A persistent gap in decentralized finance insurance is leaving most user funds unprotected, even as hacking incidents continue to rise. According to Hugh Karp, founder of Nexus Mutual, less than 2% of DeFi’s total value locked has any insurance coverage. This comes as billions of dollars flow through lending markets, bridges, and staking protocols with minimal safety nets.
Coverage Remains Thin Despite Growing Losses
The disconnect between risk and protection has become harder to ignore after years of major exploits. Data from DeFiLlama indicates that uninsured lending protocols have lost $7.7 billion to attacks over the past six years. April 2026 alone saw more than $600 million lost in security events. Yet the insurance sector remains tiny compared to the market it is supposed to protect.
DeFiLlama currently lists 28 insurance protocols, but Nexus Mutual accounts for nearly all of the sector’s $123.5 million in total value locked. That figure represents only 0.14% of DeFi’s wider $83 billion market. This mismatch suggests coverage has not kept pace with user deposits. Billions sit in lending markets and liquidity pools, while most users carry the risk themselves.
Early insurance products mostly focused on smart contract bugs. Those risks were easier to audit and price. Attackers have since moved toward harder areas, including phishing, private key theft, social engineering, and operational security failures.
Hacks Shift Beyond Code Bugs
The threat landscape has changed considerably. Private key compromise now accounts for the largest share of hacked value. Safe multisig wallet phishing also represents a major category at nearly 10%. Other attack types include access control exploits, proof verifier bugs, flash-loan oracle attacks, signature exploits, bridge exploits, spoof token attacks, math mistakes, and database attacks. The broad spread makes pricing risk more difficult for insurers.
Karp noted that many large hacks now begin outside smart contracts, through operational failures. This creates a problem for DeFi insurance, as protocols cannot easily price human security lapses or weak infrastructure controls. The Kelp DAO exploit also showed the limits of existing coverage. Attackers manipulated a bridge mechanism, accessed real assets, and then used them as collateral. Karp said the core bridge risk would not have been directly covered.
Users Still Prioritize Yield
Many DeFi users avoid insurance because it cuts into returns. CertiK senior audit partner Dan She said users focused on yield often do not want to give up several percentage points for cover. That trade-off leaves ordinary depositors exposed when losses exceed protocol reserves. In major exploits, safety modules may absorb the first hit, and then treasuries take damage. If those buffers fail, regular users can face reduced balances.
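The layered loss absorption described above (safety module first, then treasury, then depositors pro rata) and the yield-versus-premium trade-off can be made concrete with a small model. The following Python is an added illustration written for this article; it is not code from Nexus Mutual, CertiK, DeFiLlama or any protocol, and every number in it (buffer sizes, the exploit loss, the yield, the premium rate, the hack probabilities) is a constructed placeholder rather than market data. It computes how far a given loss cuts into user balances and the hack probability at which paying for cover breaks even against going bare.

```python
"""Loss waterfall and cover trade-off for a single DeFi depositor.

Added illustration for this article; it is not code from Nexus Mutual,
CertiK, DeFiLlama or any protocol. Every figure below is constructed
for the example: buffer sizes, the exploit loss, the yield and the
premium rate are placeholders, not market data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Protocol:
    deposits: float        # total user deposits exposed to the exploit
    safety_module: float   # first-loss buffer (e.g. staked governance tokens)
    treasury: float        # second-loss buffer


def waterfall(p: Protocol, loss: float) -> dict:
    """Absorb an exploit loss in layers: safety module, then treasury,
    then depositors pro rata. Returns the amount each layer eats and the
    fractional haircut applied to every depositor's balance."""
    from_sm = min(loss, p.safety_module)
    remaining = loss - from_sm
    from_treasury = min(remaining, p.treasury)
    remaining -= from_treasury
    to_users = min(remaining, p.deposits)          # cannot lose more than exists
    haircut = to_users / p.deposits if p.deposits else 0.0
    return {"safety_module": from_sm, "treasury": from_treasury,
            "users": to_users, "haircut": haircut}


def user_loss(p: Protocol, loss: float, balance: float, cover: float = 0.0) -> float:
    """Net loss for one depositor after a pro-rata haircut and any payout
    from `cover` units of protection (payout capped at both the cover
    amount and the realised loss, like an indemnity policy)."""
    gross = balance * waterfall(p, loss)["haircut"]
    payout = min(cover, gross)
    return gross - payout


def expected_net_return(p: Protocol, loss: float, balance: float, yield_rate: float,
                        cover: float, premium_rate: float, hack_prob: float) -> float:
    """Expected one-period return: yield earned, minus the premium paid up
    front, minus the probability-weighted loss after any payout."""
    premium = cover * premium_rate
    return balance * yield_rate - premium - hack_prob * user_loss(p, loss, balance, cover)


def breakeven_hack_probability(p: Protocol, loss: float, balance: float,
                               cover: float, premium_rate: float) -> float:
    """Hack probability at which buying cover and going bare have equal
    expected return. Above it, cover is worth the yield it costs."""
    payout = user_loss(p, loss, balance) - user_loss(p, loss, balance, cover)
    if payout <= 0:        # cover pays nothing at this loss size (buffers absorbed it)
        return float("inf")
    return cover * premium_rate / payout


if __name__ == "__main__":
    # Constructed scenario: $100M of deposits behind $5M + $5M of buffers,
    # hit by a $30M exploit. A depositor with $10k earns 8% and can buy
    # full-balance cover at 2.5% of the covered amount.
    proto = Protocol(deposits=100_000_000, safety_module=5_000_000, treasury=5_000_000)
    LOSS, BAL, YIELD, PREMIUM = 30_000_000, 10_000, 0.08, 0.025
    print(waterfall(proto, LOSS))
    for q in (0.02, 0.10, 0.20):
        bare = expected_net_return(proto, LOSS, BAL, YIELD, 0.0, PREMIUM, q)
        covered = expected_net_return(proto, LOSS, BAL, YIELD, BAL, PREMIUM, q)
        print(f"p(hack)={q:.2f}  bare={bare:8.2f}  covered={covered:8.2f}")
    print("breakeven p(hack):", breakeven_hack_probability(proto, LOSS, BAL, BAL, PREMIUM))
```

In the constructed scenario the two buffers absorb the first $10M, so depositors take a 20% haircut; a $10k balance loses $2,000 bare and nothing with full cover, and the $250 premium only pays for itself once the one-period hack probability exceeds 12.5%. Change the buffer sizes and the argument flips: if the loss never reaches depositors, the cover pays nothing and the premium is pure drag, which is the trade-off the yield-focused users in the article are making.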
Experts say the model may still evolve. Some argue that protection should be embedded directly into DeFi products instead of sold as a separate option. Others prefer narrower policies that cover specific risks. Some see room for traditional insurers to enter the market.
For now, DeFi insurance remains small while threats keep changing. The sector does not lack demand in theory, but users, insurers, and protocols have not yet found a structure that balances yield, cost, and real protection.
