Will AI become a security risk or a protective shield for DeFi?

DeFi in focus: between cyberattacks, reassessment and resilience

DeFi remains one of the most exciting areas of innovation in the world of blockchain. The idea of delivering financial services directly through blockchain-based protocols opens up new possibilities for efficiency, transparency and global accessibility. At the same time, recent cyberattacks show that the sector is entering an important phase of maturation. Where large amounts of capital are moved, the requirements for security, governance and risk management increase. This is precisely why a nuanced perspective is needed. Current events do not fundamentally call DeFi into question. Rather, they highlight the conditions that must be met for decentralised financial applications to build long-term trust and become relevant for institutional investors.

Capital outflows following a cyberattack: DeFi faces its next maturity test

The DeFi sector is once again under pressure. Following a major cyberattack, substantial capital flowed out of decentralised finance applications within a short period of time. DeFi, short for decentralised finance, refers to financial applications that are implemented directly on the blockchain via smart contracts. These include lending, trading and asset management, among other use cases.

A key indicator of activity in this sector is Total Value Locked, or TVL. It describes the capital tied up in DeFi applications. Following the most recent major DeFi hack, TVL across the DeFi universe fell by around 14 billion US dollars to approximately 85 billion US dollars within just 48 hours. Aave, one of the leading DeFi lending platforms, recorded a decline in deposits of around 10 billion US dollars.

The trigger was an attack on Kelp DAO, a protocol in the liquid restaking sector. Via the LayerZero-based cross-chain bridge, attackers managed to steal rsETH tokens worth around 292 million US dollars. Some of these assets were subsequently used as collateral on Aave. As a result, the incident spread rapidly across several connected DeFi markets.

AI as an additional source of risk?

While various affected Layer 1 and Layer 2 solutions are focused on damage control, many observers are asking a broader question: is this just another major attack causing short-term uncertainty, or is the DeFi world facing a structural reassessment of its risks?

Some market participants see the recent events as more than the consequences of a single incident. They argue that rapid advances in artificial intelligence could also change the security landscape. The concern is that the more powerful AI models become, the faster potential vulnerabilities in complex smart contracts or DeFi protocols can be identified and exploited.

Chart: Since June 2025, 1.56 billion US dollars has been stolen through DeFi exploits. Over a similar period, the coding capabilities of leading AI models, measured by SWE-bench, have nearly doubled. Particularly striking was January 2026, with 282 million US dollars lost in the largest social engineering attack in Web3 history to date. | Source: phylax.systems

These concerns have recently come to the fore. One reason is the decision by AI company Anthropic not to make Claude Mythos Preview generally available. According to Anthropic, the model has particularly strong capabilities in cybersecurity, especially in identifying vulnerabilities and analysing complex software. It is therefore being made available only to selected partners as part of a controlled security programme.

Does DeFi face a structural threat?

The rapid development of AI models is undisputed. Increasingly powerful language models can help review smart contracts more quickly and thoroughly. Significantly more code can be analysed in a shorter period of time than was previously possible. However, the same tools can also be used by attackers to identify vulnerabilities and potential entry points more efficiently.

At the same time, these tools are also available to smart contract developers and security firms. They can be used to make protocols more robust from the outset, identify vulnerabilities earlier and improve existing security processes. Absolute security does not exist, including in DeFi. The situation remains a dynamic arms race between attackers and defenders. However, this does not mean the sector is defenceless.

On the contrary, current data suggests that the security landscape is becoming more professional in some areas. According to DeFiLlama, DeFi hack losses in the first quarter of 2026 fell by 89 percent compared with the same period last year. At the same time, security reports show that attack vectors are shifting. Exploits involving protocol logic have also declined significantly. Their share fell from 37 percent in 2021 to around 5 percent in 2024. Audits, formal verification, fuzz harnesses and bug bounty programmes are proving effective.

Chart: Comparison of DeFi hacks from 2020 to 2026: while code vulnerabilities, including protocol logic, have become less significant as an attack vector, attacks involving keys, infrastructure and supply chains increasingly dominate the picture. In 2026, all of the 290 million US dollars stolen to date has been attributed to this category. | Sources: Chainalysis, SlowMist, Halborn, Immunefi, DefiLlama, REKT DB, Checkpoint Research, CoinDesk

Is the human factor the weak link?

Why are millions still being stolen despite improved technical verification procedures? The answer often lies not in the smart contract code itself, but in human behaviour and centralised dependencies.

According to Hacken’s security report, phishing and social engineering caused 306 million US dollars in losses across the broader Web3 sector in the first quarter of 2026. This accounted for almost two-thirds of total losses. A single social engineering attack in January resulted in losses of 282 million US dollars, without the need to exploit a vulnerability in smart contract code. A fake support call and the disclosure of login credentials were sufficient.

The fact that total losses did not fall more sharply points to an important reality: many DeFi protocols are, in practice, less decentralised than they may appear at first glance. Where centralised keys, cloud services, administrator rights or external communication bridges exist, additional attack vectors arise. The weakest link is then often not the smart contract itself, but a centralised dependency in the background.

What does this mean?

Will the DeFi world recover from these setbacks? The experience of recent years suggests that it will. The still-young world of decentralised finance has demonstrated considerable resilience, repeatedly bouncing back from setbacks or even reinventing itself.

However, it is equally clear that the sector must continue to professionalise. Above all, hidden centralisation risks must be identified, reduced and made transparent more consistently. Only if DeFi becomes not only technologically innovative, but also operationally and structurally more robust, can lost trust be restored over the long term.

Author: Pascal Hügli

Pascal Hügli, Crypto Investment Manager at Maerki Baumann and founder of Insight DeFi, produces high-quality content on bitcoin and crypto and contributes to Maerki Baumann's development in the area of blockchain and cryptocurrencies. As a lecturer in digital finance and crypto assets at the HWZ University of Applied Sciences in Business Administration Zurich, he has in-depth expertise in this field, which he is now also applying to the establishment of our new brand "ARCHIP by Maerki Baumann".

Important legal information

This publication is intended for information and marketing purposes only, and does not constitute investment advice or a specific individual investment recommendation. It is not a sales prospectus and does not constitute a request, an offer, or a recommendation to buy or sell investment instruments or investment services, or to engage in any other transaction. Maerki Baumann & Co. AG does not provide legal or tax advice. Investors are therefore advised to obtain independent legal or tax advice concerning the suitability of such investments, since their tax treatment depends on the personal circumstances of the investor in question and is subject to change at any time. Maerki Baumann & Co. AG holds a Swiss banking licence issued by the Financial Market Supervisory Authority (FINMA). This publication is expressly not intended for persons domiciled in Germany or so-called U.S. persons.

Editorial deadline: 27 April 2026

Maerki Baumann & Co. Ltd.
Dreikönigstrasse 6, CH-8002 Zurich
T +41 44 286 25 25, info@maerki-baumann.ch
maerki-baumann.ch | archip.ch