«All DeFi is insecure»: OpenZeppelin's AI alarm

As of June 1, 2026, there is no large-scale DeFi hack attributed to an autonomous AI agent acting as an attacker. And yet, on May 26, Manuel Aráoz —co-founder of OpenZeppelin, the world's most widely used smart contract auditor— wrote on X that "I now consider all DeFi unsafe." His argument is not that thefts perpetrated by autonomous artificial intelligence already exist, but something more structural: AI coding agents (models that read and write code autonomously) are "superhuman at finding vulnerabilities," and the security of smart contracts (programs that run themselves on the blockchain and custody money) is "too asymmetric: the defender has to fix all the flaws, while the attacker only needs one exploit to steal the funds." Aráoz even stated that he had advised friends and family to exit Aave, MakerDAO, and Compound. This article separates the verifiable from the projective: it quantifies the asymmetry he denounces, reviews with dated figures the worst quarter of hacks in DeFi history —over $606 million in April alone, 76% of the year's stolen value in just two North Korean attacks according to TRM Labs— and explains what is changing operationally, without falling into the alarmism that has infected recent coverage.

What exactly did the OpenZeppelin co-founder say?

Aráoz's message was a brief and blunt "PSA" (public service announcement), published on May 26 and amplified by the specialized press the following day. The key phrase —"coding agents are superhuman at finding vulnerabilities"— maintains that the historical bottleneck of a protocol attack (finding the flaw) is collapsing: what previously required weeks from an expert human auditor can now be done by an AI agent in hours, on any public code.

It is worth clarifying who is speaking, as the press has simplified it. Aráoz co-founded OpenZeppelin in 2015 and was its CTO, but he left the company in 2019: he holds no current position. His warning carries weight because of his track record —he wrote part of the contract libraries used by half of Ethereum today— not because it represents the company's official stance. In fact, OpenZeppelin distanced itself in the media: it stated that "Aráoz's views do not represent the current position of OpenZeppelin," and its CEO and co-founder, Demian Brener, argued that the correct response is continuous security augmented by AI, not withdrawal. This was not a formal statement on their corporate blog, but rather clarifications to the press.

A chronological nuance that several media outlets have confused is important: the "Four Layers of DeFi Risk" framework that OpenZeppelin published on May 12 predates Aráoz's post and is not a rebuttal to its co-founder. Anyone presenting it as "the company replied with a framework" has the dates wrong.

Why is the DeFi attack surface so asymmetric?

The asymmetry Aráoz denounces is not rhetorical: it is a structural property of how DeFi works. A deployed smart contract has three traits that, combined, grant the attacker an advantage.

First, the code is public. Anyone can read the bytecode on the blockchain, and the vast majority of serious protocols also publish the verified source code. The attacker does not need to leak blueprints or bribe an employee to see how the vault is built: it is open on the table, with the schematics right next to it.

Second, the code is immutable or nearly so. Once deployed, it isn't patched like a mobile app pushing an update overnight. Changing it requires governance mechanisms, admin keys, or upgradeable contracts —which in turn are additional attack surfaces. The defender is late by design.

Third, the code custodies money directly. There is no banking layer to freeze a suspicious transfer after the fact. If the exploit works, the funds leave in the same block and, via a cross-chain bridge, are dispersed in minutes.

Mathematical asymmetry is built upon these three traits: the defender must close one hundred percent of possible flaws —those known and those not yet imagined— indefinitely; the attacker needs to find exactly one. It is the same logic as in classic cybersecurity, with a brutal difference: here, there is no emergency patch or transaction reversal.

What AI changes in this equation is not creativity —the best exploits still require intuition regarding a protocol's economic logic— but the scale and speed of offensive auditing. The loop is concrete and cheap to operate: a coding agent extracts the verified source code of a contract via the Etherscan public API, deploys it on a local fork of the chain, executes symbolic fuzzing —testing automatically generated inputs to force unexpected states— on every function, and iterates over thousands of contracts with no marginal cost per attempt. No one needs to be bribed and no blueprints leaked: the source material is public and the machine does not tire. The defender of a single protocol still moves at human speed; massive offensive scanning does not.

How much has actually been lost in DeFi in 2026?

Here is the hard data that gives credibility to the warning, regardless of AI. According to CoinDesk, in the twelve months between May 2025 and May 2026, more than $1.1 billion was lost in DeFi —a figure that should be read as a journalistic aggregate, not as independently audited on-chain data. And the pace has skyrocketed in 2026: 47 incidents in the first four and a half months of the year compared to 28 in the same period of 2025, a 68% increase, according to CryptoTimes and Crowdfund Insider.

The monthly distribution tells a story of violent acceleration toward April:

The figures from January to March are ranges because sources (DefiLlama, CryptoTimes) consolidate at different rates; the quarter closed at around 169 million according to DefiLlama. The takeaway is not in the exact decimal but in the shape of the curve: three contained months and then an April that, on its own, more than triples the entire quarter. The corollary is a drop in TVL (total value locked in DeFi protocols) of more than $20 billion so far this year, according to CoinDesk —not all attributable to hacks, but the loss of confidence weighs heavily.

Who is behind the major thefts of April?

This is where the narrative of "AI is already attacking DeFi" crumbles in the face of facts. The two largest thefts of the year have perfectly identified human authors, and neither was the work of an autonomous agent.

The most compelling empirical evidence comes from TRM Labs: North Korea stole 76% of all crypto hack value in 2026 (up to April) with just two attacks —Drift on April 1 and Kelp DAO on April 18, totaling about $577 million combined. In the words of TRM, those two hits represent "3% of the 2026 incident count and 76% of the stolen value." Concentration matters more than the percentage itself: the problem in 2026 is not a diffuse cloud of autonomous AI scanning contracts, but a single human state actor moving the needle for the entire year with two carefully prepared operations. Any threat model that ignores this is looking in the wrong place.

The Kelp DAO hack ($292 million, April 18) exploited the protocol's LayerZero bridge. The cause was not a logic flaw that an AI "discovered": it was an insecure configuration —a single verifier (DVN, Decentralized Verifier Network) in "1 of 1" mode— combined with a denial-of-service (DDoS) attack on RPC nodes to blind the protocol during the maneuver. The wETH was stranded across twenty chains. Chainalysis and Halborn attribute it to Lazarus, the North Korean group.

The Drift Protocol hack (~$285 million, April 1, on Solana) was even more analog: according to Chainalysis, months of social engineering against protocol signers, topped off with an abuse of "durable nonces" (a Solana mechanism that allows signing valid transactions indefinitely). Chainalysis, TRM Labs, and Elliptic attribute it to North Korean actors. Human patience, not machine speed.

The case that comes closest to Aráoz's thesis is Step Finance (between $27 and $40 million depending on the source; protocol closed on February 24, 2026). The sequence matters: human attackers compromised the devices of protocol executives, thereby obtaining their private keys, and once inside, abused the protocol's own AI agents —which had fund transfer permissions— as an amplifying vector to move the loot. BleepingComputer puts the theft at $40 million; Halborn, which reconstructed the incident, places it around $30 million based on the 261,854 SOL diverted. This is a decisive nuance and exactly the opposite of the easy headline: AI was a tool exploited after a classic human compromise, not an autonomous attacker. The breached component was the machine identity with excessive permissions, not a model deciding to steal on its own.

So, is AI already hacking DeFi or not yet?

As of June 1, 2026, there is no large-scale DeFi hack attributed to an autonomous AI agent acting as an attacker. Anyone claiming otherwise is selling headlines. The major thefts of 2026 are human operations —Lazarus leading the way— which in some cases use AI as just another tool, much like they use exploits, social engineering, or DDoS.

This does not weaken Aráoz's warning: it strengthens it by putting it in its proper place. What he describes is an emerging capability, not a casualty report. His thesis is that the barrier that historically protected mediocre protocols —that finding a flaw was expensive and slow— is falling. When offensively auditing all public DeFi code becomes cheap and fast, the inventory of "economically unprofitable to find" flaws will cease to exist. The defender-attacker asymmetry, which was always there, becomes unsustainable for any protocol that does not have top-tier security.

Honesty about this distinction is precisely what separates analysis from clickbait. The danger is real and structural; the "it's already happening with AI" is still false. Both things are true at once.

Should a user exit Aave or Compound because of this?

The short answer: Aráoz's position is that of a private individual who left the company in 2019, and OpenZeppelin itself qualified it. Aave, MakerDAO (now Sky), and Compound are precisely the protocols with the densest continuous audits, largest bug bounties (rewards for reporting flaws), and emergency pause mechanisms in the sector. They are not the weak link; they are the most expensive targets to attack.

That said, the warning has a sensible operational reading for any user, without panic:

Running away from the most audited protocols to put capital into poorly reviewed alternatives would be the worst possible outcome of this warning: exactly the opposite of what it intends.

What makes a protocol secure in 2026?

The most uncomfortable answer to the "superhuman attacker" thesis is this: the two largest hacks of 2026 did not fall due to a hidden vulnerability that an AI had to discover, but because of a human configuration decision that had already been flagged. LayerZero had explicitly warned Kelp of the risk of operating the bridge with a verifier in "1 of 1" mode —a single DVN signing, without redundancy— before the hack. It didn't take an agent scanning thousands of functions: the door was marked as insecure by the provider itself and was left open anyway. The defender-attacker asymmetry is not lost in the sophistication of the attacker; it is lost in the specific negligence of the defender.

This reorders the hierarchy of defense. Before the stack of layers comes the discipline of not ignoring the warnings already on the table. And the economics of defense, when done right, are quantifiable: Aave's bug bounty program on Immunefi pays up to $1,000,000 for a reported critical flaw. That figure is the key lever —if rewarding the report of a flaw is more profitable than exploiting it, the attacker's economics are inverted, and hunters (human and, increasingly, AI-assisted) work for the defender. Upon these two foundations —not ignoring warnings, paying for flaws— the rest is built:

• Continuous, not one-off, auditing. A two-year-old audit on a protocol that has changed ten times is worthless. Serious protocols audit every change and maintain real-time on-chain monitoring.
• Pause mechanisms. The ability to freeze the contract in the face of anomalous behavior is the only thing that turns a theft of hundreds of millions into one of a few —provided it is activated in time; in Kelp, RPC nodes were blinded with a DDoS precisely to prevent this.
• Verified bridge configuration. The Kelp case in one line: never operate a cross-chain bridge with a single verifier when the provider recommends redundancy.
• On-chain insurance. Coverage like that from Nexus Mutual doesn't prevent the hack, but it transfers part of the risk and is a sign that independent third parties have evaluated the protocol as insurable.
• Minimum permissions for machine identities. The lesson from Step Finance: an AI agent with transfer permissions is a bomb. The principle of least privilege applies to bots as much as to people.

What is the lesson from this warning?

Aráoz's phrase works as a thermometer, not a sentence. And the real thermometer of 2026 points to a very different place than the headline suggests: if North Korea concentrates 76% of the year's stolen value in two attacks, the dominant risk in DeFi today is not diffuse in an autonomous AI that does not yet exist, but concentrated in a human state actor with time, patience, and hand-picked targets. The correct threat model for 2026 is Lazarus performing social engineering against signers, not a language model stealing on its own.

The irony defended by Brener, the CEO of OpenZeppelin, is consistent: the same AI that amplifies the attacker can be put to work auditing continuously on the defender's side. The open question —and honestly unanswered today— is who runs faster in that scanning race, the one defending a protocol or the one scanning thousands at once. That race has not yet been decided, and pretending the attacker has already won is giving away fear where risk management is needed.

The projective aspect —that coding agents make the defender-attacker asymmetry unsustainable by making massive offensive scanning cheap— is plausible and deserves to be taken seriously. But rational behavior today is not to flee DeFi: it is to prefer protocols that do not ignore the warnings they already have (the Kelp lesson), with defense-in-depth and large bug bounties, minimize exposure in bridges, revoke idle approvals, and distrust yield coming from unaudited protocols. The asymmetry was always there; what is new is not that AI is already attacking, but that the cost of exploiting it is falling while the actor who steals the most remains flesh and blood.

Sources and links: CoinDesk — Aráoz: «DeFi isn't safe anymore» · CoinDesk — Kelp DAO, $292 M · Chainalysis — Lessons from the Drift hack · CryptoTimes — April 2026, worst month · OpenZeppelin — Four Layers of DeFi Risk · CoinDesk — $20 B drop in TVL · TRM Labs — North Korea, 76% of stolen value in two attacks · Halborn — The Step Finance hack · BleepingComputer — Step Finance, compromised devices and $40 M