In the AI Era, Crypto Needs Verifiable Off-Chain Execution
The last few weeks have been damaging for DeFi. On April 1, Drift was drained of roughly $285 million. On April 18, Kelp DAO lost 116,500 rsETH worth roughly $292 million through an RPC node vulnerability in its LayerZero-powered bridge. Although the full accounting of the Kelp DAO rsETH exploit is still pending, the trend is clear: in just a few weeks, two major industry incidents exposed critical security vulnerabilities outside of the smart contracts themselves. With critical security threats increasingly extending beyond the smart contract layer and with AI reducing the cost of identifying vulnerabilities, crypto needs verifiable off-chain execution.
The Incidents
In the case of Drift, according to Chainalysis and Drift’s own post-mortem report, attackers spent months building relationships with the team. They used Solana’s durable nonce feature to get Security Council members to unknowingly pre-sign transactions, then used valid admin authority to whitelist a worthless token as collateral and withdraw real assets in return. In other words, the exploit path ran through privileged off-chain processes and transaction handling. It wasn’t a simple smart contract bug.
The Kelp DAO exploit has surfaced a different, but closely related, type of risk. LayerZero’s public account attributes the exploit to compromised downstream RPC infrastructure entering a single-verifier path. Kelp DAO has pushed back, arguing that the single-verifier configuration reflected LayerZero’s own defaults and guidance. Whatever the ultimate cause was, the common takeaway is that concentrated, opaque, off-chain verification infrastructure is now part of DeFi’s systemic risk.
Kelp DAO’s exploit was not contained to one protocol. It quickly spilled into Aave, the largest DeFi lending protocol by TVL, where the attacker used stolen rsETH as collateral, ultimately contributing to roughly $195 million in bad debt. This was followed by a sharp drop in Aave TVL with over $6 billion in withdrawals.
Security Beyond Smart Contracts
These incidents should not be treated as isolated failures or just another bad stretch for crypto. They are reminders that DeFi is not secured by smart contracts alone. The real security boundaries of a crypto system include signer workflows, verifier paths, RPC infrastructure, deployment processes, and the off-chain machines that fetch data, validate messages, and produce signatures. When any of those systems fail, on-chain code can still behave exactly as it's supposed to, and users can still lose hundreds of millions of dollars. Modern DeFi security systems and infrastructure need to be built with this wider scope in mind.
Drift’s own recovery plan points towards a broader security model. Alongside audits, its relaunch security program emphasizes key management, infrastructure, team access controls, dedicated signing devices, independent verification, and disabling durable nonces.
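One way a signing workflow can enforce a "no durable nonces" rule before a key holder signs, shown as an added example rather than Drift's own code. It assumes the transaction message has already been decoded into a dictionary of `accountKeys` and `instructions`; the function names and the account names in the sample data are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # variant index of SystemInstruction::AdvanceNonceAccount


def durable_nonce_account(message):
    """Return the nonce account if this is a durable-nonce transaction, else None.

    A durable-nonce transaction starts with a System program
    AdvanceNonceAccount instruction, and its signatures do not lapse with
    the recent-blockhash window the way an ordinary transaction's do.
    """
    instructions = message["instructions"]
    if not instructions:
        return None
    first, keys = instructions[0], message["accountKeys"]
    if keys[first["programIdIndex"]] != SYSTEM_PROGRAM_ID:
        return None
    data = first["data"]
    if len(data) < 4 or struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    return keys[first["accounts"][0]]  # account 0 of the instruction is the nonce account


def review_for_signing(message, allow_durable_nonce=False):
    """Return reasons a signer should refuse; an empty list means no objection."""
    reasons = []
    nonce = durable_nonce_account(message)
    if nonce is not None and not allow_durable_nonce:
        reasons.append(f"durable nonce {nonce}: signature stays usable until the nonce is advanced")
    return reasons


# Constructed sample messages; the account names are placeholders, not real addresses.
KEYS = ["Signer(constructed)", "NonceAcct(constructed)", "RecentBlockhashesSysvar(placeholder)",
        SYSTEM_PROGRAM_ID, "AdminProgram(constructed)"]
PRESIGNED = {"accountKeys": KEYS, "instructions": [
    {"programIdIndex": 3, "accounts": [1, 2, 0], "data": struct.pack("<I", 4)},
    {"programIdIndex": 4, "accounts": [0], "data": b"\x01"}]}
ORDINARY = {"accountKeys": KEYS, "instructions": [
    {"programIdIndex": 4, "accounts": [0], "data": b"\x01"}]}

if __name__ == "__main__":
    for name, msg in (("presigned", PRESIGNED), ("ordinary", ORDINARY)):
        print(name, review_for_signing(msg) or "ok")
```

A check like this belongs on the signing device or in the independent verification step, so that the refusal does not depend on the person being asked to sign.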
Advancements in AI are making this harder to ignore. Research has already shown LLM agents autonomously exploiting real one-day vulnerabilities, and Anthropic’s Mythos Preview says current frontier models can identify and exploit zero-day vulnerabilities across major operating systems and browsers at a level that warrants coordinated defensive action. The cost of searching for weaknesses and the time to address potential threats keep decreasing. In that environment, every opaque workflow, every unverifiable process, and every hidden dependency becomes more and more dangerous.
TEEs
Enter attestation in Trusted Execution Environments (TEEs). In simple terms, attestation in TEEs verifies the integrity of software running inside a secure hardware enclave. While TEEs do not replace decentralization, they do make off-chain execution harder to tamper with and trust assumptions explicit enough to verify. Decentralization and attestation solve different problems. Decentralization distributes operator, jurisdictional, and physical concentration risk. Attestation addresses the digital question: what code is actually running inside the systems that feed data, verify messages, or sign outcomes. In other words, decentralization tells us who participates; attestation tells us what is executed.
The next security stack for crypto needs both sides of that model. It needs decentralized operators to reduce concentration and physical trust assumptions. And it needs attested execution to reduce silent tampering in the off-chain workloads that increasingly determine on-chain outcomes. In a world of more capable automated attackers, the right direction is minimizing the tradeoffs between decentralization and verifiable execution. Decentralization plus TEEs.
AI-Era Crypto Infrastructure and Switchboard’s Unique Position
Switchboard has a uniquely credible voice to bring to this conversation. Switchboard’s oracle nodes run in TEEs. Guardians attest those TEE environments before nodes join the oracle queue. Signatures are verified on-chain and multiple oracles can be required for consensus. Operators have SWTCH at stake and are slashable. Switchboard feeds can be deployed permissionlessly from on-chain or off-chain sources. Decentralization AND verifiable execution are already integral to Switchboard.
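A simplified model of the two checks described above, attested admission to a queue and a multi-oracle quorum, as an added example that is not Switchboard's implementation. The quote fields (`measurement`, `report_data`), the allowlist, the key binding by hash and the `max_age` window are assumptions; verifying the hardware vendor's signature over the quote and each oracle's signature over its report is assumed to happen before these functions are called.

```python
import hashlib
from collections import Counter

# Constructed allowlist: measurements (build hashes) the guardians accept.
ALLOWED = {hashlib.sha256(b"oracle-build-1 (constructed)").hexdigest()}


def make_quote(pubkey, build, issued_at):
    """Constructed stand-in for a TEE quote; the vendor signature is omitted."""
    return {"measurement": hashlib.sha256(build).hexdigest(),
            "report_data": hashlib.sha256(pubkey).hexdigest(),
            "pubkey": pubkey, "issued_at": issued_at}


def admit(queue, quote, now, max_age=300):
    """Guardian side: queue the node's key only if the quote shows an
    allowlisted build and is bound to that key. Returns a refusal reason or None."""
    if quote["measurement"] not in ALLOWED:
        return "measurement not allowlisted"
    if quote["report_data"] != hashlib.sha256(quote["pubkey"]).hexdigest():
        return "quote not bound to this signing key"
    if now - quote["issued_at"] > max_age:
        return "stale quote"
    queue.add(quote["pubkey"])
    return None


def accept_value(queue, reports, threshold):
    """Consumer side: return the value backed by at least `threshold` distinct
    admitted keys, else None. `reports` holds (pubkey, value) pairs whose
    signatures the caller has already verified."""
    votes = {}
    for pubkey, value in reports:
        if pubkey in queue:          # unattested signers carry no weight
            votes[pubkey] = value    # one vote per key, however often it reports
    if not votes:
        return None
    value, count = Counter(votes.values()).most_common(1)[0]
    return value if count >= threshold else None


if __name__ == "__main__":
    queue, good = set(), b"oracle-build-1 (constructed)"
    print(admit(queue, make_quote(b"key-A", good, 1000), now=1010))
    print(admit(queue, make_quote(b"key-B", b"patched build", 1000), now=1010))
    print(accept_value(queue, [(b"key-A", 42), (b"key-A", 42), (b"key-B", 42)], 2))
```

In the sample run the second node is refused because its build is not allowlisted, so three reports of the same value still fail a threshold of two: only one admitted key stands behind them.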
More importantly, the next wave of crypto infrastructure will not only be consumed by humans. AI-era crypto infrastructure must be built around attestation, automation, and verifiable off-chain computation from the beginning. Switchboard is already documenting AI-agent and LLM workflows, including x402 support and an agent skill for designing, simulating, deploying, updating, and reading feeds across chains.
The Start of a New Era of DeFi
While many have reacted to recent exploits by proclaiming the end of DeFi, the more apt response is to help deliver a more mature security model for DeFi. One in which what is on-chain is decentralized and what is off-chain is verified. Crypto’s first phase was about minimizing who users had to trust. The next phase will also have to prove what was actually executed.
