In practice, "open source" is a spectrum of licensing choices, not a single switch. Permissive licenses such as MIT and Apache 2.0 let anyone reuse or repackage the code, even in closed commercial products, while copyleft licenses like GPL or LGPL require that any modified version stays open too. Bitcoin Core, for instance, is released entirely under the MIT license, whereas Ethereum's codebase is more fragmented: many libraries use MIT, but core clients such as Geth carry GPLv3 or LGPLv3, which can obligate anyone shipping a modified client to publish their changes.
Open code matters most where money is at stake. A smart contract's logic determines exactly how funds move, so publishing and verifying that source code on a block explorer lets independent researchers check for hidden mint functions, blocked sell orders, or backdoors before depositing capital. Projects that keep contracts unverified or closed remove that layer of scrutiny; several documented rug pulls succeeded precisely because attackers exploited code nobody outside the team could inspect.
Most blockchain infrastructure, from consensus clients to wallets, is hosted publicly on platforms like GitHub, where anyone can propose fixes or fork the project entirely. This openness underpins the ethos of continuous, permissionless building sometimes called "BUIDL." Still, open source is not a guarantee of safety on its own: published code can contain unnoticed bugs, and a license only governs reuse and distribution, not audit quality. It is a necessary condition for trustless verification, not a substitute for it.