DeFi Hacks Reach $7.7B as Insurance Fails to Keep Up


DeFi users are choosing eye-popping yields over safety — and hackers are cashing in.

What started as the idealistic “DeFi Summer” in 2020 — a promise of permissionless, intermediary-free finance — has turned into a multi-billion-dollar experiment with remarkably little insurance backing it. Since the phrase entered the crypto lexicon six years ago, uninsured lending protocols have lost about $7.7 billion to exploits, according to DeFiLlama. April 2026 alone saw more than $600 million wiped out in security incidents, led by high-profile breaches at Drift and Kelp DAO.

Those hacks exposed a deeper fault line: the DeFi insurance market is tiny and ill-suited to today’s threats. Less than 2% of DeFi’s total value locked (TVL) is covered by insurance, Nexus Mutual founder Hugh Karp told CoinDesk. DeFiLlama lists 28 insurance protocols, but Nexus Mutual represents nearly the whole sector’s $123.5 million in TVL — just 0.14% of the broader $83 billion DeFi ecosystem.

A shifting attack surface

Early insurance offerings were priced around smart-contract bugs — failures that are reasonably straightforward to audit and quantify. But attackers have evolved. Many of the largest losses now come from off-chain failures: compromised private keys, phishing, social engineering and broken bridge logic. DeFiLlama’s breakdown of attack methods shows private-key compromises as the biggest single slice, followed by phishing attacks targeting multisig wallets.

“Many of the largest hacks have originated offchain from operational security failures,” Karp said.

Those scenarios are far harder for insurers to underwrite because teams often lack standardized operational-security practices. Without clear standards, insurers can’t price risk reliably — and premiums climb to levels users won’t accept.

Case in point: the Kelp DAO exploit. Criminals manipulated a bridge to seize real assets and then used those assets as collateral on Aave. Karp says the “core failure of bridge risk” wouldn’t have been covered by typical DeFi insurance products, which sometimes only pay out for downstream effects — for example, bad debt caused by frozen oracles — rather than the root operational breach.

Why users don’t buy cover

A large part of the problem is behavioral economics: DeFi users are yield-driven. Paying 2%–3% in insurance premiums can erase returns on tight strategies, so many forego protection altogether.

“Most DeFi users are yield-driven and do not want to give up several percentage points of return for cover,” said Dan She, senior audit partner at CertiK.

Structural fragility compounds the issue. The first generation of decentralized insurers often shared the same infrastructure risks they were meant to cover, creating circular exposure. The sector ballooned in the early DeFi days — from about $3 million in early 2020 to roughly $1.89 billion in November 2021 — with players like Nexus Mutual, Cover Protocol, InsurAce, Tidal Finance and Bridge Mutual leading the charge. But many of those protocols either failed, were hacked, or otherwise collapsed between 2021 and 2024 amid unsustainable tokenomics and conflicts of interest. Cover Protocol was itself hacked and imploded; Armor.fi, Bridge Mutual and Tidal largely vanished.

Nexus Mutual, which has been operating since 2019, remains one of the few survivors. Karp says Nexus has covered more than $6.5 billion in value and paid out just over $18.5 million — useful but tiny relative to market exposure.

Critics argue the old model was inherently flawed. “You were just stacking counterparty risk on top of counterparty risk,” said Gaspard Peduzzi, founder of Spectra Finance, describing how DeFi insurance often relied on the same decentralized constructs it insured.

Matthew Pinnock, COO at Altura, noted that the capital backing insurance pools was frequently exposed to the exact vulnerabilities they were supposed to hedge against — so the protection evaporated right when it was needed.

When protection fails, it’s often retail users who suffer. Karp outlined the typical post-exploit sequence: protocol safety modules absorb the first blow, treasuries are raided next, and if those resources aren’t enough, ordinary depositors face losses.

“In practice, when there's no cover, the cost falls disproportionately on the least sophisticated participants,” he said.

What comes next?

The market is reacting. Some teams are embedding insurance directly into DeFi products so cover is automatic rather than optional. Others argue for narrower, more tightly defined policies — or for bringing traditional insurers into the fold to tackle operational and custody risks off-chain.

But the core challenge remains: DeFi’s risk profile is complex and quickly evolving, and the insurance industry still lacks robust tools and standards to price it. Until underwriting catches up, the sector will likely remain exposed — and incentives will keep pushing users toward yield-first decisions that leave billions on the line.

As hacks pile up and losses mount, pressure is rising to close this protection gap. If insurers, protocols and users don’t find workable compromises on coverage and cost, DeFi’s growth could slow — and future “summers” will likely come with higher bills for the unwary.
