DeFi Unsafe as AI Becomes 'Superhuman' at Hacking
OpenZeppelin CEO Manuel Aráoz warns that AI coding agents have become superhuman at finding smart contract vulnerabilities. DeFi has lost over $1.1 billion to hacks in 12 months while total value locked declined $20 billion in 2026.
FinCNews Editorial
View source
What Happened
OpenZeppelin CEO Manuel Aráoz issued a stark warning on May 27, 2026, declaring that he now considers all of decentralized finance unsafe due to advances in AI-powered coding agents. Aráoz cited the emergence of sophisticated AI models like Anthropic's restricted Claude Mythos, which can autonomously discover and weaponize software vulnerabilities in smart contracts.
The warning comes as DeFi faces mounting security challenges. Over the past 12 months, the sector has suffered losses exceeding $1.1 billion to hacks and exploits. Notable incidents include high-profile breaches at Kelp DAO and Step Finance. Additionally, DeFi's total value locked has fallen by more than $20 billion during 2026 alone, reflecting both security concerns and broader market headwinds.
Aráoz emphasized that DeFi's transparent, on-chain code architecture, once considered a feature enabling security audits, now presents a critical vulnerability. AI systems can rapidly analyze this publicly available code to identify exploitable flaws at speeds and with sophistication exceeding human security analysts' capabilities.
Why It Matters
The convergence of AI advancement and DeFi's structural transparency creates an asymmetrical security challenge. While human developers and auditors work at traditional speeds, AI coding agents operate at scales that allow them to simultaneously analyze thousands of smart contracts and identify zero-day vulnerabilities. This dynamic fundamentally shifts the risk calculus for DeFi platforms and their users.
For investors and participants, the implications are significant. DeFi protocols face existential pressure as major security voices declare the entire ecosystem compromised. The $20 billion decline in total value locked suggests market participants are already factoring in heightened risk premiums or divesting entirely. For institutions considering DeFi integration, such warnings create major barriers to adoption and legitimacy.
The broader crypto industry confronts a critical juncture: either defensive technologies must evolve faster than offensive AI capabilities, or DeFi's current architecture requires fundamental redesign. The sector's transparency principle—a core selling point—may require new guardrails or privacy-enhancing technologies to remain viable.
Expert Perspective
Aráoz's warning represents a significant shift in tone from security executives who previously argued that code transparency and third-party audits could contain DeFi risks. The emergence of autonomous AI systems capable of discovering vulnerabilities without human intervention changes the threat model fundamentally. This mirrors historical moments when cryptographic standards became obsolete not due to mathematical breakthroughs but through computational advances that rendered previous assumptions invalid.
The specific mention of Anthropic's Claude Mythos suggests that large language models have crossed a capability threshold in code analysis. Previous generations of AI tools could assist human analysts; current systems appear capable of independent, comprehensive vulnerability discovery. This escalation trajectory suggests diminishing windows for protocol developers to patch vulnerabilities before automated discovery and exploitation cycles complete.
What to Watch
Investors should monitor DeFi protocol security incident reporting for any exploits attributed to AI-assisted or autonomous discovery methods. Track total value locked across major DeFi platforms for continued decline acceleration beyond the $20 billion already lost in 2026. Watch for announcements of new defensive technologies, including privacy-preserving smart contracts, formal verification breakthroughs, or architectural innovations. Additionally, observe whether major institutional capital reduces DeFi allocations following this warning from a leading security authority. Any new major exploit within six months would substantially validate Aráoz's concerns and likely trigger additional capital flight.
Not financial advice.
Disclaimer: This article is AI-assisted and for informational purposes only. Nothing published on FinCNews constitutes financial advice, investment recommendation or solicitation. Cryptocurrency markets are highly volatile. Always conduct your own research and consult a qualified financial advisor before making investment decisions. About our editorial standards →