By Merlin Egalité

Noncustodiality Is Not a Philosophical Question. It’s a Security One.

When we think about security in DeFi, our first instinct is to look at smart contract risk. How many audits? By which firms? Were vulnerabilities found?

The good news is that DeFi has gotten significantly better at this. Losses from smart contract-based exploits have dropped significantly over the years. The industry learned the hard way, and DeFi in 2026 isn’t DeFi in 2022.

The bad news is that attackers have moved on. They are now targeting the people and systems holding the keys. Recent hacks, including Kelp, Drift and Resolv, were not code failures; they were custody failures at the protocol level.

The industry needs to catch up, fast.

Custody is an Attack Vector

Custody is not just about who holds the keys. For a protocol, custody is not only where the funds live but also who has the power to act on the protocol: who can move capital, update the logic, or shut things down. Having a noncustodial wallet is irrelevant if all the funds are actually deposited in custodial protocols.

One of the distinctions that actually matters is between code risk and control risk. Code risk is what audits are designed to catch, and they do it reasonably well. Control risk is what happens when someone uses legitimate access to do something they should not, and it’s almost never treated with the same urgency.

Audit reports flag access control issues, but they are rarely perceived as critical, and that needs to change.

Control risk also compounds in ways code risk does not, because teams change, keys get compromised, governance gets captured, and custodians can do things their clients never anticipated or consented to.

Noncustodiality at the protocol level is one of the only properties that removes this risk entirely for DeFi infrastructure. This is the original ethos of DeFi: open, permissionless, and trustless, not as a philosophical stance but as a verifiable onchain guarantee that no single actor can override.

Uniswap V2 remains a clear proof of concept, with no admin keys, no upgrade path, and no need to trust the team behind it. The trust lives in the code, verifiable by anyone, and that is precisely what institutions are increasingly asking for when they evaluate DeFi infrastructure.

The Noncustodial Security Stack

Noncustodiality is not a single feature but a property that emerges from several design decisions working together. The goal of each layer is the same: to reduce the surface through which a single actor, compromised or not, could cause harm.

  • Immutable code removes the most dangerous attack category entirely. If the core protocol cannot be upgraded, there is no upgrade path to exploit, no admin function to compromise, and no possibility of an atomic hack where funds are drained in a single transaction before anyone can respond.
  • Governance minimization follows the same logic, since every governance mechanism is also an attack surface and should be scoped as narrowly as possible.
  • Where some mutability is unavoidable:
    • Timelocks and granular roles prevent atomic attack vectors: timelocks ensure any change has a mandatory public delay before taking effect, turning a potential silent attack into something that can be caught, revoked or at least minimized.
    • Roles should be scoped and segmented so that no single actor has more access than they need. Guardian and sentinel mechanisms provide emergency intervention capabilities, the ability to pause or revoke, without introducing new centralized control or allowing the response itself to be turned against users.
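
The timelock, scoped-role and guardian pattern described in the list above, as an added Solidity sketch that is not taken from any protocol's code. The contract name, the `curator` and `guardian` role names, the two-day delay and the fee cap are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical example: one mutable parameter behind a timelock, no upgrade path.
contract TimelockedFee {
    uint256 public constant TIMELOCK = 2 days;   // assumed public delay
    uint256 public constant MAX_FEE_BPS = 1000;  // assumed hard cap, enforced in code

    address public immutable curator;   // scoped role: may only propose a change
    address public immutable guardian;  // scoped role: may only revoke a pending change

    uint256 public feeBps;
    uint256 public pendingFeeBps;
    uint256 public validAt;             // 0 means nothing is pending

    event FeeSubmitted(uint256 newFeeBps, uint256 validAt);

    constructor(address curator_, address guardian_) {
        curator = curator_;
        guardian = guardian_;
    }

    /// Step 1: the change is announced onchain and cannot take effect atomically.
    function submitFee(uint256 newFeeBps) external {
        require(msg.sender == curator, "not curator");
        require(newFeeBps <= MAX_FEE_BPS, "above cap");
        require(validAt == 0, "change already pending");
        pendingFeeBps = newFeeBps;
        validAt = block.timestamp + TIMELOCK;
        emit FeeSubmitted(newFeeBps, validAt);   // monitors watch for this event
    }

    /// Emergency path: the guardian can cancel, but can never set a value itself.
    function revokePendingFee() external {
        require(msg.sender == guardian, "not guardian");
        require(validAt != 0, "nothing pending");
        delete pendingFeeBps;
        delete validAt;
    }

    /// Step 2: anyone may finalize, but only after the delay has elapsed.
    function acceptFee() external {
        require(validAt != 0 && block.timestamp >= validAt, "timelock not elapsed");
        feeBps = pendingFeeBps;
        delete pendingFeeBps;
        delete validAt;
    }
}
```

A compromised curator key can at worst announce a capped change that stays visible for the full delay, and a compromised guardian key can at worst block changes; neither role can move funds or alter the parameter in a single transaction.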

What the Industry Needs to Do from Here

Noncustodiality should be a default consideration when evaluating DeFi infrastructure, not a philosophical differentiator that some protocols happen to care about more than others.

Before allocating to any DeFi protocol, the questions worth asking are who controls the admin keys and what they can do with them, whether there is a timelock on parameter changes, whether the protocol can be upgraded and by whom, and how assets are actually held at every layer of the custody stack.

There is also a less discussed dimension: noncustodiality is what makes Lindy durable. If someone has the power to change the rules at any moment, they can reset years of accumulated trust back to zero.

When no single actor can alter the system, trust compounds unconditionally over time rather than depending on the continued good faith of whoever holds the keys.

The industry has spent years getting better at auditing code and now needs to get equally serious about control, because the most dangerous attacks in DeFi are not the ones that break the code but the ones that use it exactly as intended for malicious purposes.
