OpenZeppelin CEO Manuel Araoz declared that he now considers "all" of decentralized finance unsafe, warning that AI coding agents have achieved "superhuman" capabilities in discovering and exploiting smart contract vulnerabilities. The stark assessment from one of crypto's most prominent security firms arrives as the sector grapples with accelerating losses and shrinking total value locked.
Market Context
DeFi's total value locked has contracted by more than $20 billion since the start of 2026, according to DeFiLlama data. While broader crypto price weakness accounts for some of that decline, a relentless series of high-profile exploits continues to erode confidence in on-chain financial protocols. The sector's market share relative to centralized exchanges has shrunk as institutional and retail participants alike question whether the transparency once marketed as DeFi's greatest strength has become its most significant liability.
Analysis
Araoz's warning centers on a shift in the economics of smart contract security. Defenders must identify and patch every exploitable flaw across vast codebases, while an attacker needs only one. AI coding agents have compressed vulnerability discovery from weeks or months to hours or minutes, and at that speed the long-standing asymmetry stops being a manageable cost and becomes catastrophic.
The timing of Araoz's remarks coincides with Anthropic's disclosure about its restricted Claude Mythos model, which can autonomously discover software vulnerabilities and develop working exploits at a level surpassing existing automated security tools. If AI systems can scan publicly available smart contract code, pinpoint weaknesses and weaponize them faster than development teams can respond, the entire DeFi security model built around human-paced defense becomes obsolete.
Cross-chain infrastructure has become a particularly exposed attack surface. April's $292 million Kelp DAO exploit showed how a weakness in a bridging protocol can cascade through the interconnected ecosystems that depend on it. The Solana-based Step Finance protocol shut down entirely after a $27 million exploit left it unable to recover, showing that even established platforms do not always survive a sophisticated attack.
Key Numbers
- $1.1 billion: Total value lost to DeFi hacks over the past 365 days
- $292 million: April's Kelp DAO exploit, one of the largest single incidents
- $27 million: Step Finance loss that prompted platform shutdown
- $20 billion+: Decline in DeFi total value locked since January 2026
What to Watch
Development teams will need to accelerate formal verification and deploy automated threat detection that responds at the speed of AI-driven attacks rather than at the cadence of human review. Upcoming protocol audits and security upgrades will be critical indicators of whether the industry can adapt before the next major exploit. Regulatory scrutiny of smart contract liability may intensify if large-scale losses continue, potentially producing compliance frameworks that reshape how DeFi protocols operate.