Compliance Theatre
Web3 / compliance
Compliance theatre is the practice of performing the visible indicators of security and regulatory compliance — obtaining audits, publishing documentation, displaying institutional backers, and marketing bug bounty programs — without addressing the substantive risks that those measures are supposed to mitigate. The term, borrowed from aviation security criticism, describes protocols that achieve clean audit reports by scoping reviews narrowly enough to exclude the actual vulnerabilities, or that treat documented security findings as backlog items rather than as critical issues requiring immediate resolution. The result is an organization that can present comprehensive compliance attestations while harboring unmitigated attack surfaces.

Example: Resolv Labs exemplified compliance theatre before its March 2026 hack: eighteen independent security audits, a $500,000 Immunefi bug bounty, real-time threat monitoring with Hypernative, and institutional VC backing — yet a documented audit finding labeled "Missing upper [limit]" on the minting key was never fixed, and no audit had ever reviewed the AWS environment storing the single private key with unlimited minting authority.

Why it matters for compliance: Compliance theatre is particularly dangerous in DeFi because users, investors, and institutional counterparties often use audit count and backer prestige as proxies for actual security. The Resolv hack demonstrated that these proxies are unreliable: documentation does not act as a failover, and the performance of security provides no protection when the actual attack surface has never been reviewed.
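The unfixed finding in the example above was a minting key with no upper limit, so the blast radius of a key compromise was the entire token supply. The following toy model, added here as an illustration and not Resolv's or any project's code, contrasts an unbounded mint function with one that enforces a hard supply cap and a per-window issuance ceiling. All class names, parameter values and the compromise scenario are constructed assumptions; the point is that a bounded mint authority limits how much a single compromised key can issue before monitoring, a timelock or a key rotation can react.

```python
"""Bounding a minting authority: constructed 'before' and 'after' models."""
from dataclasses import dataclass


class MintLimitExceeded(Exception):
    """Raised when a mint request would exceed a configured limit."""


@dataclass
class UnboundedMinter:
    """The 'before': whoever holds the key can mint any amount at any time."""
    total_supply: int = 0

    def mint(self, amount: int, now: int) -> int:
        # No cap and no rate limit; `now` is ignored but kept for a uniform interface.
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.total_supply += amount
        return self.total_supply


@dataclass
class BoundedMinter:
    """The 'after': absolute supply cap plus a rolling per-window issuance ceiling."""
    supply_cap: int        # hard maximum total supply
    window_limit: int      # maximum mintable within one window
    window_seconds: int    # window length in seconds
    total_supply: int = 0
    window_start: int = 0
    minted_in_window: int = 0

    def mint(self, amount: int, now: int) -> int:
        if amount <= 0:
            raise ValueError("amount must be positive")
        # Roll the window once it has expired.
        if now - self.window_start >= self.window_seconds:
            self.window_start = now
            self.minted_in_window = 0
        # Check the hard cap first, then the per-window ceiling.
        if self.total_supply + amount > self.supply_cap:
            raise MintLimitExceeded("supply cap would be exceeded")
        if self.minted_in_window + amount > self.window_limit:
            raise MintLimitExceeded("per-window limit would be exceeded")
        self.total_supply += amount
        self.minted_in_window += amount
        return self.total_supply


# Constructed scenario: one key holder issues 1,000,000 units every 10 minutes
# for two hours, which is what a leaked key would look like to the contract.
ATTEMPTS = [(t, 1_000_000) for t in range(0, 7200, 600)]


def issued_under_compromise(minter, attempts) -> int:
    """Total the amount that actually gets minted; rejected requests are skipped."""
    issued = 0
    for now, amount in attempts:
        try:
            minter.mint(amount, now)
            issued += amount
        except MintLimitExceeded:
            continue
    return issued


if __name__ == "__main__":
    print("unbounded:", issued_under_compromise(UnboundedMinter(), ATTEMPTS))
    bounded = BoundedMinter(supply_cap=5_000_000, window_limit=3_000_000, window_seconds=3600)
    print("bounded:  ", issued_under_compromise(bounded, ATTEMPTS))
```

With the constructed parameters, the unbounded minter issues all 12,000,000 units requested, while the bounded minter issues 3,000,000 in the first hour (window limit) and then stops at 5,000,000 in the second hour (supply cap). The limits do not prevent a key compromise, they convert an unlimited loss into a bounded one that a monitoring alert or a governance response can act on.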