OpenZeppelin founder warns all of DeFi is unsafe amid security breaches
Manuel Aráoz says the asymmetry between attackers and defenders has made decentralized finance fundamentally insecure, especially as AI supercharges exploit discovery.
When the co-founder of one of crypto’s most respected security firms tells you the entire DeFi ecosystem is unsafe, it’s worth putting down your coffee and paying attention.
Manuel Aráoz, who co-founded OpenZeppelin alongside Demian Brener back in 2015, declared on May 26 that he now considers all of DeFi unsafe. His reasoning centers on a structural problem: the imbalance between attackers and defenders in smart contract security has grown so severe that even rigorously audited protocols can no longer be considered safe. And AI, he warns, is making the problem worse.
$600 million gone in a single month
The context for Aráoz’s warning is grim. In April 2026 alone, more than $600 million was drained from DeFi protocols across multiple exploits.
KelpDAO was the hardest hit, losing $292 million. Drift followed with $285 million drained. Euler saw $197 million siphoned away. Three protocols, three massive losses, all within the same calendar month.
AI is tipping the scales toward attackers
Here’s the thing about smart contract security: it has always been asymmetric. Defenders need to find and fix every vulnerability. Attackers only need to find one. Aráoz argues that advanced AI coding agents are now dramatically worsening the equation, getting remarkably good at reading smart contract code and identifying exploitable bugs at machine speed.
OpenZeppelin itself appears to recognize the shifting threat landscape. On May 12, the firm published a framework it calls the “Four Layers of DeFi Risk,” designed to help institutions understand and manage the multifaceted dangers of deploying capital into decentralized protocols. The framework emphasizes that audits alone are no longer sufficient and that continuous monitoring and layered security approaches are essential.
What this means for investors
For institutional players, Aráoz’s warning and OpenZeppelin’s new risk framework together suggest a shift in due diligence requirements. Allocating to DeFi strategies will increasingly demand evidence of continuous security monitoring, bug bounty programs, formal verification of critical code paths, and insurance coverage. A clean audit report from six months ago simply does not cut it anymore when AI agents can discover new attack vectors in hours.
The uncomfortable truth that Aráoz is pointing to is this: DeFi’s security model was designed for a world where human hackers manually reviewed code for vulnerabilities. That world no longer exists. Until the defense scales as fast as the offense, “unsafe” might be the most honest word available.