
Wallet Simulations, Redundancy and LLMs Are Central to Safer Systems: Ethereum’s Buterin


Ethereum co-founder Vitalik Buterin said digital security should be understood as reducing the gap between what users think they are doing and what computers actually do, arguing that this challenge underpins both safety and user experience.

In a recent post on X, Buterin said security and usability are not separate fields but different views of the same problem, as user experience deals with everyday mismatches that cause confusion or frustration, while security focuses on rare, high-stakes cases where a mismatch can cause serious loss, especially when attackers are involved.

He added that the idea of “perfect security” is unrealistic, not because software and hardware are inherently broken, but because human intent is too complex to fully encode in a single instruction or interface.

When “send 1 ETH to Bob” stops being simple

Buterin used the simple example of a person who wants to send “1 ETH to Bob” on the Ethereum network, saying that while this feels straightforward to the user, each part becomes slippery once it is translated into code. The identity of “Bob” has to be approximated with an address or key that might be wrong or manipulated, and the meaning of “ETH” could become contested if the blockchain splits into different versions after a hard fork.

In the real world, users rely on common sense and social context to resolve such questions, but computers require strict definitions and cannot access that background understanding.

The gaps grow wider when the goals are more abstract, such as “protect my privacy,” he said, as many people assume encryption alone is enough to keep their communications safe, but the pattern of who talks to whom and when they talk can reveal a great deal about their lives.

Misaligned intent as a common threat in AI and security

Because no single instruction can fully capture what a user really wants, Buterin argued that good security design depends on redundancy, saying that systems should invite users to express their intentions in several overlapping ways and only proceed when those different signals line up.

He pointed to practices in software development and cryptocurrency tools where this is already visible, saying that typed programming languages require developers not only to write code but also to declare how data should look at each step, with mismatches stopping the program from compiling, while formal verification makes them describe the system both as code and as mathematical properties so that any failed proof shows the implementation does not match the stated goal.

Testing the transaction first: simulations as a security layer

In the context of digital wallets and financial transactions, Buterin highlighted techniques such as transaction simulations, where users are shown a preview of the on-chain consequences before they approve an action, and post-conditions, where a transaction specifies both what it will do and what the end result should look like, with the system rejecting it if the outcome does not match the expectation.

Multi-signature and social recovery setups, where several keys or trusted parties must agree before funds move or accounts are recovered, are another way of spreading authority across multiple signals instead of a single point of failure. Spending limits and extra checks for unusually large or otherwise atypical actions add a further layer by keeping routine, low-risk operations simple while slowing down dangerous ones and forcing users to restate intent more clearly.

Across these examples, Buterin said the common theme is “risk reduction through redundancy” rather than absolute protection, meaning that effective designs approach human intent by analyzing the action itself, its expected consequences, the significance of the event, and the economic size of potential losses so that errors or attacks have more chances to be detected before causing damage.
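The simulation, post-condition and spending-limit checks described above can be combined so that a transfer proceeds only when every signal agrees. The following Python is an added example, not code from Buterin's post or from any wallet; the in-memory ledger, the `Intent` fields and the `LIMIT` threshold are hypothetical names and constructed values.

```python
from dataclasses import dataclass, field

# Constructed sample state: integer balances for made-up accounts.
LEDGER = {"alice": 5_000, "bob": 100, "mallory": 0}
LIMIT = 1_000  # hypothetical policy: above this, intent must be restated


@dataclass
class Intent:
    sender: str
    recipient: str   # the account the transaction will actually pay
    amount: int
    # Post-conditions: expected balance change per account after execution.
    expect_delta: dict = field(default_factory=dict)
    restated_recipient: str = ""  # second, independent statement of intent


def simulate(ledger, tx):
    """Apply the transfer to a copy of the ledger and return the preview."""
    if tx.amount <= 0 or ledger.get(tx.sender, 0) < tx.amount:
        raise ValueError("transfer would fail")
    preview = dict(ledger)
    preview[tx.sender] -= tx.amount
    preview[tx.recipient] = preview.get(tx.recipient, 0) + tx.amount
    return preview


def review(ledger, tx):
    """Return (decision, reasons); approve only when all signals line up."""
    try:
        preview = simulate(ledger, tx)
    except ValueError as exc:
        return "reject", [str(exc)]
    reasons = []
    # Signal 1: the simulated outcome must equal the declared post-conditions.
    actual = {a: preview[a] - ledger.get(a, 0) for a in preview
              if preview[a] != ledger.get(a, 0)}
    if actual != tx.expect_delta:
        reasons.append(f"post-condition mismatch: simulated {actual}")
    # Signal 2: high-value transfers need the recipient restated and matching.
    if tx.amount > LIMIT and tx.restated_recipient != tx.recipient:
        reasons.append("amount over limit and recipient not confirmed")
    return ("reject" if reasons else "approve"), reasons
```

A transaction whose recipient was swapped after the user declared the expected outcome fails the first check even though it would execute successfully, which is the redundancy the article describes.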

Using language models as a mirror of user behavior

Buterin also said this framework offers a way to think about the role of large language models in security, as general-purpose models can act as a rough simulation of human common sense, while models fine-tuned to an individual user can approximate that person’s habits and preferences more closely, giving them the ability to flag behavior that looks unusual or out of character and provide yet another angle on what a user is likely to intend.

He cautioned, however, that such models should never be treated as the sole authority on intent. Instead, they should sit alongside more traditional, explicit checks, with their difference in approach making the overall system more robust.

Making dangerous actions harder, not everything harder

Buterin concluded that security should not be equated with forcing users through extra clicks and constant obstacles. Low-risk actions, he said, should be easy or automated, while high-risk actions should be meaningfully harder to complete. The key design challenge, in his view, is finding the right balance between convenience and friction so that systems stay aligned with what people actually mean to do.

Final Take

The idea of an extra “common sense” layer that flags odd behavior without making final decisions is appealing in theory but still unproven in practice. If such a layer can be built and implemented reliably, it could become a core pillar of more secure systems, especially given Buterin’s framing of security as an alignment problem between human intent and rigid machine logic rather than a simple checklist of technical safeguards.


Ebrahem is a Web3 journalist, trader, and content specialist with 9+ years of experience covering crypto, finance, and emerging tech. He previously worked as a lead journalist at Cointelegraph AR, where he reported on regulatory shifts, institutional adoption, and sector-defining events. Focused on bridging the gap between traditional finance and the digital economy, Ebrahem writes with a simple, clear, high-impact style that helps readers see the full picture without the noise.
