OpenZeppelin pushes back as ex-CTO declares all of DeFi unsafe
OpenZeppelin co-founder Manuel Aráoz says AI coding agents have made all of DeFi unsafe, prompting the firm to distance itself from his views. The warning comes as DeFi hacks surpass $1.1 billion over the past year.

Manuel Aráoz (@maraoz), co-founder of blockchain security firm @OpenZeppelin, went public this week with a stark warning: he now considers all of decentralized finance unsafe. The reason, he argued, is a structural one. "Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds." Aráoz said he has been privately advising friends and family to exit all DeFi positions, including what he described as low-risk blue chips such as Aave ($AAVE), MakerDAO ($MKR), and Compound ($COMP).
OpenZeppelin Distances Itself From the Warning
@OpenZeppelin moved quickly to separate itself from Aráoz's comments. The firm noted that Aráoz left the company in 2019 and that his personal views do not reflect its position. OpenZeppelin said it has secured over $35 trillion in onchain value since 2015 and described AI as a real threat but also "one of the most powerful defensive tools we have." On May 12, the firm released a framework called the "Four Layers of DeFi Risk," stating that audits alone are no longer enough to reduce risks in DeFi systems and recommending continuous threat monitoring, operational controls, and multiple security layers as part of a broader defense strategy.
Not everyone agrees with Aráoz's framing. Aave contributor Marc Zeller (@Marczeller) argued that less than 10% of past-year DeFi issues are due to codebases, attributing most losses to bad parameter configuration, collateral blowups, and poor operational security. Investor Jacob Franek added that timelocks and circuit breakers remain effective non-code mitigations, and that the same AI tools will eventually power defensive formal verification when shipping new code.
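The timelock and circuit-breaker mitigations mentioned above are worth seeing in code. The following contract is an added illustration written for this page; it is not OpenZeppelin's code, not code from any of the protocols named in the article, and every name in it (TimelockedVault, withdrawLimitPerTx, the guardian role, the two-day delay) is a hypothetical choice. It shows the two controls working together: a privileged parameter change must be announced on-chain and can only take effect after a delay, which gives monitoring and users time to react, while a separate guardian role can halt value movement immediately but cannot move funds or change parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not OpenZeppelin's or any named protocol's code): a vault whose
// privileged parameter change is gated by a timelock and whose withdrawals can
// be halted by a guardian acting as a circuit breaker. All names are hypothetical.
contract TimelockedVault {
    uint256 public constant DELAY = 2 days;   // assumed delay; chosen per protocol in practice

    address public admin;        // proposes and executes parameter changes (ideally a multisig)
    address public guardian;     // can only pause/unpause: deliberately narrow powers
    bool public paused;
    uint256 public withdrawLimitPerTx;        // the parameter protected by the timelock

    mapping(address => uint256) public balances;
    // keccak256(newLimit, salt) => earliest timestamp at which it may be executed
    mapping(bytes32 => uint256) public queued;

    event LimitQueued(bytes32 indexed id, uint256 newLimit, uint256 eta);
    event LimitExecuted(bytes32 indexed id, uint256 newLimit);
    event Paused(address by);
    event Unpaused(address by);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address _guardian, uint256 _limit) {
        admin = msg.sender;
        guardian = _guardian;
        withdrawLimitPerTx = _limit;
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // Per-transaction cap: bounds how much any single call can move, so a bug
    // elsewhere cannot empty the vault in one transaction (one layer, not a full defence).
    function withdraw(uint256 amount) external whenNotPaused {
        require(amount <= withdrawLimitPerTx, "over per-tx limit");
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;            // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Timelock step 1: announce the change. The LimitQueued event is what a
    // monitoring system watches for; nothing changes until DELAY has elapsed.
    function queueLimit(uint256 newLimit, bytes32 salt) external onlyAdmin returns (bytes32 id) {
        id = keccak256(abi.encode(newLimit, salt));
        require(queued[id] == 0, "already queued");
        queued[id] = block.timestamp + DELAY;
        emit LimitQueued(id, newLimit, queued[id]);
    }

    // Timelock step 2: apply the change only once its delay has passed.
    function executeLimit(uint256 newLimit, bytes32 salt) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(newLimit, salt));
        uint256 eta = queued[id];
        require(eta != 0 && block.timestamp >= eta, "not ready");
        delete queued[id];
        withdrawLimitPerTx = newLimit;
        emit LimitExecuted(id, newLimit);
    }

    // Circuit breaker: the guardian can stop deposits and withdrawals at once,
    // without waiting out the timelock, but has no other authority.
    function pause() external onlyGuardian { paused = true; emit Paused(msg.sender); }
    function unpause() external onlyGuardian { paused = false; emit Unpaused(msg.sender); }
}
```

The two roles are separated on purpose: the slow path (admin via timelock) is where a compromised key or a bad parameter would be caught by the delay, and the fast path (guardian pause) is what a monitoring alert triggers. In a production deployment the admin would be a multisig or governance contract rather than a single address, and the pause would typically be paired with the continuous monitoring the article describes so that the guardian learns about an anomaly in time to act.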
The Hack Data Behind the Warning
The backdrop to the debate is difficult to ignore. Aráoz's comments come amid a sharp decline of more than $20 billion in DeFi's total value locked this year and over $1.1 billion lost to hacks in the past 12 months, including high-profile exploits at Kelp DAO and Step Finance. Nearly $770 million has been lost to hacks and exploits in 2026 alone, with April seeing $606 million drained across 12 separate incidents in just 18 days.
On April 19, Kelp DAO lost between $292 and $293 million after an exploit targeted a LayerZero V2 bridge route configured as a single point of failure. Step Finance is another instructive case: after a theft in late January, the team announced a full shutdown in February. Industry experts say AI-powered coding tools are lowering the technical barriers for attackers, enabling vulnerabilities to be identified and exploited faster than many protocols can defend against them.
A clean audit report from six months ago no longer offers sufficient cover when AI agents can discover new attack vectors in hours. DeFi's security model was designed for a world where human hackers manually reviewed code for vulnerabilities. That world no longer exists. The debate now centres on whether defensive AI tools can close the gap before losses compound further.
Sources:
CoinDesk: DeFi isn't safe anymore because AI is becoming 'superhuman' at hacking, security chief warns
Live Bitcoin News: DeFi Loses $770M to Hacks in 2026
DefiLlama: DeFi Hacks and Exploits Database
Author
Crypto Rich
Rich has been researching cryptocurrency and blockchain technology for eight years and has served as a senior analyst at BSCN since its founding in 2020. He focuses on fundamental analysis of early-stage crypto projects and tokens and has published in-depth research reports on over 200 emerging protocols. Rich also writes about broader technology and scientific trends and maintains active involvement in the crypto community through X/Twitter Spaces and leading industry events.