JPMorgan Says Persistent Security Flaws Curb DeFi’s Institutional Appeal

The recent KelpDAO incident, which wiped out roughly $20 billion in DeFi TVL, underscores a chronic weakness in cross‑chain bridge design. Attackers exploited a single flaw to mint $292 million of unbacked rsETH, creating $200 million of bad debt that rippled through multiple lending platforms. Such bridge‑centric breaches have consistently accounted for the bulk of DeFi losses, keeping hack totals at levels seen in 2025 despite advances in smart‑contract auditing. For investors, the lesson is clear: the broader ecosystem’s interdependence magnifies risk, making robust code verification and diversified infrastructure essential.

Institutional players, long‑awaiting a secure entry point into crypto, are now gravitating toward stablecoins like Tether’s USDT as a defensive posture. JPMorgan notes a pronounced flight‑to‑safety, with capital flowing from vulnerable DeFi lending protocols into assets that offer deeper liquidity and faster off‑ramps. This behavior mirrors traditional finance’s cash‑seeking during market stress, highlighting how security concerns directly shape asset allocation. Moreover, regulators are watching these patterns closely, as repeated high‑profile hacks could trigger tighter oversight aimed at protecting institutional participants.

Looking ahead, the stagnation of TVL in ether terms suggests DeFi’s growth is plateauing without a breakthrough in security. While dollar‑denominated TVL has modestly recovered, the lack of organic expansion signals that institutions remain skeptical of scaling opportunities. To revive confidence, the industry must prioritize bridge hardening, formal verification, and insurance mechanisms that can absorb shocks. Successful mitigation could reignite capital inflows, diversify use‑cases beyond speculative trading, and position DeFi as a viable component of institutional portfolios.