OpenZeppelin co-founder Manuel Araoz says all of DeFi is now unsafe, warning AI coding agents give attackers an edge defenders can never fully close.
The person who helped write DeFi’s security rulebook now thinks the game is broken.

Manuel Araoz, co-founder of OpenZeppelin, posted a public service announcement on X this week that rattled corners of the crypto space. Coding agents, he said, have become superhuman at finding vulnerabilities. Smart contract security is too asymmetric: defenders must patch every single flaw, while attackers only need to find one.
He did not stop at the warning. Araoz said on X he has been privately advising friends and family to exit all DeFi positions, a category that includes protocols widely considered low-risk. Aave, MakerDAO, and Compound all got named. Not as bad actors. Just as protocols that cannot win this fight.
The DeFi exploit wave has not slowed in 2026. A 1inch liquidity provider lost nearly $6.7 million to a resolver contract attack just weeks ago. Researchers linked it to a 2025 incident. Same threat actor, different vulnerability.
Smart contracts are immutable and cannot be taken down, one respondent wrote on X. They sit on-chain, visible to anyone. A honeypot, in the most literal sense.
Aave contributor Marc Zeller called the statement “moronic” on X, arguing that fewer than ten percent of last year’s DeFi incidents came from codebase flaws. Most losses, he said, traced back to bad parameter configuration, collateral blow-ups, and poor operational security.
Sam MacPherson, known on X as hexonaut, pushed a similar line. The recent major hacks, he wrote, were mostly OpSec issues, not smart contract failures. Blue chip code is quite safe these days. That argument did not challenge the asymmetry point directly.
Bee Swarm on X said the framing missed the real problem. Battle-tested protocols with years of total value locked and zero exploits do exist. The dangerous ones, the account said, are always the new, unaudited, incentive-farming contracts.
Diego Sierra, writing on X, agreed with the risk but flagged the flip side. The same agents that find vulnerabilities before deployment can also be used to stress test contracts. Big challenge for dev teams, he wrote. Not a death sentence.
That tension is not new. An AI-generated code flaw tied to a smart contract exploit cost one protocol $1.78 million earlier this year. The incident sharpened debate about how much autonomy coding agents should have in production environments.
Rekt Academy, a developer education platform, agreed with Araoz’s asymmetry framing on X. They said they are building tooling in response. Cybersecurity is going to become more important than ever, they posted, and the stakes in TVL are high. Ab on X offered a different read entirely: the ability to pressure test a system to the max before deploying it may actually hand developers more leverage, not less.
Julia Suontama, writing on X, said the wording “we feel DeFi isn’t ready yet” has accelerated in conversations with Wall Street organizations through early 2026. Institutions should not be pushed onto public chains, she said. Let them build on purpose-built solutions.
One account, iagadanight on X, extended the concern outward. If DeFi is unsafe, look into tokenized assets sitting on those same chains, the post read. “Next up tokenized assets.” The post gave no further explanation and left it there.
Araoz has not responded publicly to the pushback on the blue-chip distinction. The militereum account on X put it plainly: smart contracts are not encrypted, they are permanent, and the store-now-exploit-later nature of on-chain code gives coding agents a structural advantage that is not going away.
The post “Defenders Lose Every Time”: OpenZeppelin’s Founder on AI and DeFi’s Fatal Flaw appeared first on Live Bitcoin News.