OpenZeppelin Founder: 'All of DeFi' Now Unsafe


Manuel Aráoz, founder of OpenZeppelin, has declared all of decentralized finance unsafe and privately advised friends and family to exit DeFi positions. The warning marks a significant escalation in public concern about DeFi security from one of the industry's most trusted voices.

Ibrahim Rajab, May 27, 2026, 3 min read


Manuel Aráoz, founder of OpenZeppelin, the security firm that audits some of DeFi's largest protocols, has declared all of decentralized finance unsafe. In private conversations, Aráoz has advised friends and family to exit their DeFi positions entirely.

The warning marks a significant escalation in public concern about DeFi security from one of the industry's most trusted voices. OpenZeppelin has audited protocols worth billions in total value locked (TVL), including major platforms like Uniswap, Aave, and Compound. When the founder of such a firm declares the entire sector unsafe, it carries weight that goes beyond typical market commentary.

Aráoz did not publicly specify which recent security incidents prompted this assessment, but the timing suggests a confluence of breaches has eroded his confidence in the ecosystem's current safeguards. DeFi has suffered several high-profile exploits in 2026 alone, though no single incident has approached the scale of earlier attacks like the Ronin bridge hack (2022) or Poly Network exploit (2021). The statement appears to reflect a systemic concern rather than a reaction to one event.

The core issue centers on the reliability of current auditing practices. Even protocols that have undergone multiple security audits have fallen victim to exploits, suggesting that the audit model itself may have fundamental limitations. Smart contract code is complex, formal verification tools remain imperfect, and new attack vectors emerge constantly. OpenZeppelin's own audit reports carry disclaimers that audits cannot guarantee absolute security, yet the market has often treated a successful audit as a near-guarantee of safety.

This creates a credibility problem for the auditing industry. If a firm like OpenZeppelin cannot confidently assure the safety of protocols it has directly audited, what value does the audit provide? The firm continues to offer security services to DeFi platforms, which raises a question about whether Aráoz's personal warning reflects a loss of faith in his own company's work or a judgment that the underlying technology and incentive structures of DeFi are fundamentally flawed in ways audits cannot fix.

Counter-arguments exist. DeFi security infrastructure has materially improved over the past three years. Formal verification tools are more sophisticated. Multi-signature governance structures and timelock mechanisms are more common. Battle-tested code from mature protocols like Uniswap V3 has weathered years of attack attempts. Some protocols operate with minimal TVL and attack surface, making them lower-risk than others. A blanket statement that all of DeFi is unsafe may overstate the case.

Market participants may view Aráoz's warning as an outlier opinion rather than industry consensus. Other security researchers and auditors have not issued similar blanket statements. Some may interpret the warning as fear, uncertainty, and doubt (FUD) rather than sober technical analysis. OpenZeppelin's continued operation and client base suggest the firm itself has not lost confidence in the possibility of securing DeFi platforms.

The practical impact of Aráoz's statement remains unclear. DeFi TVL has proven resilient to past security incidents and public warnings. Users who have already absorbed losses from previous exploits may discount further warnings. However, institutional capital, which has increasingly flowed into DeFi, may take such a warning from a credible source seriously and reduce exposure.

The statement highlights a persistent tension in DeFi: the sector offers genuine innovation in financial infrastructure, but the security model remains fragile. If a founder of a major security firm cannot recommend DeFi to his own family, it suggests the risk-reward calculus for many users may be broken. Whether this reflects a temporary crisis of confidence or a fundamental flaw in how DeFi approaches security will likely shape the sector's trajectory over the next 18 months.
