OpenZeppelin CEO Says DeFi Unsafe: The Audit Model Just Died

Manuel Aráoz, co-founder of OpenZeppelin, told an audience last week that DeFi is no longer safe because AI has gotten superhuman at finding smart contract bugs. The firm he started writes the security libraries that a huge chunk of Ethereum imports by default. When the OpenZeppelin CEO calls DeFi unsafe, the conversation about the audit model is over.
I've watched audit reports land for four years at LCX. The good ones are dense, narrow, and honest about their scope. They are also frozen in time. The protocol you audited on Tuesday is not the protocol running on Friday once governance ships a config change, a dependency bumps a version, or a new oracle gets wired in. Aráoz's point, reported by CoinDesk, is that the attacker side of that asymmetry just got an order-of-magnitude upgrade.
Meanwhile, over $1.1 billion has been drained from DeFi protocols in the last twelve months. That number is not a bug-hunting problem. It is a system design problem.
Why the OpenZeppelin CEO calling DeFi unsafe matters
Aráoz is not an outsider taking a free shot at the industry. He helped build the standards.
The ERC-20, ERC-721, and AccessControl patterns that almost every serious protocol uses trace back to OpenZeppelin's libraries. When that founder says the security model is broken, it carries a weight that, say, a random Twitter thread does not. Aráoz's framing of AI as a superhuman hacker landed because the person saying it has paid the bill for the old model himself.
A short list of what the admission actually concedes:
- Point-in-time audits cannot keep up with the rate at which AI agents find new attack paths.
- The economic incentives on the attacker side now scale with model capability, not with human auditor headcount.
- Even codebases audited by top-tier firms have shipped exploitable bugs in 2025 and 2026.
The DeFi audit model is obsolete in 2026, not 2030
The audit-as-a-PDF model was already strained. AI just made the strain visible.
A traditional Solidity audit is one to four weeks of human review, a report, and a fixed-fee retainer. The output is a snapshot. The attacker now has a tireless agent that can fuzz, replay mainnet state, and pattern-match against thousands of past exploits without coffee breaks. That is the asymmetry Aráoz is describing when he says AI is becoming superhuman at offensive security.
A concrete recent example: the LayerZero DVN misconfiguration that cost Kelp DAO $292M was not a Solidity bug. It was a configuration drift between an audited state and a running state. No PDF audit catches that on Friday afternoon when ops pushes a change.
I think the cleanest way to put it: an audit tells you the code was probably safe on the day it was reviewed. It does not tell you the system is safe right now.
What an AI smart contract vulnerability scanner actually changes
The defender side of this has been moving too, just slower than the attacker side. That gap is the whole problem.
The useful pattern I am seeing in production looks less like "replace the auditor" and more like "give every protocol a continuous adversary":
- AI agents that re-fuzz the deployed bytecode after every governance action, not just at deploy.
- Invariant monitors that watch live state and trigger circuit breakers when the math drifts, not when a human notices on Discord.
- Bug bounty platforms wired into autonomous agents that submit and triage findings 24/7.
Forta, Spearbit's Cantina, and OpenZeppelin's own Defender have been moving in this direction for a couple of years. The shift Aráoz is signaling is that this is no longer the premium tier. It is the floor.
Continuous security for DeFi protocols, not annual checkups
The analogy I keep coming back to is medical. A pre-listing audit is a physical exam. Continuous security is a heart monitor.
In regulated finance, the auditor signs off once a year, but the SIEM, the WAF, and the trade surveillance system run every second. DeFi adopted the once-a-year part and skipped the live monitoring part, then acted surprised when more than a billion dollars walked out the door. The lesson from twenty years of cloud security is that monitoring eats audit for every dollar spent past the first one.
A few concrete shifts I would bet on:
- Audit firms repositioning as continuous-monitoring vendors with SLAs, not report-delivery shops.
- Insurance underwriters pricing protocols by their live security telemetry, not their last PDF.
- Governance frameworks that require a re-audit trigger on any parameter change above a threshold.
None of this is exotic. Web2 figured it out a decade ago. DeFi just has the harder version because the code is the bank vault.
What protocols should actually do this quarter
If you run a DeFi protocol and you are reading this, the homework is not subtle:
- Stop treating the audit PDF as the security artifact. Treat it as one input to a pipeline.
- Wire monitors to invariants you care about: collateral ratios, oracle deviations, admin role changes, bridge inflow/outflow ratios.
- Stand up a kill switch you have actually tested. A pause function that has never been triggered in a drill is decoration.
- Run AI-driven fuzzing against your deployed contracts on a recurring schedule. Not once. Forever.
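One way to implement the invariant monitor and circuit-breaker trigger described in the two lists above, as an added example that is not OpenZeppelin's, Forta's or Defender's code; the Snapshot fields, the thresholds and the sample blocks are constructed and hypothetical, and the caller is assumed to invoke the protocol's pause function when the monitor returns a violation:

```python
"""Off-chain invariant monitor (added example, not OpenZeppelin's or any vendor's code): each
Snapshot is constructed on-chain state read once per block; thresholds are hypothetical."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    block: int
    collateral_usd: float      # value of collateral backing all outstanding debt
    debt_usd: float            # total outstanding debt
    oracle_price: float        # price the protocol's oracle reports for the collateral
    reference_price: float     # independent reference feed for the same asset
    admins: frozenset          # addresses currently holding the admin role
    bridge_in: float           # tokens locked on the source chain in this window
    bridge_out: float          # tokens released on the destination chain in this window

@dataclass(frozen=True)
class Thresholds:
    min_collateral_ratio: float = 1.5   # collateral_usd / debt_usd must stay above this
    max_oracle_deviation: float = 0.05  # |oracle - reference| / reference
    max_bridge_ratio: float = 1.02      # bridge_out may not exceed bridge_in by more than 2%

def check_invariants(snap, prev, th=Thresholds()):
    """Return the names of invariants `snap` violates; `prev` is the prior snapshot or None."""
    tripped = []
    if snap.debt_usd > 0 and snap.collateral_usd / snap.debt_usd < th.min_collateral_ratio:
        tripped.append("collateral_ratio")
    # A zero reference price is a broken feed, so treat it as an infinite deviation.
    deviation = abs(snap.oracle_price - snap.reference_price) / snap.reference_price if snap.reference_price else float("inf")
    if deviation > th.max_oracle_deviation:
        tripped.append("oracle_deviation")
    if prev is not None and snap.admins != prev.admins:
        tripped.append("admin_role_change")   # any change to the admin set gets a human look
    if snap.bridge_out > snap.bridge_in * th.max_bridge_ratio:
        tripped.append("bridge_ratio")        # more released than locked: unbacked minting
    return tripped

def run_monitor(snapshots, th=Thresholds()):
    """Walk snapshots in block order; return (block, tripped) at the first violation, else None."""
    prev = None
    for snap in snapshots:
        tripped = check_invariants(snap, prev, th)
        if tripped:
            return snap.block, tripped        # caller triggers the pause / circuit breaker here
        prev = snap
    return None

# Constructed sample: a healthy block, then one where an admin is added and the bridge releases unbacked funds.
ADMINS = frozenset({"0xA1", "0xA2"})
SAMPLE = [
    Snapshot(100, 3_000_000, 1_500_000, 100.0, 100.5, ADMINS, 10_000, 10_000),
    Snapshot(101, 3_000_000, 1_500_000, 100.0, 100.5, ADMINS | {"0xEE"}, 10_000, 11_000),
]
```

Running `run_monitor(SAMPLE)` stops at block 101 with both the admin-role change and the bridge ratio tripped, which is the point at which a tested pause function, not a Discord thread, should fire.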
The firms that adapt will look more like Datadog than like a Big Four auditor. The ones that do not will be the next $200M headline.
The deeper read of Aráoz's comment is that the security industry has finally said the quiet part out loud: the attacker stack has been compounding faster than the defender stack for two years, and the gap is now wide enough that the people who built the defender stack are calling it.