Manuel Aráoz, co-founder of the crypto security firm OpenZeppelin, considers the entire DeFi sector unsafe and advises friends and family to exit their positions completely. According to him, the DeFi security risk also affects established blue-chip protocols such as Aave, MakerDAO and Compound.
OpenZeppelin is a smart contract security firm and the publisher of the most widely used Solidity library. Furthermore, the company runs an institutional security platform with OpenZeppelin Defender and audits the smart contracts on which much of the DeFi ecosystem operates. Aráoz founded the firm in 2015 together with Demian Brener, the current CEO; since 2017 it has carried out more than 900 audits. By its own account, OpenZeppelin secures 250 billion USD in total value locked, and 9 of the 10 largest stablecoins as well as all 10 largest tokenized funds by market capitalization use its contracts. Aráoz bases the warning on a structural asymmetry: AI-powered coding agents shift the balance of power between attackers and defenders in favor of attackers.
AI agents as an accelerator of the DeFi security risk
Aráoz's warning is no emotional outlier but a structural argument about the economics of smart contract security. In an X post, he wrote that modern AI tools tip the already uneven balance between attack and defense decisively. Defenders must find and close every vulnerability; an attacker needs only a single working exploit to drain a protocol's entire capital.
"Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric. Defenders have to fix every bug, while attackers only need a single exploit to steal funds." - Manuel Aráoz, co-founder of OpenZeppelin
Research backs this asymmetry with concrete numbers. As early as March 2026, tests showed that modern AI agents independently carry out end-to-end exploits on 72% of known-vulnerable DeFi contracts. Purpose-built AI security agents do detect 92% of vulnerabilities, yet the attack side retains the advantage. For this reason, Aráoz's verdict explicitly applies to blue-chip protocols such as Aave, MakerDAO and Compound as well. Institutional investors have treated these as comparatively safe so far.
When clean code is not enough: the four layers of DeFi risk
OpenZeppelin itself breaks the problem down into a model of four risk layers. The first layer covers vulnerabilities in the smart contract code, the second the key management and signing infrastructure. Governance and upgrade attacks form the third layer, while cross-chain, integration and dependency exploits form the fourth. Most institutions, however, concentrate on the first two and significantly underestimate the latter two, even though precisely these caused the largest losses between 2024 and 2026. A classic code audit therefore essentially covers only the first layer.
Two major cases illustrate why clean code alone is no guarantee of security. In the Bybit hack of February 2025, more than 1.4 billion USD was stolen; it counts as the largest crypto theft ever. It rested, however, not on a smart contract bug but on a supply chain attack against Safe{Wallet}. The attackers compromised a developer machine, stole AWS session tokens and manipulated the wallet's JavaScript interface, which redirected the ETH to addresses controlled by North Korea. Likewise, OpenZeppelin's own analysis of the KelpDAO exploit carries the title "292 million lost, no bug found": the audited contract code was flawless, and the cause lay in the bridge and verifier configuration.
April 2026: 630 million USD stolen in a single month
The concrete trigger for the warning comes from an unprecedented wave of exploits. In April 2026, DeFi protocols lost roughly 630 million USD across 27 reported incidents. That made it the worst month since February 2025, when the Bybit hack alone consumed about 1.5 billion USD. Year to date through the end of April, 47 incidents added up to losses of 771.8 million USD. That is 68% more cases than in the same period a year earlier, which saw 28 incidents.
The largest single loss came from the attack on the Drift Protocol, a Solana-based DEX. Over a six-month social engineering scheme, the attackers gradually infiltrated the circle of protocol signers. Subsequently, they drained 285 million USD in only about twelve minutes; TRM Labs attributes the incident to a North Korean hacking group.
A few weeks later came the KelpDAO exploit, which hit the liquid restaking protocol behind the rsETH token. Through a single-verifier vulnerability in a LayerZero bridge, the attackers seized 293 million USD. Of this, roughly 70 million USD was frozen on Arbitrum, while the rest flowed out via THORChain. TRM Labs also traces this case back to the same North Korean group. In total, this group caused 76% of all crypto hack losses in 2026 through April with just two attacks, and the total theft attributed to it since 2017 exceeds 6 billion USD.
TVL decline and ongoing exploits in May 2026
The wave of exploits has also triggered a measurable capital outflow. Since mid-April, total DeFi TVL has fallen by roughly 14%, from about 172 billion USD to about 148 billion USD. The reaction at Aave was especially pronounced: within 24 hours of the KelpDAO exploit, its TVL dropped from 26.4 billion USD to 17.9 billion USD. Investors thus withdrew their capital even from a protocol that was not itself directly affected.
Funds deposited in DeFi protocols (Total Value Locked, TVL) / Source: DeFi Llama
In May 2026, the pattern continued with 25 reported exploits so far, albeit on a smaller scale. On 18 May, the Ethereum bridge of the Verus Network lost 11.6 million USD. A missing validation in the checkCCEValues function turned an input of 0.01 USD into an output of 11.58 million USD in ETH, tBTC and USDC; the Verus blockchain halted afterward. A few days later, Polymarket acknowledged an incident worth 573,200 USD, which traced back to a compromised, six-year-old private key of an internal wallet. Here, however, there was no smart contract exploit, and no user funds were affected.
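The Verus case above is a failure of a value-conservation check: a bridge released far more on the destination side than had been locked on the source side. The following is an added illustration, not Verus's code and not a reconstruction of checkCCEValues; the message layout, field names and sample amounts are all constructed for the example. It shows the invariant a cross-chain export validator has to enforce (per asset, released amount never exceeds escrowed amount, and no asset is released that was never escrowed), applied to one legitimate and one malicious export message.

```python
from dataclasses import dataclass

# Amounts are integers in each asset's smallest unit (wei, satoshi, 1e-6 USDC),
# so comparisons are exact and no floating-point rounding can hide a shortfall.


@dataclass(frozen=True)
class Output:
    asset: str          # hypothetical asset symbol
    recipient: str      # hypothetical destination address
    amount: int


@dataclass(frozen=True)
class CrossChainExport:
    export_id: str
    escrowed: dict      # asset -> amount actually locked on the source chain
    outputs: tuple      # what the message asks the destination bridge to release


def validate_export(cce: CrossChainExport) -> list:
    """Return a list of reasons to reject the export; empty means it is acceptable.

    The check never trusts the outputs on their own: every released amount is
    compared against what the source chain actually escrowed for that asset.
    """
    errors = []
    released = {}
    for out in cce.outputs:
        if out.amount <= 0:
            errors.append(f"{cce.export_id}: non-positive amount for {out.asset}")
            continue
        released[out.asset] = released.get(out.asset, 0) + out.amount

    for asset, total in released.items():
        locked = cce.escrowed.get(asset)
        if locked is None:
            errors.append(f"{cce.export_id}: release of {asset} with nothing escrowed")
        elif total > locked:
            errors.append(
                f"{cce.export_id}: {asset} outputs {total} exceed escrowed {locked}"
            )
    return errors


# Constructed sample 1: 1 ETH locked, 0.99 ETH released (fee kept by the bridge).
GOOD_EXPORT = CrossChainExport(
    export_id="export-0001",
    escrowed={"ETH": 10**18},
    outputs=(Output("ETH", "0xrecipientA", 99 * 10**16),),
)

# Constructed sample 2: a dust deposit on the source side, but the message asks
# the destination to release ETH, tBTC and USDC worth millions.
BAD_EXPORT = CrossChainExport(
    export_id="export-0002",
    escrowed={"ETH": 4 * 10**12},  # ~0.000004 ETH, a few cents
    outputs=(
        Output("ETH", "0xattacker", 3000 * 10**18),
        Output("tBTC", "0xattacker", 100 * 10**8),
        Output("USDC", "0xattacker", 5_000_000 * 10**6),
    ),
)


if __name__ == "__main__":
    for cce in (GOOD_EXPORT, BAD_EXPORT):
        problems = validate_export(cce)
        print(cce.export_id, "ACCEPT" if not problems else "REJECT")
        for p in problems:
            print("  -", p)
```

The design point is that the validator only has one source of truth, the escrow ledger, and rejects on any discrepancy rather than trying to "fix up" amounts. A release path that skips this comparison, or compares against values carried in the message itself, is exactly the kind of gap the page describes.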