DeFi Revenue Hits $34B in 2026—But Who's Actually Capturing That Value?

The DeFi industry loves to celebrate our growth metrics. Revenue projections for 2026 hit $34.15 billion—up from $31.54 billion in 2025. Protocol treasuries are flush, fee revenues are climbing, and TVL numbers make for impressive pitch decks.

But here’s what those numbers don’t show: Q1 2026 alone saw $137 million lost to DeFi exploits. Throughout 2026, $1.6 billion evaporated due to access control vulnerabilities. Users lost funds to rug pulls, liquidations, and smart contract bugs while protocols collected their fees.

Who’s Actually Capturing DeFi’s Value?

As someone building yield optimization protocols, I’ve been thinking hard about where DeFi’s “value” actually goes:

1. Protocol Fees (the famous $34B number)

  • Collected regardless of user outcomes
  • Grows with volume, not user profitability
  • Reported in every investor update

2. MEV Extraction by Bots

  • Billions extracted from user transactions
  • Sophisticated traders frontrun, sandwich, arbitrage
  • Not counted as protocol “revenue” but extracted from users nonetheless

3. Liquidity Provider Yields (when pools don’t get exploited)

  • LPs earn fees… until they don’t
  • Impermanent loss rarely discussed in marketing materials
  • Exploit risk socialized across all LPs

4. Attacker Profits from Hacks

  • Access control bugs netted attackers $1.6B in 2026
  • Every exploit is value extracted from users
  • Never appears in revenue metrics

The Uncomfortable Question

Users bear 100% of the downside risk (exploits, liquidations, impermanent loss) but capture a shrinking percentage of the upside (yields declining as TVL increases). Meanwhile, protocols collect fees whether users profit or lose.

Is DeFi’s business model fundamentally extractive rather than empowering?

In traditional finance, we’d measure customer lifetime value minus churn costs. In DeFi, we only trumpet the revenue side. Imagine if Robinhood only reported trading fees collected and never mentioned how many users lost money.

A Modest Proposal

What if DeFi revenue metrics included user losses as a negative externality?

  • Total Protocol Revenue: $34.15B
  • Total User Losses (exploits, liquidations, rug pulls): $X billion
  • Net Value Created: $34.15B - $X billion

My guess? That net number would be uncomfortably smaller. Possibly negative.

Where Do We Go From Here?

I don’t have all the answers, but I think we need to ask harder questions:

  • Should protocols be accountable for user outcomes, not just fee collection?
  • Do we need user protection funds, mandatory insurance, or security bonds?
  • Can we design revenue models that align protocol incentives with user profitability?

Are we building financial infrastructure that creates value—or extractive infrastructure that redistributes it from users to protocols, MEV bots, and attackers?

Looking forward to hearing perspectives from builders, traders, security researchers, and skeptics alike.

This analysis cuts to the core of why DeFi security remains fundamentally broken. The revenue growth despite mounting user losses isn’t a bug—it’s a feature of how we’ve designed these systems.

Security as Externalized Cost

From a security research perspective, the $34B revenue figure reveals that security is treated as an externality, not a core product feature. Here’s what the data actually shows:

According to OWASP’s Smart Contract Top 10: 2026 analysis, the industry suffered $905.4 million in losses across 122 deduplicated incidents during 2025. Access control vulnerabilities remain the #1 attack vector—not because they’re hard to prevent, but because protocols optimize for the wrong metrics.

Protocols optimize for:

  • TVL growth (brings fee revenue)
  • Transaction volume (generates protocol fees)
  • Token price appreciation (VC exits)
  • Marketing and user acquisition

Protocols don’t optimize for:

  • User profitability over time
  • Security hardening beyond “getting an audit”
  • Economic incentives for secure code
  • Accountability for user losses

The Audit Theater Problem

Your point about fee collection regardless of user outcomes connects directly to the broken audit industry. Most protocols:

  1. Get a single audit before launch (checkbox for investors)
  2. Deploy and start collecting fees
  3. When exploited, point to audit report: “We were audited, not our fault”

The audit industry provides compliance theater, not actual security. Static analysis tools catch 2017-era reentrancy bugs while missing the business logic flaws and access control issues that actually drain protocols in 2026.

Question: If auditors can’t prevent $905M in annual losses, why do protocols keep paying for audits instead of investing in:

  • Formal verification of critical functions
  • Bug bounties that scale with TVL
  • Security infrastructure (circuit breakers, time locks, multisigs)
  • Insurance funds to make users whole after exploits

The answer is depressing: audits are for investor due diligence, not user protection.

The Accountability Gap

Your “modest proposal” to subtract user losses from revenue metrics would be devastating—and that’s exactly why we need it. Here’s a thought experiment:

If we measured protocols by net value created for users rather than fees collected, how many DeFi protocols would have negative returns? My estimate: 60%+.

When protocols collect fees whether users profit or lose, they have no economic incentive to improve security beyond the minimum needed to avoid total collapse.

Path Forward: Skin in the Game

Protocols that want to prove they’re not extractive should implement:

1. Security Bonds

  • Lock percentage of protocol revenue in smart contract
  • Users can claim against bond if exploit occurs
  • Forces protocols to have “skin in the game”

2. User Outcome Metrics

  • Publish monthly: “% of users profitable this month”
  • Report aggregate user P&L, not just protocol revenue
  • Make user success the primary KPI

3. Continuous Security

  • Ongoing audits, not one-time checkbox
  • Bug bounties that scale with TVL
  • Real-time monitoring and circuit breakers

Without accountability for user outcomes, DeFi becomes a permissionless casino where the house always wins and users bear 100% of security risk.

The fact that protocols can grow revenue to $34B while users lose billions proves we’ve built financial extraction infrastructure, not empowerment infrastructure.
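The security bond described in the post above, as an added example that is not code from any participant in this thread: a minimal Solidity contract that escrows a fixed share of every protocol fee and, once governance declares an exploit with attested per-user losses, pays those users pro rata from the escrow. The contract name, the governance address (assumed to be a timelocked multisig), the basis-point parameter and the ether-denominated fee flow are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not code from any post in this thread. A fixed share of every
/// protocol fee is escrowed here; when governance (assumed: a timelocked multisig)
/// declares an exploit, attested users are paid pro rata. All names are assumptions.
contract SecurityBond {
    address public immutable governance;
    uint256 public immutable bondBps;  // share of each fee escrowed, in basis points
    uint256 public bonded;             // escrowed ether not yet frozen for an incident

    // State of the single declared incident; a production bond would key this by incident id.
    bool    public incidentOpen;
    uint256 public incidentLosses;     // sum of attested user losses
    uint256 public incidentPayout;     // escrow frozen for this incident (<= incidentLosses)
    mapping(address => uint256) public attestedLoss;
    mapping(address => bool)    public claimed;

    event IncidentDeclared(uint256 totalLosses, uint256 payoutPool);
    event Claimed(address indexed user, uint256 amount);

    constructor(address governance_, uint256 bondBps_) {
        require(bondBps_ <= 10_000, "bps > 100%");
        governance = governance_;
        bondBps = bondBps_;
    }

    /// The fee collector forwards each fee here; the bonded share stays in
    /// escrow and the remainder goes on to the treasury.
    function depositFee(address payable treasury) external payable {
        uint256 escrowed = (msg.value * bondBps) / 10_000;
        bonded += escrowed;
        (bool ok, ) = treasury.call{value: msg.value - escrowed}("");
        require(ok, "treasury transfer failed");
    }

    /// Governance records per-user losses established by post-incident forensics
    /// and freezes min(bonded, total losses) for payout.
    function declareIncident(address[] calldata users, uint256[] calldata losses) external {
        require(msg.sender == governance, "not governance");
        require(!incidentOpen, "incident already open");
        require(users.length == losses.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < users.length; i++) {
            attestedLoss[users[i]] = losses[i];
            total += losses[i];
        }
        require(total > 0, "no losses");
        incidentLosses = total;
        incidentPayout = bonded < total ? bonded : total;
        bonded -= incidentPayout;
        incidentOpen = true;
        emit IncidentDeclared(total, incidentPayout);
    }

    /// Each affected user receives payout * (own loss / total losses); since
    /// payout <= total losses, nobody is paid more than they lost.
    function claim() external {
        require(incidentOpen, "no open incident");
        require(!claimed[msg.sender], "already claimed");
        uint256 loss = attestedLoss[msg.sender];
        require(loss > 0, "no attested loss");
        claimed[msg.sender] = true;  // checks-effects-interactions: mark before paying
        uint256 amount = (incidentPayout * loss) / incidentLosses;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
        emit Claimed(msg.sender, amount);
    }
}
```

Routing `declareIncident` through a timelock gives users and monitoring tooling a window to inspect the attested loss list before any payout can be claimed.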

This thread hits close to home. As someone trying to build a sustainable Web3 business, the disconnect between protocol revenue growth and user outcomes keeps me up at night.

The Pitch Deck vs Reality Problem

Here’s what our investor deck shows:

  • Monthly Active Users (growing)
  • Transaction Volume (growing)
  • Protocol Fee Revenue (growing)
  • TVL (growing when market’s up)

Here’s what’s NOT in our investor deck:

  • How many users are actually profitable
  • User churn after first exploit/liquidation
  • Lifetime value of users who get rekt
  • Net value we’ve created vs extracted

And this isn’t unique to us—it’s the entire DeFi fundraising playbook.

DeFi vs Every Other Business Model

In traditional startups, you live or die by customer lifetime value minus customer acquisition cost. If your customers keep churning because your product doesn’t work, you fail. Simple as that.

Imagine pitching investors on Uber by saying:

  • “We completed 10M rides this quarter!”
  • (But not mentioning that 30% of passengers had accidents and stopped using the service)

Or pitching Robinhood on:

  • “We processed $50B in trades!”
  • (While ignoring that 60% of retail traders lost their entire account)

Those businesses would collapse. But in DeFi, we can grow protocol revenue to $34B while users collectively lose billions, and VCs still write checks based on TVL growth.

The Incentive Misalignment Problem

@defi_diana your breakdown of value capture is painfully accurate. Protocol teams optimize for:

  1. Token Launch → immediate liquidity event for founders/VCs
  2. TVL Growth → drives token price, enables more fee extraction
  3. Volume → generates fees regardless of user profitability
  4. The Next Fundraise → requires growth metrics, not user happiness

We don’t optimize for:

  • User profitability over 6-12 months
  • User retention after first exploit
  • Net value created for users vs value extracted

Why? Because our business model doesn’t require users to profit, just to transact.

What Would “User-First” DeFi Actually Look Like?

If we took your “modest proposal” seriously and measured Net Value Created = Revenue - User Losses, here’s what would change:

For Protocols:

  • Every exploit directly impacts the bottom line (not just “unfortunate incident”)
  • Security becomes revenue-critical, not just compliance checkbox
  • Insurance funds move from “nice to have” to “existential necessity”
  • User profitability becomes primary KPI

For Investors:

  • Due diligence shifts from “What’s your TVL?” to “What % of users are profitable?”
  • Risk assessment includes user loss potential, not just token price volatility
  • Investment thesis requires sustainable user value creation, not just fee extraction
  • Term sheets might include user protection requirements

For Users:

  • Protocols compete on user outcomes, not just yield promises
  • “Audited” stops being meaningless marketing term
  • Real accountability when things go wrong

The Business Reality Check

Here’s the uncomfortable truth: Most DeFi protocols can’t afford to make users whole after exploits.

When a $500M TVL protocol gets exploited for $100M:

  • Protocol treasury: Maybe $20M in tokens (at current price)
  • Insurance fund: $0 (because who builds these?)
  • User recovery: Hope the hacker returns funds

The protocol keeps collecting fees on remaining TVL. Users absorb 100% of the loss.

If we had to subtract user losses from revenue, most protocols would show negative value creation. And that would force the hard question: Are we actually building financial infrastructure, or are we running extractive businesses that externalize risk onto users?

What I’m Changing

This thread convinced me to add two metrics to our monthly board reporting:

  1. User Profitability Rate: % of active users who are net profitable this month
  2. Net Value Created: Our fee revenue minus total user losses (exploits, liquidations, IL)

Will investors care? Probably not yet. But if enough protocols start measuring this, maybe it becomes industry standard.

Long-term, I believe protocols that optimize for user outcomes will outlast protocols that optimize for fee extraction. Users aren’t infinite. Eventually they stop showing up when they keep getting rekt.

Building for the long game means making sure our users actually benefit from using our protocol. Otherwise we’re just building a better casino—and casinos don’t change the world.

From a trader’s perspective, the $34B revenue number isn’t measuring what most people think it’s measuring. It’s not “value created for DeFi users”—it’s value extracted from DeFi users and redistributed to those with information and speed advantages.

Let me break down who actually makes money in DeFi.

The Real DeFi Value Flow

Winners (capturing that $34B+):

1. MEV Bots & Sophisticated Traders

  • Frontrunning retail transactions
  • Sandwich attacks on AMM swaps
  • Arbitrage between DEXes
  • Liquidation hunting

Conservative estimate: $5-8B extracted annually from user transactions through MEV alone. This shows up in users’ slippage, not in “DeFi revenue” metrics.

2. Protocol Insiders

  • Team token allocations at seed prices
  • Early access to new pools/strategies
  • Airdrop farming coordination
  • Governance manipulation for favorable outcomes

3. Venture Capital

  • Token allocations at 90% discount to public
  • Exit liquidity from retail FOMO
  • Multiple 100x returns while retail bags 50% losses
  • Portfolio companies cross-promote (coordinated value extraction)

4. Protocol Teams

  • Fee revenue regardless of user profitability
  • Token treasuries worth millions
  • Recurring fees from TVL (even if users lose money)

Losers (providing the exit liquidity):

1. Retail DeFi Users

  • Provide liquidity → suffer impermanent loss
  • Swap on AMMs → get MEV sandwiched
  • Enter leveraged positions → get liquidated
  • Discover new protocols → buy tops, provide VC exit liquidity
  • Hold governance tokens → get diluted by new emissions

The $34B Doesn’t Include MEV

Here’s what most people miss: The $34B DeFi protocol revenue doesn’t include the billions extracted through MEV.

When I frontrun your transaction, that profit doesn’t show up in “protocol fees.” When you get liquidated at 2 AM and I capture your collateral at a discount, that’s not “DeFi revenue.” When my arbitrage bot extracts value from AMM price discrepancies, that’s not counted.

But all of it is value extracted from DeFi users.

If we’re honest about “total value captured from DeFi users,” the number is probably closer to $50-60B annually:

  • $34B in protocol fees
  • $5-8B in MEV extraction
  • $10-15B in liquidations
  • $5B+ in rug pulls, exploits, scams

And who bears these costs? Retail users.

DeFi Replicates TradFi’s Extractive Dynamics

@startup_steve’s comparison to traditional businesses is spot-on, but here’s the darker truth: DeFi advertises “democratizing finance” while replicating Wall Street’s most extractive dynamics.

Traditional Finance:

  • Investment banks frontrun client orders → SEC violations
  • HFT firms extract value through speed → regulatory scrutiny
  • Hedge funds coordinate to manipulate markets → enforcement actions

DeFi:

  • MEV bots frontrun user transactions → “Just how AMMs work”
  • Sophisticated traders extract through speed → “Code is permissionless”
  • Insiders coordinate value extraction → “Decentralized governance”

The only difference: In DeFi, value extraction happens faster, transparently on-chain, and with zero legal recourse.

Why Users Keep Showing Up

You might ask: If retail users keep losing, why do they keep using DeFi?

  1. Information Asymmetry - Most users don’t realize they’re being extracted from. They see “10% APY” and don’t calculate IL, slippage, MEV, exploit risk.

  2. Survivorship Bias - The winners (early airdrop farmers, lucky NFT minters) are loud on Twitter. The losers quietly leave.

  3. New Users Replace Old Users - Bull markets bring fresh retail. They don’t know what happened in previous cycles.

  4. Casino Mentality - Some users know the odds are bad but play anyway. Crypto is financial gambling with extra steps.

The Uncomfortable Math

Let’s do @defi_diana’s proposed math for 2026:

Protocol Revenue (reported): $34.15B
User Losses:

  • Exploits: $2B+ (conservative)
  • MEV extraction: $7B (conservative)
  • Liquidations (uneconomic): $5B
  • Rug pulls & scams: $3B
  • Total User Losses: ~$17B (probably higher)

Net Value Created for Users: $34B - $17B = $17B

But wait—that $17B in “net value” is the protocol fees. Who got those fees?

  • Protocol treasuries (team tokens)
  • Liquidity providers (who also suffered IL)
  • Stakers (who took dilution risk)

How much went to the average DeFi user just trying to swap tokens or earn yield? Probably negative.

What This Means for Traders

My advice to anyone using DeFi:

1. Stop Thinking of DeFi as “Savings” or “Investment”

  • It’s a trading venue
  • You’re competing against bots with microsecond latency
  • The house (protocols + MEV bots + insiders) has structural advantages

2. Understand Where You Are in the Value Chain

  • Are you providing exit liquidity for VCs?
  • Are you the sophisticated trader extracting MEV?
  • Are you the LP earning fees or suffering IL?

3. Measure Your Own P&L, Not Protocol Promises

  • Track your actual returns including gas, slippage, IL
  • Most DeFi users are net negative but don’t calculate accurately
  • “10% APY” - 12% IL - 3% exploit risk = negative return

4. Accept That DeFi Is Extractive

  • Protocols optimize for fee revenue, not your profitability
  • VCs optimize for token exits, not user success
  • MEV bots optimize for extraction, not ecosystem health

The $34B revenue number proves it: DeFi is working exactly as designed—as financial infrastructure that extracts value from retail users and redistributes it to sophisticated participants.

Until protocols optimize for user profitability instead of fee extraction, nothing changes.

This discussion raises critical legal questions that the DeFi industry has been avoiding. From a regulatory compliance perspective, the tension between protocol revenue growth and user losses creates significant liability exposure.

The Legal Accountability Gap

Here’s the fundamental legal problem: DeFi protocols want to profit like companies while claiming liability protection like open-source software.

Traditional financial services have clear accountability frameworks:

  • Investment advisors: fiduciary duty to clients
  • Exchanges: best execution requirements
  • Banks: deposit insurance, consumer protection
  • Fund managers: duty of care to investors

DeFi protocols claim they’re “just code” with no accountability. Yet when we examine the business model:

  • Protocols collect fees (revenue)
  • Protocols have governance (decision-making)
  • Protocols have treasuries (corporate assets)
  • Protocols make design choices (product decisions)

Legal question: If you profit from users while they bear 100% of losses, can you really claim you’re “just code”?

Regulators Are Asking the Same Question

Recent regulatory trends suggest authorities are losing patience with the “code is law” disclaimer:

1. SEC’s Increasing Scrutiny
When a protocol generates $100M in annual fees while users lose $50M to exploits, regulators ask:

  • “Who received those fees?”
  • “What responsibilities come with collecting user fees?”
  • “Is this an unregistered securities offering?”

2. Consumer Protection Concerns
@crypto_chris’s breakdown of value extraction mirrors what consumer protection agencies see:

  • Information asymmetry (users don’t understand MEV, IL, exploit risks)
  • Deceptive marketing (“10% APY” without disclosing risks)
  • Unfair practices (insiders extracting value from retail)

In traditional finance, these would trigger enforcement actions.

3. The Liability Question
When protocols collect revenue but users bear losses, courts may eventually ask:

  • “You made $X million in fees, user lost $Y million in exploit. What’s your liability?”
  • “Did you exercise reasonable care to protect user funds?”
  • “Were your security measures proportional to the fees you collected?”

The “Not Financial Advice” Shield Is Cracking

Most protocols hide behind disclaimers:

  • “Protocol is provided ‘as is’”
  • “No warranties, express or implied”
  • “Not financial advice”
  • “Use at your own risk”

Legal reality: Disclaimers don’t absolve liability when:

  1. You’re Operating a Business
     • If you collect fees, you’re running a business
     • Businesses have duties to customers
     • “No warranty” clauses have limits in consumer contracts
  2. You Have Control
     • If you can pause the protocol, you have control
     • If you can upgrade contracts, you have control
     • Control creates responsibility
  3. You Have Information Advantage
     • Protocol teams understand risks better than users
     • Fiduciary duties can arise from information asymmetry
     • “Sophisticated users” defense fails when marketing to retail

Regulatory Trajectory: Three Scenarios

Scenario 1: Self-Regulation (Unlikely)
Industry proactively adopts @defi_diana’s “modest proposal”—measure net value created, implement user protection funds, accept accountability.

Probability: 10%. Current incentives don’t support this.

Scenario 2: Regulatory Imposition (Likely)
Regulators mandate:

  • Insurance funds proportional to TVL
  • Quarterly reporting of user profitability metrics
  • Liability for preventable exploits
  • Consumer protection disclosures

Probability: 60%. This follows historical pattern in financial regulation.

Scenario 3: Litigation-Driven Reform (Very Likely)
Class action lawsuits establish precedents:

  • “Protocol collected $50M in fees while users lost $100M. Court finds breach of implied duty of care.”
  • Settlements create de facto standards
  • Protocols implement protections to avoid liability

Probability: 80% (can happen alongside Scenario 2).

What Smart Protocols Should Do Now

Rather than waiting for regulation or litigation, forward-thinking protocols should:

1. Establish User Protection Funds

  • Allocate percentage of fee revenue to insurance fund
  • Contractually commit to making users whole for certain exploit categories
  • Demonstrates good faith, reduces regulatory risk

2. Publish User Outcome Metrics

  • Monthly: “% of users profitable this period”
  • Quarterly: “Aggregate user P&L vs protocol revenue”
  • Transparency builds trust and shows accountability

3. Enhanced Security Standards

  • Continuous audits, not one-time checkbox
  • Bug bounties scaled to TVL and fee revenue
  • Circuit breakers and security infrastructure
  • Document security investments proportional to revenue

4. Risk Disclosures That Actually Work

  • Clear, prominent explanations of MEV, IL, exploit risks
  • Historical loss data (“X% of LPs suffered impermanent loss”)
  • “Expected value” calculations, not just APY promises

5. Governance Reforms

  • User representatives in governance
  • Veto rights on protocol changes that increase user risk
  • Alignment of team incentives with user profitability

The Coming Reckoning

@startup_steve is right: protocols that externalize risk onto users aren’t sustainable. But the catalyst won’t be market forces—it will be legal liability.

Eventually, a court will rule:

“The protocol collected $X million in fees from users. The protocol had the technical capability to prevent this exploit through [security measure Y]. The protocol’s failure to implement reasonable security measures, despite substantial fee revenue, constitutes negligence. Protocol team and token holders are jointly liable.”

When that happens, every DeFi protocol will suddenly discover that “code is law” doesn’t protect you when you’re running a profitable business.

The Choice

The industry faces a choice:

Option A: Proactive accountability

  • Adopt user protection standards now
  • Compete on user outcomes, not just yield promises
  • Build sustainable, legally defensible businesses

Option B: Reactive compliance

  • Wait for regulation and litigation
  • Get hit with enforcement actions and lawsuits
  • Implement protections only when legally forced

Most will choose Option B. The smart money chooses Option A.

Because when protocols grow revenue to $34B while users lose billions, regulators, lawyers, and eventually courts will ask: “Who’s actually capturing that value?”

And “not our responsibility” won’t be an acceptable answer.