Manuel Aráoz, the co-founder of pioneering smart contract security firm OpenZeppelin, sent shockwaves through the Web3 ecosystem on Tuesday by declaring that he now considers “all of DeFi” fundamentally unsafe. In a blunt warning that marks a dramatic turning point in security sentiment, Aráoz revealed he has been privately advising close friends and family to completely liquidate their decentralized finance positions.
The warning does not just target high-risk, experimental yield-farming protocols. Aráoz explicitly emphasized that his exit advice extends to low-risk, battle-tested “blue chip” protocols that serve as the foundational liquidity infrastructure of the entire industry, including Aave, MakerDAO, and Compound.
I've been privately advising friends and family to exit all DeFi positions including low-risk "blue chips" like Aave, MakerDAO & Compound.
— Manuel Aráoz (@maraoz) May 26, 2026
AI Weaponization Break: Superhuman Attackers vs. Flawed Defenders
The core of Aráoz’s alarmist thesis rests on how generative AI and specialized autonomous coding agents have fundamentally broken the traditional cybersecurity equilibrium. Smart contract security has always suffered from a brutal structural asymmetry: developers have to secure a protocol’s entire code surface perfectly, whereas a malicious actor needs to find only a single logical oversight, compiler quirk, or edge-case bug to siphon millions.
According to Aráoz, advanced AI agents have now achieved a “superhuman” capability to ingest, analyze, and reverse-engineer smart contract code at machine speed. These automated systems can scan complex, multi-layered codebases to discover hidden, fractional vulnerabilities that human security auditors might easily miss during a routine review. Because attackers are leveraging these tools to accelerate exploit discovery, traditional post-deployment monitoring and periodic audits are no longer sufficient to guarantee the safety of capital.
Devastating Spring for Decentralized Finance
Aráoz’s warning lands during one of the most financially disastrous stretches for decentralized protocols since the inception of the ecosystem. According to data tracking platforms, April 2026 went down as the worst month for ecosystem security since early 2025, with nearly $630 million drained across 27 distinct exploits.
The relentless barrage of hacks has severely rattled investor confidence, triggering a sharp pullback across the board. The Total Value Locked (TVL) across all DeFi ecosystems plummeted roughly 14% in a matter of weeks, sliding from a spring high of $172 billion down to $148 billion.
Even specialized prediction markets have not been spared. Last week, Polymarket acknowledged a $573,200 breach stemming from a private key compromise on an internal wallet. With the co-founder of the very firm responsible for auditing and securing a massive portion of the world’s smart contracts pulling the emergency brake, the industry faces an existential reckoning on how to rebuild a defensive wall against an increasingly automated threat landscape.