exist because regulation created them.
If you are handling payment data, PCI DSS will tell you what responsibilities you will bear.
If you are a publicly traded company, SEC (Securities and Exchange Commission) rules require you to disclose significant cybersecurity incidents.
Once this accountability mechanism is defined, budgets, procurement processes, and industry categories will follow.
Those geniuses who could have developed games, social applications, or B2B software chose to build security products because of the high financial rewards. Accountability creates demand, demand attracts talent, and talent is the true core of making systems more secure.
An efficient market will attract the people the industry needs most.
The evidence is in the compliance stack.
Some might say, "But cryptocurrencies do have large security companies. What about Chainalysis and TRM?"
This precisely proves my point. Consider the reasons these businesses exist:
If you are a money services business in the United States (and most crypto companies are), you must comply with the Bank Secrecy Act (BSA), OFAC sanctions screening, and FinCEN's anti-money laundering requirements.
- The Department of Justice (DOJ) previously fined OKX more than $500 million for failing to combat money laundering.
- Bittrex paid $29 million for allowing users to circumvent sanctions on Syria, Iran, and Cuba.
Moreover, this enforcement is becoming stronger, not weaker. The GENIUS Act brings payment-related stablecoins under the BSA's purview, and FinCEN's new whistleblowing framework means that every former employee now has an economic incentive to report compliance breaches.
Companies don't just buy one compliance solution. They buy two or three because when the Department of Justice or FinCEN comes to hold them accountable, the only question is whether you've made the "best effort."
This is the infrastructure for "Cybersecurity Aid" (CYA).
The IRS began working with TRM shortly after its launch, even though it had been using Chainalysis for years, precisely because it didn't want to put all its eggs in one basket. TRM was valued at $1 billion. Chainalysis peaked at $8.6 billion.
They exist for only one reason: buyers don't need to think about whether this issue is important.
Where is the gap?
Now, let's specifically look at which areas lack that forcing function:
- There is no Bank Secrecy Act equivalent for a lending protocol that holds $2 billion in user deposits.
- For a perpetual contract DEX (Perp DEX) that handles billions of order flows but does not stress test its liquidation engine, there is no accountability mechanism similar to OFAC.
- There are no mandatory disclosure requirements when governance parameters or multisig configurations change in ways that increase systemic risk.
- There are no procurement requirements when a protocol uses user funds to launch new vault strategies.
Chainalysis and TRM do not refute my argument. They are the argument itself. Where there is mandatory regulation, a market will form. Where there is no regulation, a market is absent.
I'm not here to defend regulation.
If you had told me back in 2013, when the Bitcoin white paper first nerd-sniped me, that I would one day write an article like this, I wouldn't have believed you.
I was expelled from school and dropped out of college; I've never been one to follow instructions. I worked for Meta/Instagram for many years, where the motto is "Move Fast and Break Things."
Therefore, I entered the crypto space with a deep anti-authoritarian mindset, firmly believing that we can build better things without any centralized authority telling us what to do.
But more than a decade later, I finally understood why standards and rules for protecting users exist. Not because they are perfect. They are clearly not perfect.
Rather, it's because, once we are completely left to do as we please, we repeatedly demonstrate what our true priorities are.
We have gained freedom. We have gained time.
The current state of the industry is a result of our choices, and the consequences are self-evident.
Adverse selection
Without a forcing function, the market runs in reverse.
In a healthy market, the entities that need security controls the most are most likely to adopt them, because it is essential.
In the crypto space, however, the situation is quite the opposite:
- The best teams will purchase security/risk infrastructure early on because they want to survive in the long run.
- The weakest teams will procrastinate, narrow the scope, or shop around on price until an incident makes the need undeniable. And these are the teams most likely to fail.
The category is shaped by adverse selection: the teams that need protection the most are, from a systemic perspective, precisely the ones least likely to pay for it.
The core asymmetry is quite simple:
Growth will be reflected in dashboards and investor updates.
Security in action manifests as "no news." In regulated markets, "nothing happening" still equates to compliance, audit preparation, board reports, and insurance company requirements. But in the cryptocurrency space, "no news" doesn't win you anything. It simply appears to be a cost item that can be cut.
Rational buyers, operating within these incentive mechanisms, can always find reasons to postpone their investment.
You are marketing "the absence of disaster" to buyers who are rewarded for growth.
The missing market structure not only affects "who buys," but also "what to buy" and "how much to buy."
Bank of America spends 6-10% of its revenue on compliance.
U.S. and Canadian financial institutions spend more than $61 billion annually on financial crime compliance. This expenditure exists because the underlying liability is non-negotiable.
Meanwhile, total bug bounty spending across the DeFi space in 2025 amounted to $112 million. This is one of the few quantifiable metrics for measuring the industry's proactive security investments, representing only about 0.33% of protocol revenue of $31 billion. In the same year, the industry lost $3.4 billion due to exploitation.
When faced with losses, the prevention budget is merely a rounding error.
This disparity is no accident. In regulated industries, security budgets track obligations, not quarterly sentiment. They withstand market downturns because the sense of responsibility remains constant. But in the crypto space, spending is discretionary, making it cyclical.
Those budgets disappear in the down cycle.
The same protocol may invest heavily in incentives, token listings, KOL promotions, and conference sponsorships, but become frugal again when it comes to projects involving risk or security.
This creates a compounding effect that most people didn't expect.
Companies that build risk and security infrastructure cannot hire in advance based on demand, cannot maintain R&D during downturns, and cannot generate compound interest like companies with a stable revenue floor.
Each cycle resets the maturity of the product category, meaning that the industry's security infrastructure is always underdeveloped relative to the scale it protects.
An industry that safeguards $130 billion in user deposits is investing in risk/security as if it were buying optional add-ons.
Attackers won't slow down in a bear market, but risk and security budgets will.
After five years of working in this field, I know the difference between categories funded by beliefs and categories driven by real needs.
You don't need regulators to tell you this.
If your app accepts user deposits, congratulations! You've entered the risk business. However the protocol frames itself, as infrastructure, a yield platform, or something decentralized, risk management stops being optional the moment you start custodying value or providing leverage.
This is not just a problem of a single participant.
This is a supply chain in which each participant has a rational reason to view the risk as the responsibility of others.
Investors assess growth. Auditors narrow their audit scope. Exchanges optimize listings. Custodians don't impose rigid control requirements. Nobody's irrational. That's the problem.
The system operated exactly as the incentive mechanism predicted, until a vulnerability exploit reminded everyone that the risk was always shared by everyone.
If the future of finance is on-chain, then the path there is to build systems worthy of hosting global capital.
Not systems that ask users to tolerate more risk in exchange for better economic returns.
Incentives and results
The market either builds this layer or continues to pay for its absence.
When an institution examines DeFi and determines that its risk model is not mature enough to justify its risk exposure, it is not a hypothetical cost. It is a measurable cost that the industry pays for in every cycle, along with exploits and preventable losses.
After five years of working in this field, I've come to realize one thing: you can't expect protocols to remain independent and consistent in choosing to invest in risk and security infrastructure when all other incentives in the market are pulling them in the opposite direction.
The voluntary model has reached its ceiling. No amount of post-incident conviction can permanently raise this limit. Demanding that individual founders and teams become more responsible within a system that rewards irresponsibility is hardly a strategy.
However, I believe that a different set of conditions is beginning to emerge. The convergence of on-chain finance and traditional finance is happening faster than most people imagined. As the lines between the two blur, regulatory gravity is increasing, whether cryptocurrencies like it or not. Institutions entering this space are bringing their compliance expectations, procurement processes, and risk frameworks.
The standards layer that crypto never built for itself may ultimately be imported by those who cannot operate without standards.
At the same time, something more fundamental is changing. For most of financial history, top-tier risk intelligence has been locked behind institutional budgets. AI is changing who can access it. Now, it's becoming possible to provide institutional-grade risk tools directly to users and investors, regardless of whether the applications they use have invested in risk and security.
However, technology alone cannot solve market structure problems.
The industry still needs to determine its true value.
In each cycle, we tell ourselves that the last exploit was a wake-up call, and things will be different in the future.
The crypto world has excelled at inventing new financial primitives. But making them secure enough to justify the trust people place in them is an engineering problem—and I believe the technology is in place for the first time. But engineering only makes sense when the industry decides that "security" is a necessity, not just a bonus.
Show me the incentives, and I'll show you the results.