DeFi Hacks Shake Institutional Confidence as Risks Outpace Yields


Cointelegraph


Security exploits are weighing on institutional appetite for decentralized finance (DeFi), even as broader crypto adoption continues through stablecoins and tokenized assets.

In an April research note, JPMorgan analysts said that bridge security remains a challenge for the industry, raising questions about whether DeFi can grow to support further institutional adoption.

The recent exploit on the Versus-Ethereum bridge was the eighth major attack against DeFi bridges in 2026 so far, with cumulative losses totalling $328.6 million.

DeFi bridges remain prime targets for hackers seeking to steal millions of dollars. Source: PeckShield

Misha Putiatin, CEO of smart contract security firm Statemind and co-founder of DeFi protocol Symbiotic, said he regularly fields calls from major traditional institutions exploring DeFi exposure, often with bad timing. 

“Five minutes before I have a call with a big traditional institution, another big hack,” he told Cointelegraph. 

“They sit there looking at me like, ‘Is this normal? Is this every day for you?’”

Still, institutions may get into DeFi, but the terms on which they arrive could reshape it into something that looks a lot more like traditional finance than the open, permissionless system its builders envisioned. 

DeFi has become too complex for DYOR

At the beginning of April, North Korea’s Lazarus Group was implicated in the $285 million Drift Protocol exploit, carried out through a months-long social engineering campaign in which infiltrators approached Drift contributors at an in-person crypto conference.

The same actors were blamed for the KelpDAO breach a few weeks later, which drained about $290 million from the protocol’s cross-chain bridge. 

Total value locked across DeFi fell to around $86 billion from just under $100 billion in two days following the KelpDAO hack in April. The outflows came from pools with no direct exposure to compromised assets, said JPMorgan analysts.

DeFi pools lost around $14 billion following the attack on KelpDAO. Source: DefiLlama


Putiatin said the complexity of modern DeFi makes it nearly impossible for ordinary users to know where their risk actually sits. “Do your own research doesn’t work anymore,” he said. “It hasn’t been working for a really long time.”

He explained that the system has become too interconnected and complex to trace. 

For example, when a user deposits Ether (ETH) to earn yield while never touching any other token, they can still get hit by a breach on a bridge connected to a token they’ve never even heard of. 

Do your own research, or DYOR, is an industry mantra born in the early days of Bitcoin, when protocols were simple enough that a user could read a whitepaper and make an informed decision. 

Today, with smart contracts running up to tens of thousands of lines of code, protocols layered on top of one another, and new services and tokens launching at breakneck speed, that expectation has become almost impossible to meet.

“I’m not ever expecting people that just want to invest their money to ever figure out every part of the stack themselves,” Putiatin said.

“I’m not going to spend the next two years of my life trying to figure out how to get a 6% yield,” he added, claiming that traditional finance alternatives are close enough in return that DeFi’s security risk rarely makes sense for most investors.

A shrinking premium for an unquantifiable risk

Tether (USDT), the world’s largest stablecoin, offers a supply APY of 2.74% on Aave’s Ethereum market, the biggest DeFi lending protocol. That’s below the 3.57% available on a three-month US Treasury bill. Circle’s USDC (USDC) fares better at 4.14%.

Supply and borrow APY on Aave’s Ethereum market. Source: Aave


Putiatin said institutions see this clearly, even if they struggle to quantify it precisely. The problem is that institutions have no reliable framework for pricing the hack risk sitting underneath them. 

“They can’t price risk properly,” he said. “So they discount the yield we provide by a lot.”

DeFi yields have compressed as the market has matured, eroding the premium that once justified the risk. 

At the same time, the hacks have not slowed down. For investors used to underwriting risk with actuarial precision, shrinking upside and unquantifiable downside is a hard sell.

The cost of DeFi’s seat at the table

Putiatin’s benchmark for when DeFi has genuinely turned a corner is an onchain insurance system capable of underwriting hack risk across the entire ecosystem and pricing it with the kind of actuarial precision that institutions require.

“When we have circuit breakers, curators that can do due diligence, and a framework for that — we will get the fourth one that we desperately need as an industry,” he said. “We will get insurance.”

DeFi has lost over $7.76 billion to exploits, according to DeFiLlama data tracing back to 2016. Though DeFi insurance providers exist, their capacity remains too small to backstop anything approaching institutional scale.

Without that infrastructure, institutions that do come in will do so on their own terms, demanding full know-your-customer checks, custodial controls and tokens that can be frozen at any time.

The open, permissionless architecture that made DeFi worth building gets stripped to satisfy compliance requirements.

“All of the benefits that we have as an industry, they kind of go away,” he said. “Blockchain becomes just a database.”

It is an outcome Putiatin finds more troubling than the hacks themselves. The hacks, at least, are a problem the industry can work on. A version of DeFi that institutions have hollowed out to make it safe enough for their mandates is a surrender of everything the technology was supposed to change.
