I've seen it happen too many times. A DeFi protocol gets hacked and exploited, and billions are lost. Without demonstrating any compassion, the community rushes to play the blame game, looking for someone to punish. The hack of Voltage Finance, and the fallout that immediately followed it, is a perfect illustration. It’s easy to point the finger at the code. As we’ll see below, it was ERC677 tokens’ somewhat obscure “built-in callback function” that made the widely documented 2022 reentrancy attack possible. After the March 2024 Simple Staking pool exploit, it was much easier to turn against the developer. He had his access revoked and is now facing police reports. But is that really the whole story? Are we as a field fighting the wrong battle?
Is Code the Only Culprit?
We like to throw around this idea of “trustless” systems in DeFi. We make grand claims about the unchangeability of code, the openness of the blockchain. However, behind every line of code is a human being. Human beings make mistakes. Human beings are fallible. In the process, sometimes human beings are taken advantage of, much like the Voltage Finance protocol was.
The recent news is a punch in the gut. The hacker behind the 2022 Voltage Finance exploit just funneled 100 ETH through Tornado Cash. A stagnant address just came back to life after being dormant for 166 days. It’s a sobering reminder that as we’re all glued to our IDEs patching code and reporting exploits, actual human lives are at stake. Thousands of ordinary folks around the world poured their savings into these platforms, motivated by their shared faith in the potential of DeFi. Now, they’re the ones stuck holding the bag.
Think about this: Voltage Finance offered a $50,000 bounty after the March 2024 exploit. They reported the attack on the attacker’s address after the 2022 hack attempt and attempted to settle. What about the victims? What concrete support was provided above and beyond the nebulous expectation that the protocol would bounce back?
Developers Need Support, Not Scapegoats
The story of the developer subsequently investigated after the staking pool exploit is what really gets to me. I'm not saying they're innocent or guilty. What I’m getting at here is that the default reaction can’t be suspicion and punishment. Instead, we need to ask: What kind of support system exists for developers in the DeFi space? Are they given adequate resources? Have they undergone the right education to follow secure coding practices? Are they incentivized to rush code out the door, sometimes with security short-circuited?
And I can’t help but draw the parallel to the traditional finance world. When a bank is robbed, do they first fire the teller? No. They do the hard work of looking deeper at the protocols, the training, and the very system itself. We need to use the same reasoning when it comes to regulation of DeFi. Scapegoating one developer seems like a ploy to ignore more troubling, systemic problems.
I think we owe the developer who worked on the staking pools a due process investigation, not a cyber public trial. It’s tempting to point the finger. It’s a lot harder to address the uncomfortable truth of the culture they were in.
DeFi's Moral Compass Is Broken
The crypto space usually loves to pride itself on innovation and disruption. At other times, it seems as if we have lost all sense of right and wrong. The increase in crypto losses, as magnified by April’s shocking 1,163% jump, is deeply concerning. Even if we ignore the jaw-dropping $330.7 million Bitcoin scam that preyed on seniors, things are still bad. This $34 million in added losses represents an incredible 21% increase since March.
We celebrate the successful recovery of funds in cases like the KiloEx exploit ($7.5 million returned!) and the ZKsync airdrop incident ($5 million recovered!). These are great stories. But let’s not kid ourselves: millions are still being lost. Millions of others are just as hungry and the pain goes well beyond the shelves of a grocery store.
The reality is, securing DeFi is more than just writing code. It's about people. It’s not just the sign-ups. It’s about creating a culture of empathy, accountability, and support. We are deeply committed to creating a culture where developers thrive. They need to be empowered to build robust security systems—not incentivized to cut corners and go fast. It’s about understanding that under every transaction, every smart contract, every exploit, are real human lives and livelihoods.
Let's stop the victim blaming. Together, we can begin to create a more human-centered DeFi ecosystem. And really, it’s the only way we’re going to build something that lasts.