Andre Cronje says much of what now runs in decentralized finance no longer fits the original, code‑first DeFi model, prompting renewed debate over whether emergency controls like circuit breakers are necessary to protect users.
Cronje, founder of Flying Tulip, told Cointelegraph that many modern protocols behave like for‑profit businesses: they use upgradeable contracts, rely on off‑chain infrastructure and maintain operational controls. That evolution shifts the security focus away from immutable smart contracts toward governance, infrastructure access and human processes. Early DeFi emphasized immutability; newer systems often depend on proxy upgrades, multisigs, timelocks and operational teams.
April’s string of high‑profile incidents — including major problems at Drift Protocol and restaking platform Kelp, with estimated losses around $280 million and $293 million respectively — pushed builders to address operational risk as well as code vulnerabilities. In response, Flying Tulip introduced a withdrawal circuit breaker intended to delay or queue withdrawals during unusually large outflows, giving the team time to react.
Cronje says the circuit breaker is not meant to permanently stop withdrawals but to create a response window. In Flying Tulip’s case the mechanism can provide roughly six hours to investigate and respond; other teams, especially smaller or less geographically distributed ones, may need 12–24 hours. He describes the breaker as one layer among audits, distributed multisigs, timelocks and other controls: “Security is always a layered approach.”
Others warn such measures carry trade‑offs. Curve Finance and Yield Basis founder Michael Egorov argues that many recent failures trace to centralization and off‑chain dependencies rather than smart contract bugs. He notes incidents where the exploited component was infrastructure or administrative access, not the on‑chain code itself, and cautions that circuit breakers controlled by humans could themselves become attack vectors. If emergency signers have power to change code or freeze funds, a compromised signer could turn safeguards into drains or centralized freeze tools. Egorov says the long‑term aim should be systems that run safely without manual intervention, minimizing human‑centric single points of failure.
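The delay-only breaker Cronje describes, written so that it also respects Egorov's caveat about human-controlled safeguards, as an added example (a Python model written for this page, not Flying Tulip's contract code). The class name, the one-hour window and the 10% outflow limit are assumptions; only the six-hour delay comes from the article.

```python
from collections import deque

WINDOW_S = 3600           # assumed: rolling window used to measure outflow
MAX_OUTFLOW_BPS = 1000    # assumed: 10% of funds may leave instantly per window
DELAY_S = 6 * 3600        # response window of roughly six hours (from the article)

class WithdrawalBreaker:  # hypothetical name, for illustration only
    def __init__(self, tvl):
        self.tvl = tvl        # funds held, including amounts waiting in the queue
        self.paid = deque()   # (time, amount) instant payouts inside the window
        self.queue = []       # (release_time, user, amount); release time fixed at entry

    def _outflow(self, now):
        # Drop payouts that have aged out of the rolling window, then sum the rest.
        while self.paid and self.paid[0][0] <= now - WINDOW_S:
            self.paid.popleft()
        return sum(amount for _, amount in self.paid)

    def withdraw(self, user, amount, now):
        reserved = sum(a for _, _, a in self.queue)
        if amount <= 0 or amount > self.tvl - reserved:
            raise ValueError("invalid amount")
        outflow = self._outflow(now)
        # Limit is a share of the funds held at the start of the window.
        limit = (self.tvl + outflow) * MAX_OUTFLOW_BPS // 10_000
        if outflow + amount <= limit:
            self.tvl -= amount
            self.paid.append((now, amount))
            return "paid"
        # Breaker tripped: delay, never reject. No role can extend or cancel the entry.
        self.queue.append((now + DELAY_S, user, amount))
        return "queued"

    def claim(self, user, now):
        # Permissionless release: matured entries pay out with no signer involved,
        # so a compromised operator cannot turn the delay into a freeze.
        due = [e for e in self.queue if e[1] == user and e[0] <= now]
        self.queue = [e for e in self.queue if e not in due]
        total = sum(a for _, _, a in due)
        self.tvl -= total
        return total

if __name__ == "__main__":
    v = WithdrawalBreaker(1_000_000)                 # constructed sample vault
    print(v.withdraw("a", 50_000, 0), v.withdraw("b", 60_000, 10))
    print(v.claim("b", 10 + DELAY_S - 1), v.claim("b", 10 + DELAY_S))
```

Instant outflow in any window is capped at the limit even if a large withdrawal is split into many small ones, and the only privileged action the model lacks by design is the ability to hold a queued withdrawal past its release time.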
For upgradeable protocols, experts emphasize governance safeguards: clear rules about who can upgrade, proper approval processes, robust timelocks and distributed multisignature controls are essential to reduce centralization risk.
Institutional observers see signs of maturation. Standard Chartered characterized the Kelp episode as a growing pain that revealed systemic risks but also spurred defensive moves: the DeFi United coalition raised more than $300 million, and projects are advancing upgrades such as Aave V4 and the Ethereum Economic Zone, which could reduce dependence on bridges — a frequent attack vector.
As DeFi architectures evolve beyond strictly immutable code, the community faces a balancing act: add operational controls to limit fast, catastrophic losses, while avoiding concentrated privileges that introduce new vulnerabilities. Readers are encouraged to verify developments independently as teams and protocols adapt their security models.