February 8, 2026 | The Security Table Podcast

The End of the Lone Wolf Auditor: Why DeFi Security Needs to Evolve Beyond Code

Tarun Chitra has seen every phase of DeFi security, from the ICO boom's simple re-entrancy bugs to managing nearly $2 billion in protocol risk today. His message is clear: the security model that got us here won't get us where we're going.

When Gauntlet started in 2018, DeFi barely existed. The biggest on-chain application was minting ERC-20 tokens. Security vulnerabilities were straightforward: pure code bugs where "one plus one equals three," as Tarun Chitra describes it. Fast forward to today, and Chitra's firm manages close to $2 billion in DeFi vaults while navigating a security landscape that has fundamentally transformed.

In a recent episode of The Security Table podcast, Chitra outlined how DeFi security has evolved through three distinct phases and why the industry's reliance on traditional audit models is becoming increasingly obsolete.

Phase One: When Code Audits Were Enough (2018-2020)

In crypto's early days, security was a binary proposition. Either your code had vulnerabilities or it didn't. Re-entrancy attacks, integer overflows, and similar exploits dominated the threat landscape. A thorough code audit could catch these issues before deployment.

"There were certainly many security vulnerabilities, but they were all pure code vulnerabilities," Chitra explains. "Like a re-entrancy where I put two coins in and I can take three coins out."

During this period, Gauntlet focused on bringing traditional finance tooling to crypto: simulation software, backtesting, and stress testing different agent models. The firm was essentially asking: how do you take risk assessment tools that worked in TradFi and adapt them for blockchain protocols?

Phase Two: Economic Security Emerges (2020-2024)

By 2020, everything changed. DeFi protocols weren't just code anymore. They were dynamic economic systems interacting with oracles, collateral types, and market conditions that shifted constantly.

"Just having a code audit was not sufficient because the type of collateral you use might change over time. The Oracle quality might change over time," Chitra notes. "You needed more of a hybrid approach where you had monitoring and continuous updates every week, every day, mixed in with continuous security assessments."

This era saw Gauntlet in the war rooms during major DeFi incidents, advising protocols on collateral factors, liquidation parameters, and risk management. The question was no longer "is the code secure?" but "how do we choose parameters so that people can't drain the protocol under changing market conditions?"

Phase Three: Portfolio-Level Risk (2024-Present)

Today's DeFi landscape introduces yet another paradigm shift. Protocols have moved from conservative, isolated risk models to competitive yields that rival centralized finance, but at the cost of increased protocol-level exposure.

"You now went from having a lot more isolated risk to a lot more protocol-level risk," Chitra explains. "You also have more of this duration management and liquidity risk."

Modern protocols like Morpho and Kamino feature complex permissioning systems with multiple actor types beyond the traditional borrower/lender/liquidator trinity. Each new role adds complexity, and with complexity comes new attack vectors.

The Oracle Problem Nobody's Solving

When asked about the most underappreciated risks in DeFi, Chitra doesn't hesitate: oracle quality.

"An Oracle for Ethereum or Bitcoin provided by a provider can be very different from an Oracle for a much lower liquidity asset provided by the same provider," he points out.

As the industry rushes to bring real-world assets on-chain (from tokenized equities to treasury bills), the oracle problem intensifies. Crypto assets benefit from high liquidity across multiple venues, making price manipulation difficult. Real-world assets lack this natural defense.

"The Oracle quality for real world assets, regardless of providers, is fundamentally just worse than crypto assets themselves," Chitra warns. "It's really hard to corner the market enough and manipulate the market enough to swing the Oracle for crypto assets. That's not true for RWAs."

This isn't a new risk category. Oracle manipulation has threatened DeFi from the beginning. But as protocols expand their asset coverage, they're applying risk assessments calibrated for highly liquid crypto assets to fundamentally different instruments.
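
One concrete place where "risk assessments calibrated for liquid crypto assets" show up is in the price consumer itself. The following is an added illustration, not code from the podcast, Gauntlet, or Olympix: a consumer that refuses an oracle answer unless it is positive, fresh, and within a per-asset deviation cap, so that a thin-liquidity or real-world-asset feed can be given tighter limits than an ETH or BTC feed. The feed interface mirrors the widely used latestRoundData() shape; the consumer contract, its thresholds, and all names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not any project's code). The interface follows the
// common latestRoundData() feed shape; everything else is an assumption.
interface IPriceFeed {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

contract GuardedPriceConsumer {
    IPriceFeed public immutable feed;
    uint256 public immutable maxStaleness;    // seconds an answer may be old
    uint256 public immutable maxDeviationBps; // max move vs. last accepted price
    uint256 public lastAcceptedPrice;

    // Thresholds are set per asset at deployment: a deep-liquidity crypto feed
    // can tolerate a wider deviation cap than a thin RWA feed.
    constructor(IPriceFeed _feed, uint256 _maxStaleness, uint256 _maxDeviationBps) {
        feed = _feed;
        maxStaleness = _maxStaleness;
        maxDeviationBps = _maxDeviationBps;
    }

    // Returns a price only if it passes every check; otherwise reverts so the
    // calling protocol fails closed instead of liquidating on a bad number.
    function getPrice() external returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        require(answer > 0, "non-positive price");
        require(answeredInRound >= roundId, "round not finalized");
        require(updatedAt <= block.timestamp, "timestamp in future");
        require(block.timestamp - updatedAt <= maxStaleness, "price too old");

        uint256 price = uint256(answer);
        if (lastAcceptedPrice != 0) {
            uint256 diff = price > lastAcceptedPrice
                ? price - lastAcceptedPrice
                : lastAcceptedPrice - price;
            // diff / last <= maxDeviationBps / 10_000, written without division
            require(
                diff * 10_000 <= lastAcceptedPrice * maxDeviationBps,
                "deviation too large"
            );
        }
        lastAcceptedPrice = price;
        return price;
    }
}
```

The deviation cap is a circuit breaker, not a price correction: a legitimate move larger than the cap halts the consumer until whoever governs the protocol reviews and resets it, which is the intended trade. The point the article makes about oracles is visible in the constructor arguments: the same code path with the same thresholds for a tokenized treasury bill and for ETH is a mis-calibration, even when both feeds come from the same provider.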

The New User Problem

While crypto natives have "lived through a number of financial disasters and survived," Chitra sees a different challenge emerging: how to communicate complex risk to institutional users and newcomers whose first crypto experience might be a mobile wallet with delegated custody through an MPC service.

"Those users might not be familiar at all with any of these risks," he says. "Figuring out how to communicate the learnings of the past and why certain choices are made without overwhelming new users, that's actually where I see the biggest need in education."

The on-chain natives have self-selected for higher risk tolerance and learned painful lessons. Institutional treasurers dipping their toes into stablecoin yields haven't.

The Hot Take: AI Is Crossing the Rubicon

Perhaps Chitra's most provocative observation concerns the role of AI in security auditing, a topic that went from punchline to serious consideration in just six months.

"There was a quick move in the last six months where using AI tools for security was a joke or would be made fun of, whereas I think now there's definitely a lot of serious usage," Chitra observes.

He's careful to note that AI won't replace verification and deep testing tools entirely. But the notion that human auditors are "fundamentally necessary" for finding critical bugs?

"That is becoming less and less true," Chitra argues. "In crypto, there's been this kind of lone wolf human auditor needs to be around type of thing forever. Obviously, in the past it worked, but I think we might be crossing the Rubicon on that."

Outside of crypto, this isn't controversial. Inside the industry, it challenges a deeply held belief: that only battle-tested human auditors can catch the bugs that matter.

What This Means for DeFi Security

Chitra's perspective carries weight. Gauntlet didn't just theorize about DeFi risk. The firm has $2 billion on the line and has been present for the industry's major security incidents. The evolution from ratings agency to simulation platform to vault manager mirrors DeFi's own maturation.

The lesson isn't that code audits are useless. They're insufficient. Modern DeFi security requires:

  • Continuous monitoring rather than one-time assessments
  • Economic risk modeling alongside code analysis
  • Oracle quality management as protocols expand asset coverage
  • Portfolio-level thinking instead of isolated risk analysis
  • User education calibrated to experience level
  • Openness to AI augmentation of human expertise

The "lone wolf auditor" model served DeFi well when vulnerabilities were purely code-based. But as protocols become economic systems interacting with real-world assets, market conditions, and institutional capital, security must evolve to match.

The protocols that recognize this shift and adapt their security practices accordingly will be the ones still standing when the next crisis hits. Those clinging to audit-only models may find themselves learning the same lesson DeFi 1.0 protocols learned: in crypto, inflexibility is its own vulnerability.


In Brief

  • Remitano suffered a $2.7M loss due to a private key compromise.
  • GAMBL’s recommendation system was exploited.
  • DAppSocial lost $530K due to a logic vulnerability.
  • Rocketswap’s private keys were inadvertently deployed on the server.

Hacks

Hacks Analysis

Huobi  |  Amount Lost: $8M

On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract, then created a second malicious contract and transferred 1,001 ETH to it. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty if the funds are returned to the exchange.

Exploit Contract: 0x2abc22eb9a09ebbe7b41737ccde147f586efeb6a
