Occasionally I might try a new protocol, lend tokens or add liquidity to a pool, but it’s almost never more than a few thousand dollars.
I asked a bunch of my friends and investors in the industry and this seems to be a recurring pattern. Most of them also have a very small percentage of their net worth in DeFi. Why?
We’re all scared of losing it all. Not because of price fluctuation. Because of hacks.
Many people are drawn in by higher-than-average APYs. “Oh yeah, I’ve been getting a 15% APY on that money I parked in that protocol, it’s awesome”.
In my view, even a rare 20% APY isn’t worth the risk of losing it all to a hack.
Eventually, it boils down to trust. I (and many others) don’t trust the security posture of many projects out there. After investigating crypto hacks for 4 years, I’ve seen many teams with poor security practices, using almost no security tools, and mostly outsourcing their security to auditors.
Even if they were audited by a top security firm, that’s one check someone did 6 months ago. What happened in the meantime? Did the developers ship new code? Are they using a vulnerable dependency?
If even people in the industry aren’t putting money where their mouth is, how can we expect institutions and newcomers to do it?
Security is the biggest obstacle to the growth of web3. Period. Not UX. Security.
To make the point concrete, let’s engage in a thought experiment: you have money in both Uniswap and JPMorgan and they both get exploited. Below is a timeline of what you can reasonably expect to happen.
| Phase | Uniswap (DeFi) | JPMorgan (TradFi) |
|---|---|---|
| Exploit | Logic bug in the AMM contract drains pools in a single block (similar to the $197 M Euler Finance hack, Mar 2023) (Euler Finance) | Core payment switch compromised; adversary sends fraudulent Fedwire messages and sweeps customer balances (cf. Bangladesh‑SWIFT template) (BankInfoSecurity) |
| Immediate controls | No admin key → funds already in attacker wallet. Devs/DAO can only pause new pools. | JPM’s cyber team isolates payment rails and notifies the Fed; outbound wires halted. |
| Asset‑freeze leverage | Hope attacker touches a compliant CEX so the exchange can freeze, or rely on court‑ordered address sanctions (slow, often ineffective). | Bank files SWIFT recall and reverses in‑house ledger entries; any residual loss booked as operating expense or against cyber‑insurance. |
| Customer recourse | 1. Wait for a white‑hat negotiation (Euler: 90 % back in ≈3 weeks). 2. Tolerate an IOU haircut (Bitfinex 2016: ‑36 % + BFX token, repaid after 8 months). 3. Bankruptcy route (FTX: funds locked > 2 yrs, repaid at Nov 2022 prices, upside lost). (Euler Finance, Reuters, Reuters) | U.S. Reg E / EFTA §1005.11 forces JPM to issue provisional credit within 10 business days after you report the error. Liability to you ≤ $50–$500. (Consumer Financial Protection Bureau) |
| Insurance / back‑stop | Protocol‑level insurance rare; most crypto insurers exclude smart‑contract exploits. Recovery odds and timing uncertain. | If the bank cannot claw funds back, it still credits your account. Loss sits with JPM and its cyber‑insurance syndicate; FDIC coverage applies only if the bank itself fails. (WIRED, lbwinsurance.com) |
| Time to full usability | Best case ≈ weeks; realistic range months‑to‑years; sometimes 0 %. | Typically same day (if provisional credit) to ≤ 10 days for final resolution. |
| Value recovered | Anywhere from 0 % → 100 %, often fixed to price at hack time (FTX users miss BTC 6× rally). | 100 % of nominal balance plus any interest or fees refunded. |
Your prospects in the two scenarios are VERY different from each other.
So what needs to change? What would make me (and institutions) comfortable with investing more in DeFi?
Knowing the protocol I’m using has done the following would definitely help.
| Layer | Current norm | Needed to unlock real capital |
|---|---|---|
| Code reviews | One‑off audit pre‑launch | Continuous scanning on every merge (SAST + LLM‑based analyzers like Almanax), fuzzing and formal verification. |
| Dependencies | Pin versions, hope | Automated SBOM + vuln alerts; wallet teams must treat supply‑chain risk as existential |
| Monitoring | Manual dashboards | Realtime anomaly detection (Range, Hexagate, Hypernative, Guardrail, FailSafe) tied to circuit‑breakers |
| Recovery | Ad‑hoc war rooms | Pre‑funded disaster recovery vaults (e.g., Station 70 model) |
| Insurance | Sparse, cap‑limited | Data‑driven underwriting beyond “passed audit” PDFs |
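The Monitoring row's "anomaly detection tied to circuit‑breakers" can be made concrete with an added example (not code from this post or from any of the products named): a per‑window outflow limit that rejects, rather than merely observes, a withdrawal that would drain the pool in one block, which is exactly the gap in the "Devs/DAO can only pause new pools" row above. The window length, the 10 % threshold and the event stream are constructed assumptions.

```python
from collections import deque

class OutflowBreaker:
    """Sliding-window outflow limit for a pool. Trips (and rejects the
    request) when withdrawals inside the window would exceed
    max_ratio of the TVL that existed at the start of the window."""

    def __init__(self, tvl: float, window_blocks: int, max_ratio: float):
        self.tvl = tvl
        self.window_blocks = window_blocks
        self.max_ratio = max_ratio
        self.outflows: deque[tuple[int, float]] = deque()  # (block, amount)
        self.tripped_at: int | None = None

    def _prune(self, block: int) -> None:
        # forget withdrawals that have fallen out of the window
        while self.outflows and self.outflows[0][0] <= block - self.window_blocks:
            self.outflows.popleft()

    def deposit(self, block: int, amount: float) -> None:
        self.tvl += amount  # deposits never trip the breaker

    def withdraw(self, block: int, amount: float) -> bool:
        """Return True if the withdrawal is executed, False if rejected."""
        if self.tripped_at is not None:
            return False  # tripped: everything halts until a manual reset
        self._prune(block)
        window_out = sum(a for _, a in self.outflows)
        window_start_tvl = self.tvl + window_out
        if window_out + amount > self.max_ratio * window_start_tvl:
            self.tripped_at = block  # the draining request itself is refused
            return False
        self.tvl -= amount
        self.outflows.append((block, amount))
        return True

def run_simulation() -> dict:
    """Constructed event stream: 20 blocks of routine LP activity, then a
    single-block drain attempt, then one legitimate user caught by the halt."""
    b = OutflowBreaker(tvl=10_000_000, window_blocks=50, max_ratio=0.10)
    rejected = []
    for block in range(1, 21):
        if block == 5:
            b.deposit(block, 200_000)
        if not b.withdraw(block, 20_000):
            rejected.append(block)
    for block, amount in ((21, 9_000_000), (22, 10_000)):  # drain, then bystander
        if not b.withdraw(block, amount):
            rejected.append(block)
    return {"tripped_at": b.tripped_at, "tvl": b.tvl, "rejected": rejected}
```

The cost of this design is visible in the result: once tripped, the honest withdrawal at block 22 is also refused, so the breaker needs a governance reset path and an alert, which is where the off‑chain monitoring vendors in the table plug in.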
Insurance is tricky. Providers still rely on audit reports because they often don’t have the internal capabilities to assess the cyber risk of a DeFi app. They generally understand the limitations, so coverage remains shallow or unavailable.
I’m not a doomsday-type guy. I’m generally optimistic and the industry has matured a lot since I started in 2019. Tooling is trending the right way. Companies are upping their security budgets and implementing rigorous internal processes. Insurance products are being worked on. AI is showing promising results from a defensive standpoint (we're using LLMs extensively at Almanax).
We’re moving in the right direction, it just takes time. I look forward to the day when I'll be comfortable investing large amounts in DeFi.
Until then, the asymmetric downside dominates, and my capital stays mostly elsewhere.
Francesco Piccoli
Why I Don’t Invest (Much) in DeFi. Six years in crypto, yet DeFi still holds less than 1 % of my portfolio. I published the full blog on @paragraph https://paragraph.com/@francesco/why-i-dont-invest-much-in-defi