You Can't Code Your Way Out of Risk | Amor Sexton | Blockdaemon [EP. 314]

(0:00) Pete Townsend: This isn't a case of someone please call security. It's a case of someone please call the risk committee. Some of these organizations don't have risk committees.

(0:07) Amor Sexton: You can't just code your way out of some of this as well. The trust in the technology and the ability for the technology to mitigate some risks, for example, through decentralization is definitely there, but you still have to make the right decisions.

(0:21) Pete Townsend : Welcome to Money Never Sleeps. Sharp riffs, big ideas, and real insights from smart people. I'm Pete Townsend, GP at Norio Ventures. Let's go. So my guest today is Amor Sexton, chief operating officer at Blockdaemon.

(0:38) Pete Townsend : She was last on the show in October 2022, way back on episode one ninety three, and we were talking about how institutional client expectations of resilient processes were going to drive blockchain adoption. Amor, welcome back to Money Never Sleeps.

(0:55) Amor Sexton: Thank you. Good to be back.

[00:00:57] Pete Townsend: Wonderful. [00:01:00] So, in the last few weeks, Amor, you're familiar with Drift and Kelp, DeFi protocols, platforms that lost $577 million between them. Neither one of them was down to a code exploit. They were actually operational and governance failures. How does it feel to be three and a half years early on the exact thesis the industry just got an extremely expensive lesson on ?

[00:01:28] Amor Sexton: Yeah, well, to be honest, not great. I don't think it feels good when you're predicting a situation where anyone suffers loss. Yeah, I'd, I'd much rather be able to predict the price of crypto . I think that would be, that would be something I'd be, I'd be more proud of. But you know, again, I think it's something that is underplayed as an industry.

[00:01:48] Amor Sexton: I said it three and a half years ago, and I'm still saying it now. As an industry, we don't talk enough about risk management. We spend a lot of time talking about compliance . But risk is really, and the ability to [00:02:00] calculate risk is really what determines capital investment into an economy. And you know, I was just telling you earlier before we started, I remembered I'd read this book, "Against the Gods" by Peter Bernstein, and he argues that the ability to actually recognize that the future's not just a whim of the gods.

[00:02:20] Amor Sexton: You know, in ancient times, economic catastrophic loss was just divine will or, or, or misfortune. But once people actually understood that you could calculate risk, you could calculate probability, you could model it, you could price uncertainty in, and all of a sudden it changed the way that economies worked, and it brought about the modern economy.

[00:02:39] Amor Sexton: You know, everything from insurance against risk, the ability to hedge it and transfer it. if markets can't calculate and mitigate risk, they won't grow. And I think that's, again, coming back to this concept that governance and risk management is so important for institutional adoption in, in, you know, whether it's, it's DeFi or just crypto more broadly.[00:03:00]

[00:03:00] Amor Sexton: I think taking some lessons and looking back at how the concept of risk mitigation has evolved

[00:03:05] Amor Sexton: will be really helpful for the industry.

[00:03:07] Pete Townsend: Yeah, absolutely. This isn't a case of someone please call security. It's a case of someone please call the risk committee. And some these, some of these, organizations don't have risk committees.

[00:03:17] Amor Sexton: They don't. I mean, I think even just the concept of, or the terminology and the nomenclature can be a little bit confusing in the industry. So people talk about compliance, and they think that's everything that you need to know. But, you know, compliance is a subset of risk.

[00:03:34] Amor Sexton: Managing a company and managing risks is so much bigger than that. It's, it's about governance, so the decision-making architecture that you have to be able to manage risk. It's about, you know, technology risk. It's about product risk, market risk, counterparty risk as we, as we saw with, you know, the whole FTX incident as well.

[00:03:53] Amor Sexton: So I think we just need to mature the conversations in the industry and, acknowledge that you, [00:04:00] you can't just code your way out of some of this as well. The trust in the technology and the ability for the technology to mitigate some risks, for example, through decentralization, is definitely there, but you still have to make the right decisions.

[00:04:14] Amor Sexton: And we just need to mature the conversation as an industry, stop talking about compliance at every single panel that I get asked on, um, and talk a little bit more about how we bring some of the useful things that the TradFi industry has developed over the years into, into this new industry as well.

[00:04:33] Pete Townsend: Definitely. When I had Alejandro Gutierrez, our friend, on the show a couple of weeks ago We both landed on the same two words, and you're saying one of them governance, the other one is guardrails.

[00:04:43] Pete Townsend: What he suggested was that no institutional player managing even a quarter of that money, say 150 million, would've run with the operational framework that Drift or Kelp had. What is that gap?

[00:04:57] Amor Sexton: It's not just about the technology and the [00:05:00] Web3 layer, it's looking at the attack surface more broadly . Or the vulnerabilities, I guess, because it's not just about attack, although in these two instances it was.

[00:05:08] Amor Sexton: In both of these cases, what I found really interesting is that it was the, the Web2 or the human layer that was compromised, but then the compromise was of a very legitimate specific Web3 feature, in both cases.

[00:05:25] Amor Sexton: I think it's about recognition that making decisions beyond just the technology itself and looking at the people, the processes, and looking at it as an entire framework. I think that's the main difference that people need to make. You, you can't just rely on, you know, you can't just rely on a governance forum through governance tokens.

[00:05:51] Amor Sexton: You actually have to have more of a process around it. And humans are the ones that make decisions at the end of the day, even when it comes to setting up technology. [00:06:00] So looking at governance of humans and, and the role that humans play in the process, I think is really important and For me, sometimes in this industry, there's such a focus on trusting the technology without the recognition that humans are the one that-- humans are the ones that are controlling the technology at the end of the day.

[00:06:17] Amor Sexton: And so do you actually have that culture in your company amongst your people as well? I think that's a really important part of risk management, that's underplayed. It's not just ticking the boxes.

[00:06:27] Pete Townsend: Yeah, definitely , i was listening to the "On the Brink" podcast that Castle Island Ventures does, yesterday. And last week they had on a guy called Pluto, and he's a veteran of DeFi cross-chain systems.

[00:06:39] Pete Townsend: And he said this, to quote him: "Everything that TradFi has built in terms of the circuit breakers, we're just speed running, relearning those things in crypto."

[00:06:51] Pete Townsend: What does that actually look like for taking these 40, 50 years worth of TradFi operatives that are leaning on [00:07:00] a security-guided operating model to crypto natives who understand things like validator networks and cross-chain messaging? How do you get these people into a room talking to each other ?

[00:07:11] Amor Sexton: It's about making sure that the leadership of any initiative, whether it's a company or it's a, a DeFi initiative or a partnership, that you have both of those skill sets there. Because I think it's also about iteration. So for example, multi-party computation actually addresses specific risks that the TradFi industry has found different ways of addressing through more, kind of operational processes and procedures.

[00:07:38] Amor Sexton: But multi-party computation actually delivers a technological solution to that.

[00:07:43] Amor Sexton: But then at the same time, as we saw with Drift, it doesn't bring the whole solution. You still need to have that governance framework around it.

[00:07:49] Amor Sexton: So I think it's about not just a once-off knowledge sharing type situation, but a genuine ongoing collaboration between two different types of experts with iterative [00:08:00] learning, where everybody understands the value that each is bringing to the table.

[00:08:04] Amor Sexton: I think it's unfortunate that in DeFi we've seen a number of breaches or a number of issues where it's happening, but I'm definitely seeing more security experts, more risk experts, more, even more dialogue coming into this space.

[00:08:21] Amor Sexton: I, I just think it's, it's maybe, to the point that Pluto makes, the industry is moving quicker than the dialogue is moving in the maturation of the governance framework.

[00:08:31] Pete Townsend: There's enough of us in this industry now, Amor, as you know, that have one foot on each side of the river between TradFi and DeFi, and that these are the folks that can help.

[00:08:42] Pete Townsend: And it will take a good six months to really, truly identify every hole.

[00:08:47] Amor Sexton: but I think it comes down to culture again, and and a recognition that this is really important. Because, you know, with the Kelp vulnerability, what's interesting about that it is it was a known vulnerability.

[00:08:59] Amor Sexton: [00:09:00] From what I heard, it was actually posted, I think it was January 2025.

[00:09:06] Amor Sexton: So people knew what the exploit was, but still I think it was something like 47% of, of operators chose that single configuration. So again,

[00:09:15] Amor Sexton: in that situation, it wasn't that it was an unknown, risk It was a known risk and people just chose... Either, either chose not to assess it and, and, you know, built, built the mitigation into their architecture, or just accepted it and moved forward and, and didn't think it was important enough, to address

[00:09:36] Amor Sexton: And it, it's not that the single DVN architecture is a bad one. I mean, it's legitimate in that it, you know, it, it can bring some benefits, but for large flows, it wasn't the best architecture to choose. And it kinda doesn't make sense as well when you're talking about a technology that uses distributed consensus to bring security and resilience.

[00:09:58] Amor Sexton: So it wasn't really utilizing the [00:10:00] technology to its full extent. But that's where I mean, like culture, the culture amongst the people is so important, and that's what needs to change. So it's not just a knowledge transfer, but it actually needs to be a, cultural shift.

[00:10:12] Pete Townsend: Definitely, if you were running a DeFi protocol today or if you're a LP about to deploy capital into one, what are the two or three governance questions that you should be asking that almost nobody is asking right now?

[00:10:28] Amor Sexton: I don't know if almost nobody's asking them, but I definitely want to get an inventory of all decisions that can be made unilaterally by the protocol and looking at their, their independent oversight structure. So not just you, do you have a governance token and how does that operate?

[00:10:47] Amor Sexton: Because I think those decisions are different to what we're talking about here. But really digging into the role of the humans, to my point earlier my-- the role of the humans who hold the keys, who controls the multi-sig thresholds. [00:11:00] what is the accountability structure around all of them, and, how have you assessed the risk that's inherent in that framework?

[00:11:06] Amor Sexton: So I think definitely looking at who can make decisions other than just the, you know, the DAO structure, but actually who can make decisions. And I think that's really important to ask, and I'm not sure if enough questions are asked around that. Definitely I think building on from that, do you have a process of having named individuals making decisions as well and signing off on the risk assessment?

[00:11:34] Amor Sexton: So that's, for example, we talked about the DVN architecture That was either a, an actual decision that was made or it was a choice not to make a decision and, and to, to, you know, just, just build the architecture without actually doing the risk assessment. That's a failure in the process, and you need to make sure that you're asking about these decisions and remembering that the decisions and the technology, as I mentioned earlier, are still [00:12:00] humans at the end of the day.

[00:12:00] Amor Sexton: So for-- And, and especially digging in on has anyone identified the single point of failure in the architecture as well, and really honing in on, on the governance process around that.

[00:12:12] Amor Sexton: And then I think the last one would come down to what I've said a few times about the culture of risk assessment in the company. The, you know, not just an approach to tick the box exercises, but actually do you have a strong culture of continuous monitoring, of vigilance, of, building a framework that can withstand a sophisticated attacker that could take months, to exploit your vulnerabilities.

[00:12:40] Amor Sexton: And I think that that's probably the third one, really just understanding that it's about the culture.

[00:12:44] Amor Sexton: What I'm saying here is that that culture of risk assessment, that, that existence of a holistic governance framework within this, you know, the DeFi initiative, that will determine, whether or not your concerns can, [00:13:00] can, can be met and how, how, you know, secure it is for, for capital investment.

[00:13:05] Pete Townsend: It's amazing that with all of this technology, it comes back to people

[00:13:09] Amor Sexton: It does. It always, it always does. I think, it comes back to, it comes back to people, it comes back to culture and it comes back to making sure that you're not just moving really fast and evolving the technology itself, but that you're evolving your structure

[00:13:32] Amor Sexton: from a company perspective as well.

[00:13:34] Pete Townsend: Absolutely. Amor, this has been brilliant. It's exactly the conversation that the industry needs right now. Totally.

[00:13:40] Pete Townsend: Thank you so much for coming back onto the show. Always a pleasure riffing on these things

[00:13:44] Pete Townsend: with you .

[00:13:45] Amor Sexton: Thanks. It's been great to be here.

[00:13:46] Pete Townsend: And to all of you, thanks for watching and listening, and don't forget to follow or subscribe wherever you get your podcasts. It helps others to find the show, and it means a heck of a lot to me. Till next time. See ya.

​[00:14:00]