OpenZeppelin co-founder Manuel Aráoz says he now considers all of DeFi unsafe, warning that he has been advising friends and family to exit even positions in major protocols such as Aave, MakerDAO and Compound. This should be treated as an expert opinion, not proof that every DeFi protocol has already been compromised. But the signal matters because it comes from a security insider, not an outside critic of crypto.

Aráoz’s core argument is the asymmetry between attackers and defenders. Protocol teams need to secure every smart contract, bridge, oracle, frontend, key-management process and operational workflow. Attackers only need one bug, one compromised key or one weak integration to drain funds. As AI coding agents become better at scanning for vulnerabilities, that imbalance may become more dangerous.

The warning comes after a brutal month for DeFi security. The Block reported that nearly $630 million was stolen from DeFi protocols in April, including major attacks on Drift and Kelp DAO worth roughly $285 million and $293 million. DeFi total value locked has also fallen about 14% since mid-April, from around $172 billion to $148 billion. For investors, the message is clear: DeFi yields now need to be judged against smart-contract, bridge, governance and operational risks — including the possibility of a total loss.