
DeFi security risks hit confidence as TVL slips ~14% and $630M stolen


Manuel Aráoz, the OpenZeppelin co-founder who has spent years at the center of crypto security, now says DeFi security risks are severe enough that he considers “all of DeFi” unsafe. In a May 26 post on X, he said he had advised friends and family to exit DeFi positions, including exposure to major names such as Aave, MakerDAO, and Compound.

That warning lands differently when it comes from a security insider rather than an outside critic. Moreover, it comes at a moment when decentralized finance is already under pressure from a surge in exploits, bridge attacks, and wallet-related breaches.

Aráoz tied his warning to what he described as a deep imbalance in smart contract security. Defenders, he argued, have to catch every flaw. Attackers need only one opening.

Aráoz says all of DeFi is unsafe

Aráoz’s message was blunt. He said he now sees “all of DeFi” as unsafe, which marks a notable shift in tone from a figure closely associated with defending crypto systems rather than dismissing them.

He also said he had advised friends and family to leave DeFi positions. That detail matters because it turns a broad market critique into a personal risk judgment. This was not framed as a theoretical concern. Instead, it was presented as advice for people with money on the line.

His reasoning centered on the structure of the fight itself. Aráoz said there is an ongoing imbalance between attackers and defenders in smart contract security. In his words, “Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric.” He added that defenders need to fix every bug, while attackers need just one exploit to steal funds.

That is a sharp distillation of why DeFi security risks have become such a central issue for the sector. Even well-known protocols can look solid until one missed bug, one weak bridge design, or one compromised key turns a technical weakness into a mass loss event.

April’s DeFi hacks sharpen the case for caution

The backdrop to Aráoz’s warning is brutal. Nearly $630 million was stolen from DeFi protocols during April, according to data from The Block and DefiLlama. DefiLlama also recorded 27 DeFi exploit cases in April alone.

Several major protocols were hit. Kelp DAO lost around $293 million after attackers targeted a cross-chain bridge vulnerability. Drift suffered roughly $285 million in losses after a social engineering attack that reportedly lasted six months. Euler was also hit by a major exploit that drained about $197 million.

The attacks did not stop when the calendar turned. May has so far seen 25 recorded exploits, although reported losses have been smaller than in April.

  • Verus Network lost $11.6 million after its Ethereum bridge was compromised.
  • Polymarket disclosed a $573,200 security breach that may have involved a compromised private key tied to internal wallet operations.

Why these DeFi security risks matter for the broader market

The significance here goes beyond a single bad month of hacks. When a leading security figure says DeFi is unsafe and the market is staring at hundreds of millions in losses, confidence itself becomes part of the story.

That matters because DeFi runs on more than code. It runs on trust in protocols, bridges, wallet controls, and the idea that risk is being managed well enough for users to stay in the system. Once that trust weakens, capital starts moving out.

The current cycle also raises a harder question for the industry: whether traditional smart contract audits are still enough in an environment where attackers can move faster, automate more of their search process, and exploit operational weaknesses beyond the code itself. That is why Aráoz’s warning carries extra weight. He is not just saying hacks are happening. He is arguing that the defensive model may be falling behind.

OpenZeppelin’s four-layer framework responds to the threat

Earlier this month, OpenZeppelin tried to answer that problem with a more structured framework. On May 12, the firm released “Four Layers of DeFi Risk,” a model designed to help institutions assess risks tied to decentralized finance protocols and digital asset exposure.

The message behind that framework was clear: audits alone are no longer enough.

Instead, the model points toward a broader security posture built around continuous threat monitoring, operational controls, and layered defenses. That shift is important because many of the recent incidents were not simple one-bug stories. They involved bridge vulnerabilities, social engineering, and potential private key compromise, all of which sit outside a narrow “audit the code once and ship” mindset.

In practical terms, that means DeFi security risks are no longer just a developer problem. They are becoming a full-stack issue that touches protocol design, team operations, treasury controls, and live monitoring after launch.

TVL falls as confidence weakens

The market response has already shown up in the numbers. Total value locked across DeFi protocols has dropped by about 14% since mid-April.

That decline took DeFi TVL from nearly $172 billion to around $148 billion during the period.

This is the second major reason the warning matters. TVL is not just a headline metric. It reflects whether traders and investors are willing to keep assets inside protocols despite the mounting pressure from DeFi hacks and other security incidents. A drop of that size suggests at least some capital is stepping back while users reassess risk.

For investors and protocol teams, the warning signs are now lining up from multiple directions at once: a prominent security founder saying he no longer trusts the sector, nearly $630 million lost in a single month, 27 exploits in April, and a visible slide in locked capital. That combination is hard to ignore.

The bigger test for DeFi now is whether layered defense models and stronger operational controls can restore confidence before the next wave of attacks does even more damage.
