Key Summary
- OpenZeppelin co-founder Manuel Araoz publicly advised friends and family to exit all DeFi positions, including Aave and MakerDAO.
- Nearly $630 million was stolen from DeFi in April, with Drift ($285 million) and Kelp DAO ($293 million) both linked to North Korean hackers.
- DeFi TVL dropped by about 14% since mid-April, and 25 more security incidents occurred in May, with over 40 protocols announcing their shutdown.
The person who wrote the most widely used smart contract security framework in the crypto world is now advising you to withdraw all your money from DeFi.
Manuel Araoz, co-founder of OpenZeppelin, recently posted on social media that he has changed his views on DeFi security and now concludes that "all DeFi is insecure." He revealed that he has begun personally advising friends and family to exit all DeFi positions, even long-established "blue-chip" protocols like Aave, MakerDAO, and Compound.
AI makes offense and defense completely unequal.
Araoz points out that the core problem lies in the structural asymmetry between attackers and defenders. He states that AI coding agents are "superior" at discovering vulnerabilities in smart contracts, a capability that naturally favors attackers. Defenders must plug every single vulnerability, while attackers only need to find one to steal the money.
These words carry particular weight coming from the founder of a security company. OpenZeppelin's smart contract library is used by the vast majority of Solidity developers worldwide, and Araoz's understanding of DeFi security is not merely theoretical. His assessment essentially states that, under the current technological architecture, the security model of DeFi is fundamentally one where the attacker has the upper hand.
Losses have continued to widen since April.
The figures Araoz cites are stark. In April alone, nearly $630 million was stolen from DeFi protocols, making it the worst month for losses since the approximately $1.5 billion theft from Bybit in February 2025. Two major exploits, Drift ($285 million) and Kelp DAO ($293 million), were both attributed by tracking agencies to the Lazarus Group, a hacking group supported by the North Korean government.
Market confidence has clearly been shaken, with the total value locked (TVL) of DeFi protocols falling by about 14% since mid-April, from approximately $172 billion to $148 billion. May has also been turbulent, with 25 security incidents to date, including an $11.6 million loss from the exploitation of the Verus Network cross-chain bridge and a loss of approximately $570,000 from an attack on Polymarket's UMA CTF Adapter.
More than 40 protocols announced their closure or entered liquidation mode in the first five months of this year. Statistically, North Korean-linked attackers accounted for 76% of global cryptocurrency hacking losses in 2026, a further increase from 64% in 2025. The crisis of losing confidence in DeFi continues to spread.
Frequently Asked Questions
Why does the founder of OpenZeppelin say that all DeFi is insecure?
Manuel Araoz argues that AI coding agents give attackers a significant advantage in discovering vulnerabilities. Defenders must plug all vulnerabilities, but attackers only need to find one to steal funds. This structural asymmetry puts all DeFi protocols, including Aave and MakerDAO, at risk.
How much money was stolen from DeFi in 2026?
By the end of May, the total amount stolen had exceeded $770 million, with nearly $630 million stolen in April alone. The two largest incidents were Drift ($285 million) and Kelp DAO ($293 million), both linked to the North Korean hacking group Lazarus Group.