Decentralized finance (DeFi) faces a hurdle in its development. According to JPMorgan, security vulnerabilities and stagnant total value locked (TVL) are limiting institutional interest in the sector.
In a report sent to clients on April 23, 2026, analysts at the US bank, led by Nikolaos Panigirtzoglou, noted that Recent attacks have exposed structural weaknesses in the ecosystem, affecting confidence and causing capital outflows.
Specialists highlight a change in the behavior of capital. “Just as traditional investors turn to cash in times of uncertainty, participants in the world of cryptocurrencies have responded to recent attacks by seeking refuge in stablecoins,” they indicated. This movement reinforces the role of stablecoins as a defensive alternative within the ecosystem.
Despite advances in smart contract audits, the JPMorgan report highlights that vulnerabilities persist, especially in complex infrastructures such as inter-chain bridgeswhich expand the functionality of the ecosystem but also its attack surface.
“This raises questions about whether DeFi can achieve the organic growth needed to support broader institutional adoption,” they concluded.
One of the most relevant recent cases was the hack of the Kelp DAO protocol, which occurred on April 18. The attack exploited a vulnerability in a bridge between chainswhich allowed approximately $292 million in rsETH tokens (liquid restored ether) to be minted without backing, as reported by CriptoNoticias.
These assets were used as collateral in Aave to withdraw ETH, generating a debt of $292 million.
And the impact was not limited to the affected protocol. The analysts indicated that “the incident caused capital outflows from funds that had no direct exposure to the compromised asset, demonstrating that DeFi interconnection can be a weakness during adverse events.”
This was reflected in market data: The DeFi ecosystem recorded an outflow of $7.48 billion in 24 hours after the Kelp DAO bridge hack. That is to say, although some investors did not have funds in Kelp DAO, they still withdrew capital from other protocols out of fear.
Between April 18 and 23, the TVL, which measures the total value of assets deposited in DeFi protocols, It went from 99,520 million dollars to 84,585 million, a drop of 15%.
It should be noted that the Kelp DAO hack was not an isolated case. On April 1, the Drift protocol suffered an attack that resulted in losses close to $280 million.
Since the Drift attack, the cryptocurrency ecosystem has recorded at least 12 additional security incidents.