Wall Street investment bank JPMorgan Chase (JPM) says that persistent security vulnerabilities and stagnant total value locked (TVL) are impacting the institutional appeal of decentralized finance (DeFi).
TVL refers to the total value of cryptoassets stored in a DeFi protocol and is often used as a metric to measure the size, usage, and overall health of the ecosystem.
The bank said the KelpDAO breach wiped out approximately $20 billion in TVL within days, exposing structural risks.
An attacker compromised a cross-chain bridge, minted $292 million in unsecured rsETH, and used it as collateral to drain loan protocols, leaving around $200 million in bad debt. The contagion spread beyond directly affected platforms, highlighting how the interconnectedness of DeFi amplifies shocks.
“Just as traditional investors turn to cash during times of uncertainty, cryptocurrency players have responded to recent vulnerabilities by seeking stablecoins,” analysts led by Nikolaos Panigirtzoglou wrote in a Wednesday note.
Hacks and vulnerabilities remain a major risk for cryptocurrencies because they directly undermine trust in systems that rely on code rather than intermediaries. Smart contract bugs, phishing, and cross-chain bridge flaws can expose large amounts of locked assets, and attackers often only need to exploit a single weakness to cause massive losses.
These vulnerabilities are exacerbated by the complexity and interconnectedness of blockchain infrastructure. For example, cross-chain bridges expand functionality but also increase the attack surface and cause billions of dollars in losses because they rely on complex designs, shared infrastructure, and sometimes weak verification mechanisms.
In addition to direct financial losses, repeated attacks undermine confidence in the entire ecosystem. Each major hack can lead to a loss of users and institutions, prompting tighter regulations and slow adoption, making security a fundamental limit to cryptocurrency growth.
The bank’s analysts noted that despite progress in smart contract audits, hacker losses this year are approaching 2025 levels, with infrastructure and bridge vulnerabilities remaining the main vulnerabilities.
Growth also remains sluggish. While TVL has partially recovered in U.S. dollar terms, it has remained largely unchanged in Ethereum (ETH) terms, indicating limited organic expansion and raising questions about DeFi’s ability to scale for institutional use, the report said.
Investors continue to turn to stablecoins during times of stress. According to the report, after the exploit, funds flowed from DeFi lending into Tether’s USDT, which benefited from higher liquidity and faster exits, reinforcing its role as the preferred safe-haven asset.
Read more: The $292M Kelp DAO breach shows why crypto bridges remain one of the industry’s weakest links