The Signal

DeFi Crisis: Have AI Agents Made the $148 Billion Sector Unsafe?

A stark warning from one of DeFi's earliest security figures has turned a brutal hack streak into an existential test. On May 27, Manuel Aráoz, co-founder and former CTO of OpenZeppelin, advised investors to exit DeFi positions, including exposure to Aave, MakerDAO, and Compound, arguing that autonomous AI coding agents have made smart contract vulnerabilities trivially easy to find at scale.

DeFi protocol dashboard with security metrics

"Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric. Defenders need to fix every bug while attackers need just one exploit to steal funds."

On-Chain Data

  • Total Value Locked: DeFi TVL has fallen from roughly $172 billion in mid-April to $148 billion as of press time, marking five consecutive weeks of outflows. This 14% decline in just over a month reflects a loss of confidence that goes beyond market volatility. With Bitcoin approaching $72,000, the capital exodus from DeFi suggests investors are rotating into assets perceived as safer, possibly in response to the growing threat of automated attacks. The outflows are concentrated in lending protocols and DEXs, where liquidity is most exposed.
  • Exploit Losses: Over $1.1 billion lost to exploits in the past year, with April alone accounting for $635 million across 28 reported hacks. This represents a 40% increase month-over-month, and the trend is alarming: attackers are using AI to identify and exploit vulnerabilities in hours rather than weeks. The most affected protocols include cross-chain bridges and lending platforms, where concentrated liquidity offers juicy targets. Notably, the average exploit size has grown from $5 million in Q1 2025 to $22 million in Q2 2026, indicating that attackers are going after bigger pools.
  • Bitcoin Price: BTC approached $72,000 today, suggesting the TVL decline isn't purely due to broader market weakness. While BTC shows strength, DeFi bleeds capital, indicating a sector-specific sentiment shift. Investors appear to be rotating into base assets like Bitcoin, perceived as more resistant to smart contract attacks. This decoupling between BTC and DeFi TVL is a bearish signal for the sector, as it implies that even a rising tide is not lifting all boats.
  • Attack Costs Plummet: AI dramatically lowers the cost and effort required to map smart contract vulnerabilities, per Aráoz. Tools like Anthropic's Claude and OpenAI's GPT-4 can analyze thousands of lines of code in seconds, identifying error patterns that previously took teams of auditors weeks to find. This democratizes attacks: any actor with access to these models can become a threat. A recent study by Trail of Bits found that AI-assisted audits reduced the time to find critical vulnerabilities by 70%, but also enabled attackers to discover exploits 5x faster than manual methods.
on-chain data analytics showing TVL flows

Market Impact

Aráoz's warning gains traction because DeFi's infrastructure is public, composable, and liquid, making it especially vulnerable to automated attacks. Research from a16z shows AI agents have consistently identified core vulnerabilities in historical DeFi exploits, even when failing to complete the exploit. For instance, in simulations, AI agents detected the reentrancy vulnerability in The DAO contract (2016) and the oracle error in the bZx hack (2020), demonstrating that machine learning can generalize from past attack patterns. Anthropic similarly restricted access to its Claude Mythos model due to its capacity to autonomously discover and weaponize software flaws, underscoring the seriousness of the threat. The implications are clear: if AI can find vulnerabilities faster than humans can patch them, the security model of DeFi is fundamentally broken.

However, protocol leaders push back. Aave founder Stani Kulechov argues that today's DeFi infrastructure is more resilient, with better risk engines, formal verification, audits, bug bounties, and automated monitoring. He notes that most recent losses stem from operational failures—stolen private keys, bridge spoofing, social engineering—rather than flaws in audited contract code. According to data from Rekt News, 60% of 2025 hacks involved private key compromises or governance exploits, not code bugs. This suggests that AI may not be the determining factor in all cases, but it does amplify risk where code is the vector. Moreover, formal verification tools like Certora and Scribble are becoming more widespread, potentially closing the gap.

The tension between these views defines the sector's future. If AI has truly tipped the scales toward attackers, DeFi could face a crisis of confidence that accelerates migration toward safer or regulated alternatives. Protocols that fail to adapt could see capital flight toward more protected options, such as U.S. Treasury-backed on-chain bonds or regulated stablecoins like USDC. Institutional investors, already cautious about DeFi, could retreat entirely if the risk perception continues to rise. The market is already pricing in this risk: the DeFi Pulse Index has underperformed Bitcoin by 25% year-to-date.

Your Alpha


To navigate this environment, investors and builders should consider:

  1. Review exposure to protocols with high TVL but low security upgrade cadence. Prioritize those using formal verification, frequent audits, and on-chain insurance. Protocols like Aave and Compound have dedicated security teams and bug bounty programs, but even they are not immune. Look for those that have implemented recent security patches and have a history of rapid response to vulnerabilities. Additionally, check if the protocol has a security council or multisig with time locks to prevent governance attacks.
  2. Monitor development of AI-based defense tools. Projects integrating autonomous security agents could differentiate themselves. For example, startups like Forta and OpenZeppelin Defenders are developing real-time monitoring systems that use AI to detect anomalous behavior in smart contracts. Investing in these projects or in tokens of protocols that adopt such solutions could be a long-term play. Also, keep an eye on zero-knowledge proof-based solutions that can verify contract integrity without exposing code.
  3. Diversify outside DeFi into safer assets like on-chain bonds or regulated stablecoins. Uncertainty could persist for months. Tokenized Treasury bonds, such as those offered by Ondo Finance or Maple Finance, provide attractive yields with lower smart contract risk. Regulated stablecoins like USDC or EURC, backed by audited reserves, are a liquid alternative for preserving capital while the market stabilizes. Consider also allocating to Bitcoin or Ethereum staking, which offer yield without the same level of smart contract exposure.

The market is already punishing protocols with recent incidents. The key is identifying who adapts fastest to the new threat landscape. Investors should watch for security updates and TVL metrics: a sustained drop in a specific protocol can be an early warning sign. Additionally, track the development of AI security standards, such as the OWASP Smart Contract Top 10, which may evolve to include AI-specific threats.

crypto trader analyzing charts

Next Catalyst

The DeFi security debate won't resolve overnight. However, two events could mark a turning point: the potential release of Anthropic's Claude Mythos model, which could demonstrate the true extent of AI offensive capabilities, and regulatory responses in the US and Europe that might impose minimum security standards for DeFi protocols. In particular, the SEC's proposal to mandate audits for protocols with over $100 million in TVL could take effect by year-end, forcing many projects to upgrade their security practices. The European Union's MiCA framework already includes provisions for smart contract security, which could set a precedent.

Additionally, the EthCC conference in July could be a stage where security teams present novel defenses against AI-powered attacks. Without significant progress, distrust could deepen. Conversely, if major protocols announce collaborations with cybersecurity firms to develop AI-based defenses, the market could react positively. Investors should closely follow these events and adjust their portfolios accordingly. Also, watch for any major exploit that could act as a black swan, accelerating the regulatory timeline.

The Bottom Line


Aráoz's warning is not a death sentence for DeFi, but it's a critical wake-up call. The sector has survived hack cycles before, and infrastructure is more robust than in 2020. However, AI changes the game: defenders must innovate at the same pace as attackers. For investors, prudence is key—reduce exposure to protocols with weak security activity and bet on those integrating automated defenses. DeFi's future hinges on its ability to adapt to this new era of intelligent threats. The question is not whether more attacks will come, but which protocols will be prepared to withstand them.