The Man Who Helped Build Crypto’s Biggest Security Firm Just Said All of DeFi Is Unsafe
Who Is Manuel Araoz and Why Does His Warning Matter?
If you have ever put money into a DeFi platform – or are thinking about it – this story is for you. Manuel Araoz co-founded OpenZeppelin back in 2015, building it into the firm that has audited the security code behind Aave, Compound, MakerDAO, Uniswap, and Coinbase. When he speaks about DeFi security, he is not an outsider looking in. He built the tools the industry relies on. On May 26, he posted publicly on X that he now considers all of DeFi unsafe – and said he had personally told his friends and family to exit every DeFi position they hold. For anyone still new to cryptocurrency, understanding what DeFi actually is becomes essential before putting any money into these platforms.
His warning has two parts. First, the scale of hacks has become impossible to ignore. In April 2026 alone, nearly $630 million was stolen from DeFi protocols across 27 separate exploits – the worst month for DeFi security since the Bybit hack in early 2025. The biggest hits were Kelp DAO, which lost $293 million through a cross-chain bridge vulnerability, and Drift Protocol, which was drained of $285 million after a social engineering attack that had been running undetected for six months.
Why AI Is Making This Problem Much Worse
The second part of Araoz's argument is the more frightening one. He says AI coding agents have now become superhuman at finding vulnerabilities in smart contracts. His exact words: “defenders need to fix every bug while attackers need just one exploit to steal funds.” In other words, the game has always been asymmetric – but AI has made that asymmetry catastrophic. An AI model can scan all of a protocol's publicly visible on-chain code, identify subtle flaws, and generate a working exploit in seconds. It does not get tired. It does not miss things. A human security auditor working for weeks can catch most of what is visible – but AI attackers can now probe at a speed and depth that no human team can match. Knowing which DeFi wallets are still considered relatively safe for basic storage, as opposed to active DeFi use, is one of the most practical distinctions in crypto right now.
OpenZeppelin itself pushed back on the warning. The firm said Araoz left in 2019 and his views do not represent their current position. They argued that the industry has responded to recent hacks with better tools and faster response times. That may be true – but Araoz's structural point about the attacker-defender asymmetry does not depend on which firm you work for. It is a feature of the technology itself. DeFi protocols publish their code publicly because transparency is part of the design. That same transparency means any attacker can study the code looking for flaws.
What to Watch
The total value locked in DeFi has dropped by more than $20 billion in 2026 so far – partly because of hacks, partly because of the broader market decline. The key question going forward is whether the industry can develop defenses that move at AI speed. A few teams are working on AI-powered security tools that would scan code continuously rather than once at audit time. If those tools become widely adopted, the attacker-defender balance might shift again. Until then, Araoz's warning is worth taking seriously even if you disagree with his conclusion. The question is not whether DeFi has risks. The question is whether those risks are now too large to justify the yield.