Persistent security vulnerabilities and stagnant total value locked (TVL) are weighing on the institutional appeal of decentralized finance (DeFi), according to Wall Street investment bank JPMorgan (JPM).
TVL refers to the total value of crypto assets deposited in DeFi protocols and is commonly used as an indicator of the size, usage, and overall health of the ecosystem.
The KelpDAO exploit, which the bank said wiped about $20 billion of TVL in a matter of days, exposed structural risks.
An attacker breached a cross-chain bridge, created $292 million in uncollateralized rsETH, and used it as collateral to drain lending protocols, leaving approximately $200 million in bad debt. The contagion has spread beyond directly affected platforms, highlighting how DeFi’s interconnectivity can amplify shocks.
“Just as traditional investors turn to liquidity in times of uncertainty, crypto players have responded to recent exploits by seeking refuge in stablecoins,” analysts led by Nikolaos Panigirtzoglou wrote in Wednesday’s report.
Hacks and exploits remain a major risk for crypto, as they directly undermine trust in systems that rely on code rather than intermediaries. Smart contract bugs, phishing, and cross-chain bridge flaws can expose large pools of locked assets, with attackers often needing to exploit a single weak point to trigger outsized losses.
These vulnerabilities are amplified by the complexity and interconnectivity of blockchain infrastructure. Cross-chain bridges, for example, expand functionality but also increase the attack surface, and have been responsible for billions of dollars in losses because they rely on complex designs, shared infrastructure, and sometimes weak validation mechanisms.
Beyond the immediate financial damage, repeated exploits erode trust in the entire ecosystem. Each major hack can alienate users and institutions, lead to stricter regulation, and slow adoption, making security a fundamental constraint on crypto growth.
The bank’s analysts noted that losses from hacks this year track 2025 levels, with infrastructure and bridge exploits remaining the top vulnerability despite progress in smart contract auditing.
Growth also remains moderate. Although TVL partially recovered in dollar terms, it remained largely unchanged in ether (ETH) terms, suggesting limited organic expansion and raising questions about DeFi’s ability to scale for institutional use, the report said.
In times of stress, investors continue to turn to stablecoins. Following this feat, capital flowed from DeFi loans to Tether’s USDT, which benefits from greater liquidity and faster exit ramps, further cementing its role as a favored flight-to-safety asset, according to the report.
Learn more: The $292 million Kelp DAO exploit shows why crypto bridges remain one of the weakest links in the industry.
