DeFi security is back in the news after OpenZeppelin founder Manuel Aráoz claimed that the entire sector is insecure. The issue has now sharply divided the community.
Stani Kulechov, the founder of leading DeFi lending protocol Aave, is the latest figure to dismiss Aráoz’s comment. He said,
Not a good estimate. DeFi infrastructure is materially more resilient today than in previous cycles (partly also due to AI).
Earlier this week, Aráoz said he “considers all of DeFi insecure,” citing the improving offensive capabilities of AI-powered cybersecurity agents that can quickly crack smart contracts and protocols.
According to him, the threat has led him to advise his friends and family to exit all DeFi holdings, including Aave, MakerDAO, and Compound.
However, Aave’s Kulechov countered that AI has also improved DeFi tooling, risk engines and other areas. He answered that
DeFi is constantly evolving, but pretending that the industry hasn’t matured significantly or that AI only has a net negative effect on DeFi security is simply not true.
OpenZeppelin distances itself from founder’s DeFi warning
OpenZeppelin is a leading blockchain security company, best known for automating on-chain financial transactions. It was therefore not surprising that a comment from its founder sparked such a wide and heated debate.
But does this mean that OpenZeppelin cannot defend itself against such threats? Is it also unsafe to use the product? Interestingly, the company distanced itself from its founder’s comments under public pressure.

Sam MacPherson, co-founder of Sky (formerly MakerDAO), echoed Kulechov’s position, noting:
Most of the recent major hacks have been opsec issues. Smart contracts from blue chips are quite safe these days.
Some analysts even claimed that less than 10% of DeFi hacks in 2025 were due to codebase issues. They noted that the majority of exploits were mainly related to poor parameter configuration and poor operational security (opsec).
But Aráoz countered that encryption tools are also superhuman at exploiting these vulnerabilities. Year over year, approximately $1.45 billion has been stolen from the DeFi sector.
And more than 50% of exploits were tied to bridge exploits, compromised administrators, and private keys. So both sides of the debate are right.

That said, DeFi exploits, fears of contagion and the crypto winter have led to a capital outflow of $45 billion in 2026. DeFi’s total value locked (TVL) has since fallen 35% to $80 billion.
Final summary
- OpenZeppelin founder Manuel Aráoz sparked debate after warning that “all DeFi is unsafe” and that users should exit positions.
- Aave’s founder and other industry leaders have pushed back against his claims, noting that DeFi infrastructure has improved despite increasing exploitation risks.