Crypto Security Pioneer: ‘I Now Consider All of DeFi Unsafe’

Manuel Aráoz, co-founder of OpenZeppelin, has publicly declared the entire decentralized finance (DeFi) sector unsafe, advising personal contacts to exit all DeFi investments, including major platforms like Aave, MakerDAO, and Compound. Aráoz attributes this stance to advancements in artificial intelligence, particularly AI agents’ ability to uncover vulnerabilities in smart contracts more efficiently than human auditors. He noted that defenders must patch every flaw, while attackers only need one exploit to steal funds, creating an asymmetric security risk. Anthropic’s AI models, including the restricted Mythos system, have demonstrated unprecedented capabilities in identifying critical bugs in widely used software, some operational for decades. The model’s potential security implications have prompted exchanges like Coinbase to seek access, though restrictions limit its availability. A $120 million DeFi hack last year exploited a long-standing smart contract vulnerability, reinforcing concerns about AI-driven attacks. April 2024 marked the worst month on record for crypto hacks, with nearly one incident per day, many linked to North Korean actors despite the regime’s denial of involvement. Recent attacks, such as the $13.5 million exploit targeting stablecoin issuer StablR, highlight persistent risks beyond smart contract flaws, including social engineering and poor key management. The StablR breach involved an attacker gaining control of a multisignature wallet key, minting unbacked stablecoins, and converting them to ether. While AI poses a growing threat, centralized weaknesses—like admin privileges and operational security failures—remain major vulnerabilities in DeFi projects. Despite marketing themselves as decentralized, many platforms rely on centralized components that become prime targets. The escalating frequency and sophistication of attacks underscore the urgent need for improved security measures across the crypto ecosystem.