
A JPMorgan research team led by analyst Nikolaos Panigirtzoglou said in a report published on April 23 that persistent security vulnerabilities and a stagnating total value locked (TVL) are eroding the appeal of decentralized finance (DeFi) to institutional investors. The report emphasized that the KelpDAO vulnerability wiped out roughly $20 billion in DeFi TVL within days, exposing structural risks.
The analysts noted in the April 23 report that losses from hacker attacks in the crypto market in 2026 are expected to be on par with the 2025 level. Despite progress in smart contract audits, bridge and infrastructure vulnerabilities remain the main sources of risk.
The report quoted the analysts directly: “Just as traditional investors shift to holding cash during uncertain times, crypto participants are also coping with the recent attacks by seeking stablecoins.”
According to the report, although DeFi TVL denominated in U.S. dollars has partially recovered, DeFi TVL denominated in ether (ETH) has basically remained unchanged. JPMorgan analysts said this indicates that DeFi’s natural growth is limited, raising questions about whether DeFi has the scalability to meet the needs of institutional users.
According to JPMorgan’s report, the attack path of the KelpDAO vulnerability was: the attacker compromised the cross-chain bridge infrastructure, minted unsecured rsETH with a value of about $292 million, and deposited it as collateral into a lending protocol, ultimately resulting in roughly $200 million in bad debt.
JPMorgan’s report said the impact of this attack spread beyond the directly affected platforms, highlighting how interoperability in the DeFi ecosystem can amplify the reach of a single vulnerability. The report also noted that cross-chain bridges—due to their complex design and architecture, shared underlying infrastructure, and sometimes weak verification mechanisms—have historically led to cumulative losses of billions of dollars across the industry.
According to JPMorgan’s report, after the KelpDAO vulnerability incident, capital flowed from DeFi lending protocols into Tether’s USDT. With stronger liquidity and faster withdrawal speeds, USDT further strengthened its position as a safe-haven asset in the crypto market.
JPMorgan analysts said in the report that repeated attack events weaken market trust in DeFi systems that rely on code rather than intermediaries. Smart contract vulnerabilities, network phishing, and cross-chain bridge shortcomings are the key technical risks that lead to large amounts of locked assets being exposed.
According to JPMorgan’s publicly available information, this DeFi security analysis report was released on Wednesday, April 23, written by a research team led by analyst Nikolaos Panigirtzoglou.
According to JPMorgan’s report, the KelpDAO vulnerability erased about $20 billion in DeFi TVL within days. The attacker minted $292 million of unsecured rsETH as collateral and ultimately caused about $200 million in bad debt, with the impact spreading beyond the directly affected platform.
According to JPMorgan’s report, while DeFi TVL denominated in U.S. dollars has partially recovered, DeFi TVL denominated in ETH has basically remained unchanged. The analysts said this indicates that DeFi’s natural growth is limited, and they raised questions about whether DeFi can meet institutional users’ needs.