DeFi Isn't Dying, It's Dividing
4 minutes · By: Ari Pingle

Over the past week, Aave's TVL has dropped from $26.4B to $14.4B, with more than $12B pulled out in withdrawals.
It started with an exploit on KelpDAO’s rsETH: a different protocol, a different team. But rsETH has no off-chain anchor, nothing outside the chain to price against, so once the peg broke there was no floor to catch it. Depositor confidence in anything rsETH-backed went with it. This has called DeFi’s longevity into question.
DeFi itself isn’t going anywhere. But its TVL is going onchain elsewhere.
What’s emerging is a split: DeFi will continue to capture speculative users and those who want zero ties to the traditional world, while most users will migrate toward RWAs and loosely centralized assets that offer built-in failsafes and protection against catastrophic drawdowns.
Composability is a superpower (until it isn’t)
Through April 22, 2026, DeFi has lost $786M to hacks across 50 incidents. April alone accounts for $621M across 15 of those. The two largest:
Even though Aave wasn't directly exploited, confidence in deposits was. Just this week, ~$12B in TVL has left DeFi, close to 13% of total TVL.
The capital leaving DeFi isn't leaving because the product got worse; it's leaving because the product was never built for it.

Two incidents inside the last ~3 weeks account for >75% of the total TVL compromised in 2026.
The thesis for DeFi was always "composability is a superpower." Theoretically compelling, but flawed in practice. In its previous state, DeFi suffered from collapsing three distinct user profiles into one:
Speculators who want leverage and composable yield.
Savers who want predictable, high-duration yield with real backing.
Sovereignty users who want onchain rails precisely because they don't want regulated counterparties.
These three profiles want different things from the broad categorization of “DeFi”. The last cycle tried to serve them with one product, creating a fragile system. Each profile needs its own risk topology.
Seams between systems
Both of 2026's largest incidents trace to Lazarus Group. Chainalysis put North Korean theft at north of $2B in 2025, up 51% YoY. For anyone building financial products onchain, this is a structural threat: a state-directed operation running at institutional scale against small anonymous teams.
2026's incident profile looks nothing like 2021's. Reentrancy used to dominate. Now it's the seams between systems.
Oracle manipulation and cross-chain bridges account for $600M of the $786M lost YTD across just 11 incidents. Smart contract bugs are higher in quantity (23 incidents), but account for a much smaller total TVL ($78M). The attack surface has moved from code to architecture.
Since 2022, cross-chain verification alone is responsible for $2.8B in losses. Drift's attackers spent six months on social engineering and information gathering before pulling the trigger. Traditional audits are still a necessity, but they're no longer sufficient on their own.
AI has collapsed the timeline on vulnerability discovery. Issues that used to take sophisticated teams weeks are surfacing in hours, and "anyone can audit" and "anyone can attack" are increasingly the same sentence.
The asymmetry that used to favor defenders is gone.

The new attack surface is cross-chain and oracle-based.
Contagion is universal, but recovery is not
These hacks are harrowing enough for allocators and builders alike, but the real issue they pose is contagion.
Any token inside a composable pool carries transmission risk, including RWAs. When a DEX or lending market holding a token gets compromised, effects propagate throughout all applicable ecosystems.
Where RWAs offer a more digestible (and investable) backdrop is in what happens when things go wrong.
When Kelp's bridge minted 116,500 unbacked rsETH, there was no offchain source of truth to reconcile against. The underlying (restaked ETH) sits onchain too, so when the bridge produced fake supply, no ledger outside the system could distinguish real from fake. The only resolutions were socialized losses or a permanent depeg.
Real-asset-backed markets have a different recovery path. The underlying (a Treasury bill, allocated gold) sits with a regulated custodian who knows exactly how much supply should exist onchain. An exploit that mints unbacked tokens creates a known discrepancy. The issuer can identify the bad supply, cancel it, and reissue clean tokens from reserves. Losses cap at onchain pool/lending liquidity, not at total exposure.
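The reconciliation step described above, as an added example that is not part of the original article or any issuer's code: each onchain mint is checked against the custodian's deposit ledger, and anything the ledger cannot account for is flagged as supply to cancel. The event format, deposit references and amounts are all constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Mint:
    tx: str                      # constructed transaction label
    amount: Decimal              # tokens issued onchain
    deposit_ref: Optional[str]   # custodian deposit the mint claims as backing


def reconcile(mints, deposits):
    """Split mints into (backed, unbacked) using the custodian's ledger.

    deposits maps deposit reference -> units of underlying held offchain.
    A mint is backed only if it cites a real deposit with enough balance
    left after earlier mints have drawn on it.
    """
    remaining = dict(deposits)
    backed, unbacked = [], []
    for m in mints:
        available = remaining.get(m.deposit_ref, Decimal(0))
        if m.deposit_ref is not None and Decimal(0) < m.amount <= available:
            remaining[m.deposit_ref] = available - m.amount
            backed.append(m)
        else:
            unbacked.append(m)
    return backed, unbacked


def discrepancy(mints, deposits):
    """Onchain supply minus the supply the custodian says should exist."""
    return sum((m.amount for m in mints), Decimal(0)) - sum(deposits.values(), Decimal(0))


# Constructed sample data: two real deposits, four mint events.
DEPOSITS = {"D-001": Decimal(1000), "D-002": Decimal(500)}
MINTS = [
    Mint("tx-1", Decimal(1000), "D-001"),
    Mint("tx-2", Decimal(500), "D-002"),
    Mint("tx-3", Decimal(750), None),      # no custodian reference at all
    Mint("tx-4", Decimal(1000), "D-001"),  # reuses an already consumed deposit
]

if __name__ == "__main__":
    backed, unbacked = reconcile(MINTS, DEPOSITS)
    print("cancel and reissue:", [m.tx for m in unbacked])
    print("excess supply:", discrepancy(MINTS, DEPOSITS))
```

For an asset whose underlying also lives onchain, there is no `deposits` ledger to pass in, which is the gap the rsETH case illustrates.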
Saver’s calculus
When you borrow against tokenized gold, your exposure is enumerable:
price: real-world market price (LBMA gold fix, Treasury auction)
counterparty: named regulated entities (Standard Chartered, Wellington in our case)
custody: allocated reserves with a known auditor
wrapper: the smart contract issuing the token
leverage: pool leverage where you're borrowing
Five known variables, all of which are priceable.
Tokenized gold borrow: Risk = price + counterparty + custody + wrapper + leverage
Rehypothecated DeFi borrow: Risk = price + oracle + bridge + pool + chain + wrapper + counterparty + leverage + ... + ?
There's a reason the second equation is open ended.
When you borrow against a rehypothecated synthetic on a composed position, every variable decomposes into more variables. There's no offchain authoritative record that terminates the recursion.
Underwriters can only price what they can name. Auditors can only verify what they can isolate. Neither is true for a risk stack that keeps recursing. This is what the saver archetype can't underwrite: unknowable risks, not fewer risks.
Onchain capital will increasingly flow into RWAs — real-world assets like Treasuries, credit, commodities, and equities that have been tokenized. These assets inherit the benefits of crypto rails (24/7 settlement, composability, global access, programmable compliance) while keeping the failsafes, circuit breakers, and max drawdowns that traditional finance has spent decades building in.
The data reflects this. RWAs crossed $27.6B in TVL last month, up 300% YoY. Seven asset classes past $1B. Tokenized Treasuries went from $380M in Q1 2023 to $14B in Q1 2026. 37x in three years.

Two charts show one story: DeFi is losing capital it was never built for and Onchain Finance is catching it.
Theo assets are an example of this. Users hold, trade, and compose fully onchain. The backing sits offchain in hard assets, regulated custody, and CME collateral.
This is bifurcation between user types, not flight. Capital is reallocating to products with risk parameters it understands rather than leaving.
How we build at Theo
All of these considerations are baked into how we built at @theo_network. Some relevant details:
Minting gated to whitelisted counterparties. Transfers cannot route to non-whitelisted parties.
Mints enforce ratio checks against transferred collateral before any new supply is issued.
Bridge security on 4/4 DVNs. Compromising one does nothing. Compromising all four is a different class of event entirely. (The exact setup the Kelp exploit depended on not being enforced.)
Markets are isolated, not pooled. Failure in one cannot cascade.
Redemptions size-capped and KYC-gated at scale. Attack surface bounded by design.
Counterparties are regulated and externally auditable: Standard Chartered, Wellington, FundBridge, CME.
We've moved slower for it, but the tradeoff is allocator appetite on long time horizons.
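A minimal model of three of the controls listed above (whitelisted minting, a collateral ratio check before issuance, and an all-verifiers bridge quorum), written as an added example and not Theo's code. The verifier ids, counterparty ids, payload format and the 1:1 ratio are assumptions; the single-verifier configuration is included only as a contrast case.

```python
import hashlib
from decimal import Decimal

# All names and values below are constructed for illustration.
REQUIRED_DVNS = frozenset({"dvn-a", "dvn-b", "dvn-c", "dvn-d"})
WHITELIST = frozenset({"cp-1", "cp-2"})
MIN_RATIO = Decimal("1")  # assumed: collateral must at least equal minted amount


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def quorum_ok(payload, attestations, required=REQUIRED_DVNS):
    """True only if every required verifier attested to this exact payload."""
    want = digest(payload)
    return all(attestations.get(v) == want for v in required)


def authorize_mint(counterparty, amount, collateral, payload, attestations,
                   required=REQUIRED_DVNS):
    """Run all checks before any supply is issued; return (allowed, reason)."""
    if counterparty not in WHITELIST:
        return False, "counterparty not whitelisted"
    if amount <= 0 or collateral / amount < MIN_RATIO:
        return False, "collateral ratio below minimum"
    if not quorum_ok(payload, attestations, required):
        return False, "incomplete verifier quorum"
    return True, "ok"


def demo():
    good, forged = b"mint:cp-1:100", b"mint:cp-1:100000"
    all_four = {v: digest(good) for v in REQUIRED_DVNS}
    one_bad = {"dvn-a": digest(forged)}  # a single verifier vouches for a forgery
    big = Decimal(100000)
    return {
        "honest_4of4": authorize_mint("cp-1", Decimal(100), Decimal(100), good, all_four),
        "forged_4of4": authorize_mint("cp-1", big, big, forged, one_bad),
        "forged_1of1": authorize_mint("cp-1", big, big, forged, one_bad,
                                      required=frozenset({"dvn-a"})),
        "undercollateralized": authorize_mint("cp-1", Decimal(100), Decimal(90), good, all_four),
        "not_whitelisted": authorize_mint("cp-9", Decimal(100), Decimal(100), good, all_four),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```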
Two trains, One rail
Institutions will keep doing what they've always done (custody, compliance, capital preservation) because the market wants those jobs done by entities with legal accountability.
Alongside them, a sharper DeFi will serve users who want composability and independence from any regulated counterparty. For that user, an onchain product routed through Standard Chartered is the exact thing they were trying to route around. That demand is durable.
But the scope is changing. DeFi's future is narrower than its branding, and more honest about what it is. Expect this moment to accelerate the shift, and serve as a catalyst for RWAs.
Original X article by Ari Pingle.