Persistent security vulnerabilities and stagnant total value locked (TVL) are weighing on decentralized finance (DeFi)’s institutional appeal, according to Wall Street investment bank JPMorgan (JPM).
TVL refers to the total value of cryptoassets deposited in DeFi protocols and is commonly used as a measurement of ecosystem size, usage, and overall health.
The KelpDAO exploit, which the bank said wiped out about $20 billion in TVL within days, exposed structural risks.
An attacker broke a cross-chain bridge, minted $292 million in unbacked rsETH and used it as collateral to drain the lending protocols, leaving around $200 million in bad debt. Contagion spread beyond the directly affected platforms, underscoring how DeFi’s interconnectivity can amplify shocks.
“Much as traditional investors turn to cash in uncertain times, crypto participants have responded to recent exploits by seeking refuge in stablecoins,” analysts led by Nikolaos Panigirtzoglou wrote in Wednesday’s report.
Hacks and exploits remain a central risk to crypto because they directly undermine trust in systems that rely on code instead of intermediaries. Smart contract failures, phishing and cross-chain bridge failures can expose large pools of locked assets, with attackers often needing to exploit just a single weak point to trigger large losses.
These vulnerabilities are compounded by the complexity and interconnectedness of the blockchain infrastructure. Cross-chain bridges, for example, extend functionality but also increase the attack surface and have been responsible for billions of dollars in losses because they rely on complicated designs, shared infrastructure, and sometimes weak validation mechanisms.
Beyond the immediate economic damage, repeated exploits erode trust across the ecosystem. Each major hack can drive away users and institutions, encourage tighter regulation and slow adoption, making security a fundamental limitation to crypto’s growth.
The bank’s analysts noted that hack losses this year are tracking 2025 levels, with infrastructure and bridge exploitation still the primary vulnerability despite advances in smart contract auditing.
Growth also remains subdued. While TVL has partially recovered in dollar terms, it is largely unchanged in terms of ether (ETH), suggesting limited organic expansion and raising questions about DeFi’s ability to scale for institutional use, the report said.
During periods of stress, investors continue to rotate to stablecoins. Following the exercise, capital flowed from DeFi loans to Tether’s USDT, which benefits from deeper liquidity and faster off-ramps, reinforcing its role as a preferred flight-to-safety asset, the report said.
Read more: The $292 million Kelp DAO exploit shows why crypto-bridges are still one of the industry’s weakest links
