DeFi users are still chasing returns while most of their capital remains exposed to hacks, phishing attacks, and compromised private keys. According to Nexus Mutual founder Hugh Karp, less than 2% of DeFi's total value is covered by insurance, even as billions continue to move through lending markets, bridges and staking protocols.
The gap has become harder to ignore after years of major exploits. DeFiLlama data cited in the report shows that uninsured lending protocols lost $7.7 billion to attacks over six years, while more than $600 million was lost to security incidents in April 2026 alone.
DeFi cover remains thin
DeFi insurance launched with high expectations during the 2020 boom, when protocols promised a safer version of open finance. The sector, however, remains small compared with the market it is supposed to protect.
DeFiLlama lists 28 insurance protocols, but Nexus Mutual accounts for almost all of the category's $123.5 million in total value. That figure represents just 0.14% of DeFi's broader $83 billion market.
The mismatch shows that coverage has not kept pace with user deposits. Billions sit in lending markets and liquidity pools, while most users bear the risk themselves.
Early cover products focused mainly on smart contract bugs, a risk that was easier to scope and price. Attackers have since moved into harder-to-price territory, including phishing, private key theft, social engineering and operational security failures.
Hacks go beyond code bugs
The total hacked value chart shows how much the threat landscape has shifted. Private key compromise accounts for the majority of hacked value, while phishing attacks against multisig wallets form another significant category at almost 10%.
Other attack types include access control exploits, proof verification bugs, flash loan oracle manipulation, signature exploits, bridge exploits, spoofed token attacks, math errors and database attacks. That spread makes the risk harder for insurers to price.
Source: DeFiLlama
Karp said many major hacks now begin outside the smart contract, in operational failures. That is a problem for DeFi insurance because protocols cannot easily price human security practices or weak infrastructure controls.
The Kelp DAO exploit also showed the limits of existing coverage. According to the report, attackers manipulated a bridging mechanism to obtain real assets and then used them as collateral. Karp said the underlying bridge risk would not have been covered immediately.
Users still choose the yield first
Many DeFi users avoid insurance because it cuts into returns. CertiK senior audit partner Dan She said users who focus on yield often do not want to give up multiple percentage points for coverage.
This trade-off leaves ordinary savers exposed when losses exceed a protocol's reserves. In major exploits, safety modules absorb the first loss, after which the protocol treasury takes the hit. If those buffers are exhausted, regular users may see their balances reduced.
Nevertheless, experts say the model can still evolve. Some argue that protection should be embedded directly into DeFi products rather than sold as a separate option. Others prefer narrower policies that cover specific risks, while some see room for traditional insurers to enter the market.
For now, DeFi insurance remains small while threats continue to evolve. In theory, the sector does not lack demand, but users, insurers and protocols have not yet found a structure that balances returns, costs and real protection.