DeFi Beware! "All DeFi is Unsafe," Says OpenZeppelin Founder

2026-05-28


OpenZeppelin founder Manuel Aráoz recently made a bold statement in May 2026. He said, "All DeFi is unsafe." 

This statement appeared on X on May 26 and 27, 2026. Aráoz advised his friends and family to exit all DeFi positions, including major protocols like Aave, MakerDAO, and Compound.

He also recommends withdrawing funds off-chain. Let's discuss this calmly so you understand the DeFi security risks without excessive panic.

Aráoz's statements are personal, as he left OpenZeppelin in 2019. OpenZeppelin itself has clarified that these views do not represent the company.

Key Takeaways

  • Manuel Aráoz, co-founder of OpenZeppelin, said all DeFi is unsafe due to the threat of coding agents that can quickly find smart contract vulnerabilities.
  • April 2026 was the worst month on record, with losses of around US$630 million from 27 DeFi hacks.
  • The total value locked in DeFi has fallen 14 percent since mid-April, from $172 billion to around $148 billion.


Manuel Aráoz's Statement and the Background to His Warning in May 2026

Manuel Aráoz is the co-founder of OpenZeppelin, a company known for developing smart contract security standards. 

OpenZeppelin has secured over US$36.2 trillion in capital and supports a total value locked of US$136 billion across 410 million wallets. Although Aráoz left the company in 2019, his reputation remains respected in the crypto world.

In late May 2026, he wrote on X that "all of DeFi is unsafe." He explained the main reason was the imbalance between attackers and defenders. Defenders must fix every small flaw in the protocol.


Attackers, by contrast, need only one vulnerability to steal millions of dollars. The threat of coding agents, namely AI agents that can write code and find bugs, is making the situation even worse. Aráoz called these agents "superhuman" at finding smart contract vulnerabilities.

He advised everyone he knew to withdraw funds from DeFi, including investments in blue-chip protocols considered the safest. This advice came after April 2026 saw significant losses.

A total of US$630 million was lost from 27 exploit cases. Some major examples are the attacks on Kelp DAO (around US$293 million, via cross-chain bridges), Drift (around US$285 million, from six months of social engineering), and Euler (around US$197 million).

In May 2026, hack volume dropped sharply by 93 percent to just US$44 million. However, there were still 25 exploit cases. For example, Verus Network lost US$11.6 million on the Ethereum bridge, and Polymarket lost US$573,000 due to a possible private key leak.

Aráoz's statement drew attention because he is a DeFi security insider. Many in the industry responded. Some called it an important warning, while others deemed it overblown. Clearly, it's a reminder that we should all be more cautious.


The Increasingly Real Threat of Coding Agents and DeFi Hack Warnings

Coding agents are AI programs that can write and test smart contract code at incredible speeds. 

According to Aráoz, these agents pose a serious new threat to DeFi security. They can scan millions of potential vulnerabilities in a fraction of the time required for a human developer team to check them all.

This upsets the security balance. Attackers only look for one vulnerability. Defenders must close all of them. Aráoz called this "too asymmetric." He also warned that attacks don't just originate from code. They can also originate from operational aspects, such as social engineering or weak bridges. Even AI agents can exploit these.

Data from April 2026 shows how real this DeFi hack warning is. Two major attacks alone stole nearly US$580 million.

Many of the attackers are suspected to be state-backed groups. DeFi withdrawals were a natural response from some users. Total value locked dropped 14 percent in a matter of weeks. This indicates that investor confidence is starting to waver.

However, not everyone agrees with Aráoz's view. Some experts say that formal verification technology and better audits could counter this threat. 

OpenZeppelin itself, on May 12, 2026, launched the "Four Layers of DeFi Risk" framework. This framework emphasizes that audits alone are not enough. Continuous monitoring, operational controls, and other layers of defense are necessary.

Here are some of the key risks mentioned in the May 2026 discussion:

  1. Coding agents that can find bugs quickly.
  2. Vulnerable cross-chain bridges.
  3. Social engineering against the project team.
  4. Private keys leaked due to human error.
  5. Lack of monitoring after protocol launch.

Given these facts, we can see why the founder of OpenZeppelin issued a stern warning. But this also presents an opportunity for DeFi projects to improve security.


Market Impact and Solana Floor News Amid Concerns

News from Solana Floor News also highlighted this situation. After the massive losses in April 2026, the total value locked in Solana remained flat. This contrasts with declines in other ecosystems. However, it still indicates investors are hesitant to invest more in DeFi.

Overall, the DeFi market has lost approximately US$24 billion in locked value since mid-April. This decline occurred despite relatively stable prices for major cryptocurrencies. Many users have opted to store their assets in private wallets or centralized exchanges for the time being.

The May 2026 statement by OpenZeppelin co-founder Aráoz serves as a reminder that DeFi still faces significant challenges.

However, DeFi also retains advantages such as transparency and open access. Many projects have begun to improve security standards. Some have added multi-signatures, time-locks, and larger bug bounties.

For casual investors, this is a good time to evaluate your portfolio. There's no need to rush to withdraw all your funds. Instead, it's best to understand the risks of each protocol you use. Check the latest audits, the development team, and the security history. This way, you can stay involved in DeFi without undue worry.


Conclusion

Manuel Aráoz's warning in May 2026 that all DeFi is unsafe was an eye-opener for many. The persistent threat of coding agents and the DeFi hack warnings serve as reminders that security remains a major challenge. The massive losses in April 2026 and the decline in TVL demonstrate the real risks.

But this also pushes the industry to increase protection. It's best to remain calm, learn the facts, and manage your funds wisely. DeFi has great potential, but like any investment, it requires caution. Hopefully, security will improve in the future, allowing everyone to use DeFi more safely.


The claim that all DeFi platforms are unsafe should not be dismissed as mere fearmongering. Rather, it serves as a reminder of the importance of choosing a secure investment platform.


FAQ

Is all DeFi really that unsafe? 

This is Manuel Aráoz's personal view. Many projects already use audits and security layers, but risks remain.

Who is Manuel Aráoz and what is his connection to OpenZeppelin? 

He was a co-founder of OpenZeppelin but left in 2019. His statement in May 2026 was personal.

How much did DeFi lose in April 2026?

Around 630 million US dollars from 27 hack cases, including Kelp DAO and Drift.

What is the threat of coding agents? 

An AI agent that can find and exploit smart contract vulnerabilities very quickly and accurately.

What should DeFi investors do now? 

Check the latest audits, diversify, and consider withdrawing some funds if you are concerned.

Disclaimer: The views expressed belong exclusively to the author and do not reflect the views of this platform. This platform and its affiliates disclaim any responsibility for the accuracy or suitability of the information provided. It is for informational purposes only and not intended as financial or investment advice.
