DeFi Bridge Hacks Drive Institutional Pullback

A series of major bridge attacks in 2026 has eroded institutional interest in decentralized finance. Eight significant bridge exploits this year, including the Versus-Ethereum incident, accounted for about $328.6 million in bridge losses. High-profile breaches at Drift and KelpDAO contributed to a drop in total value locked in DeFi to roughly $86 billion. Institutions are withdrawing or pausing plans as yields on common DeFi markets fail to offset the risk of hacks.

Analysts at JPMorgan flagged bridge security as a persistent problem in an April research note and listed the Versus-Ethereum exploit as the eighth major bridge attack this year. The Drift Protocol breach, linked to a months-long social engineering campaign and attributed to actors connected to North Korea’s Lazarus Group, carried a reported loss of about $285 million. A separate incident at KelpDAO removed roughly $290 million from its cross-chain bridge. Two days after the KelpDAO attack, total value locked fell from just under $100 billion to about $86 billion, and DeFi pools shed an estimated $14 billion in the immediate aftermath.

Security firms and analysts identify bridges as frequent hacker targets. The frequency and scale of recent exploits complicate risk assessment for institutions that require clear downside estimates before allocating capital. Misha Putiatin, CEO of smart contract security firm Statemind and co-founder of DeFi protocol Symbiotic, said he often receives inquiries from large traditional institutions exploring DeFi exposure and recalled timing calls around new hacks: “Five minutes before I have a call with a big traditional institution, another big hack. They sit there looking at me like, ‘Is this normal? Is this every day for you?'”

Security specialists point to increasing technical complexity as a barrier to ordinary due diligence. Smart contracts can run tens of thousands of lines of code, protocols are layered, and cross-chain links create hidden interdependencies. A user who deposits Ether to earn yield can still be exposed to a breach on a bridge tied to a token they never touched. Putiatin criticized the industry mantra of “do your own research,” saying it no longer provides reliable protection for most investors.

DeFi yields have compressed as markets matured. On Aave’s Ethereum market, tether (USDT) supply APY is about 2.74 percent, below the 3.57 percent return on a three-month U.S. Treasury bill. Circle’s USDC supply APY on the same platform is roughly 4.14 percent. Institutions that underwrite risk with actuarial methods face difficulty pricing the unquantified hack risk that remains in DeFi, a challenge Putiatin highlighted when discussing institutional demand for higher certainty.

On-chain trackers show DeFi has lost more than $7.76 billion to exploits since 2016. Decentralized insurance products exist, but participants say available coverage is too small to match the scale institutions would require. Putiatin outlined missing market infrastructure such as on-chain insurance able to price hack risk with actuarial rigor, along with circuit breakers and curated due diligence frameworks.

Absent that infrastructure, institutions that do enter DeFi are likely to demand full know-your-customer checks, custodial controls and mechanisms to freeze tokens when needed. Putiatin warned that those requirements would remove many permissionless features and change how DeFi operates: “All of the benefits that we have as an industry, they kind of go away. Blockchain becomes just a database.” How developers, insurers and regulators respond to the security and insurance gaps will affect whether institutions return on terms that preserve or alter the current architecture of DeFi.