The Market Crypto Never Built


I started Chaos because I believed two things:

  • the future of finance is onchain
  • there is no version of that future where onchain systems are allowed to be less secure than the systems they replace

Five years later, both are still true. Chaos has worked towards this vision with Aave, Ethena, Kraken, LayerZero, Jupiter Exchange, GMX, and others, processing trillions in cumulative volume with zero bad debt. But building in this space for five years also means watching, up close, everything that keeps going wrong.

Every exploit follows the same script.

Something breaks, millions vanish, and Crypto Twitter is outraged.

Everyone agrees it was bad!

But then a few weeks pass, and we're onto the next drama. As attention diverts, nothing meaningful changes.

The temptation is to zoom in on a single team, a single bug, a single missed check. Sometimes that analysis matters; I've written many of them.

But after years of watching the same cycle, the pattern is clear. These aren't isolated failures.

Our industry is built to produce these outcomes.

Charlie Munger said, "Show me the incentives, and I'll show you the outcomes."

In traditional finance and Web2 security, once you touch customer money or critical systems, risk becomes non-discretionary. There are standards, audits, procurement requirements, insurers, and regulators. None of them is perfect, but collectively they form a baseline.

Crypto never built that layer.

So yes, crypto has a security problem.

But the security problem is downstream of a larger market incentive problem.

Without that structure, growth looks like progress, and risk looks like cost.

The rational decision and the right decision aren't the same thing yet, and they won't be until incentives change.

How Markets Get Built

A cloud security company doing $5M in ARR, growing fast, in the right niche? Acquirers and investors will fight over it at 20x revenue.

Google acquired Wiz for $32 billion at north of 30x forward revenue.

Those valuations don't come from nowhere.

They exist because the buyers already exist, and the buyers exist because regulation created them.

If you handle payment data, PCI DSS tells you what you're accountable for.

If you're a public company, SEC rules require you to disclose material cyber incidents.

Once that accountability is defined, the budget, the procurement process, and the category follow.

Talented people who could build games, social apps, or B2B software choose to build security products because the economics reward it. Accountability creates demand, demand attracts talent, and talent is what actually makes systems safer.

An efficient market attracts the people the industry needs most.

The Proof Is in the Compliance Stack

Someone will say, "But crypto does have big security companies. What about Chainalysis and TRM?"

That's exactly the point. Look at why those businesses exist.

If you're a money services business in the U.S. (and most crypto firms are), you're subject to the Bank Secrecy Act, OFAC sanctions screening, and FinCEN's AML requirements.

DOJ fined OKX over $500 million for AML failures.

Bittrex paid $29 million for letting users evade sanctions in Syria, Iran, and Cuba.

And it's getting more enforceable, not less. The GENIUS Act brought payment stablecoins under the BSA, and FinCEN's new whistleblower framework means every departing employee is now financially incentivized to report compliance gaps.

Companies don't just buy one compliance solution. They buy two or three, because when the DOJ or FinCEN comes asking, the only question is whether you made a best effort.

It's CYA infrastructure.

The IRS began working with TRM soon after it launched, even though it had been using Chainalysis for years, specifically because it didn't want all its eggs in one basket. TRM reached a $1 billion valuation. Chainalysis peaked at $8.6 billion.

They exist for one reason: the buyer isn't contemplating whether the problem matters.

The Gap

Now name what doesn't have that forcing function.

There is no BSA for a lending protocol holding $2 billion in user deposits.

No OFAC-style liability for a Perp DEX routing billions in order flow without stress-testing its liquidation engine.

No mandatory disclosure when governance parameters or multisigs change in ways that increase systemic risk.

No procurement requirement when a protocol launches a new vault strategy with user funds.

Chainalysis and TRM don't disprove the thesis. They are the thesis. Where enforceable regulation exists, markets get built. Where it doesn't, they don't.

I didn't come here to argue for regulation

If you told me in 2013, when I first got orange-pilled by the Bitcoin white paper, that I'd be writing this essay, I wouldn't have believed you.

I've been expelled from schools, dropped out of university, and was sentenced to military prison for insubordination.

I came into crypto convinced we could build something better without any central authority telling us how.

Over a decade later, I've come to understand why standards and rules for protecting users exist. Not because they're perfect. They're obviously not.

But because left entirely to our own devices, we've demonstrated repeatedly what we actually prioritize.

We've had the freedom. We've had the time.

The industry today is the result of our choices, and the results speak for themselves.

Adverse Selection

Without a forcing function, the market inverts.

In a healthy market, the entities that most need safety controls are the ones most likely to adopt them, because they're required to.

In crypto, it's the opposite.

The best teams buy security/risk infrastructure early because they want to endure.

The weakest teams delay, under-scope, or shop on price until an incident makes the need undeniable. These are the teams most likely to blow up.

The category ends up shaped by adverse selection: the teams that most need protection are systematically the least likely to pay for it.

The core asymmetry is simple:

Growth shows up in dashboards and investor updates.

Security, when it's working, is the absence of a headline. In regulated markets, that "nothing happened" still maps to compliance, audit readiness, board reporting, and insurer requirements. In crypto, the absence of a headline doesn't earn you much. It just looks like a line item that could be cut.

The rational buyer, operating inside those incentives, will always find a reason to defer.

You're selling the absence of disaster to buyers who are rewarded for growth.

Discretionary Budgets, Non-Discretionary Problems

The missing market structure doesn't just affect who buys. It affects what they buy and how much they buy.

Banks in the U.S. spend 6-10% of revenue on compliance alone.

Total financial crime compliance across U.S. and Canadian financial institutions exceeds $61 billion annually. That spending exists because the accountability behind it is non-negotiable.

Meanwhile, total bug bounty payouts across DeFi in 2025 totaled $112 million. That's one of the only measurable proxies for proactive security investment across the entire industry, and against $31 billion in protocol revenue, it works out to roughly 0.33%. And in the same year, the industry lost $3.4 billion to exploits. The prevention budget was a rounding error next to the losses.

That gap is not an accident. In regulated industries, the security budget tracks obligation, not quarterly sentiment. It survives drawdowns because accountability does.

In crypto, your customer base is cyclical, treasury-driven, governance-heavy, and weakly constrained by procurement norms. In bull markets, budgets materialize.

In downturns, they vanish.

The same protocol that will spend aggressively on incentives, listings, KOL campaigns, and conference sponsorships will rediscover frugality the moment the line item is for risk or security.

This has a compounding effect that most people don't think about.

The companies building risk and security infrastructure can't hire ahead of demand, can't sustain R&D through downturns, and can't compound the way they would if the revenue floor were durable.

Every cycle resets the category's ability to mature, meaning the industry's infrastructure is perpetually underbuilt relative to the scale it's supposed to protect.

An industry that secures $130 billion in user deposits is spending on risk/security as if it were optional.

Exploiters don't slow down in bear markets, but the risk and security budgets do.

After five years of building in this space, I know the difference between a category funded by conviction and one that generates demand.

You Don't Need a Regulator to Tell You This

If your application accepts user deposits, you're in the risk business whether you like it or not. Whether the protocol wants to frame itself as infrastructure or a yield platform or a decentralized whatever, the moment you custody value or offer leverage, risk management stops being optional.

This isn't a problem with any single actor.

It's a supply chain where every participant has a rational reason to treat risk as someone else's responsibility.

Investors evaluate growth. Auditors scope narrowly. Exchanges optimize for listings. Custodians don't mandate controls. Nobody is being irrational. That's the problem.

The system works exactly as the incentives predict, right up until an exploit reminds everyone that the risk was shared all along.

If the future of finance is onchain, the path there is building systems that deserve to custody global capital.

Not systems that ask users to tolerate more risk in exchange for better (??) economics.

Incentives and Outcomes

The market will either build this layer or keep paying for its absence.

When an institution looks at DeFi and decides the risk model isn't mature enough to justify the exposure, that's not a hypothetical cost. It's a measurable one, and the industry pays it every cycle alongside the exploits and the preventable losses.

After five years of building in this space, one thing has become clear to me: you cannot rely on protocols to independently and consistently choose to invest in risk and security infrastructure when every other incentive in the market is pulling them in the opposite direction.

The voluntary model hit a ceiling. No amount of post-exploit conviction will permanently raise it. Asking individual founders to be more responsible inside a system that rewards them for being less responsible is not a strategy. It's a hope.

But I think the conditions for something different are starting to emerge. Onchain finance and traditional finance are converging faster than most people realize. As the lines between them blur, regulatory gravity increases, whether crypto wants it or not. The institutions entering this space are bringing their compliance expectations, procurement processes, and risk frameworks.

The standards layer that crypto never built for itself may end up being imported by the people who can't operate without one.

At the same time, something more fundamental is changing. For most of financial history, the best risk intelligence has been locked behind institutional budgets. AI is changing who can access it. It's becoming possible to put institutional-quality risk tools directly in the hands of users and investors, regardless of whether the applications they use have invested in risk and security.

But technology alone doesn't fix a market-structure problem.

The industry still has to decide what it actually values.

Every cycle we tell ourselves the last exploit was the wakeup call, that things will be different going forward.

Crypto has been extraordinary at inventing new financial primitives. Making them safe enough to deserve the trust people are placing in them is an engineering problem, and for the first time, I think the technology is there. But the engineering only matters if the industry decides that protection is a requirement, not a nice-to-have.

Show me the incentives, and I'll show you the outcomes.

Chaos Labs. Copyright 2026.