News & analysis · 7 June 2026
“All DeFi unsafe”: how AI vulnerability hunting split crypto’s security establishment
Two weeks before Zcash lost 30% in a single session over a counterfeiting bug found with help from Claude Opus 4.8, OpenZeppelin co-founder Manuel Aráoz posted a blunt warning on X: he considers all of DeFi unsafe and had privately advised friends and family to exit every position — including “blue chip” protocols like Aave, MakerDAO, and Compound. On June 7, JAN3 CEO Samson Mow sharpened the Bitcoin-maximalist version of the same thesis, arguing that AI will “obliterate DeFi” by exposing vulnerable smart contracts on Ethereum, Solana, and every other programmable chain. The debate is not new. What changed in June 2026 is that a frontier AI model helped surface a four-year-old soundness flaw in live mainnet code — and markets punished the disclosure immediately. For anyone holding leveraged ETH on Aave or running yield strategies across composable protocols, the question is no longer theoretical.
Aráoz’s asymmetry argument
Aráoz built OpenZeppelin into one of the most widely used smart-contract libraries in crypto. When he says DeFi is unsafe, he is not dismissing the sector from ignorance. His core claim, as reported by Cointelegraph and ETHNews, rests on a structural asymmetry: defenders must fix every possible bug; attackers need only one miss. AI coding agents, he argues, have become “superhuman” at pattern-matching vulnerabilities across public Solidity and Rust repositories. Periodic audits — the industry’s pre-launch checkbox for the past decade — cannot keep pace when models can probe composable call graphs at machine speed.
The timing amplified the message. April 2026 saw the highest monthly crypto losses since February 2025, with security analysts linking part of the surge to more sophisticated tooling. Aráoz’s warning landed the same week Coinbase’s Base network launched Base MCP, a Model Context Protocol bridge that lets ChatGPT, Claude, and Cursor manage wallets, swap tokens, and interact with DeFi apps through natural language. Builders celebrated agentic finance. Security researchers saw the attack surface expanding on both sides of the trade simultaneously.
Mow’s Bitcoin thesis meets a real-world proof point
Samson Mow has argued for years that complexity is the enemy of sound money. His June 7 warning, covered by CryptoAdventure, reframes that view through an AI lens: if models can accelerate vulnerability discovery, smart-contract networks with millions of lines of composable code become permanently disadvantaged against Bitcoin’s intentionally limited scripting surface.
The Zcash Orchard incident gave both camps a concrete exhibit. Researcher Taylor Hornby used Claude Opus 4.8 to find a soundness bug in Orchard’s zero-knowledge circuit that could have minted unlimited counterfeit ZEC with no on-chain trace. The flaw lived undetected from May 2022 until an emergency hard fork on June 3. ZEC fell more than 30% after public disclosure on June 5. Arthur Hayes exited his entire position. Our Orchard analysis walks through the epistemic problem at the center: privacy design means nobody can cryptographically prove the exploit never ran on mainnet.
Mow’s argument is strongest as a security thesis, not a prediction that every DeFi app vanishes tomorrow. AI did not autonomously hack Zcash. A skilled researcher directed the model at a specific circuit, built a working exploit, and disclosed responsibly. But the episode proved that AI-assisted review can surface flaws that survived years of human expert audits — exactly the scenario Aráoz described for Ethereum lending pools and Solana program libraries.
The counter-case: DeFi is exposed, not doomed
Not everyone agrees exit is the rational response. Yu Xian, founder of blockchain security firm SlowMist, responded to Aráoz by describing a “dual threat” from AI-empowered black hats and the defensive opportunity for teams that adopt the same tooling. DeFi projects, he argued, must become “more diligent and ruthless than black hats” — running continuous on-chain and off-chain checks rather than treating security as a launch-day event.
Meir Dolev, CTO of Cyvers, told Cointelegraph that while public forensic proof of AI-executed exploits remains limited, the broader trend is verified: DeFi’s code is public, funds settle instantly, contracts compose, and attackers scale probing across admin keys, front ends, signer workflows, and social engineering simultaneously. AI makes each surface easier to test. But Dolev rejected abandonment. His prescription mirrors what enterprise security adopted a decade ago for cloud infrastructure: continuous monitoring, AI-assisted code review, real-time transaction simulation, pre-signing risk scoring, and red-team exercises that assume breach.
The honest middle ground: most DeFi losses still come from bridge compromises, private-key theft, governance takeovers, and oracle manipulation — attack classes that predate ChatGPT. AI raises the baseline for smart-contract soundness without eliminating the human layer. The $142 million leveraged ETH position on Aave that dominated weekend on-chain feeds is a reminder that even “blue chip” protocols are venues for macro bets, not vaults. A soundness bug in Aave’s core logic would be catastrophic; a whale borrowing USDT against ETH at a health factor of 1.16 is a different risk category entirely.
Why composability is the real multiplier
Single-protocol audits miss the DeFi-specific failure mode: composition. A lending market, a liquid-staking derivative, a DEX router, and a yield aggregator can each pass individual review while their interaction creates an exploitable state no single team modeled. AI agents excel at tracing these cross-protocol paths because the code is open and the economic incentives for finding bugs are immediate. A researcher who discovers a counterfeiting flaw in a privacy pool can responsibly disclose; an attacker who finds a re-entrancy path through three protocols has no such incentive.
This is where Mow’s simplicity argument and Dolev’s defense playbook converge on one practical insight: attack surface reduction matters more than chain tribalism. Protocols that minimize admin keys, reduce upgradeability, cap composable integrations, and publish formal verification for critical invariants will outperform those that ship fast and audit once. Bitcoin’s conservatism is one form of surface reduction. Aave v4’s modular isolation is another. The wrong response is assuming yesterday’s audit badge still means tomorrow’s safety.
The agentic finance paradox
Base MCP and similar wallet-agent integrations represent the industry betting that users want AI to operate DeFi, not just audit it. The same week Aráoz warned friends to exit, Coinbase shipped tooling that lets an LLM sign transactions on users’ behalf. That is not hypocrisy — it is the sector running two experiments at once: expand access through natural-language interfaces while the security perimeter shifts from “user reads the transaction” to “agent interprets user intent.”
Prompt injection, confused-deputy attacks, and malicious dApp front ends were already documented risks before agentic wallets. AI agents add speed and plausible authority. Our ChatGPT Lockdown Mode analysis covered how frontier labs are responding on the consumer side; DeFi has no equivalent product-wide guardrail. If you use agentic wallet tools, treat them like handing your seed phrase to a very fast intern who believes everything it reads on the internet.
What holders should actually do
Aráoz’s “exit all DeFi” advice is a personal risk posture, not a market forecast. For most participants, a more actionable framework looks like this:
- Size leverage to liquidation, not conviction. The Aave whale’s $1,354 ETH liquidation line is a live stress test through CPI week. If you cannot explain your health factor in one sentence, you are not investing — you are donating to the insurance fund. See our perpetual futures guide and margin trading primer for how funding and liquidation mechanics interact with macro shocks.
- Treat audit reports as snapshots. Ask when the last diff was reviewed, whether upgrades changed admin keys, and whether the protocol composes with assets you have never heard of.
- Diversify failure modes. Concentrating in one “blue chip” lending pool exposes you to smart-contract risk, oracle risk, governance risk, and the counterparty behavior of other borrowers — simultaneously.
- Watch disclosure velocity. The Orchard bug went from discovery to patched hard fork in five days. Protocols that cannot ship emergency fixes are as dangerous as those with buggy code.
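To make the "size leverage to liquidation" point concrete, here is an added Python example (not from the article, and not Aave's own code) that computes an Aave-style health factor, the implied liquidation line, and what an instantaneous ETH price drop does to the position. The collateral amount, debt, ETH price and liquidation threshold are constructed values, not the whale's actual parameters.

```python
"""Health-factor stress test for a single-collateral lending position.

Constructed example: one ETH collateral deposit borrowing a stablecoin.
The liquidation threshold (0.83) is an assumed protocol parameter, not a
value taken from Aave's live configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    collateral_eth: float   # ETH supplied as collateral
    debt_usd: float         # stablecoin debt, in USD
    liq_threshold: float    # fraction of collateral value counted toward HF


def health_factor(pos: Position, eth_price: float) -> float:
    """HF = collateral value * liquidation threshold / debt.

    The position becomes liquidatable once HF falls below 1.0.
    """
    if pos.debt_usd <= 0:
        return float("inf")
    return pos.collateral_eth * eth_price * pos.liq_threshold / pos.debt_usd


def liquidation_price(pos: Position) -> float:
    """ETH price at which HF == 1.0 (the position's liquidation line)."""
    return pos.debt_usd / (pos.collateral_eth * pos.liq_threshold)


def drawdown_to_liquidation(pos: Position, eth_price: float) -> float:
    """Fraction ETH must fall from eth_price before liquidation; equals 1 - 1/HF."""
    return 1.0 - liquidation_price(pos) / eth_price


def stress(pos: Position, eth_price: float, shocks=(0.05, 0.10, 0.15, 0.20)):
    """Map each instantaneous price-drop fraction to the resulting HF."""
    return {s: health_factor(pos, eth_price * (1.0 - s)) for s in shocks}


if __name__ == "__main__":
    pos = Position(collateral_eth=10_000, debt_usd=20_000_000, liq_threshold=0.83)
    price = 2_800.0
    print(f"HF now:            {health_factor(pos, price):.3f}")
    print(f"liquidation price: {liquidation_price(pos):,.2f}")
    print(f"drawdown to liq:   {drawdown_to_liquidation(pos, price):.1%}")
    for shock, hf in stress(pos, price).items():
        print(f"  -{shock:.0%} ETH -> HF {hf:.3f}{'  LIQUIDATABLE' if hf < 1 else ''}")
```

With these constructed numbers the position sits at HF 1.16 and is liquidated by a 15% drop, which is the one-sentence explanation the article asks every leveraged holder to be able to give.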
The sector is not choosing between AI attack and AI defense. It is getting both at once. The protocols that treat security as an always-on execution-layer control — Dolev’s phrase — will survive the scrutiny that Zcash’s Orchard bug proved is now possible. The ones still selling last year’s audit certificate are the targets Mow described, whether or not he is right about Bitcoin absorbing the capital flight.
Three scenarios through summer 2026
Base case — defense catches up. Major protocols announce continuous AI-assisted monitoring, bug-bounty budgets rise, and the next critical flaw is found by a white hat before mainnet exploitation. Zcash-style disclosure selloffs become routine; prices recover faster as markets price “found and fixed” differently from “drained and gone.”
Bear case — one headline exploit validates the exit crowd. A nine-figure loss on a top-ten protocol with credible reports of AI-assisted discovery triggers a sector-wide deleveraging beyond the macro-driven flush of early June. Aráoz’s private advice becomes public consensus for institutional allocators.
Bull case for the Bitcoin simplicity narrative. No single DeFi catastrophe, but a steady drip of AI-found flaws in ZK systems, bridges, and governance modules pushes conservative treasuries toward BTC and stables while keeping DeFi TVL flat. Mow’s thesis wins rhetorically without requiring DeFi to die.
The June catalyst week — WWDC on Monday, CPI on Wednesday, the House crypto tax hearing on Tuesday — will dominate price action near term. But the security debate Aráoz and Mow reopened is structural. AI made the Zcash Orchard bug findable. The next question is whether DeFi’s defenders can make their code defensible at the same speed.
Sources: Cointelegraph — AI DeFi security debate (May 27, 2026); ETHNews — Aráoz exit warning; CryptoAdventure — Samson Mow (Jun 7, 2026); Bitget News — AI vulnerability discovery context. Related: Zcash Orchard bug analysis, Monero audit queue, Aave whale leveraged ETH bet.