Andre Cronje, the founder of Flying Tulip, has stirred debate by saying much of what is called decentralized finance today is no longer truly DeFi. In an interview with Cointelegraph, Cronje argued that many protocols are now “teams running for-profit businesses” rather than immutable public goods. He pointed to upgradeable contracts, offchain infrastructure, and operational controls as signs that the original vision of DeFi has shifted.
DeFi shifts away from immutability
Early DeFi protocols relied mostly on immutable smart contracts, according to Cronje. But newer systems often depend on proxy upgrades, multisigs, infrastructure providers, admin processes, and human response teams. “I think what we have today, Flying Tulip included, is no longer DeFi. It’s not decentralized finance. It’s not immutable code,” Cronje said. His comments come after April’s DeFi exploits pushed security narratives beyond smart contract audits and into questions of operational risk.
On April 23, Flying Tulip added a withdrawal circuit breaker designed to delay or queue withdrawals during abnormal outflows. This move followed major incidents involving decentralized exchange Drift Protocol and restaking platform Kelp, with estimated losses of about $280 million and $293 million, respectively.
Risks move beyond smart contracts
Cronje said the industry focuses heavily on audits, but many systems can be changed by developers or controlled through administrative processes. “The focus over all of the industry is still very much so on the contract side and not sort of the more TradFi side,” he told Cointelegraph. He added that many recent exploits have involved “traditional Web2 stuff” such as infrastructure access, compromises, and social engineering. Protocols with upgradeable contracts need traditional checks and balances, he said, around who can upgrade code, who approves changes, and whether there are proper timelocks and multisig controls.
Curve Finance and Yield Basis founder Michael Egorov shared a similar view. “The vast majority of the most recent DeFi exploits happened not due to errors in code,” Egorov told Cointelegraph. “They happened because of centralization risks — single points of failure which live off-chain.” He said Aave, Kelp, and LayerZero smart contracts were not hacked in the recent rsETH incident; instead, the compromise came from offchain infrastructure. Egorov argued that DeFi protocols can be exposed to “a whole tree of risks,” with the largest risks often tied to humans rather than code.
Circuit breakers divide opinion
Cronje said Flying Tulip’s circuit breaker is not designed to permanently block withdrawals but to create a response window when outflows exceed normal parameters. “Our circuit breaker isn’t actually designed so that we can stop or prevent anything from happening,” he said. “It’s to give us time to react.” The system gives the team about six hours, though Cronje said smaller or less geographically distributed teams may need 12 to 24 hours, or even longer. He said the tool makes sense for contracts holding user funds but should be viewed as one layer among audits, distributed multisigs, timelocks, and other controls. “Security is always a layered approach,” he added. “It’s never a ‘this is the one thing’ that makes you invulnerable.”
Egorov was more cautious. He said circuit breakers can make sense in theory but only if implemented in a way that does not create a new privileged attack surface. “The circuit breakers are controlled by humans, which means they could become a potential vulnerability themselves,” he said. He warned that if emergency controls allow signers to change contract code or block withdrawals, compromised signers could turn the safeguard into a drainer or a centralized freeze mechanism. In his view, the better long-term answer is to design systems that can keep running safely without manual intervention. “The goal of DeFi design should be to minimize human-centric points of failure, not add to them,” Egorov said. “DeFi needs to be safe, and safety comes from decentralization.”
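The mechanism both founders describe, as an added Python example (not Flying Tulip's contract code and not from the interview): withdrawals are paid immediately until outflows in a rolling window look abnormal, then queued for a fixed delay and released automatically, with no signer-controlled function that could extend the delay or freeze funds. The one-hour window, the 10% threshold and all class and method names are assumptions; only the six-hour delay comes from the article.

```python
from collections import deque

WINDOW = 3600            # assumed: rolling window for measuring outflows, seconds
MAX_OUTFLOW_BPS = 1000   # assumed: 10% of funds held per window counts as normal
DELAY = 6 * 3600         # six-hour response window, the figure quoted in the article


class WithdrawalBreaker:
    """Toy vault (hypothetical). Abnormal outflows delay payouts, never refuse them,
    and there is no admin method: release depends only on elapsed time."""

    def __init__(self, balance):
        self.balance = balance       # all funds held, including queued payouts
        self.reserved = 0            # funds earmarked for queued payouts
        self.outflows = deque()      # (timestamp, amount) paid immediately
        self.queue = deque()         # (release_at, user, amount)
        self.tripped_until = 0

    def _recent_outflow(self, now):
        while self.outflows and self.outflows[0][0] <= now - WINDOW:
            self.outflows.popleft()
        return sum(amount for _, amount in self.outflows)

    def withdraw(self, user, amount, now):
        if not 0 < amount <= self.balance - self.reserved:
            raise ValueError("invalid amount")
        recent = self._recent_outflow(now)
        # Integer basis-point comparison against the funds held at window start.
        abnormal = (recent + amount) * 10_000 > MAX_OUTFLOW_BPS * (self.balance + recent)
        if now >= self.tripped_until and abnormal:
            self.tripped_until = now + DELAY   # fixed window: later requests cannot extend it
        if now < self.tripped_until:
            self.queue.append((now + DELAY, user, amount))
            self.reserved += amount
            return "queued"
        self.balance -= amount
        self.outflows.append((now, amount))
        return "paid"

    def claim(self, now):
        """Callable by anyone: pays every queued withdrawal whose delay has elapsed."""
        paid = []
        while self.queue and self.queue[0][0] <= now:
            _, user, amount = self.queue.popleft()
            self.balance -= amount
            self.reserved -= amount
            paid.append((user, amount))
        return paid
```

Because a trip sets `tripped_until` once and requests made during the window do not move it, a stream of small withdrawals cannot hold the vault in the queued state indefinitely.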
Standard Chartered sees resilience
Standard Chartered framed the Kelp episode as a sign of DeFi’s growing pains rather than a fatal failure. In a research note seen by Cointelegraph, the bank said the April 18 theft exposed systemic risks after the impact spread to Aave but noted that the more than $300 million raised by the DeFi United coalition and structural changes such as Aave V4 and the Ethereum Economic Zone suggest the sector is developing stronger defenses. The bank said those upgrades could reduce reliance on bridges, which it described as a major attack vector in recent crypto hacks.
