DeFi users are still chasing yield while most of their capital remains exposed to hacks, phishing attacks, and private key failures. According to Nexus Mutual founder Hugh Karp, less than 2% of DeFi’s total value locked has insurance coverage, even as billions continue moving through lending markets, bridges, and staking protocols.
The gap has become harder to ignore after years of major exploits. shows uninsured lending protocols have lost $7.7 billion to attacks over six years, while April 2026 alone saw more than $600 million lost in security events.
DeFi insurance began with large expectations during the 2020 boom, when protocols promised a safer version of open finance. However, the sector remains tiny compared with the market it is supposed to protect.
DeFiLlama lists 28 insurance protocols, yet Nexus Mutual accounts for nearly all of the sector’s $123.5 million in total value locked. That figure represents only 0.14% of DeFi’s wider $83 billion market.
This mismatch shows that coverage has not kept pace with user deposits. Billions sit in lending markets and liquidity pools, while most users carry the risk themselves.
Early coverage products mostly focused on smart contract bugs. Those risks were easier to audit and price. Attackers have since moved toward harder areas, including phishing, private key theft, social engineering, and operational security failures.
The chart on total value hacked shows how much the threat landscape has changed. Private key compromise accounts for the largest share of hacked value, while Safe multisig wallet phishing also represents a major category at nearly 10%.
Other attack types include access control exploits, proof verifier bugs, flash-loan oracle attacks, signature exploits, bridge exploits, spoof token attacks, math mistakes, and database attacks. The broad spread makes pricing risk more difficult for insurers.
Source: (DeFiLlama)
Karp said many large exploits now begin outside smart contracts, through operational failures. That creates a problem for DeFi insurance, as protocols cannot easily price human security lapses or weak infrastructure controls.
The Kelp DAO exploit also showed the limits of existing coverage. According to the report, attackers manipulated a bridge mechanism, accessed real assets, and then used them as collateral. Karp said the core bridge risk would not have been directly covered.
Many DeFi users avoid insurance as it reduces returns. CertiK senior audit partner Dan She said users focused on yield often do not want to give up several percentage points for cover.
That trade-off leaves ordinary depositors exposed when losses exceed protocol reserves. In major exploits, safety modules may absorb the first hit, and then treasuries take damage. If those buffers fail, regular users can face reduced balances.
Nevertheless, experts say the model may still evolve. Some argue that protection should be embedded directly into DeFi products instead of sold as a separate option. Others prefer narrower policies that cover specific risks, while some see room for traditional insurers to enter the market.
Meanwhile, DeFi insurance remains small while the threats keep changing. The sector does not lack demand in theory, but users, insurers, and protocols have not yet found a structure that balances yield, cost, and real protection.