Security has long been one of DeFi’s key promises, but the industry is increasingly struggling to keep pace with its complexity. Losses notably increased in May, bringing the year-to-date figure to almost $770 million after a contained figure of $169 million in the first quarter.
The month of April alone generated more than $600 million in losses across nearly 30 incidents, signaling a shift from sporadic breaches to sustained pressure. What is striking is the concentration of risk: massive exploits such as Kelp DAO ($293 million) and Drift Protocol ($285 million) now dominate the landscape. Moreover, such incidents show that fewer, but far more damaging, events shape the narrative.


This shift reflects deeper structural changes. Composability has improved efficiency, but it has also increased interdependence between protocols, extending vulnerabilities beyond code to oracles and operational layers. What makes this trend more concerning is that the weakness no longer lies solely in smart contracts.
Ivan Patricki, co-founder of Quantmap, noted:
What’s striking me lately is that most of the problems aren’t even about the code anymore. Teams still assume that auditing a contract ensures their security, but that assumption is no longer true.
Even though institutional flows build trust, they also amplify risk, suppressing liquidity deployment and weakening DeFi market dynamics.
DeFi innovation is evolving, and so are the flaws
This growing fragility does not exist in isolation; it reflects how DeFi is built beneath the surface. The picture becomes clearer as operating patterns repeat themselves rather than emerging as rare anomalies.
Forked architectures present the same vulnerabilities across deployments, allowing flaws to propagate faster than patches while amplifying systemic risk across interconnected protocols. As Ivan Patricki observed,
Protocols trust too many external elements…hoping none of them sneeze.
The persistence of this fragility goes back to design. Efficiency has improved, but dependencies have deepened between oracles, bridges, and access layers. At the same time, code reuse lowers barriers to entry and fuels rapid growth, a trade-off that encourages builders to pursue it despite the risks.
However, the implication is changing. As vulnerabilities multiply, trust weakens, capital becomes cautious, and liquidity deployment slows, leaving DeFi’s growth increasingly tied to its ability to contain its risks.
Governance lag turns exploits into crisis
When things go wrong in DeFi, the real vulnerability isn’t always the exploit; it is the slow response time of the system.
This gap is increasingly difficult to ignore. Attacks like the Drift Protocol compromise and the Kelp DAO exploit happened in minutes, but governance responses had to pass through quorum thresholds and voting cycles. As a result, the exposure remained open while decisions were delayed.
Structure is why this persists. In many protocols, the largest 10% of holders control 70-80% of the voting rights, with ownership remaining below 15%. These systems remain stable under normal conditions but become inert when subjected to stress.


Complicating this tension is that growing institutional participation does not always align with DeFi’s decentralized ideals. As Andrew Nalichaev, Blockchain expert and DeFi analyst at Innowise, observes,
Big players like BlackRock or big banks don’t really care about decentralization. Their goal is profit, its creation and extraction, rather than the preservation of the ideals of the system.
This tension now defines outcomes, as delayed action weakens trust, slows liquidity deployment, and forces DeFi to choose between speed and control.
What makes this pressure more significant is that it no longer stops at DeFi; it is now surfacing in the security layer that underpins the broader crypto market.
Bitcoin’s Incentive Model Shows Cracks
Bitcoin (BTC) security has always relied on incentives. Today, these incentives are starting to weaken. The change becomes clearer through the mining economy. After the halving, the subsidy fell to 3.125 BTC, while hash price compressed to $28-36 per PH/s/day in the first quarter, bringing daily revenue to $35-42 million.


With production costs often exceeding $80,000-$90,000 per BTC and transaction fees representing only 1-15% of revenue, miners are operating on ever-shrinking margins. The economics of the mining sector are changing and the pressure is starting to be felt.
Some are dying out, while others are moving into AI and high-performance computing, where returns seem more stable.
“The risk to watch out for is concentration. If three or four state-owned companies control 30-40% of the network’s hash rate and they all run parallel AI activities, the network will face a coordination problem that Satoshi’s design did not anticipate.”
Therefore, Bitcoin must strengthen miner incentives or risk a decline in security, as low participation and increasing concentration test the long-term resilience and integrity of the network.
So the lesson here is the same: whether in DeFi or Bitcoin, innovation without resilient design amplifies fragility, and the next phase of growth will depend on how quickly these systems can adapt.
Final Summary
- DeFi vulnerabilities evolve with governance delays and repeated exploits, weakening trust in interconnected crypto markets.
- Bitcoin (BTC) faces increasing security pressure as weakening incentives for miners reduce the hash rate and increase network concentration.


