Digital Asset: Canton can block state-sponsored DeFi threats

Yuval Rooz, CEO of Digital Asset, said Canton’s permissioned design gives financial firms a way to exclude state-linked hackers from institutional DeFi applications after the Kelp DAO $290 million exploit.

Canton launched in 2024 as a public but permissioned blockchain. Rooz described features that let participants set access controls for subnets and for the digital assets they issue. Projects can choose to mirror open networks like Ethereum and Solana or to enable controls that limit which parties can interact with an application.

Rooz said Wall Street firms have raised questions about preventing state actors from touching their systems. He cited industry estimates that groups linked to North Korea have stolen more than $6 billion in crypto since 2017 and argued that institutions have a fiduciary duty to keep bad actors out of their platforms.

The comments followed the Kelp DAO incident in which attackers drained roughly $290 million. When Arbitrum’s 12-member security council froze about $71 million of funds left exposed on the layer‑2 network, debate focused on how permissioned responses affect DeFi’s permissionless ideals. Rooz defended the freeze, arguing it was appropriate and adding, “Nobody should say that that’s a bad thing.”

Rooz warned that attacks have become more sophisticated, evolving from simple phishing to long campaigns aimed at gaining privileged access to protocols. He noted Canton does not impose access limits by default; projects must opt to use the protections. He predicted that most consumer-facing applications will adopt safety parameters as a baseline and commented, “People want all the freedom in the world with none of the risks.”

Critics of Canton contend its permissioned features centralize control and therefore do not fit some definitions of a public blockchain. Rooz acknowledged the network is not a universal solution and emphasized that teams must enable the safeguards for them to apply. He presented Canton as an option for institutions that want the ability to exclude known threats while maintaining blockchain functions for approved participants.

The Kelp DAO exploit also prompted organized recovery efforts. A group called DeFi United, promoted by the founder of Aave, raised 132,650 ETH-about $303 million at recent prices-to help cover the losses. Stablecoin issuers took different approaches after attackers used issuer infrastructure to move funds: one issuer said it would not freeze coins without a court order, while another has cooperated with authorities to freeze assets allegedly tied to illicit finance.

Rooz framed the discussion as a choice between open, permissionless networks and the need for institutional controls to meet legal and operational responsibilities. He suggested tools that allow rapid exclusion of known bad actors may become more common in institutional applications if teams opt to activate those controls.