The man who invented yield farming just said the quiet part out loud. DeFi is not decentralised. Not anymore.
“I think what we have today, Flying Tulip included, is no longer DeFi,” Andre Cronje told Cointelegraph this week. “It’s not decentralised finance. It’s not immutable code. It’s teams running for-profit businesses.”
Cronje created Yearn Finance. He pioneered the strategies that turned DeFi from a niche experiment into a $200 billion industry. When he says the thing he helped build is no longer what it was supposed to be, the industry should listen. But the debate that followed his comments reveals something deeper: DeFi builders are genuinely split on what to do about it.
What Made Cronje Say This?
April 2026. The worst month for DeFi hacks in over a year. Drift Protocol lost $285 million. Kelp DAO lost $292 million. Aave hit 100% utilisation and trapped billions in stablecoins. Wasabi Protocol lost $4.5 million to a compromised admin key. Combined losses crossed $600 million.
And here is the part that bothers Cronje: none of the major exploits were caused by smart contract bugs. Drift was social engineering. Kelp was compromised infrastructure. Wasabi was a leaked deployer key with no timelock. The code was fine. The humans running the code were the problem.
“The focus over all of the industry is still very much on the contract side and not the more TradFi side,” Cronje said. The industry spends millions on smart contract audits while the real vulnerabilities are Web2 problems: compromised servers, phished team members, leaked admin keys, and single points of failure that live off-chain.
Curve Finance founder Michael Egorov agreed: “The vast majority of the most recent DeFi exploits happened not due to errors in code. They happened because of centralisation risks, single points of failure which live off-chain.”
What Are Circuit Breakers and Why Do They Matter?
In response to the hack wave, Cronje’s own protocol Flying Tulip added a withdrawal circuit breaker last week. It works like a stock exchange halt. When withdrawals exceed normal parameters, the system automatically slows or queues them, giving the team a window to investigate before the pools drain completely.
Flying Tulip’s circuit breaker gives the team about six hours. Cronje said smaller teams with fewer developers across fewer time zones might need 12 to 24 hours.
“Our circuit breaker isn’t actually designed so that we can stop or prevent anything from happening,” Cronje said. “It’s to give us time to react.”
The logic is sound. If Kelp DAO had a circuit breaker, the $292 million drain might have been caught after $50 million instead of $292 million. If Drift had one, the 12-minute withdrawal sequence might have been paused for review. Speed kills in DeFi exploits. Circuit breakers buy time.
Why Is Egorov Warning Against Them?
Because circuit breakers are controlled by humans. And humans are exactly the problem Cronje just described.
“The circuit breakers are controlled by humans, which means they could become a potential vulnerability themselves,” Egorov told Cointelegraph. He warned that if emergency controls allow signers to change contract code or block withdrawals, a compromised signer could turn the safety feature into a weapon. The thing designed to protect users could become the thing that traps their funds.
This is the central tension. DeFi was built on the idea that code runs without human intervention. You deposit funds into a smart contract and nobody can change the rules, freeze your assets, or block your withdrawal. That trustlessness is the entire point.
Circuit breakers add a human layer back in. Someone has to decide when to trigger them. Someone has to decide when to release them. Someone has to hold the keys. And as April proved, “someone holding the keys” is exactly how things go wrong.
Egorov’s preferred solution is to design systems that keep running safely without manual intervention. Build protocols that do not need a human to save them, because the moment a human can save them, a human can also break them.
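To make the mechanism and Egorov's objection concrete, here is a toy Python model added for illustration. It is not Flying Tulip's or any protocol's code. The breaker trips on outflow alone and releases on elapsed time alone, so no signer can extend the hold. The six-hour delay comes from the article; the one-hour window, the 10% cap and all names are assumptions.

```python
from collections import deque

WINDOW = 3600        # rolling window in seconds (assumed value)
CAP_BPS = 1000       # at most 10% of the pool may leave per window (assumed value)
DELAY = 6 * 3600     # hold on excess withdrawals: the ~six hours cited in the article


class BreakerPool:
    """Toy pool: the breaker trips on outflow alone and releases on time alone."""
    def __init__(self, balance):
        self.balance = balance      # funds held, including amounts queued for release
        self.reserved = 0           # queued amounts that are still inside the pool
        self.recent = deque()       # (timestamp, amount) of instant payouts
        self.queue = []             # (user, amount, release_time)

    def _outflow(self, now):
        while self.recent and self.recent[0][0] <= now - WINDOW:
            self.recent.popleft()   # forget payouts older than the window
        return sum(a for _, a in self.recent)

    def withdraw(self, user, amount, now):
        if amount <= 0 or amount > self.balance - self.reserved:
            raise ValueError("invalid amount")
        out = self._outflow(now)
        cap = (self.balance + out) * CAP_BPS // 10_000  # ~10% of pool at window start
        if out + amount <= cap:
            self.balance -= amount
            self.recent.append((now, amount))
            return "paid"
        self.reserved += amount     # over the cap: hold it instead of paying out
        self.queue.append((user, amount, now + DELAY))
        return "queued"

    def claim(self, user, now):
        """Pay out the user's matured entries. No role can cancel or extend them."""
        due = sum(a for u, a, t in self.queue if u == user and t <= now)
        self.queue = [q for q in self.queue if not (q[0] == user and q[2] <= now)]
        self.balance -= due
        self.reserved -= due
        return due


def simulate_drain(pool, step, interval, until):
    """Constructed scenario: one account withdraws `step` every `interval` seconds."""
    paid, now = 0, 0
    while now < until and pool.balance - pool.reserved >= step:
        paid += step if pool.withdraw("drainer", step, now) == "paid" else 0
        now += interval
    return paid
```

On a constructed pool of 1,000,000 units drained in 50,000-unit steps, only 100,000 leaves before the breaker queues the rest. What a team does during the hold is outside this model.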
Is DeFi Actually Decentralised Anymore?
Cronje says no, and the data backs him up. Most popular DeFi protocols now use upgradeable proxy contracts. That means the team can change the code after deployment. They use multisig wallets controlled by a small group of known signers. They rely on off-chain infrastructure like RPC nodes, oracles, and cloud servers that can be compromised independently of the smart contracts.
Cronje went further, saying that “real” DeFi lives in command lines, not websites. No polished UI. No wallet integrations. No gas abstraction. Just raw smart contract interaction. Almost nobody uses DeFi that way. The moment you add a website, a team, a support channel, and upgradeable contracts, you have a company. Companies have employees. Employees can be compromised.
The philosophical question is whether that is a problem or an evolution. Early Bitcoin maximalists had the same debate about exchanges. Pure Bitcoin means holding your own keys. But most people use Coinbase. Is that a failure of the vision or a necessary step toward adoption? DeFi is having the same argument, just four years later.
What Does This Mean for DeFi Users?
Two practical takeaways. First, do not assume that “audited” means “safe.” April proved that audited contracts can sit on top of compromised infrastructure. An audit checks the code. It does not check the team, the servers, the key management, or the bridge configuration.
Second, understand that your funds in most DeFi protocols are ultimately controlled by a small group of people. Those people may be competent and trustworthy. But they are human. They can be phished, bribed, threatened, or simply make mistakes under pressure. Circuit breakers add another layer of human control on top of that.
Cronje is not saying DeFi is dead. He is saying it has changed into something different from what it started as. Whether you see that as growth or corruption depends on what you thought DeFi was supposed to be in the first place.