automation | 2026-06-02

DeFi Unsafe, Agentic Trading, The RWA Stack

OpenZeppelin co-founder Manuel Aráoz warned that AI coding agents have made all of DeFi 'fundamentally unsafe' and is telling friends to exit. On-chain RWA tokenization has crossed $30B, but only $2.47B is actually composable in DeFi.

OpenZeppelin co-founder Manuel Aráoz warned that AI coding agents have made all of DeFi "fundamentally unsafe" and is advising friends and family to exit blue-chip positions. The RWA tokenization market has crossed $30 billion on-chain, but less than 10% is actually active in DeFi — exposing a composability gap.

What You Need to Know: On May 27, 2026, OpenZeppelin co-founder Manuel Aráoz went public with a warning that AI-enhanced hacks and weak audits have made all of DeFi fundamentally unsafe, and that he is telling friends and family to exit blue-chip DeFi positions. The same week, CryptoSlate reported that of the nearly $30 billion in on-chain RWA tokenization tracked by DefiLlama, only $2.47 billion is active in DeFi, exposing a composability gap that the agentic-trading era is going to test directly.

Why It Matters

  • For DeFi users: The warning is not from a critic of crypto — it is from the co-founder of the most-used smart-contract security library in the industry. Treat accordingly.
  • For AI-coding tool vendors: Your product is now a documented threat-multiplier on a $100B+ TVL attack surface.
  • For RWA issuers: The gap between "tokenized" and "composable in DeFi" is now the limiting factor on the RWA thesis, not regulatory clarity.
  • For agentic-trading builders: Letting an LLM call smart contracts without a verification layer is now an existential risk, not a research direction.

What Actually Happened

Manuel Aráoz: "All of DeFi is fundamentally unsafe" right now

Manuel Aráoz, co-founder of OpenZeppelin — the company whose libraries secure most of the Ethereum DeFi ecosystem — went on record on May 27, 2026, warning that AI coding agents are making DeFi fundamentally unsafe. Per coverage in CCN and corroborating pieces in AInvest, Aráoz said he has privately advised friends and family to exit blue-chip DeFi positions. OpenZeppelin subsequently clarified in a statement that Aráoz's personal views do not represent the company's official position, but the substance of the warning is technically grounded: AI coding agents help attackers find smart-contract bugs faster than audit shops can patch them, and the asymmetry in speed and skill is now the dominant risk factor for the DeFi attack surface. The Bitcoin Foundation's coverage noted that Aráoz's primary argument is that "the security landscape for smart contracts" has shifted decisively against defenders. Sources: CCN — No DeFi Is Safe Anymore, Warns Top Crypto Security Executive, BitcoinFoundation — DeFi Security Pioneer Says AI Makes All Smart Contracts Unsafe, AInvest — When AI agents in DeFi stop working, CryptoTalkies — Crypto's Wild Ride: From Whales to AI-Powered Trading.

OpenAI's EVMbench confirms the asymmetry

A separate, harder data point: OpenAI published EVMbench in February 2026, an evaluation that measures the ability of AI agents to detect, patch, and exploit smart-contract vulnerabilities. The benchmark's framing — explicitly including "exploit" as a measured capability — is the AI lab acknowledging that its own technology, in the right (or wrong) harness, is a near-perfect vulnerability-finder. The agent's success on the "exploit" tasks is, depending on your point of view, either a useful defensive signal or a public roadmap for attackers. Either way, it confirms Aráoz's premise: AI has changed the economics of vulnerability discovery. Reference: OpenAI EVMbench paper (PDF), arXiv HTML version.

Agentic trading on top of unsafe contracts is the obvious next failure mode

If AI is both the attacker's vulnerability-finder and the user's trading agent, the agentic-trading era is a high-speed collision waiting to happen. The pattern that worries every protocol team right now: an LLM-driven agent given a smart-contract address and a transaction intent, with insufficient pre-execution verification, can drain a wallet in a single failed "optimization" call. Several research teams have started publishing on the "agentic stablecoin payment vulnerability" class of issues — payments where an autonomous agent signs a transfer that it has no business signing. The defensive answer is mandatory pre-execution simulation, transaction-intent verification, and human-in-the-loop on any non-trivial size. None of that exists by default in current agentic-trading stacks. Reference: OpenAI EVMbench paper, MoFo Tech — AI Trends For 2026: The Convergence of AI & Stablecoins.
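A sketch of the transaction-intent check and human-in-the-loop boundary described above, as an added example that is not part of the original article or of any agentic-trading product. The `Intent` and `ProposedTx` structures, the `gate` function, the `simulate` callback and the threshold are hypothetical names; the only real-world values are the two standard ERC-20 function selectors.

```python
from dataclasses import dataclass

# ERC-20 selectors: first 4 bytes of keccak256 of the function signature.
TRANSFER = "a9059cbb"  # transfer(address,uint256)
APPROVE = "095ea7b3"   # approve(address,uint256)

@dataclass
class Intent:          # what the user asked for (hypothetical structure)
    token: str         # ERC-20 contract the payment should go through
    recipient: str
    max_amount: int    # token base units

@dataclass
class ProposedTx:      # what the agent wants to sign
    to: str
    value: int         # native currency attached, in wei
    data: str          # hex calldata

def encode_call(selector, addr, amount):
    """Build calldata for a two-argument ERC-20 call (used for constructed samples)."""
    return "0x" + selector + addr[2:].rjust(64, "0") + format(amount, "064x")

def decode_call(data):
    """Return (selector, address, amount), or None if the shape is wrong."""
    raw = data[2:].lower() if data.startswith("0x") else data.lower()
    try:
        if len(raw) != 136 or int(raw[8:32], 16) != 0:  # address padding must be zero
            return None
        return raw[:8], "0x" + raw[32:72], int(raw[72:], 16)
    except ValueError:
        return None

def gate(intent, tx, simulate, human_threshold):
    """Return 'allow', 'needs_human' or 'deny: <reason>' for an agent-proposed tx."""
    call = decode_call(tx.data)
    if tx.to.lower() != intent.token.lower() or tx.value != 0:
        return "deny: target or value does not match intent"
    if call is None:
        return "deny: calldata is not a two-argument ERC-20 call"
    selector, addr, amount = call
    if selector == APPROVE:
        return "deny: approve() grants an allowance, intent was a payment"
    if selector != TRANSFER:
        return "deny: unknown function selector"
    if addr != intent.recipient.lower() or amount > intent.max_amount:
        return "deny: recipient or amount differs from intent"
    if not simulate(tx):  # caller-supplied dry run, e.g. against a forked node
        return "deny: simulation failed"
    return "needs_human" if amount >= human_threshold else "allow"
```

The gate fails closed: anything it cannot decode or match to the stated intent is denied before the simulation or the human reviewer is consulted.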

The RWA stack: $30 billion tokenized, $2.47 billion composable

CryptoSlate reported on May 18, 2026, that the on-chain real-world asset (RWA) market has crossed $30 billion per DefiLlama data, but only $2.47 billion is active in DeFi protocols — less than 10% of the total. The split is the "RWA composability gap": the bulk of the growth is in tokenized money-market funds and Treasury bills, which sit on-chain but are not routed through lending, AMM, or derivatives protocols. BlackRock's BUIDL fund integrated Chronicle Protocol's Proof of Asset verification in March 2026, a meaningful step toward real-time independent verification of the underlying assets. Grayscale Research's April 2026 tokenization report puts the on-chain RWA market at $30 billion — about 0.01% of global equity and bond markets. The investment implication is that the next leg of the RWA thesis requires the composability layer to catch up, not the issuance layer. Sources: CryptoSlate — RWA tokenization boom exposes DeFi composability gap, Cryptorank — The $30 billion RWA tokenization boom, Grayscale Research — Investing in the Tokenization Megatrend, Autheo — Real-World Asset Tokenization Hit $30 Billion: Reality Check.


The Take

Aráoz is right, and the more uncomfortable truth is that the asymmetry is going to get worse before it gets better. AI coding agents are improving on both sides of the offense/defense ledger, but the offense has the structural advantage: an attacker only needs to find one bug, and the bug is usually a single contract in a sea of thousands. The RWA stack is a slower-moving story, but the $2.47B / $30B ratio tells you where the real money is parked and where the composability work is going to be paid for. For builders, the takeaway is to ship agentic-trading systems only with mandatory pre-execution simulation and explicit human-in-the-loop boundaries, and to assume any contract you integrate is a soft target until proven otherwise. For investors, the takeaway is that the "AI agents trade DeFi" pitch is currently trading on a future where the underlying contracts are still safe. That assumption is no longer defensible.

Quick Summary

OpenZeppelin co-founder Manuel Aráoz warned that AI coding agents have made all DeFi "fundamentally unsafe" and is telling friends to exit. Separately, on-chain RWA tokenization has crossed $30B, but only $2.47B is actually composable in DeFi.


Source: TLDR | mr.technology — The Master Skill Index