OpenZeppelin Warning Fuels DeFi Debate Over 98% Security Gain

OpenZeppelin co‑founder Manuel Aráoz urged retail to exit blue‑chip DeFi, calling it unsafe; industry leaders point to an about 98% improvement in lending security since 2020.

OpenZeppelin co‑founder Manuel Aráoz recently urged retail investors to exit blue‑chip decentralized finance protocols, calling the sector unsafe. OpenZeppelin publicly distanced itself from some of his comments, and several security and protocol founders responded with data and technical proposals.

On‑chain exploits remain a threat. Blockchain security firm PeckShield reported cross‑chain protocol hacks drained $328.6 million from the start of the year through mid‑May.

Michael Heinrich, co‑founder and CEO of 0G Labs, cited an approximately 98% improvement in DeFi lending security since 2020 and noted that daily loss rates on major lending protocols have fallen to roughly 0.001%. He argued that blanket advice to exit established platforms such as Aave and Maker did not match that risk profile.

Leo Fan, founder of Cysic, criticized the tone of the warnings, describing calls to ‘exit everything’ as ‘doomer content’ and arguing that clear numbers would better drive change.

Aráoz warned that artificial intelligence coding agents can scan open‑source smart contracts and find complex flaws at machine speed. He has privately advised friends and family to leave long‑established DeFi platforms because of that perceived risk. Other industry figures said the rise of automated attackers requires changes in defensive practices rather than abandonment.

Several security leaders urged an end to reliance on single, point‑in‑time audits. Fan wrote, ‘The point‑in‑time audit is already dead; people just haven’t held the funeral.’ Heinrich described a layered defense model that starts with pre‑deployment AI‑assisted audits and human review, followed by continuous post‑deployment monitoring, well‑funded bug bounties, verifiable defensive AI and formal verification on critical contract paths.

Heinrich added, ‘Audits don’t go away. They become the first checkpoint in a machine‑speed defense pipeline.’

Discussions also covered insurance and capital efficiency. Heinrich noted structural limits in decentralized insurance pools, which lock capital that could otherwise earn active yield. He pointed to Nexus Mutual holding about $190 million of capital while the broader DeFi market’s total value locked has ranged between roughly $40 billion and more than $100 billion. He added that defining an on‑chain exploit for claims purposes remains complex.

Heinrich urged product innovation rather than insurance mandates, calling for parametric on‑chain policies that pay automatically on verifiable signals and for protocols that bundle coverage into product economics. A March 2026 forecast by Coinlaw projects decentralized insurance could grow nearly fivefold by 2029.

Fan recommended regulators focus on operational security where funds actually leave protocols (custody, multisig governance, bridge safety and incident response) rather than only policing smart‑contract code. He also urged use of cryptographic proofs, such as zero‑knowledge proofs, to show what code ran and that it ran correctly, calling that ‘a far better compliance primitive than a PDF audit report.’

The exchange between Aráoz and other DeFi figures centered on the threat from automated attackers and on how to adapt defenses. Industry participants presented proposals for faster, layered security practices, parametric insurance products and stronger operational standards as responses.
