Crypto Failures Result From Misunderstood Risks, Not Broken DeFi
The Resolv incident in March 2026 led to a stablecoin losing around 70% of its value, preceding a wave of notable DeFi exploits that included the Drift and KelpDAO incidents in April.
Direct financial losses aside, so many failings happening in such short order is a signal of a broader problem — and no, it's not that DeFi protocols are broken, like some loudly worry. The real issue is how the industry defines what "DeFi" actually is.
The Resolv case showed a pattern that just keeps repeating: systems marketed as "decentralized" in truth still rely on centralized control points, and that's where the failure occurs.
The Illusion of Decentralization
Many protocols labeled as DeFi still depend on admin keys, upgradeable contracts, or multisig governance structures. These mechanisms are often introduced as safety features — a way to fix bugs or respond to emergencies. There is nothing inherently wrong with this desire, but the problem is that, in practice, such measures only end up creating risks of a different type.
If a small group of actors can change critical protocol parameters, introduce new collateral, or modify contracts, they effectively control the system. That is not decentralization in its true state. It is closer to a hybrid model (what the market often calls "CeDeFi") where trust is still placed in people rather than in code.
Any system that allows value extraction through privileged access should not be treated as trustless. The problem is that an average user often does not really see this difference until something breaks.
Audits Don't Solve Governance Risk
There is a common belief that audits are the primary line of defense in DeFi. That is only partially correct. Yes, they are important, and no protocol serious about its safety should ever neglect them — but audits by themselves are not sufficient.
The fact is, the biggest critical failures we've seen since the beginning of the year were not pure code bugs. They were the result of fundamental design decisions: about how governance operates or how control is distributed. If the very operational model of a protocol introduces centralized points of failure, then even a perfect audit doesn't do much in terms of safety.
Take timelocks as a more specific example. They are a mechanism meant to protect projects from bad decisions and human error — so that, when a change is queued to happen, other participants can see it and react in advance. If something looks wrong, there is time to raise concerns during the waiting period.
But removing timelocks means that everything happens instantly. A small group of signers can approve a decision, and the system executes it right away. Maybe that transaction is legitimate; maybe it's a mistake. But either way, once it's done, it's usually irreversible. Whether there are any negative consequences depends entirely on humans making the right decision.
The problem is, humans simply don't work like that — they can make mistakes just as they can have malicious intentions. If the system gives them the ability to move funds or change critical protocol parameters instantly, then one bad moment is enough to do serious damage.
That's why concentrating too much power in human hands is a bad idea. Good DeFi security is the kind where relying on the code is enough. There is no need to trust humans or try to fix things after something has gone wrong when the system is robust enough not to be broken in the first place.
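The timelock behaviour described above, modelled as an added example (not code from this article or from any protocol it names): the same signer-approved change is run through a path with no delay and through one with a waiting period, where a watcher can inspect the queue and veto. The class, its fields, the 24-hour delay, the mint-cap values and the watcher's policy are all constructed assumptions.

```python
from dataclasses import dataclass, field

class TimelockError(Exception):
    """Raised when a queued change is executed before its waiting period ends."""

@dataclass
class AdminPath:
    """Toy model of a protocol's privileged-change path (all names hypothetical)."""
    delay: int                                  # waiting period in seconds; 0 = no timelock
    params: dict = field(default_factory=dict)  # live protocol parameters
    queued: dict = field(default_factory=dict)  # change id -> (key, value, eta)
    next_id: int = 1

    def approve(self, key, value, now):
        """Signers approve a change; without a timelock it is live immediately."""
        if self.delay == 0:
            self.params[key] = value
            return None
        change_id, self.next_id = self.next_id, self.next_id + 1
        self.queued[change_id] = (key, value, now + self.delay)
        return change_id

    def execute(self, change_id, now):
        """Apply a queued change, but only once its waiting period has elapsed."""
        key, value, eta = self.queued[change_id]
        if now < eta:
            raise TimelockError(f"change {change_id} not executable for {eta - now}s")
        del self.queued[change_id]
        self.params[key] = value

    def cancel(self, change_id):
        """Veto a queued change (assumes some guardian role holds this right)."""
        del self.queued[change_id]

def review(path, looks_wrong):
    """Watcher: cancel every publicly queued change the policy flags; return ids."""
    flagged = [cid for cid, (k, v, _) in path.queued.items()
               if looks_wrong(k, v, path.params)]
    for cid in flagged:
        path.cancel(cid)
    return flagged

def scenario(delay):
    """Constructed scenario: signers approve a 1000x mint-cap raise at t=0."""
    path = AdminPath(delay=delay, params={"mint_cap": 1_000_000})
    path.approve("mint_cap", 1_000_000_000, now=0)
    vetoed = review(path, lambda k, v, cur: k == "mint_cap" and v > 2 * cur[k])
    return path.params["mint_cap"], vetoed
```

With `delay=0` the watcher finds nothing to review because the change is already live; with a non-zero delay the same change sits in the queue long enough to be flagged and cancelled.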
CeDeFi as a Hidden Risk Layer
CeDeFi systems add complexity to the market because they often look like decentralized protocols on the surface, but rely on off-chain processes, human coordination, or discretionary control behind the scenes.
This becomes an inherent vulnerability, since people themselves become potential points of failure. Even without ill intent, errors in judgment can happen, and social engineering attacks still very much happen in DeFi. The Drift exploit was precisely one such case, after all.
If a protocol's operational security relies on a small group of people with control mechanisms, then compromising even just one of them can have catastrophic outcomes for the protocol as a whole.
Not to mention that it actually makes things easier for criminals. If control over a protocol can be seized by compromising a handful of keys, then the target and the way of attacking become a lot clearer, exposing people to greater danger.
CeDeFi can still be meaningfully more secure than CeFi if the centralized points of failure are secured with all the best practices the financial industry has. But one should not turn a blind eye to those!
What Actually Qualifies as DeFi
Given everything said thus far, it becomes clear that not every failure in crypto should be labeled as a failure of "DeFi." For this industry to have long-term credibility, more people need to learn to pay attention to this difference.
A useful way to think when assessing a protocol is to ask several simple questions. Can someone unilaterally take or redirect user funds? If yes, then it's not truly decentralized. Would the system continue to function if its developers disappeared? If not, then it still depends on human control.
In short, DeFi itself is not broken; what is broken is the assumption that anything built on-chain automatically becomes "DeFi." Until the market starts defining decentralization correctly, these failures will keep happening — because participants continue making wrong assumptions about the risks they're facing.
Benzinga Disclaimer: This article is from an unpaid external contributor. It does not represent Benzinga’s reporting and has not been edited for content or accuracy.
