OpenZeppelin Co-Founder Warns Friends and Family to Exit DeFi as Hack Losses Hit $840M in 2026
Manuel Aráoz, whose security library underpins most of decentralized finance, told people close to him to get out. The on-chain data suggests he may be right.
Manuel Aráoz, a co-founder of OpenZeppelin, has publicly declared that he now views all of decentralized finance as unsafe, according to a report by The Block published May 27, 2026. The Block did not make the full article available without a subscription, and the specific wording of Aráoz's statement had not been independently confirmed via his public social media accounts or a secondary source at the time of publication. More strikingly, Aráoz disclosed that he has been privately advising friends and family to close their DeFi positions entirely. The warning carries unusual weight: OpenZeppelin is the company behind the smart contract security library that sits at the foundation of nearly every major DeFi protocol in existence, from Uniswap to Aave to Compound.
Aráoz is no longer an active figure in the crypto industry. His personal website, updated in March 2026, lists his current work as software development experiments with AI, biology research, real estate development in Uruguay, writing, and venture investing, with no mention of crypto or DeFi. That distance from the space gives his statement a directness that founders still inside the industry rarely achieve. He helped write the security playbook that DeFi relies on, and his reported conclusion that the entire ecosystem is unsafe implies that the playbook, however rigorous, has not been sufficient to contain the scale of the threat.
The timing is notable and hard to separate from the events around it. The first four months of 2026 have been the worst stretch for DeFi security in recent memory. Losses through April totalled between approximately $770 million and $840 million across more than 47 incidents, with April alone accounting for over $600 million. That total includes the Drift Protocol breach on April 1, in which attackers exploited the Solana-based decentralized exchange for approximately $285 million, making it the second-largest DeFi hack of the year. The single largest breach was the $292 million KelpDAO exploit on April 18 and 19, attributed by Chainalysis to North Korea's Lazarus Group, operating as TraderTraitor. Attackers compromised internal LayerZero RPC nodes and simultaneously knocked out external nodes via distributed denial-of-service attacks, feeding false data to a verification network that was configured with a single point of failure: a 1-of-1 design in which one compromised node was all it took to authorize fraudulent transactions. Approximately 116,500 rsETH tokens (a liquid staking derivative) were released to attacker-controlled wallets. The Arbitrum Security Council subsequently froze roughly 30,766 ETH in response.
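The 1-of-1 verifier configuration described above is a threshold choice, and the difference between it and an M-of-N quorum is easiest to see in code. The Go program below is an added illustration written for this article; it is not code from LayerZero, KelpDAO, or OpenZeppelin. The verifier names, the message digest format, the three-node network and the 2-of-3 policy are constructed assumptions, and "honest" verifiers are modelled as nodes that only sign digests they actually observed on the source chain, while a node whose key has been stolen signs whatever it is fed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Verifier models one node of a hypothetical cross-chain verification
// network (constructed example, not any real bridge's implementation).
type Verifier struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Online bool // false = knocked out (e.g. by DDoS): produces no attestations
}

// Attestation is one verifier's signature over a message digest.
type Attestation struct {
	Verifier string
	Sig      []byte
}

// QuorumPolicy is the receiving side's rule: at least Required distinct,
// configured verifiers must attest before a message is executed.
type QuorumPolicy struct {
	Required int
	Members  map[string]ed25519.PublicKey
}

func NewVerifier(name string) *Verifier {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Verifier{Name: name, Pub: pub, priv: priv, Online: true}
}

// Digest canonicalises a cross-chain message (source, destination, nonce,
// payload) so that every verifier signs exactly the same bytes.
func Digest(src, dst string, nonce uint64, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(src + "|" + dst + "|"))
	binary.Write(h, binary.BigEndian, nonce)
	h.Write(payload)
	return h.Sum(nil)
}

// Attest signs the digest if the node is online and either observed the
// digest on the source chain or (compromised) signs anything it is given.
func (v *Verifier) Attest(digest []byte, observed map[string]bool, compromised bool) (Attestation, bool) {
	if !v.Online || (!compromised && !observed[string(digest)]) {
		return Attestation{}, false
	}
	return Attestation{Verifier: v.Name, Sig: ed25519.Sign(v.priv, digest)}, true
}

// Verify counts valid attestations from distinct configured members and
// reports whether the threshold is met. Unknown keys and duplicate
// attestations from the same member are ignored.
func (p QuorumPolicy) Verify(digest []byte, atts []Attestation) (int, bool) {
	seen := make(map[string]bool)
	for _, a := range atts {
		pub, ok := p.Members[a.Verifier]
		if ok && !seen[a.Verifier] && ed25519.Verify(pub, digest, a.Sig) {
			seen[a.Verifier] = true
		}
	}
	return len(seen), len(seen) >= p.Required
}

func collect(vs []*Verifier, digest []byte, observed map[string]bool, compromised *Verifier) []Attestation {
	var atts []Attestation
	for _, v := range vs {
		if at, ok := v.Attest(digest, observed, v == compromised); ok {
			atts = append(atts, at)
		}
	}
	return atts
}

// Outcome records how each policy treats a forged message when one
// verifier's key is stolen and the remaining verifiers are offline.
type Outcome struct {
	SingleAcceptsForged bool // 1-of-1: the stolen key alone is enough
	QuorumRejectsForged bool // 2-of-3: one stolen key is not enough
	QuorumAcceptsHonest bool // 2-of-3 still works when verifiers are up
	DuplicateCount      int  // same key signing twice counts once
}

func RunScenario() Outcome {
	a, b, c := NewVerifier("A"), NewVerifier("B"), NewVerifier("C")
	all := []*Verifier{a, b, c}
	single := QuorumPolicy{Required: 1, Members: map[string]ed25519.PublicKey{"A": a.Pub}}
	quorum := QuorumPolicy{Required: 2, Members: map[string]ed25519.PublicKey{"A": a.Pub, "B": b.Pub, "C": c.Pub}}

	honest := Digest("chainX", "chainY", 1, []byte("release 10 tokens to alice"))  // constructed
	forged := Digest("chainX", "chainY", 1, []byte("release 116500 tokens to mallory")) // constructed
	observed := map[string]bool{string(honest): true} // what the source chain really emitted

	_, quorumHonest := quorum.Verify(honest, collect(all, honest, observed, nil))

	// Attack: A's key is compromised; B and C are knocked offline.
	b.Online, c.Online = false, false
	forgedAtts := collect(all, forged, observed, a)
	_, singleForged := single.Verify(forged, forgedAtts)
	_, quorumForged := quorum.Verify(forged, forgedAtts)
	dup, _ := quorum.Verify(forged, append(forgedAtts, forgedAtts...))

	return Outcome{SingleAcceptsForged: singleForged, QuorumRejectsForged: !quorumForged,
		QuorumAcceptsHonest: quorumHonest, DuplicateCount: dup}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

With B and C offline, the 2-of-3 policy also rejects the honest message: a quorum trades liveness for safety, which is the failure mode a bridge should prefer, since a stalled transfer can be retried and a fraudulent release cannot be undone. The nonce is included in the digest so that a second message with the same payload gets a different digest; actual replay protection (recording executed nonces on the destination) is out of scope here.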
The KelpDAO breach alone was enough to wipe 23 percent off Aave's total value locked, which dropped from $26.4 billion to approximately $20 billion, and pushed the AAVE token price down more than 18 percent. That kind of contagion effect, spreading from one protocol to the broader ecosystem, is exactly what OpenZeppelin's own research has been warning about. The company recently published a four-layer security framework describing how attack surfaces have expanded well beyond smart contract code into private key management, governance mechanisms, and cross-chain bridge infrastructure. "Point-in-time security posture is no longer sufficient," the company wrote in that report. Paul Vijender of Gauntlet Security put it more bluntly in comments to CoinDesk: "DeFi operates in a highly adversarial environment requiring systems as secure as their weakest components... zero-trust architectures are becoming essential."
The North Korea dimension is significant and worsening. TRM Labs estimates that the Lazarus Group and affiliated actors accounted for 76 percent of all global crypto hack losses through April 2026, up from 64 percent in 2025 and under 10 percent in 2020. "The dominant driver is North Korea, and that campaign is getting sharper, not broader," TRM Labs analyst Ari Redbord told Decrypt. Halborn's analysis of 100 major DeFi hacks adds structural context: only 20 percent of hacked protocols had undergone any security audit, and 80.5 percent of funds stolen in 2024 were taken through off-chain attack vectors, meaning exploits targeting signing interfaces, admin keys, and governance systems rather than on-chain code. Halborn also found that only 19 percent of hacked protocols used multi-signature wallets and just 2.4 percent used cold storage, compounding the off-chain exposure. Across the 100 hacks studied from 2014 to 2024, total losses reached $10.77 billion, a figure that sets the historical scale of a problem the industry has not yet solved.
For users outside the United States and Europe, the implications are especially serious. India ranks first globally in crypto adoption, with more than 20 million estimated active DeFi users, according to the Chainalysis 2025 Global Crypto Adoption Index. Pakistan ranks third and Bangladesh thirteenth. These are predominantly retail-driven markets operating through mobile interfaces, and the attack vectors that OpenZeppelin identifies as most dangerous today, including compromised wallet signing interfaces, malicious contract upgrades, and cross-chain bridge exploits, are precisely the ones least visible to ordinary users. Indians already lost roughly $2.6 billion (approximately 22,495 crore rupees) to cybercrime more broadly in 2025, a figure that covers investment scams, phishing, and digital fraud and that includes but is not limited to DeFi exposure. Regulatory frameworks in these markets offer no depositor protection for DeFi losses. In Sub-Saharan Africa, where DeFi is used primarily for remittances and inflation hedging rather than yield speculation, bridge protocols are the same infrastructure that facilitates cross-border transfers. The region recorded 52 percent year-on-year crypto adoption growth in 2025, according to Chainalysis, with Nigeria ranking sixth and Ethiopia twelfth globally in the same index. Cross-chain bridge losses across Web3 have exceeded $2.8 billion since 2022.
With approximately $160 billion still sitting in DeFi protocols globally (per DefiLlama), and with losses in the first four months of 2026 already reaching between $770 million and $840 million against a 2025 full-year total of $3.4 billion (Chainalysis), the conversation about what constitutes adequate security is shifting. OpenZeppelin's own lifetime audit record, covering 900-plus reviews and more than 10,000 identified vulnerabilities, represents the industry's best effort to date. Aráoz co-built that effort and is now, by his own reported account, drawing a line between doing the work and solving the problem. Whether the industry treats that distinction as a warning or a competitive opportunity may determine how much of that $160 billion is still there by year-end.