Wall Street has spent the first quarter of 2026 systematically reducing DeFi’s claim on the future of the financial sector.
In January, ICE announced that NYSE was building a tokenized securities platform with 24/7 operations, instant settlement, dollar-based order size and stablecoin financing, with BNY and Citi providing tokenized deposits for clearinghouse financing outside of normal banking hours.
In February, WisdomTree launched 24/7 trading and instant settlement for tokenized money market fund shares under the backing of the SEC.
In March, the Fed, the FDIC and the OCC jointly said that eligible tokenized securities should receive the same capital treatment as their non-tokenized counterparts, calling the framework technology-neutral.
The SEC subsequently approved Nasdaq’s proposal to trade certain securities in token form, with settlement via DTC.
NYSE and Securitize pursued a partnership to build a digital transfer agent infrastructure around institutional operating standards.
That series did something concrete for the competitive position of DeFi. Regulated exchanges, broker-dealers and bank-backed clearinghouses can now package 24/7 trading and on-chain settlement within a controlled market structure, with associated capital treatment.
The base pool of on-chain capital targeted by these moves already exceeds $330 billion, including stablecoins at approximately $317 billion, tokenized US Treasuries at nearly $13 billion, and tokenized equities at $1 billion.
That pool will attract institutional capital regardless of which track it flows through.
Why this is important: the battle is no longer over whether the financial sector will move in the chain. It’s about who takes the capital when that happens. If regulated platforms can offer blockchain-based trading and settlement without the risks of DeFi’s governance and control layer, open protocols must prove why institutions should accept the additional exposure.
Composibility is the clear advantage of DeFi: the ability to build interconnected financial products on a shared, permissionless infrastructure, where any protocol can connect directly to any other protocol under open conditions.
It is a truly DeFi-native feature. Nasdaq-approved tokenized securities continue to be settled via DTC, subject to exchange supervision, and operate under existing order types and reporting frameworks.
WisdomTree’s tokenized fund is part of a broker-dealer model. NYSE designed its tokenized platform around transfer agents and institutional operating standards. All of these architectures require a central gatekeeper to approve downstream connections.
Drift and the control layer problem
The value of Composability as a lock depends entirely on whether capital allocators believe the surrounding controls are mature enough to limit local failures.
Drift’s exploit exposed that dependency in the most direct way. Drift confirmed that the attack used durable nonces and a takeover of the Security Council’s administrative powers through a compromise of the access control layer.
DefiLlama classified the incident as a $285 million hack caused by compromised administrative access and price manipulation. Drift’s total value dropped from about $550 million to less than $250 million.
The contamination framework from the post-incident analysis is where the competitive argument becomes sharpest.
Because Drift’s infrastructure is connected to downstream vaults, yield strategies, wrappers, and collateral positions in Solana DeFi, the administrative compromise radiated out before the exposure map was clear.
Chaos Labs publicly said that hidden dependencies continued to surface in real time, leaving the final exposure figures open. Composability, which functions as a transmission channel for losses, actually drives institutional capital allocators toward permissioned tokenization infrastructure via open protocol stacks.
The Drift incident fits a pattern that extends far beyond Solana.
Chainalysis found that private key compromises were responsible for 43.8% of stolen cryptocurrencies in 2024, the largest attack category it tracked.
TRM Labs said attackers stole $2.87 billion through nearly 150 hacks in 2025, with infrastructure attacks targeting keys, wallets and access control planes causing the majority of losses and surpassing smart contract exploits.
TRM also noted that the top 10 incidents were responsible for 81% of hacking losses in 2025.
Empirical data shows that the control layer, the governance layer, and the access management layer now pose more systemic risks than contract code alone. DeFi’s security culture is still catching up to that empirical record.
What DeFi needs to do
Open composability must apply the correction in order to compete for the institutional capital that is now pooled in the chain.
Drift’s post-incident analysis and the broader Chaos Labs framing converge on the same operational list: stricter standards for signers, time slots for privileged transitions, segmented permission structures so that one compromised key can’t reach the entire control surface, explicit dependency maps so that downstream integrations are visible before a failure occurs, and faster public disclosure that allows the broader network to act before contagion spreads.
Post-mortems show that Drift’s administrative transition used a 2-of-5 multisig without a time slot. This configuration shortened the approval window for a catastrophic change to the point where detection and intervention no longer had time to operate.
These solutions are not glamorous. They build the operational credibility that allows a CFO or risk committee to route institutional capital through an open infrastructure.
ICE, Nasdaq and NYSE compete for the same pool. The protocols that deserve a share of this will be the ones that can demonstrate composability with contained, visible risks, where an interconnection means greater utility.
Two ways forward
The on-chain capital base is currently above $330 billion and will grow as tokenized securities and stablecoin adoption increases.
The battle is over what portion of that pool flows through open, composable DeFi versus permissioned or semi-permissioned tokenization infrastructure.
On the upside, DeFi protocols are delivering a visible, sustainable upgrade to governance discipline: time slots become the standard for privileged transitions, signer hygiene improves across key protocols, teams publish dependency maps that allow third-party allocators to assess integration risk before allocating capital, and disclosure delays shorten from days to hours.
Institutional allocators are beginning to selectively use open composability for structured collateral, cross-protocol hedging and yield strategies where the control layer is demonstrably stronger than before.
Open DeFi captures 5% to 10% of the on-chain capital pool, or approximately $16 billion to $33 billion. Composability becomes the premium layer on top of the tokenization rails that traditional finance is building, alongside a controlled market structure.
In the bear scenario, each successive incident at the control layer increases the perceived risk premium on open composability faster than the industry can close the governance gap.
Tokenized securities, tokenized funds, and stablecoin settlement volumes have expanded, while capital remains within exchanges, broker-dealers, and authorized custodian structures.
Open DeFi takes up less than 1% of the pool, with total assets under $3 billion. Traditional finance leverages the benefits of blockchain through tokenization, faster settlement and extended hours, while open composability captures retail flows and reflexive capital seeking returns on open infrastructure.
Wall Street proved in 2025 and early 2026 that blockchain rails can transport institutional assets within controlled frameworks.
The path to DeFi victory requires proving that open interconnection is worth the additional governance, disclosure, and control overhead imposed by regulatory mandates in supervised venues.