Persistent security vulnerabilities and stagnant total value locked (TVL) are weighing on the institutional appeal of decentralized finance (DeFi), according to Wall Street investment bank JPMorgan (JPM).
TVL refers to the total value of cryptoassets deposited in DeFi protocols and is commonly used as an indicator of the size, usage, and overall health of the ecosystem.
The KelpDAO exploit, which the bank said wiped around $20 billion in TVL in a matter of days, exposed structural risks.
An attacker breached a cross-chain bridge, minted $292 million in unbacked rsETH, and used it as collateral to drain lending protocols, leaving approximately $200 million in bad debt. The contagion spread beyond the directly affected platforms, underscoring how DeFi interconnectedness can amplify shocks.
“As traditional investors turn to cash in times of uncertainty, crypto participants have responded to recent exploits by seeking refuge in stablecoins,” analysts led by Nikolaos Panigirtzoglou wrote in Wednesday’s report.
Hacks and exploits remain a central risk for cryptocurrencies because they directly undermine trust in systems that rely on code rather than intermediaries. Smart contract bugs, phishing, and cross-chain bridge flaws can expose large pools of locked assets, and attackers often need to exploit a single weak point to cause massive losses.
These vulnerabilities are amplified by the complexity and interconnectedness of blockchain infrastructure. Cross-chain bridges, for example, expand functionality but also increase the attack surface and have been responsible for billions of dollars in losses because they rely on complicated designs, shared infrastructure, and sometimes weak validation mechanisms.
Beyond the immediate financial damage, repeated attacks erode trust throughout the ecosystem. Every major hack can alienate users and institutions, lead to tighter regulation and slow adoption, making security a critical constraint to the growth of cryptocurrencies.
Analysts at the bank noted that hacking losses this year are tracking 2025 levels, and that infrastructure and bridge vulnerabilities remain the top vulnerability despite advances in smart contract auditing.
Growth also remains moderate. While TVL has partially recovered in dollar terms, it remains virtually unchanged in ether (ETH) terms, suggesting limited organic expansion and raising questions about DeFi’s ability to scale for institutional use, according to the report.
In times of stress, investors continue to turn to stablecoins. Following the exploit, capital flowed from DeFi loans to Tether’s USDT, which benefits from deeper liquidity and faster exit ramps, reinforcing its role as a preferred flight-to-safety asset, according to the report.
Read more: $292M Kelp DAO Exploit Shows Why Crypto Bridges Remain One of the Industry’s Weakest Links
