You Can't Code Your Way Out of Risk | Amor Sexton | Blockdaemon [EP. 314]
![You Can't Code Your Way Out of Risk | Amor Sexton | Blockdaemon [EP. 314]](https://s3.us-west-1.amazonaws.com/redwood-labs/showpage/uploads/images/3ebbcd30-f24c-465f-bf42-bff25238fd35.jpg)
In the last few weeks, Drift Protocol and Kelp DAO lost $577 million between them. Neither one was a code exploit. Both were operational and governance failures.
That's the conversation Pete sits down with Amor Sexton to have on EP 314 of MoneyNeverSleeps — and it's the conversation the industry isn't having loudly enough.
Amor is Chief Operating Officer at Blockdaemon, one of the world's leading institutional-grade blockchain infrastructure providers. She was last on the show in October 2022 (EP 193), back when she was Head of International Operations at Blockdaemon, talking about how institutional client expectations of resilient processes were going to drive blockchain adoption. Three and a half years later, the industry just got an extremely expensive lesson in exactly that thesis.
The reframe: this isn't security, it's governance
The headlines on Drift and Kelp called them hacks. But neither attack involved breaking the code. Drift was social engineering: attackers spent months posing as a quantitative trading firm, building trust with Drift contributors at conferences, and eventually got Security Council members to pre-sign transactions that handed over admin control. Kelp was an infrastructure configuration choice: a 1-of-1 LayerZero verifier, meaning a single verifier with no redundancy, a setup LayerZero itself had publicly recommended against. It was exploited through an RPC node compromise combined with a DDoS to force failover.
In both cases, the smart contracts did exactly what they were told to do. The compromise happened at the human and operational layer.
As Amor puts it on the episode: "You can't just code your way out of some of this. The technology can mitigate some risks through decentralization, but you still have to make the right decisions."
What the industry isn't talking about
Amor's central argument is that the conversation in DeFi has stalled at compliance. And compliance is just one slice of risk — a specific question about what happens if you don't follow a particular rule. Real risk management is bigger: governance, technology risk, product risk, market risk, counterparty risk. The kind of decision-making architecture that institutional players take for granted, and that DeFi protocols are still piecing together in public, with real money on the line.
She references Peter Bernstein's Against the Gods — the book about how the modern economy was built on humanity's ability to calculate, model, and price risk rather than treating loss as the will of the gods. Markets that can't calculate and mitigate risk don't grow. That's the foundation Amor is asking DeFi to build on, before the next $300 million event.
Speedrunning the guardrails
Pete brings in two voices to test Amor's framing.
The first is Alejandro Gutierrez of Solana Superteam Ireland, who Pete had on the show two weeks earlier. Pete and Alejandro landed on the same two words for what's missing: governance and guardrails. Alejandro made the point that no institutional player managing even a quarter of that money — say $150 million — would have run with the operational framework Drift or Kelp had.
The second is Pluto, a veteran of THORChain and AirSwap now building Harbor (a native asset DEX), who appeared on Castle Island Ventures' On the Brink podcast with Nic Carter. Pluto's line: "Everything that TradFi has built in terms of the circuit breakers, we're just speed running, relearning those things in crypto."
Amor agrees — and pushes the point further. The temptation, she says, is to hire a few TradFi CISOs and call the problem solved. But TradFi-level security people don't have a clue what they're getting themselves into. The actual answer is collaboration: ongoing, iterative, with both skill sets in the room — people who've operated guardrails for forty years, and crypto natives who understand validator networks, MPC, and cross-chain messaging.
The detail that stops you cold
The most arresting moment in the episode is when Amor turns to the Kelp configuration. The vulnerability wasn't unknown. It had been publicly documented since January 2025. And yet — by Amor's read of the data — something like 47% of operators chose that single-verifier configuration anyway.
It wasn't ignorance. It was a choice. Either operators didn't assess the risk, or they assessed it and decided it wasn't important enough to address. That's not a technology problem. That's a culture problem.
The takeaway: three governance questions
Pete closes with the question every founder, operator, and LP should be sitting with: what are the two or three governance questions almost nobody is asking right now?
Amor's answer:
- Who actually makes decisions? Get an inventory of all decisions that can be made unilaterally by the protocol. Look beyond the governance token and the DAO structure to the humans who hold the keys, who control the multi-sig thresholds, and what the accountability framework around them actually looks like.
- Are named individuals signing off on risk assessments? When a configuration decision like Kelp's gets made, was it an actual decision someone owned — or was it a decision-by-default, where no risk assessment ever happened? Single points of failure should be identified and signed off, not stumbled into.
- Is there a culture of risk assessment? Not a tick-box exercise. A genuine, continuous-monitoring, vigilance-first culture that can withstand a sophisticated attacker willing to spend months exploiting your vulnerabilities. Because that's what happened at Drift.
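The first two questions above (who can act unilaterally, and whether a single point of failure was consciously signed off) can be turned into a repeatable check. The script below is an added example, not code from the episode, from Blockdaemon, or from any of the protocols discussed. It assumes a hypothetical inventory format in which every control point (a multisig, a verifier set, a pause key) lists its threshold, its keys, the entity that actually controls each key, and the named person who signed off on the configuration. The important design choice is that it counts controlling entities rather than keys: a 3-of-5 multisig where one organisation holds three keys is operationally 1-of-1, just like the single-verifier configuration at Kelp. The sample inventory and all names in it are constructed.

```python
"""Audit a protocol's control-point inventory for single points of failure.

Added example; the inventory schema and every name below are assumptions,
not the configuration of any real protocol.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class ControlPoint:
    """One place where a decision can be executed on-chain.

    signers maps a key or operator identifier to the entity that actually
    controls it (a person, an org, or a hosting provider). The question is
    not how many keys exist but how many independent parties must act.
    """
    name: str
    threshold: int
    signers: dict[str, str]
    owner: Optional[str] = None  # named person who signed off on this config


def effective_threshold(cp: ControlPoint) -> Optional[int]:
    """Fewest distinct entities whose combined keys reach the threshold.

    Returns None when the threshold cannot be reached at all (misconfigured
    or a key holder has been removed without lowering the threshold).
    """
    keys_per_entity = sorted(Counter(cp.signers.values()).values(), reverse=True)
    reached, entities = 0, 0
    for n in keys_per_entity:
        entities += 1
        reached += n
        if reached >= cp.threshold:
            return entities
    return None


def audit(inventory: list[ControlPoint]) -> list[tuple[str, str, str]]:
    """Return (control point, finding code, detail) for every problem found."""
    findings: list[tuple[str, str, str]] = []
    for cp in inventory:
        eff = effective_threshold(cp)
        if eff is None:
            findings.append((cp.name, "UNREACHABLE",
                             f"threshold {cp.threshold} exceeds {len(cp.signers)} keys"))
        elif eff == 1:
            findings.append((cp.name, "SPOF",
                             f"{cp.threshold}-of-{len(cp.signers)} on paper, "
                             f"but one entity holds enough keys to act alone"))
        if cp.owner is None:
            findings.append((cp.name, "UNOWNED",
                             "no named person signed off on this configuration"))
    return findings


# Constructed sample inventory; hypothetical names only.
SAMPLE_INVENTORY = [
    # A single verifier: 1-of-1 and nobody owns the decision.
    ControlPoint("bridge-verifier", 1, {"dvn-a": "VerifierCo"}),
    # Looks like 3-of-5, but one org controls three of the keys.
    ControlPoint("admin-multisig", 3,
                 {"k1": "FoundationOps", "k2": "FoundationOps",
                  "k3": "FoundationOps", "k4": "Auditor", "k5": "Investor"},
                 owner="cto@example.invalid"),
    # Genuinely 2-of-3 across independent people, with a named owner.
    ControlPoint("treasury", 2, {"t1": "Alice", "t2": "Bob", "t3": "Carol"},
                 owner="risk-committee"),
    # Threshold higher than the number of keys: can never execute.
    ControlPoint("pauser", 4, {"p1": "A", "p2": "B", "p3": "C"},
                 owner="risk-committee"),
]


if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE_INVENTORY):
        print(f"{name:16} {code:12} {detail}")
```

Run it and the treasury multisig is the only control point that passes: the verifier and the admin multisig are both flagged as single points of failure, the verifier additionally has no signed-off owner, and the pause key is flagged as unreachable. A finding of UNOWNED is the "decision-by-default" case from the second question; SPOF is the answer to the first.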
It's not a sexy answer. Risk committees aren't sexy. Named decision-makers and continuous monitoring frameworks aren't sexy. But they're what stops the next $300 million event.
As Pete puts it near the end of the conversation: "It's amazing that with all of this technology, it comes back to people."
Amor's response: "It always does."
In this episode
- Why Drift and Kelp weren't really hacks, and why that distinction matters
- Compliance as a subset of risk, not a substitute for it
- Against the Gods and what modern economies were built on
- The Web2/human layer compromise that exploits a legitimate Web3 feature
- Why Alejandro Gutierrez and Pete agree it comes down to governance and guardrails
- Pluto on Castle Island: speedrunning the circuit breakers TradFi already built
- Multi-party computation as a technical solution that still needs governance around it
- The Kelp vulnerability that 47% of operators chose anyway
- Three governance questions every DeFi protocol and LP should be asking right now
- Why it always comes back to people, not code
About Amor Sexton
Amor Sexton is Chief Operating Officer at Blockdaemon, the leading institutional-grade blockchain infrastructure platform. Amor was previously Head of International Operations at Blockdaemon and has held senior operational and risk-focused roles across the digital asset industry over more than a decade.
Connect with Amor: LinkedIn: linkedin.com/in/amor-sexton
About MoneyNeverSleeps
MoneyNeverSleeps is hosted by Pete Townsend, GP at Norio Ventures. Sharp riffs, big ideas, and real insights from smart people in crypto, fintech, AI, and onchain finance.
Connect with Pete:
LinkedIn: https://www.linkedin.com/in/petetownsendnv/
X: @petetownsendnyc
Norio Ventures: https://www.norioventures.com
Subscribe to MoneyNeverSleeps: YouTube · Spotify · Apple Podcasts
Referenced in this episode
- EP 193: Amor Sexton on Blockdaemon and Web3 infrastructure (October 2022)
- EP 312: Alejandro Gutierrez of Solana Superteam Ireland
- On the Brink with Castle Island Ventures, Nic Carter in conversation with Pluto (Harbor)
- Against the Gods: The Remarkable Story of Risk by Peter Bernstein
Chapters
00:00 Cold open
00:24 Welcome back to MoneyNeverSleeps
00:55 $577M, 18 days, no code exploit
02:00 Compliance is a subset of risk
03:15 Guardrails and governance
04:30 The Web2 layer compromise
05:45 Speedrunning what TradFi already built
07:30 Why 47% chose the risky configuration
09:00 Three governance questions every protocol should answer
12:30 It always comes back to people
13:30 Sign off
#MoneyNeverSleeps #Blockdaemon #DeFi #Crypto #AmorSexton #Governance #RiskManagement