Public Code Was DeFi’s Superpower. AI Just Made It a Liability

OpenZeppelin’s co-founder recently made a statement worth taking seriously: all of DeFi is unsafe. The reasoning isn’t sensationalism. It follows directly from what AI coding agents can now do, and from one structural property of DeFi that most builders prefer not to dwell on. The same property that makes DeFi trustless is the same property that makes it uniquely exposed to AI-powered attacks.
That property is public code. And it’s not a bug that can be patched.
We build AI systems for Web3 companies and DeFi protocols. The shift in smart contract security threat models over the past 12 months is something we see in practically every security engagement we run. What changed isn’t the code. It’s the cost of analyzing it.
What ‘superhuman’ actually means here
When people describe AI as superhuman at finding bugs, the claim is about speed and coverage. An AI coding agent can scan an entire protocol’s codebase systematically, check it against every known vulnerability pattern, test edge cases in module interactions, and surface candidates for novel exploits at a pace no human audit team can match. What took a team of engineers weeks now takes hours.
This capability is deployed by leading security firms, embedded in audit workflows, and available through public tools at various levels of sophistication. The question that follows is the one Manuel Aráoz raised: if AI can find bugs this efficiently across all software, why is DeFi specifically the one sector treating this as a crisis?
The answer comes down to two things: threat surface, and who gets access to the tools.
DeFi’s threat surface is structurally different from traditional finance
Traditional finance runs on private code. The transaction logic inside any major bank’s infrastructure isn’t publicly visible. An attacker with a powerful AI bug finder still needs to obtain the source code before they can start looking for vulnerabilities — breaching internal systems first, a difficult and noisy process that creates detection opportunities and legal exposure — before any exploitation begins.
DeFi operates differently by design. Smart contracts are deployed publicly on-chain. Anyone can inspect the bytecode. Where source code is verified, anyone can read the original logic. The full codebase of every live DeFi protocol is available to every person on the planet right now, free to download, free to run through any analysis tool, with no authentication required.
This was an intentional design choice. Trustlessness requires transparency. If users can’t inspect the code, they have to trust a centralized party’s claims about what it does, which defeats the purpose. Public code is a feature. It’s also what creates the attack surface.
The point here is migration surface, not imminent failure. The defensive properties that buffer traditional finance against AI-powered vulnerability analysis are mostly absent in DeFi. Bank transactions can be reversed or frozen. Legal systems recover stolen funds. Regulatory oversight creates accountability. In DeFi, a successful exploit drains funds in a single transaction, and those funds are typically unrecoverable.
The cost of finding vulnerabilities just dropped significantly
DeFi’s security model was built for a world where code analysis is expensive and slow. Finding exploits in complex protocol logic required skilled security engineers spending days or weeks on manual review. The cost of mounting a sophisticated attack was high enough that the expected value of most potential exploits didn’t justify the effort — especially for smaller or newer protocols.
AI changes that calculation. The marginal cost of scanning a protocol for vulnerabilities drops significantly when systematic analysis can be partially automated. A sophisticated attacker with access to the same class of AI tools used by leading audit firms can now run analysis that previously required an entire security team, at a fraction of the cost and in a fraction of the time.
This already shapes the risk profile of protocols that seemed adequately secured under the old model. A protocol that passed a thorough manual audit in 2022 was secure relative to the threat environment of 2022. The threat environment of 2026 is different. The code hasn’t changed. The cost of attacking it has.
The access race is the real variable
Manuel Aráoz’s warning points at something specific beyond ‘AI is powerful.’ The distribution of access to frontier AI tools matters enormously for how this plays out across the ecosystem.
If defensive teams, audit firms, protocol security researchers, and bug bounty hunters get consistent access to the most capable AI analysis tools before or alongside attackers, the outcome can be net positive. More vulnerabilities found and fixed before deployment. Faster identification of newly discovered vulnerability classes. Lower ongoing cost of security monitoring for individual protocols.
If the access distribution runs the other way — and well-funded adversaries, sophisticated criminal organizations, or state-level actors reach frontier AI capabilities before the defensive community — protocols that were adequately defended against human-speed adversaries may not hold up against AI-speed analysis. The attack surface hasn’t grown, but the cost of exploiting it has dropped.
This makes access to AI security tooling a first-order concern, not just a productivity upgrade. It’s a competitive race between two sides with access to the same underlying capability.
What the audit-once model misses
Much of DeFi’s current security culture is built around pre-deployment audits as the primary quality gate. Get a reputable firm to audit the code, address critical findings, deploy. This model was reasonable when audits were expensive and represented a substantial fraction of the total analytical effort that would ever be applied to the code.
In an environment where AI can continuously and cheaply scan deployed protocol code, a single pre-deployment audit establishes a security snapshot at a point in time, not ongoing security. New vulnerability patterns may be discovered later that apply retroactively to existing code. Protocol upgrades may introduce new interactions that weren’t analyzed. An attacker running continuous AI-powered scans against a live protocol may find something a one-time human audit missed.
The shift this implies is from audit as a deployment gate to security as a continuous process. Ongoing automated monitoring, regular re-audits, and integration of AI-powered scanning into internal development workflows become components of a baseline security posture rather than optional upgrades.
Why traditional finance isn’t panicking
Banks and financial institutions are not publicly worried about AI-powered bug finding in the same way. The explanation comes down to threat surface. Private code is a genuine defensive layer. Reversible transactions reduce the stakes of any individual exploit. Legal frameworks and regulatory oversight provide recourse and deterrence. Authentication systems outside the code mean that finding a bug in bank software doesn’t automatically grant access to funds.
DeFi chose to operate without those properties because they come with costs: centralization, censorship risk, intermediary trust. That tradeoff was deliberate. Understanding that it also changes the security calculus relative to AI-powered threats is part of reasoning clearly about what the tradeoff actually involves.
What builders should do now
The practical response is updating the security practices built on top of DeFi’s design principles — without abandoning those principles themselves.
Continuous monitoring matters more than it used to. Single-point pre-deployment audits are a floor, not a ceiling. Code simplicity has direct security value in a world where any complexity is a potential attack surface for automated analysis. Bug bounty incentives should reflect the actual risk of the vulnerabilities they’re designed to surface. Access to AI-powered audit tooling for defensive purposes should be treated as a security resource — the same way access to penetration testing teams was treated in the previous generation of practice.
At Boosty Labs, we built our AI Smart Contract Security Audit service around exactly this threat model. AI scanning of your contracts for vulnerabilities, logic errors, and security risks — faster than a manual audit, designed as a first line of defense before deployment and as part of an ongoing monitoring cadence. The goal is to ensure your team is running the same class of analysis against your own code that a sophisticated attacker would run against it. If there’s a vulnerability to find, you want to find it first.