About

This framework is designed for multiple audiences:

For Protocol Developers:

• Audit your existing intervention capabilities using the Scope × Authority matrix
• Design new emergency response mechanisms informed by the effectiveness data
• Benchmark your response times against the median performance by authority type

For Governance Designers:

• Use the legitimacy conditions framework to pre-authorize emergency actions
• Consider the "Optimistic Freeze" model for balancing speed and legitimacy
• Establish mandatory post-mortem processes to build institutional memory

For Researchers:

• Download the datasets and reproduce the analysis
• Extend the taxonomy to new intervention mechanisms or blockchain architectures
• Cross-validate findings with alternative data sources

This work stands on the shoulders of giants. Special thanks to:

• Nimrod Talmon for invaluable research guidance.
• Sebastian Bürgel (VP Technology Gnosis, Founder HOPR) for starting this conversation.
• The papers "A Decade of Cryptocurrency 'Hacks': 2011 – 2021" (Charoenwong & Bernardi, 2021) and "Blockchain Compliance: A Framework for Evaluating Regulatory Approaches" (Charoenwong, Soni, Shankar, Kirby, Reiter, 2025) for foundational data frameworks.
• The Rekt.news, DeFiHackLabs, and SlowMist teams for their exhaustive incident reporting.
• Daniel Kokotajlo, Scott Alexander, Thomas Larsen, Eli Lifland, Romeo Dean for the foundational model of ai-2027.com.

Industry practitioners — Several teams are already operationalizing the principles this research documents. Their work validates the core thesis that intervention mechanisms are being operationalized in practice, and that legitimacy constraints are worth formalizing where intervention is on the table:

• Hypernative — Proactive threat detection and automated response infrastructure. Their real-time monitoring platform embodies the "golden hour" principle, enabling protocols to detect and contain exploits within minutes rather than hours.
• SEAL 911 — Emergency response coordination for the crypto ecosystem. SEAL operates as a decentralized "Delegated Body" in practice—a trusted cohort of security researchers who can be mobilized rapidly when protocols come under attack.
• Phylax Systems — Protocol-level security assertions and invariant monitoring. Phylax's approach to pre-deployment security constraints maps directly to the "scope-limited intervention" pattern our data shows is most effective.

This research aggregates exploit data from four primary sources, spanning 2014-2026:

• Charoenwong & Bernardi (2021) — Academic study covering 2011-2021 (30 cases)
• De.Fi Rekt Database — Industry incident database, 2021-2026 (~450 cases)
• Rekt.news Reports — Investigative post-mortems, 2020-2025 (282 cases)
• DeFiHackLabs — Technical incident tracking with PoC, 2022-2026 (~200 cases)
• Manual Research — Intervention curation from forums, tweets, post-mortems (120 interventions)

All data and analysis scripts are available in the GitHub repository for reproducibility.

The dataset was constructed through a multi-stage pipeline:

• Collection: 705 exploit cases aggregated from De.Fi Rekt, Rekt.news, DeFiHackLabs, and academic sources (2014–2026).
• Technical filtering: 640 cases retained after removing non-technical incidents (rug pulls, regulatory actions).
• Eligibility classification: 601 cases ($9.60B) classified as intervention-eligible based on whether a protocol override could have prevented or reduced damage.
• Intervention curation: 130 documented interventions identified through forum posts, governance proposals, and post-mortems.
• High-fidelity subset: 52 cases with complete data on response time, authority type, scope, and outcome—used for the effectiveness analysis and Scope × Authority matrix.

The Scope × Authority taxonomy classifies interventions along two dimensions: Scope (Account, Module, Protocol, Network) defines what gets affected, while Authority (Signer Set, Delegated Body, Governance) defines who decides. This creates a 4×3 effectiveness matrix that maps the design space for emergency response.

• Response time estimates: Many response times are inferred from block timestamps and governance proposal timelines rather than precise internal records. True response times may be faster or slower than reported.
• Selection bias: Successful interventions are more likely to be publicly documented than failed ones. The 26.0% effectiveness rate may overstate or understate actual industry capability depending on unreported cases.
• USD valuation: All loss figures are denominated in USD at time of incident. Given crypto volatility, the same exploit can appear larger or smaller depending on market conditions at the time of reporting.
• Taxonomy boundaries: Some interventions span multiple scope or authority categories. We classify by the primary mechanism; edge cases are documented in the individual case rationales.
• Survivorship bias: We can only study protocols that survived long enough to be exploited. Protocols that failed before attracting significant TVL are underrepresented in the dataset.