Monday, June 1, 2026
News

DeFi Security Debate Heats Up: Why Industry Giants Say Blue-Chip Protocols Are Still Safe

By Sabnam

A controversy erupted this week after OpenZeppelin’s co-founder warned that all DeFi is unsafe, but top builders are pushing back with data showing massive security improvements.

The Warning That Shook DeFi

Manuel Aráoz, co-founder of blockchain security firm OpenZeppelin, sent shockwaves through the cryptocurrency industry when he declared that “all DeFi is unsafe” on May 27, 2026. His warning went viral on social media, prompting many retail investors to question whether they should pull their money out of even the most trusted decentralized finance platforms.

Aráoz didn’t soft-pedal his message. He said he’s been privately advising friends and family to exit all DeFi positions, including what most people consider “blue-chip” protocols like Aave, MakerDAO (now Sky), and Compound.

His reasoning centers on a new threat: AI-powered coding agents. Aráoz argues these tools have “superhuman talent” for finding vulnerabilities in smart contracts. He described the security problem as fundamentally asymmetric: defenders must patch every single flaw, but attackers only need one weakness to steal millions.

Industry Leaders Push Back Hard

The response from DeFi’s biggest names was swift and skeptical.

Aave’s Founder Dismisses the Claim

Stani Kulechov, founder of Aave (one of the largest DeFi lending protocols), responded with characteristic directness: “Not a good take.” He explained that DeFi infrastructure is “materially more resilient than in prior cycles,” crediting AI with improving security tooling and risk engines even as it makes attacks easier to mount.

Kulechov pushed back against the idea that AI is only a net negative for security. DeFi has evolved significantly since 2020, he argued, and pretending otherwise ignores real progress.

Sky Co-Founder Agrees: Blue Chips Are Safe

Sam MacPherson, co-founder of Sky (formerly MakerDAO), echoed Kulechov’s stance. He pointed out that most recent major hacks stem from operational security (opsec) issues, not smart contract vulnerabilities. According to MacPherson, “Smart contracts of blue chips are quite safe these days.”

Analysts backing this view note that less than 10% of 2025 DeFi hacks involved codebase problems. The majority came from poor configuration, compromised private keys, or weak multi-signature governance.

The Data Suggests DeFi Has Improved Dramatically

While Aráoz’s warning sounds alarming, the numbers tell a different story.

98% Improvement in Lending Safety

Michael Heinrich, CEO of 0G Labs, highlighted a striking statistic: DeFi lending security has improved by roughly 98% since 2020. Daily loss rates on major lending protocols have dropped to around 0.001%, according to his analysis.

“Telling retail to exit blue-chips like Aave and Maker doesn’t match the actual risk-adjusted picture,” Heinrich told Bitcoin.com News.

But Exploits Are Still Happening

Aráoz’s side of the argument isn’t without support, though. Blockchain security firm Peckshield found that cross-chain protocol exploits alone drained $328.6 million between January and mid-May 2026. Across DeFi as a whole, approximately $1.45 billion has been stolen over the past year.

Over 50% of these exploits involved bridged assets, compromised admin keys, or private key breaches—not necessarily smart contract bugs.

The Real Problem: Static Audits Are Dead

Both sides of the debate agree on one thing: the old security model doesn’t work anymore.

Why Annual Audits Fail

Leo Fan, founder of security firm Cysic, delivered a blunt assessment: “The point-in-time audit is already dead; people just haven’t held the funeral.” Relying on a single audit before deploying code, and nothing afterwards, is no longer a credible defense against attackers who can probe live contracts at machine speed.

The New Four-Layer Security Stack

Heinrich from 0G Labs outlined what modern DeFi security should look like:

  1. Pre-deployment AI-assisted audits paired with human review
  2. Continuous post-deployment monitoring (machine-speed, not periodic)
  3. Well-funded bug bounties to incentivize white-hat hackers
  4. Verifiable AI on the defender side running against live contracts

“Audits don’t go away,” Heinrich said. “They become the first checkpoint in a machine-speed defense pipeline.”

The ultimate goal is formal verification on critical paths—using mathematical proofs rather than subjective human reviews to guarantee code safety.
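To make the second layer of that stack concrete, here is a small Python monitor, written for this article as an added example rather than code from 0G Labs, Aave, Sky or any other protocol named here. It shows what “continuous, machine-speed” monitoring actually checks on every event: an accounting invariant (held cash plus outstanding borrows must cover depositor claims), single and rolling-window outflow thresholds, and admin-role changes, the last of which is where the compromised-key and governance failures discussed above show up on-chain. The event schema (dicts with block, kind, actor, amount), the thresholds and the sample event stream are all assumptions; a real deployment would subscribe to a node or indexer and page an on-call rotation or trigger a pause.

```python
"""Post-deployment pool monitor that re-checks invariants on every event.

Added illustration; not code from any protocol in the article. The event
schema, thresholds and sample stream are assumptions made for this example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Alert:
    block: int
    rule: str
    detail: str


@dataclass
class PoolMonitor:
    # Illustrative thresholds (assumed, not taken from any real risk engine).
    single_share: float = 0.10   # one outflow above 10% of held cash
    window_blocks: int = 50      # rolling window for cumulative outflow
    window_share: float = 0.25   # cumulative outflow above 25% within the window
    admins: set = field(default_factory=lambda: {"ops-multisig"})  # assumed initial admin
    cash: int = 0                # tokens actually held by the pool contract
    deposits: int = 0            # depositor claims (what users may withdraw)
    borrows: int = 0             # outstanding principal owed back to the pool
    outflows: deque = field(default_factory=deque)  # (block, amount) inside the window
    alerts: list = field(default_factory=list)

    def _prune(self, block: int) -> None:
        while self.outflows and self.outflows[0][0] <= block - self.window_blocks:
            self.outflows.popleft()

    def process(self, ev: dict) -> None:
        block, kind, actor = ev["block"], ev["kind"], ev["actor"]
        amount = ev.get("amount", 0)
        self._prune(block)
        if kind == "deposit":
            self.cash += amount
            self.deposits += amount
        elif kind == "borrow":
            self.cash -= amount
            self.borrows += amount
        elif kind == "repay":
            self.cash += amount
            self.borrows -= amount
        elif kind in ("withdraw", "transfer_out"):
            # Rule 1: a single outflow that is large relative to what the pool holds.
            if self.cash > 0 and amount / self.cash > self.single_share:
                self.alerts.append(Alert(block, "large_outflow",
                                         f"{actor} moved {amount} of {self.cash}"))
            self.cash -= amount
            if kind == "withdraw":      # a raw transfer_out has no matching claim
                self.deposits -= amount
            self.outflows.append((block, amount))
            # Rule 2: cumulative outflow inside the rolling window.
            total = sum(a for _, a in self.outflows)
            baseline = self.cash + total    # cash before this window's outflows
            if baseline > 0 and total / baseline > self.window_share:
                self.alerts.append(Alert(block, "window_outflow",
                                         f"{total} left within {self.window_blocks} blocks"))
        elif kind == "role_granted":
            # Rule 3: every admin-role change is flagged for review; one issued by a
            # non-admin is the on-chain signature of a compromised key or governance path.
            origin = "admin" if actor in self.admins else "NON-ADMIN"
            self.alerts.append(Alert(block, "admin_change",
                                     f"{ev['grantee']} granted by {origin} {actor}"))
            self.admins.add(ev["grantee"])
        # Rule 4: solvency invariant (interest ignored). Cash plus borrows must cover
        # depositor claims; a gap means value left without matching accounting.
        if self.cash + self.borrows < self.deposits:
            self.alerts.append(Alert(block, "insolvency",
                                     f"cash {self.cash} + borrows {self.borrows} "
                                     f"< deposits {self.deposits}"))


def monitor_events(events) -> list:
    """Run the monitor over a decoded event stream and return alerts in order."""
    mon = PoolMonitor()
    for ev in events:
        mon.process(ev)
    return mon.alerts


# Constructed sample stream: normal activity, then a rogue role grant and a drain.
SAMPLE_EVENTS = [
    {"block": 1, "kind": "deposit", "actor": "alice", "amount": 1000},
    {"block": 2, "kind": "deposit", "actor": "bob", "amount": 1000},
    {"block": 3, "kind": "deposit", "actor": "carol", "amount": 1000},
    {"block": 4, "kind": "borrow", "actor": "dave", "amount": 500},
    {"block": 10, "kind": "repay", "actor": "dave", "amount": 200},
    {"block": 12, "kind": "withdraw", "actor": "alice", "amount": 100},
    {"block": 40, "kind": "role_granted", "actor": "mallory", "grantee": "mallory"},
    {"block": 41, "kind": "transfer_out", "actor": "mallory", "amount": 1500},
]

if __name__ == "__main__":
    for a in monitor_events(SAMPLE_EVENTS):
        print(f"block {a.block}: {a.rule}: {a.detail}")
```

On the sample stream the first six events raise nothing; the rogue role grant at block 40 raises an admin_change alert, and the drain at block 41 trips all three remaining rules at once. The point of the invariant rule is that it needs no knowledge of the specific bug: whatever flaw let the tokens leave, the accounting gap is visible in the same block, which is the signal a pause or circuit breaker can act on.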

DeFi Insurance Is Growing but Still Underdeveloped

Another critical piece of the security puzzle is insurance. Here’s the problem: the decentralized insurance sector is severely underdeveloped.

Nexus Mutual, the market leader, holds approximately $190 million in coverage against a DeFi market with $40–100+ billion in total value locked (TVL). That’s a dangerously thin capital ratio.

Despite this, demand is accelerating. A March 2026 forecast by Coinlaw projects the decentralized insurance market will grow nearly fivefold by 2029.

“What actually moves the needle are parametric on-chain products that pay out automatically on verifiable signals,” Heinrich explained.

What Should Regulators Focus On?

Leo Fan offered sharp advice for policymakers: focus on operational security, not just code.

“The smarter regulatory instinct isn’t to panic about AI attackers specifically,” Fan said. “It’s to focus on the operational layer where the money actually leaves: key custody, multisig governance, bridge security, and incident response.”

Fan argued that regulators focusing exclusively on smart contract code while ignoring day-to-day operations is like “regulating the 10% and missing the 90%.”

He also pushed for cryptographic proof (like zero-knowledge proofs) as a compliance primitive instead of PDF audit reports. “It is auditable by math, not by trust,” Fan said.

The Bottom Line for Retail Investors

So, is all DeFi unsafe? The evidence suggests no, but with important caveats:

  • Blue-chip protocols (Aave, Compound, Sky) have significantly improved security since 2020
  • Most hacks come from opsec failures, not smart contract bugs
  • AI makes both attacks and defenses stronger—it’s not a one-sided threat
  • Static audits are dead; continuous monitoring is essential
  • Insurance remains thin but is growing rapidly

Aráoz’s warning highlights real risks, but industry leaders argue his “exit everything” framing oversells the danger while undermining credible security progress. For retail investors, the takeaway is clear: stick to established protocols, use hardware wallets, enable multi-sig where possible, and stay informed about operational security best practices.

DeFi isn’t perfectly safe—but it’s far more resilient than Aráoz’s dramatic warning suggests.

Written by

Sabnam

Sabnam is a passionate Blockchain student and dedicated Content Writer at Cryptodarshan.com, where she focuses on simplifying complex cryptocurrency and blockchain concepts for everyday readers. With a strong interest in decentralized technology, digital finance, and Web3 innovation, she is committed to spreading awareness about the future of money and technology.