Manuel Aráoz, the co-founder and former chief technology officer of blockchain security firm OpenZeppelin, is telling retail investors to cash out of major decentralized finance tokens. He says the safety risks are too high. The warning lands as other industry leaders insist DeFi lending has become far safer — roughly 98% more secure than it was four years ago.
Why Aráoz is sounding the alarm
Aráoz, who helped build OpenZeppelin’s widely used smart contract auditing tools, didn’t mince words. He specifically called out “DeFi blue-chips” — the largest and most established lending and trading protocols. His concern isn’t about any single hack but about the underlying structural vulnerabilities he believes remain unresolved. While he didn’t detail a specific exploit or timeline, his track record in the security space gives the warning weight. OpenZeppelin’s audits are a standard in the industry, so when one of its founders tells retail investors to leave, it’s not a casual remark.
The industry’s counter-claim
On the other side of the debate, leaders within the DeFi lending sector argue that the landscape has transformed. They claim that security has improved by approximately 98% since 2020. That year saw a wave of high-profile hacks, including the $25 million bZx exploit and the $15 million Harvest Finance attack. Since then, protocols have adopted better insurance mechanisms, formal verification, and more rigorous auditing practices. The 98% figure, if accurate, would suggest that the risk of losing funds to a code exploit has dropped dramatically. But the claim is not independently verified, and the metrics behind it aren’t public.
A gap in perception
The two positions are hard to reconcile. If lending protocols are indeed 98% safer, why would a leading security expert advise retail investors to run the other way? One possibility is that the improvement, while real, applies unevenly. Some protocols may have hardened their code while others lag. Another is that the 98% figure measures something different — perhaps the frequency of attacks rather than the potential damage. Aráoz may be looking at the same data and seeing a different picture, one where the residual risk remains too high for the average user.
What retail investors face
For individual investors who aren’t security researchers, the conflicting signals are confusing. Putting money into a blue-chip DeFi protocol still requires understanding smart contract risk, oracle manipulation, and liquidity pool dynamics. Even a 98% reduction in risk doesn’t eliminate it, and a single catastrophic failure could wipe out a portfolio. Aráoz’s warning suggests that for retail participants without the time or expertise to vet each protocol, the safer move is to step away entirely. The industry’s claim of dramatic security gains offers comfort, but Aráoz’s warning reminds investors that in DeFi, the burden of proof still falls on the user. For now, the decision rests with each person holding those tokens.



