JPMorgan warns that ongoing security weaknesses limit DeFi’s attractiveness to institutional investors
A $20 billion loss from the KelpDAO breach underscores systemic vulnerabilities, while flat ETH-denominated growth and a shift to stablecoins indicate continued fragility in the decentralized finance sector.
Key points:
— JPMorgan noted that persistent hacks and stagnant capital levels in decentralized finance continue to dampen institutional interest, as evidenced by the $20 billion loss from the KelpDAO breach.
— Bridge and infrastructure exploits remain the primary risk, with losses tracking 2025 levels and undermining trust.
— Investors are rotating into stablecoins like USDT as a flight to safety during stress, the bank said.
Persistent security vulnerabilities and stagnant total value locked (TVL) are weighing on decentralized finance’s (DeFi) institutional appeal, according to Wall Street investment bank JPMorgan (JPM).
TVL refers to the total value of crypto assets deposited in DeFi protocols, and is commonly used as a gauge of the size, usage and overall health of the ecosystem.
The KelpDAO exploit, which the bank said erased about $20 billion in TVL within days, exposed structural risks.
An attacker breached a cross-chain bridge, minted $292 million in unbacked rsETH and used it as collateral to drain lending protocols, leaving roughly $200 million in bad debt. Contagion spread beyond directly affected platforms, underscoring how DeFi’s interconnectedness can amplify shocks.
«Much as traditional investors shift towards cash in uncertain times, crypto participants have responded to recent exploits by seeking refuge in stablecoins,» wrote analysts led by Nikolaos Panigirtzoglou in the Wednesday report.
Hacks and exploits remain a central risk for crypto because they directly undermine trust in systems that rely on code rather than intermediaries. Smart contract bugs, phishing and cross-chain bridge flaws can expose large pools of locked assets, with attackers often needing to exploit just a single weak point to trigger outsized losses.
Beyond the immediate financial damage, repeated exploits erode confidence across the ecosystem. Each major hack can drive users and institutions away, prompt stricter regulation and slow adoption, making security a foundational constraint on crypto’s growth.
The bank’s analysts noted hack losses this year are tracking 2025 levels, with infrastructure and bridge exploits still the primary vulnerability despite gains in smart contract auditing.
Growth also remains muted. While TVL has partially recovered in dollar terms, it is largely unchanged in terms of ether (ETH), suggesting limited organic expansion and raising questions about DeFi’s ability to scale for institutional use, the report said.
In periods of stress, investors continue to rotate into stablecoins. Following the exploit, capital flowed from DeFi lending into Tether’s USDT, which benefits from deeper liquidity and faster off-ramps, reinforcing its role as a preferred flight-to-safety asset, the report said.