The trade everyone keeps pitching is simple enough: put real-world assets onchain, cut friction, print efficiency. The catch is nastier. Wall Street likes throughput, but it really likes not getting robbed.
Banks and asset managers are still eyeing blockchain rails for tokenized funds, settlement, and collateral movement. Yet security remains the obvious choke point, with blockchain security firm CertiK arguing that the current exploit cycle is serious enough to stall institutional adoption even as interest in onchain finance grows. [1]
Register for free and get unlimited access to all articles.
Near-daily exploits are the real adoption tax
CertiK co-founder and CEO Ronghui Gu described April as DeFi's worst month for exploits in four years, with attacks recorded on 27 of 30 days. That is not a backdrop a large bank can comfortably wave through a risk committee. [2]
The issue is no longer just the occasional smart contract bug that wipes out a small protocol no one in Canary Wharf has heard of. The threat surface has widened across smart contracts, price oracles, private key management, and especially cross-chainbridges, which remain one of crypto's favourite own goals. For institutions considering moving large pools of capital onchain, each extra dependency adds another place for value to leak. [3]
AI is making the attacker side sharper. Gu's argument is that machine learning tools are helping hackers scan code faster, identify patterns in vulnerabilities, and industrialise phishing and social engineering. Defenders, meanwhile, still face budget limits, fragmented tooling, and the rather awkward reality that they must secure everything while attackers need only one opening. [4]
Recent exploits have done little to calm nerves. Among the headline incidents cited is the roughly $1.46 billion Bybit$0.9924 hack, alongside separate losses in the hundreds of millions involving Drift Protocol$0.01391 and Kelp DAO. Different attack paths, same message: capital onchain can move very quickly, including straight out the door. [5]
That matters because traditional finance is not debating whether blockchain can process assets. It is debating whether blockchain can do so at institutional scale without turning operational risk into a standing headline. A tokenized treasury fund is compelling. A tokenized treasury fund sitting one integration away from an oracle failure or bridge exploit is less charming.
There is also a liquidity problem hidden inside the security story. Many DeFi venues look deep until stress hits, then spreads widen, liquidity fragments, and exits become more expensive. For a bank, that compounds the loss model. A hack is one problem. A forced unwind into thin markets is another.
Why banks still have not gone all-in
The hesitation is not ideological. It is procedural. Large financial firms can tolerate complexity, but they do not tolerate undefined liability well. Public blockchains still struggle to offer the kind of finality around recourse, insurance, governanceaccountability, and operational controls that regulated institutions expect. [6]
That does not mean Wall Street is walking away. It means the likely path is narrower than crypto's louder evangelists hoped. Permissioned systems, heavily audited tokenization platforms, limited product rollouts, and ring-fenced pilots look far more plausible than wholesale migration into open DeFi.
What to watch next
Whether exploit frequency cools meaningfully over the next two quarters
If AI$0.0000104-assisted security tooling starts closing the gap rather than just helping attackers
Whether institutions choose permissioned onchain rails over open protocols
How insurers price smart contract, oracle, and bridge risk
Whether major tokenization projects can prove resilience under real stress, not just in tidy pilot programs
The broad thesis for onchain finance is still alive. The inconvenient detail is that banks do not deploy trillions on vibes, and right now the hack rate is doing a very effective job of keeping them on the sidelines.
Your reviews help us improve the quality of both current and future articles. All reviews are public and visible to other readers. We use both ratings and comments to improve future articles and to revise any articles that do not meet our standards.