Is DeFi still worth investing in? The true destination of institutional funds


By mid-2026, decentralized finance is undergoing its most severe trust test since its inception. On one side, an OpenZeppelin co-founder has issued a stern warning: AI programming agents have surpassed humans in vulnerability detection, making DeFi entirely unsafe. On the other side, institutional funds have not exited but are quietly reconfiguring along three paths: stablecoins, real-world assets, and permissioned DeFi. As hacker attacks evolve from sporadic incidents into systemic threats, the fundamental value logic of the entire sector is being rewritten.

Twelve Months of Security Breaches

As of May 29, 2026, total DeFi losses from hacker attacks over the past 12 months exceed $1.1 billion. In April 2026 alone, two staggering security incidents occurred: Drift Protocol was attacked by the Lazarus Group, losing about $285 million; in the same month, the liquid staking protocol KelpDAO was hit again, losing approximately $292 million.

The common features of these two attacks are deeply concerning. In both cases the attackers exploited subtle vulnerabilities in smart contract logic, and the code of the affected protocols had been audited by at least two firms before the attacks. The Lazarus Group demonstrated a deep understanding of cross-chain messaging mechanisms, bypassing multi-signature verification steps and directly manipulating the protocol’s fund collection contracts.

More alarmingly, OpenZeppelin co-founder Manuel Aráoz publicly warned in May 2026 that AI programming agents have substantially surpassed human auditors in vulnerability detection. This means that attackers using AI tools to scan unreviewed code are increasing their efficiency exponentially, while defensive measures have yet to evolve in tandem.

DeFi security in 2026 is no longer a point risk but a systemic survival challenge.

Cracks in Trust Measured in Hundreds of Billions

Data does not lie. According to public on-chain statistics, the total value locked (TVL) in DeFi has fallen by over $200 billion since the beginning of 2026. Behind this figure is a continuous migration of funds from permissionless protocols to more controllable environments.

The structural reasons for this trend can be summarized on three levels. First, ongoing large-scale security incidents have destroyed some users’ fundamental trust in decentralized protocols. When users cannot be confident in the security of code logic, their willingness to deposit funds declines. Second, AI-driven attack methods are lowering the barrier to malicious activity. Logic vulnerabilities that previously required top hacking teams to discover are now easier to identify and exploit with AI assistance. Third, declining on-chain yields weaken DeFi’s attractiveness compared to traditional financial instruments. As risks rise, returns have not kept pace, and the risk-reward ratio continues to deteriorate.

It’s worth noting that the decline in TVL is not uniform. Liquidity concentration in leading protocols is actually increasing, while small and medium protocols are being rapidly phased out. This points to a key judgment: what DeFi is experiencing is not industry decline but a fierce process of natural selection and structural reshaping.

Diverging Opinions and Controversies

Public discourse around DeFi’s future shows clear factional divides.

One camp comprises professionals from the auditing and security sectors. Their core view is that current DeFi security models are built on the ideal of “code is law,” but in reality, code always contains vulnerabilities. The involvement of AI further tilts the balance between attack and defense. This faction calls for a halt to deploying complex protocols without formal verification and advocates introducing manual intervention points at critical modules.

The other camp consists of decentralization purists. They insist that security issues are not unique to DeFi but are common pains in early-stage financial systems. Traditional finance also suffers from internal fraud and systemic vulnerabilities, but losses are often absorbed by regulators and insurers, rather than being fully transparent and exposed on-chain. They believe the solution is not to introduce centralized control but to accelerate the adoption of formal verification tools and on-chain insurance mechanisms.

Another group focuses on institutional behavior. They point out that the real driver behind the shifting flow of DeFi funds is not retail sentiment but strategic adjustments by institutional capital. Institutions are moving from “pursuing pure decentralization narratives” to “seeking compliance, security, and stable yields.” This shift is reflected in the emerging three-way pattern of stablecoins, RWA (real-world assets), and permissioned DeFi.

It must be acknowledged that no unified consensus has yet formed within the industry. The very existence of divergence indicates that DeFi is standing at a critical crossroads.

Can Institutional Narratives Hold?

The true destination of institutional funds is an objective measure to test these debates.

Stablecoins have become the foundational infrastructure for institutional participation in on-chain economies. Unlike highly volatile governance tokens, stablecoins provide predictable settlement media and yield tools. Since 2026, the total supply of major stablecoins has generally increased, contrasting with the weak performance of protocol tokens. This trend indicates that institutions have not exited the chain but are adjusting their asset allocation structures.

On-chain real-world assets have rapidly become one of the fastest-growing sub-sectors. Products like sovereign bond tokenization, on-chain private credit, and commodity-backed tokens have attracted significant capital from traditional finance in 2026. The core appeal of RWA lies in bringing the stable returns of traditional assets into the on-chain environment, while tokenization enhances liquidity and divisibility. For institutions seeking risk-adjusted returns, RWA offers a more competitive alternative to purely on-chain yields.

Permissioned DeFi is the third key direction. Unlike open permissionless protocols, permissioned DeFi adds identity verification and compliance checks at the smart contract layer, enabling regulated entities to participate in on-chain financial activities without violating anti-money-laundering (AML) laws. This model sacrifices some decentralization but grants access to institutional capital. Since 2026, several permissioned DeFi protocols have shown a clear upward trend in institutional adoption.

The internal logic of these three directions is consistent: institutions are voting with their feet, choosing intermediate paths that balance on-chain efficiency with compliance and security.

Rebuilding the Underlying Logic

These trends are not short-term risk avoidance behaviors but signals of a fundamental reconstruction of DeFi’s underlying logic.

From a protocol design perspective, the priority of security is being re-ranked. Previously, the core dimensions of protocol competition were yield and token incentive design. The multiple incidents in 2026 demonstrate that protocols neglecting security, even if they attract large liquidity in the short term, will ultimately lose user trust after an attack. Increasingly, development teams are integrating formal verification, runtime monitoring, and bug bounty programs into the core architecture rather than treating them as optional add-ons.

From a capital allocation perspective, institutional risk management frameworks are expanding to cover on-chain assets. Traditional asset management firms are improving their ability to price “code risk,” a new category of risk. They no longer see DeFi as a homogeneous asset class but differentiate protocols based on security levels, audit histories, and governance structures, setting varied risk exposures accordingly. This refined capital allocation will further accelerate liquidity concentration into top, secure protocols.

From a regulatory outlook, frequent security incidents are accelerating the implementation of regulatory frameworks. Many jurisdictions have incorporated DeFi security standards into policy discussions. It is reasonable to expect that mandatory standards for smart contract audits may be implemented in some jurisdictions within the next 12 to 18 months.

Conclusion

Whether DeFi remains worth investing in depends on which “DeFi” the investor means. If it means the pure ideal of decentralization and fully permissionless open protocols, the security risks have indeed reached unprecedented levels in 2026. But if it means the broader decentralized financial ecosystem (stablecoin infrastructure, on-chain real-world assets, and compliant on-chain financial services), the flow of institutional capital already provides a clear signal.

The security crisis has not ended DeFi but has accelerated its coming of age. Protocols and sectors that can find a new balance between openness and security are absorbing capital retreating from old narratives. For participants, understanding this structural differentiation is far more meaningful than simply asking whether it’s “worth investing.”
