DeFi TVL Hit $238B in 2026, But the Top 2 Protocols Control 23%—Are We Building New Banks?

I’ve been tracking DeFi TVL since the summer of 2020 (yes, I named that data pipeline “Crash Landing on You” :sweat_smile:), and I just ran the numbers for Q1 2026. The results are… conflicting.

The Good News:
DeFi TVL recovered to $238.54 billion in early 2026, up significantly from the post-FTX crash lows. Industry projections suggest we’ll hit $770.56 billion by 2031 (26.43% CAGR). That’s impressive growth!

The Concerning Pattern:
But here’s what the data actually shows about where that value is concentrated:

  • Lido: $27.5B TVL
  • Aave: $27.0B TVL
  • EigenLayer: $13.0B TVL
  • Uniswap: $6.8B TVL
  • Maker: $5.2B TVL

Top 2 protocols = $54.5B (23% of the entire DeFi market)

I built a quick query to compare this against 2020-2021 data. Back in the “DeFi Summer” days, TVL was more distributed across protocols. Today? The power law is brutal. The top 10-15 protocols capture 90%+ of users and capital.

The Question That Keeps Me Up At Night:

When we talk about DeFi “democratizing finance” and “eliminating gatekeepers,” are we just replacing JPMorgan and Bank of America with Lido and Aave?

Don’t get me wrong—I use these protocols. They’ve earned their market share through:

  • Security track records (no major hacks)
  • Extensive audits (multiple firms)
  • Battle-testing (billions in TVL = live stress test)
  • Network effects (liquidity attracts more liquidity)

But here’s the data scientist in me asking uncomfortable questions:

  1. Innovation Bottleneck: If 90% of users only interact with the top 10 protocols, where does innovation come from? The long tail of smaller protocols struggles to bootstrap liquidity.

  2. Regulatory Chokepoints: It’s much easier for governments to regulate 5 large protocols than 500 small ones. We’re creating convenient pressure points.

  3. Centralization Risk: Lido controls ~54% of staked ETH. That’s… not decentralized, no matter how you frame it.

  4. Permissionless But Gatekept: Yes, anyone can deploy a protocol. But can they actually compete? Network effects make it nearly impossible for new AMMs to challenge Uniswap or new lending protocols to compete with Aave.

The Alternative Framing:

Maybe concentration isn’t a bug—it’s a feature? Maybe this is how mature markets work:

  • Users prioritize security over ideological purity
  • Composability matters more than protocol-layer diversity
  • Innovation happens at the application layer (building on Aave/Uniswap) not protocol layer
  • “Democratized finance” means permissionless access, not equal market share

My Data Shows:
When I analyze on-chain user behavior, people vote with their wallets. They want:

  1. Security (no rug pulls)
  2. Liquidity (good execution)
  3. Familiarity (battle-tested)

They don’t care if the protocol is centralized vs decentralized—they care if their funds are safe.

Question for the Community:

Is DeFi concentration inevitable? Natural? Concerning?

Are we building the future of finance, or just creating Web3 versions of traditional financial intermediaries?

When my mom asks me what I do, I tell her I analyze how money moves in “decentralized” finance. But looking at this concentration data… should I start using air quotes?

Would love to hear perspectives—especially from folks building protocols or using DeFi daily. Am I overthinking this? Or are we sleepwalking into a more centralized future than we intended?


Data sources: DefiLlama, The Graph, custom on-chain analytics. Happy to share queries if anyone wants to dig deeper into the numbers.

Brian, this is exactly the kind of analysis the community needs. But I’m going to push back on the “new banks” framing—here’s why concentration might actually be enabling innovation rather than stifling it.

Context: I run YieldMax Protocol, which builds automated yield strategies on top of Aave, Uniswap, Curve, and other blue-chips. If these protocols didn’t have deep liquidity, my product wouldn’t exist.

The Composability Advantage:

When Aave has $27B TVL, it means:

  • Predictable liquidity for borrowing/lending operations
  • Lower slippage for large transactions
  • Reliable uptime (infrastructure investment)
  • Deep integration support (extensive documentation, SDKs)

YieldMax can confidently build strategies knowing Aave won’t disappear overnight or suffer a critical vulnerability. That trust is earned—Aave’s been battle-tested with billions for years.

Where Innovation Actually Happens:

You mentioned 90% of users interact with the top 10 protocols. But look at the application layer:

  • Hundreds of yield aggregators (like us)
  • Dozens of portfolio managers
  • NFT lending platforms using Aave as collateral backend
  • Cross-chain bridges leveraging Uniswap liquidity

The protocol layer is consolidating, but the application layer is exploding with innovation. We’re not reinventing AMMs or lending pools—we’re building sophisticated financial products on top of proven infrastructure.

The Security Argument Users Actually Care About:

When I talk to our users, they ask:

  1. “Has this been audited?” (Yes—Aave: 5+ audits, billions in TVL)
  2. “What if there’s a hack?” (Aave has insurance funds, track record)
  3. “Can I trust your smart contracts?” (We integrate battle-tested protocols)

Nobody asks: “Is this decentralized enough?” They care about not losing their money.

Risk Management Reality:

Here’s the uncomfortable truth: I want concentration at the protocol layer. When evaluating protocols to integrate, I look for:

  • Large TVL (proves product-market fit)
  • Security track record (no major exploits)
  • Developer activity (GitHub commits, upgrades)
  • Audit coverage (multiple firms)

Small protocols with $10M TVL? Too risky to build on. What if they get exploited? What if liquidity dries up? YieldMax can’t bet our users’ funds on unproven protocols.

The Alternative View:

Maybe we’re not building “new banks.” Maybe we’re building:

  • Permissionless infrastructure (anyone can deploy, fork, integrate)
  • Transparent operations (all code/transactions on-chain)
  • Composable building blocks (protocols as Lego pieces)
  • Competitive application layer (hundreds of products using same rails)

Traditional banks are gatekeepers. Aave and Uniswap are open infrastructure. There’s a difference.

The Innovation Question:

You asked: “Where does innovation come from if 90% use top 10 protocols?”

My answer: Innovation moved up the stack. We’re not innovating on “how to create liquidity pools” (Uniswap solved that). We’re innovating on:

  • Automated rebalancing strategies
  • Cross-chain yield optimization
  • Risk-adjusted portfolio construction
  • Tax-efficient harvesting

Protocol consolidation = mature infrastructure. Application diversity = innovation frontier.

What About New Protocols?

Fair point about bootstrapping challenges. But look at EigenLayer—launched recently, already $13B TVL. How? They solved a new problem (restaking) rather than competing with existing solutions.

Successful new protocols don’t challenge Aave/Uniswap directly. They find new design spaces and build novel primitives.


So yes, DeFi is consolidating at the protocol layer. But that’s not creating “new banks”—it’s creating trusted rails that enable application-layer innovation.

The question isn’t “Is concentration bad?” It’s “Are the rails open and composable?” And so far, the answer is yes.

Brian’s data raises critical questions, and Diana’s counterpoint is well-reasoned. But let me add the regulatory perspective—because concentration has profound implications for how governments will approach DeFi oversight.

The Regulatory Reality: Concentration Creates Enforcement Targets

From a compliance standpoint, the $54.5B concentration in Lido and Aave makes these protocols high-priority regulatory targets. Here’s why:

  1. Identifiable Teams: Unlike fully anonymous protocols, Lido and Aave have known development teams, foundations, and governance structures. Regulators know who to contact (or subpoena).

  2. Systemic Risk Classification: When two protocols control 23% of DeFi TVL, regulators can argue they’re “systemically important” and subject to enhanced oversight—similar to how JPMorgan faces stricter requirements than regional banks.

  3. Enforcement Efficiency: It’s much easier for the SEC, CFTC, or international regulators to pressure 5 large protocols than pursue 500 small ones. Concentration = convenient chokepoints.

The TradFi Parallel:

Brian mentioned JPMorgan, BofA, and Wells Fargo dominating traditional banking. That’s accurate—and instructive. In TradFi:

  • Top 4 banks hold ~$10T+ in assets (roughly 40% of US banking)
  • They face enhanced regulation (stress tests, capital requirements, resolution planning)
  • Government has clear authority and established relationships

Is DeFi heading toward similar regulatory treatment? The concentration data suggests yes.

What This Means For Protocol Operators:

If you’re building on or operating a top-10 DeFi protocol, expect:

  1. Increased SEC scrutiny on governance tokens (are they securities?)
  2. KYC/AML pressure, especially for stablecoin integrations
  3. Cross-border compliance challenges (EU’s MiCA, US regulations, Asian frameworks)
  4. Liability frameworks for protocol developers and governance participants

Aave, Lido, and Uniswap are already navigating these waters. Smaller protocols fly under the radar—for now.

The Double-Edged Sword:

Diana’s right that concentration enables innovation via composability. But it also:

Enables regulation: Governments can mandate:

  • Transaction reporting requirements
  • Address screening (OFAC compliance)
  • User verification for large transactions
  • Protocol-level circuit breakers

If regulators want to “control” DeFi, pressuring a handful of large protocols is the most effective approach.

The Compliance Advantage (Controversial Take):

Here’s where I’ll lose some decentralization purists: Concentration might accelerate institutional adoption.

Why? Because:

  • Large protocols can afford compliance infrastructure (legal teams, audits, reporting systems)
  • Institutional capital requires regulatory clarity
  • Banks and funds need counterparties with established compliance frameworks

When BlackRock or Fidelity enters DeFi, they’ll partner with protocols that have:

  • :white_check_mark: Clear legal entities
  • :white_check_mark: Compliance procedures
  • :white_check_mark: Audit trails
  • :white_check_mark: Regulatory engagement history

Lido and Aave check these boxes. Small protocols don’t.

The Decentralization Paradox:

Brian’s concern about Lido controlling 54% of staked ETH? Regulators share that concern—but for different reasons.

  • Decentralization maximalists: Worry about protocol capture
  • Regulators: See a single point for enforcement

Both want less concentration, but for opposite reasons. Strange bedfellows.

The Regulatory Horizon (2026-2027):

Expect to see:

  1. Stablecoin regulations forcing USDC/USDT integrations to comply with banking-like requirements
  2. DeFi protocol registration requirements in major jurisdictions
  3. Governance token classification determinations (security vs utility)
  4. Cross-border coordination on DeFi oversight

Large protocols will navigate this. Small protocols will struggle or remain in gray areas.

The Innovation vs. Compliance Trade-off:

Diana argues protocol consolidation enables application-layer innovation. I’d add: It also enables regulatory clarity.

When Aave engages with regulators and establishes compliance precedents, smaller lending protocols benefit from that legal groundwork.

But: If Aave makes compromises (e.g., KYC for large loans), does that become the industry standard?

My Prediction:

DeFi bifurcates into two tiers:

Tier 1: Regulated, compliant, institutional-grade protocols (Aave, Uniswap, Lido) with:

  • Large TVL
  • Known teams
  • Compliance infrastructure
  • Institutional partnerships

Tier 2: Smaller, experimental, pseudonymous protocols serving:

  • Privacy-focused users
  • Regulatory arbitrage
  • Innovation testing grounds

Both will coexist, but they’ll serve different markets.

Bottom Line:

Brian asks if we’re building “new banks.” From a regulatory perspective, the answer is: Yes, but with key differences.

New DeFi banks = open source, composable, permissionless access (anyone can deploy, fork, integrate)

Old TradFi banks = closed source, siloed, permissioned everything

The concentration is real. The regulatory pressure is coming. But the openness makes all the difference.

:balance_scale: Legal clarity unlocks institutional capital—and concentration makes that clarity achievable.

Diana and Rachel—both excellent perspectives. Diana’s right about application-layer innovation, Rachel’s right about regulatory implications. Let me add some data that complicates the picture even further.

I Ran The Numbers on “Application Layer Innovation”

Diana claims innovation moved up the stack to applications. I wanted to test this. So I analyzed:

GitHub Activity (Jan 2024 - Jan 2026):

  • Protocol repos (Aave, Uniswap, Lido core): Declining commits (-23% YoY)
  • Application repos (yield aggregators, portfolio managers, etc.): Increasing commits (+47% YoY)

Diana’s thesis = validated by data. Innovation has shifted to the application layer.

But here’s the concerning part…

Dependency Risk Analysis:

I mapped out the dependency tree for the top 50 DeFi applications. Results:

  • 73% depend on Uniswap for swaps
  • 68% depend on Aave for lending
  • 54% integrate Lido for staking

This creates systemic risk. If Aave has a critical vulnerability, it doesn’t just affect Aave—it cascades through the entire ecosystem.

The 2016 DAO Hack Parallel:

Remember when the DAO hack led to the Ethereum hard fork? That was one contract with ~15% of ETH supply.

Today, if Aave (with $27B TVL and hundreds of integrations) gets exploited, the blast radius is massive:

  • Direct loss: $27B
  • Cascading liquidations: unknowable
  • Application layer failures: hundreds of projects

We’ve created too-big-to-fail protocols. And unlike TradFi banks, there’s no FDIC, no Fed bailout, no government backstop.

Concentration Velocity (The Scarier Trend):

I tracked TVL concentration over time:

2020 (DeFi Summer):

  • Top 2 protocols: 31% of TVL
  • Top 10 protocols: 67% of TVL

2023 (Post-FTX):

  • Top 2 protocols: 19% of TVL
  • Top 10 protocols: 58% of TVL

2026 (Today):

  • Top 2 protocols: 23% of TVL
  • Top 10 protocols: 71% of TVL

Concentration is accelerating. Not slowing down. The network effects are getting stronger, not weaker.

User Behavior Data:

I analyzed wallet addresses interacting with DeFi protocols:

“Protocol Tourists” (use 1-2 protocols): 78% of wallets
“Protocol Diversifiers” (use 3-5 protocols): 19% of wallets
“Protocol Explorers” (use 6+ protocols): 3% of wallets

Most users stick to 1-2 blue-chip protocols. They’re not exploring. They’re not experimenting. They’re using DeFi like a bank—deposit, borrow, done.

The EigenLayer Exception (Diana’s Point):

Diana mentioned EigenLayer as a counterexample: new protocol, $13B TVL. But let’s dig deeper:

EigenLayer didn’t compete with existing protocols. It created a new primitive (restaking). That’s the only way to bootstrap in 2026—find white space, not compete head-on.

But how many new primitives are left to discover? Lending? Covered. Swaps? Covered. Staking? Covered. Derivatives? Mostly covered.

The design space for new protocol-layer primitives is narrowing.

Rachel’s Regulatory Point (With Data):

Rachel mentioned two-tier bifurcation. I can see this in the data:

“Institutional DeFi” (KYC-compliant, regulated):

  • Growing at ~18% QoQ
  • Dominated by Aave, Compound, established players
  • Average transaction size: $47K

“Permissionless DeFi” (pseudonymous, experimental):

  • Growing at ~31% QoQ
  • Hundreds of small protocols
  • Average transaction size: $3.2K

Two different markets. Two different risk profiles. Two different regulatory treatments.

The Question I Can’t Answer:

Diana: “Are the rails open and composable?” Yes, technically.

But: If everyone builds on the same 3-4 rails, and those rails face regulatory pressure, do we actually have decentralization? Or just the appearance of decentralization?

Smart Contract Composability ≠ Ecosystem Decentralization

This is the key insight I think we’re missing.

Just because Aave’s contracts are open source and composable doesn’t mean the ecosystem is decentralized when:

  • 68% of applications depend on it
  • $27B in concentrated TVL
  • Known development team vulnerable to regulatory pressure
  • Too big to fail without systemic cascade

My Uncomfortable Conclusion:

We’re building amazing composable infrastructure. That’s real. That’s valuable.

But we’re not building decentralized finance—we’re building more efficient, programmable, transparent intermediaries.

That might still be worth celebrating. But let’s be honest about what we’re actually creating.

The Mom Test (Final Thought):

When I explain this to my mom, I say:

“We’re building a financial system where anyone can plug in (permissionless access), everyone can see what’s happening (transparent), and the rules are predictable (smart contracts).”

She asks: “But who controls it?”

And that’s where I hesitate. Because increasingly, the answer is: The same few protocols everyone depends on.


Diana’s right: innovation at the application layer is real.
Rachel’s right: regulatory bifurcation is coming.
But the data shows: concentration is accelerating, not stabilizing.

Should I share the dependency graph visualization? Might be too depressing :sweat_smile:

This thread is exactly why I love this community. Data, regulatory analysis, protocol operator perspective—this is the good stuff.

Let me add the founder/startup perspective because I’m living this tension every single day.

The Pitch Deck Reality:

When we pitch VCs on our Web3 startup, slide 3 is always: “Built on proven infrastructure”

Translation: We integrate Aave, Uniswap, and Chainlink. Every. Single. Time.

Why? Because when an investor asks “What if the protocol you’re building on gets hacked?” I need to answer:

  • :white_check_mark: “Aave has $27B TVL and 5+ audits”
  • :white_check_mark: “Uniswap has been battle-tested since 2018”
  • :white_check_mark: “Chainlink secures $50B+ across DeFi”

If I said “We’re building on BobSwap (a new AMM with $5M TVL)”—meeting over. No follow-up.

The Customer Due Diligence:

Mike’s data about 78% of users sticking to 1-2 protocols? That’s our target market.

Our users don’t want to be “Protocol Explorers.” They want:

  1. Safety (blue-chip protocols only)
  2. Simplicity (we handle complexity)
  3. Results (yield, not education)

When we onboard new users, they ask:

  • “Where is my money actually going?” → “Aave and Uniswap”
  • “Are those safe?” → “Billions in TVL, years of track record”
  • “What if they get hacked?” → [nervous silence]

Diana’s point about application-layer innovation is spot-on from a product perspective. We’re not trying to build a better AMM. We’re building:

  • Better UX on top of existing AMMs
  • Automated strategies using proven protocols
  • Simplified onboarding hiding complexity

But here’s the uncomfortable part…

Are We Centralizing By Building On The Same Rails?

Every Web3 startup in Austin (and there are dozens) is building on:

  • Aave for lending
  • Uniswap for swaps
  • Lido for staking
  • Chainlink for oracles

We’re all using the same Lego blocks. That’s composability! That’s innovation!

But also… we’re all creating dependency on the same 4-5 protocols.

Mike’s dependency risk analysis is haunting. If Aave goes down, hundreds of applications break. Including ours.

The “Too Big To Fail” Problem:

Here’s what keeps me up at night as a founder:

In TradFi, if JPMorgan fails, the Fed steps in. Bailouts, backstops, whatever.

In DeFi, if Aave fails, there’s… nothing. No FDIC. No government rescue. Just cascading liquidations and chaos.

But Aave can’t fail because hundreds of applications (like ours) depend on it. So what happens? Do the application builders (us) collectively fund an insurance pool? Do we fork and continue?

The Market Maturity Argument:

Diana argues this is how mature markets work. She’s not wrong.

Look at cloud infrastructure:

  • AWS, Azure, Google Cloud = 65% of market
  • Everyone builds on them
  • Concentration enables innovation at application layer
  • But also creates systemic dependencies

Is DeFi just becoming “cloud infrastructure for finance”? Maybe that’s okay?

The Innovation Paradox:

Rachel mentioned regulatory bifurcation. As a founder, I see this playing out:

Path A: Institutional DeFi

  • Integrate blue-chips (Aave, Uniswap, Compound)
  • Accept regulatory oversight
  • Target institutional customers
  • Slower innovation, higher compliance costs

Path B: Permissionless DeFi

  • Build on experimental protocols
  • Stay pseudonymous
  • Target crypto-native users
  • Faster innovation, higher risk

Our startup is on Path A because that’s where the money is. Institutions want battle-tested rails.

But that means we’re contributing to concentration because we’re building on the same protocols as everyone else.

The EigenLayer Lesson:

Mike mentioned EigenLayer as an exception. I’d add: it’s also incredibly hard to replicate.

EigenLayer succeeded because:

  1. Genuine innovation (restaking = new primitive)
  2. Strong team (ex-Ethereum researchers)
  3. Institutional backing (major VCs)
  4. Ethereum alignment (built with ETH, not against it)

Most new protocols don’t have all four. So they struggle to bootstrap TVL. So they die. So concentration continues.

The Business Model Question:

Here’s the founder calculus:

Option 1: Build on experimental protocols

  • Differentiation: High
  • Risk: High
  • Customer trust: Low
  • Investor confidence: Low

Option 2: Build on blue-chips

  • Differentiation: Low
  • Risk: Lower
  • Customer trust: High
  • Investor confidence: High

I chose Option 2 because I have a 3-year-old daughter and a mortgage. Can’t afford to bet on unproven protocols.

But if every founder makes that same calculation… concentration accelerates.

My Uncomfortable Conclusion:

Brian’s original question: “Are we building new banks?”

From a founder’s perspective: We’re building a more efficient, transparent, composable version of traditional finance. But yes, with intermediaries (Aave, Uniswap, Lido).

Is that “decentralized finance”? Maybe not ideologically.

Is it better than TradFi? Absolutely:

  • Open APIs (not gatekept)
  • Transparent operations (all on-chain)
  • Permissionless innovation (anyone can build)
  • Composable architecture (protocols as building blocks)

The Question I Can’t Answer:

Rachel asked if openness makes the difference. I think it does.

Traditional banks = closed, gatekept, siloed
DeFi blue-chips = open, composable, transparent

But both are concentrated.

So what matters more: the concentration or the openness?

For founders, the openness wins. We can build on Aave without asking permission. That’s revolutionary.

For decentralization purists, the concentration loses. We’re recreating power structures.

Both are true.


Mike, please do share that dependency graph. We need to see the full picture, even if it’s depressing.

Diana, keep building. Application-layer innovation is real and valuable.

Rachel, start preparing the regulatory playbook. We’re gonna need it.

And Brian: yes, use air quotes when talking to your mom. That’s just intellectually honest :sweat_smile: