CertiK CEO Gu Ronghui has warned that AI is tilting the economics of DeFi security in favor of attackers, describing the growing gap between offensive and defensive spending as an “unfair game” that threatens the broader Web3 ecosystem.
The warning, which circulated via Telegram and was tied to a DL News feature on CertiK’s security outlook, frames the problem not as a technology failure but as a cost imbalance. Attackers can deploy AI tools to scan for vulnerabilities at scale, while defenders must protect every surface of a protocol simultaneously.
The statement is an opinion, not a disclosure of a specific exploit or breach. But it lands at a moment when DeFi security losses continue to climb and the tools available to bad actors are becoming cheaper and more automated.
Why the Attacker-Defender Cost Gap Keeps Widening
CertiK’s own Hack3d 2025 security report documented the scale of losses across Web3 protocols, reinforcing the thesis that the industry’s defensive spending has not kept pace with the threat landscape.
AI lowers the marginal cost of running exploit attempts. An attacker can use language models and automated fuzzing to probe smart contracts around the clock, testing thousands of edge cases without human oversight. The cost of each additional scan approaches zero.
Defenders face the opposite dynamic. Auditing a single protocol requires manual review, formal analysis, and ongoing monitoring. Each additional layer of assurance adds cost, and most DeFi teams operate on limited security budgets. That asymmetry is what Gu described as unfair.
Recent incidents have underscored the pattern. A DL News investigation into the worsening crypto hacking epidemic pointed to the same structural problem: attackers need to find one flaw, while defenders need to cover every possible vector.
As exchanges expand their crypto futures index offerings and DeFi protocols attract more capital, the attack surface only grows. The security question is no longer confined to niche protocols; it extends to the institutional products being built on top of blockchain infrastructure.
Formal Verification as the Defensive Response
The DL News feature explicitly tied Gu’s remarks to formal verification, a mathematical approach to proving that smart contract code behaves exactly as intended under all possible inputs. Unlike standard audits, which sample and test, formal verification aims to eliminate entire classes of bugs before deployment.
The method is expensive and time-consuming, which is precisely why it has not been widely adopted. Most DeFi teams prioritize speed to market over exhaustive proofs. But if AI is compressing the time attackers need to find exploits, the calculus shifts: the upfront cost of formal verification may be lower than the expected loss from a breach.
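The contrast drawn above between an audit that samples inputs and a method that covers all of them can be made concrete on a toy ledger. The Python below is an added illustration, not code from CertiK, DL News or any protocol: the two-account ledger, the 4-bit word size, the wrapping-arithmetic bug in the "before" transfer and the two invariants (supply is conserved, balances stay in range) are all constructed assumptions. It performs bounded model checking, enumerating every single-step input within the bound, which shows the exhaustive idea without claiming to be a theorem-prover proof of the unbounded contract.

```python
"""Bounded exhaustive checking of a constructed toy token ledger.

Everything here (word size, account count, bug, invariants) is an
assumption made for this example; it models no real protocol.
"""
import random
from itertools import product

WORD = 2 ** 4      # constructed 4-bit word: small enough to enumerate fully
ACCOUNTS = 2       # constructed two-account ledger


def transfer_unchecked(balances, sender, receiver, amount):
    """'Before' version: balance check present, but arithmetic wraps modulo
    WORD, as unchecked integer arithmetic does in older contract code."""
    if balances[sender] < amount:
        raise ValueError("insufficient balance")          # revert
    new = list(balances)
    new[sender] = (new[sender] - amount) % WORD
    new[receiver] = (new[receiver] + amount) % WORD       # silently wraps
    return new


def transfer_checked(balances, sender, receiver, amount):
    """'After' version: reverts instead of wrapping, so supply is conserved."""
    if balances[sender] < amount:
        raise ValueError("insufficient balance")
    new = list(balances)
    new[sender] -= amount
    if new[receiver] + amount >= WORD:
        raise ValueError("overflow")                      # revert, no wrap
    new[receiver] += amount
    return new


def invariants_hold(before, after):
    """Constructed invariants: total supply unchanged, balances in range."""
    return sum(before) == sum(after) and all(0 <= b < WORD for b in after)


def exhaustive_check(transfer):
    """Enumerate every state and every single-step input within the bound.
    Returns (cases_checked, first_counterexample_or_None)."""
    checked = 0
    for before in product(range(WORD), repeat=ACCOUNTS):
        for sender, receiver, amount in product(
                range(ACCOUNTS), range(ACCOUNTS), range(WORD)):
            checked += 1
            try:
                after = transfer(list(before), sender, receiver, amount)
            except ValueError:
                continue   # a revert leaves state untouched; invariants hold
            if not invariants_hold(before, after):
                return checked, {"before": before, "sender": sender,
                                 "receiver": receiver, "amount": amount,
                                 "after": tuple(after)}
    return checked, None


def sampled_check(transfer, trials, seed=0):
    """Audit-style sampling: random inputs only, may miss the bug."""
    rng = random.Random(seed)
    for _ in range(trials):
        before = tuple(rng.randrange(WORD) for _ in range(ACCOUNTS))
        sender, receiver = rng.randrange(ACCOUNTS), rng.randrange(ACCOUNTS)
        amount = rng.randrange(WORD)
        try:
            after = transfer(list(before), sender, receiver, amount)
        except ValueError:
            continue
        if not invariants_hold(before, after):
            return {"before": before, "sender": sender,
                    "receiver": receiver, "amount": amount,
                    "after": tuple(after)}
    return None


if __name__ == "__main__":
    for name, fn in (("unchecked", transfer_unchecked),
                     ("checked", transfer_checked)):
        cases, cex = exhaustive_check(fn)
        print(f"{name}: {cases} cases enumerated, counterexample={cex}")
        print(f"{name}: 20 random samples found {sampled_check(fn, 20)}")
```

Within the bound the enumeration is complete, so a `None` result for `transfer_checked` is a guarantee for every 4-bit two-account state, whereas `sampled_check` returning `None` only says the chosen samples happened to pass; scaling the word size back to 256 bits is exactly where bounded enumeration stops and symbolic or proof-based verification has to take over.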
For protocols managing significant total value locked, the question is becoming less theoretical. Teams that have already weathered incidents, including cases like the KelpDAO incident documented by LayerZero, face pressure from users and investors to adopt stronger assurance methods.
The debate also intersects with broader market infrastructure. As altcoin market capitalizations grow and DeFi protocols handle more value, the stakes of a single exploit scale accordingly. Firms exploring new digital asset yield strategies are equally exposed to the systemic risk that unchecked vulnerabilities create across interconnected protocols.
What Comes Next for DeFi Security Teams
Gu’s framing suggests the industry needs a structural shift, not just better tools. If attackers can automate discovery at near-zero cost, defenders need assurance methods that are provably complete rather than probabilistically sufficient.
That means DeFi teams, auditors, and infrastructure providers may need to treat formal verification not as a premium add-on but as a baseline requirement. Protocols that skip it are effectively betting that manual audits will catch everything AI-assisted attackers throw at them.
The warning is an opinion, and CertiK has a commercial interest in selling security services. But the underlying data on DeFi losses and the trajectory of AI-powered exploit tools make the argument difficult to dismiss. For teams building on-chain financial products, the cost of ignoring the asymmetry is measured in lost funds.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.