Foreign media reports indicate that DeFi security has once again become a focal point in the industry. Manuel Aráoz, founder of OpenZeppelin, recently stated that he believes "all DeFi is insecure," and claimed that AI-driven cybersecurity agents are increasing attack efficiency, allowing smart contract and protocol vulnerabilities to be discovered and exploited much faster.
He also stated that he had advised friends and family to exit all DeFi positions, including Aave, MakerDAO, and Compound. This statement quickly sparked disagreement within the crypto community.
Aave founder publicly disputes the claim
Aave founder Stani Kulechov subsequently responded that this statement was "inappropriate." He believes that DeFi infrastructure is already more resilient than in previous cycles, and AI is improving risk control engines, development tools, and security processes, rather than simply amplifying attack risks.
Kulechov stated that DeFi has been evolving, and it is unrealistic to ignore the industry's maturity over the years or to view AI solely as a negative factor in the security field.
Sky co-founder Sam MacPherson also supports this view. He stated that the recent major attacks are more likely to be operational security issues than serious flaws in the smart contracts of the leading protocols themselves.
The controversy centers on the source of attacks
According to the report, some analysts said that less than 10% of DeFi attacks in 2025 were directly caused by codebase issues, with more losses related to parameter configuration errors and weak operational security.
At the same time, Aráoz argues that coding agents can also effectively exploit such vulnerabilities, so it cannot be concluded that "the risk has been controlled."

- Approximately US$1.45 billion was stolen this year.
- More than half of the attacks involve cross-chain bridges, administrator privileges, or private keys.
- Code defects are not the main cause of all losses.

Industry funds continue to flow out
The report also stated that, affected by attacks, concerns about risk spillover, and a market downturn, DeFi saw approximately $45 billion in outflows in 2026. The industry's total value locked (TVL) decreased by 35% to $80 billion.

The core of this debate is not simply whether DeFi is secure, but whether the industry's main risks currently stem from contract code, operational processes, or the enhanced attack capabilities of AI. At least based on public statements, the industry tends to believe that while DeFi security issues remain prominent, the situation cannot simply be summarized as "the entire industry is insecure."












