Security Expert: AI Coding Agents Threaten All DeFi Platforms

Manuel Aráoz, co-founder of smart contract security firm OpenZeppelin, publicly warned on May 26 that people should exit DeFi entirely — including major blue-chip projects.

He argued that AI-powered coding agents have shifted the security balance so heavily in favor of attackers that no protocol can currently be trusted to hold user funds.

Aráoz’s Warning

The software engineer wrote on X: “PSA: I now consider all of DeFi unsafe.”

He said he has been privately advising friends and family to withdraw from all DeFi positions, naming Aave, MakerDAO, and Compound as examples of protocols he no longer considers safe.

Aráoz’s reasoning rests on a basic asymmetry in security: defenders must find and fix every vulnerability, while attackers need only discover a single flaw to cause damage. With AI coding agents capable of scanning smart contracts far more quickly and thoroughly than human teams, he believes that asymmetry has become untenable.

OpenZeppelin recently noted that crypto companies lost more than $3.4 billion to hacks in 2025, though the firm attributed most of those losses to compromised credentials, operational failures, and code changes shipped between audits rather than to smart contract bugs.

The year has seen a string of large attacks: more than $650 million was stolen in April alone. That total included a $292 million exploit of KelpDAO and roughly $285 million taken from Drift Protocol, with experts saying the latter involved months of social engineering.

Pushback From X Users

Aráoz’s statement sparked strong reactions and immediate pushback on X. Mark Zeller, founder of the Aave Chan Initiative, responded bluntly, citing data: fewer than 10% of DeFi incidents over the past year, he said, were caused by code-level vulnerabilities. According to Zeller, most failures were due to poor risk parameters, collateral mismanagement, and weak operational security rather than AI-assisted exploits.

Others expressed similar skepticism. Sam McPherson, co-founder of Phoenix Lab, said smart contracts on blue-chip DeFi platforms are “quite safe these days,” pointing to operational security failures as the real drivers behind the major hacks. Robert, a developer at Polaris Finance, echoed that distinction, arguing that genuine smart contract exploits are “almost non-existent these days” and that recent breaches primarily involved centralized components that permit human control rather than immutable on-chain code.

Ethereum co-founder Vitalik Buterin offered a different perspective on AI’s impact on crypto security. He suggested earlier this month that AI-assisted formal verification could strengthen crypto systems over time. In his view, developers can deploy AI both to write code and to help produce the mathematical proofs that demonstrate its correctness, potentially improving long-term security.