Loading prices…
🩸BEARISH

DeFi "Unsafe": OpenZeppelin Founder Tells Friends to Exit

When the lead author of the contracts the space audits itself against tells you to leave Aave, MakerDAO, and Compound too, the warning is structural — not protocol-specific.

Manuel Aráoz, co-founder of crypto security firm OpenZeppelin, said on Tuesday that he now considers "all of DeFi" unsafe and has been personally advising friends and family to exit every DeFi position — including blue-chip protocols Aave, MakerDAO, and Compound. "Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric," he wrote on X. "Defenders need to fix every bug while attackers need just one exploit to steal funds."

The warning lands on top of a brutal stretch for the sector: nearly $630 million was stolen from DeFi protocols in April, the worst month for exploits since the $1.5 billion Bybit hack in February 2025. Two breaches accounted for most of the damage — the $285 million social-engineering exploit of Drift and a $293 million cross-chain bridge attack on Kelp DAO — both widely attributed to North Korea's state-backed hackers. DefiLlama counted 27 DeFi exploits in April, with 25 more already recorded in May.

Why it matters

Aráoz is not a critic on the outside looking in — OpenZeppelin wrote the contract libraries and security tooling that much of the DeFi stack runs on, and his firm audits the same blue-chip protocols he is now telling people to exit. When the person most familiar with the defensive state of the art withdraws the "protocols are safe if audited" assumption, the framework the rest of the industry uses to price risk has to be re-examined. His framing — asymmetric offence, AI-augmented exploit search, an attack surface that keeps growing — is the same argument institutional risk teams have been making quietly, now stated publicly by the most credentialed possible source.

Market impact

The fear is showing up in the flows. DeFi total value locked is down roughly 14% since mid-April, sliding from about $172 billion to $148 billion, a notable risk-off move that accelerated in the days after the Kelp DAO breach. May's exploits have been smaller — Verus Network lost $11.6 million on an Ethereum bridge bug, and Polymarket acknowledged a $573,200 breach — but the cadence, not the size, is what the market is reading.

Related tokens
$AAVE $COMP $ETH

Frequently asked questions

  1. Who is Manuel Aráoz and why does his warning carry weight?

    Manuel Aráoz is the co-founder of OpenZeppelin, the crypto security firm that wrote widely used smart-contract libraries and audits major DeFi protocols — including the blue-chip venues he is now telling people to avoid.

  2. What is the asymmetry Aráoz is describing in DeFi security?

    Defenders must find and fix every vulnerability in a protocol's code, while attackers only need to find one working exploit to drain funds — a gap he says is widening as AI coding agents accelerate vulnerability discovery.

  3. How bad was April for DeFi exploits?

    Nearly $630 million was stolen across 27 reported incidents in April, the worst month since the $1.5 billion Bybit hack in February 2025, according to The Block's dashboard and DefiLlama data.

  4. Which attacks drove most of April's DeFi losses?

    Two incidents accounted for the bulk: a $285 million social-engineering exploit of Drift and a $293 million cross-chain bridge attack on Kelp DAO. Both have been widely attributed to North Korea's state-backed hackers.

  5. Is the DeFi market already reacting to the security concerns?

    Yes. Total value locked across DeFi protocols has fallen roughly 14% since mid-April, sliding from about $172 billion to $148 billion, with the outflows accelerating after the Kelp DAO breach.

Source attribution
Aggregated from TheBlock · Verified · Last refreshed 45d ago
Open original →