What Happened
On May 27, 2026, Manuel Aráoz, co-founder of OpenZeppelin, one of the most established smart contract security firms in the industry, declared that he now considers all of DeFi unsafe. His argument centers on AI coding agents that have become, in his words, superhuman at finding smart contract vulnerabilities. The core asymmetry he describes: coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric because defenders need to fix every bug while attackers need just one exploit to steal funds. OpenZeppelin's client list includes Aave, Compound, MakerDAO, Uniswap, and Coinbase. The warning is not from an outsider speculating about risk. It is from the firm that audits the largest protocols in the sector.
The warning lands against a documented backdrop of losses. In the past 12 months, more than $1.1 billion has been drained from DeFi protocols. April 2026 was the worst single month: $630 million stolen across 27 documented exploit incidents, with the Kelp DAO bridge exploit accounting for $292 million of that total in a single attack on April 18. DeFi's TVL has declined more than $20 billion in 2026. The direction of travel is not improving.
The Economics of an AI-Driven Exploit
The specific data point that frames the threat is the cost curve. Research from Anthropic's safety team established that AI agents can exhaustively scan a smart contract for known vulnerability classes for an average cost of $1.22. In the span of 1 year, AI agents went from successfully exploiting 2% of known-vulnerable contracts to 55.88%, with potential exploit revenue doubling approximately every 1.3 months. Token costs fell roughly 23% every 2 months as model efficiency improved. In 2024, a full AI-powered contract scan cost close to $100. Today it costs $1.22. At the current cost reduction rate, it will cost under $0.50 by end of 2026.
The implication is not just that individual high-value protocols are at risk. It is that automated AI scanning becomes cheap enough to run against every public smart contract continuously, not just against the largest targets. A Binance research report found AI is 2x more effective at exploiting smart contract vulnerabilities than at detecting them, meaning the offense-to-defense ratio is worsening on the same tooling. OpenZeppelin's response, launched May 11, 2026, is the Continuous Security Program: a subscription model combining AI-augmented, lifecycle-spanning monitoring. The explicit rationale for the program is that point-in-time audits can no longer cover code deployed between audit cycles. The Kelp DAO bridge was audited before deployment. The configuration error that caused $292 million in losses was not in the originally audited code.
The Asymmetry That Cannot Be Patched Away
DeFi's open-source architecture creates an asymmetry that is structural, not incidental. Every smart contract governing a DeFi protocol is publicly readable on-chain. Defenders and attackers access the same code. AI auditing tools cost both sides $1.22 to run. What is not equal is the win condition. A defender must correctly identify and patch every exploitable bug across every function, every contract, and every cross-protocol interaction, including interactions with contracts deployed after the original audit. An attacker must find one.
This asymmetry existed before AI. What AI changes is the speed and cost at which the one-bug search can be conducted, and the continuous nature of the search. A human security researcher scanning a complex protocol might spend 200 hours finding a critical vulnerability. An AI agent running the same scan costs $1.22 and completes it faster. More significantly, the AI agent can be run against every new contract deployed on a network, continuously, for a total cost that would have been prohibitive for human auditors to match. The attack surface in DeFi grows with every new deployment. The cost to scan the entire attack surface is falling fast.
What This Means for You
If you self-custody Bitcoin in your own private keys on the Bitcoin network, this story is structurally irrelevant to your attack surface. Bitcoin's UTXO model does not expose contract code to AI auditing. There is no smart contract governing your BTC. There is no protocol function for an AI agent to scan. The asset is controlled by the key, and the key is in your custody. No AI exploit agent can drain your Bitcoin by auditing code because there is no code to audit. The attack vectors that remain (phishing, physical access, seed phrase compromise) are social and physical, not algorithmic.
If you hold DeFi positions, yield-bearing protocol tokens, or assets bridged across chains, Aráoz's warning applies to the specific custodial risk structure you are in. You are counterparty to smart contract code that is publicly auditable by anyone, including adversaries running AI agents at $1.22 per scan. That does not mean your position will be exploited. It means the structural risk is real and growing as the capability curve rises. The April 2026 data is the empirical record: $630 million stolen in 1 month from audited protocols. Self-custody of native BTC is the structural off-ramp from this specific risk class, not because Bitcoin is immune to all attacks, but because it has no smart contract layer for the attack class Aráoz is describing.
What to Watch
Watch whether DeFi protocols adopt continuous AI monitoring at scale following Aráoz's warning. OpenZeppelin's Continuous Security Program is the current commercial answer, but it requires each protocol to subscribe and does not retroactively cover the full deployed contract history. The exploit cost curve is the next thing to track. At a 23% reduction every 2 months, the current $1.22 per scan becomes a sub-$0.50 commodity by end of 2026. DeFi TVL bears watching as AI exploit risk gets priced into capital allocation decisions. The $20 billion TVL decline in 2026 predates today's warning. Whether OpenZeppelin or other security firms follow the warning with proposed architectural standards or protocol-level mitigations remains open. And watch whether AI-powered defense tooling closes the 2x offense-versus-defense gap the current research shows. If the gap widens further, the structural case for keeping real value in self-custodied native BTC rather than in smart contract positions gets harder to argue against.