On April 27, 2026, Paul Frambot, CEO and co-founder of Morpho, wrote on X about his conclusions after intensive communication with several large institutions: institutions' interest in DeFi has not waned; on the contrary, they firmly regard "entry" as a necessary path. He emphasized that massive asset management, payments, and lending businesses are accelerating on-chain, and almost all fintech companies are planning to build themselves as thoroughly as possible on top of on-chain financial infrastructure. Distribution channels will continue to exist, but the underlying framework is changing.
The real contradiction lies behind this "optimism." Paul bluntly stated that institutions have lost trust in the traditional DeFi funding pool models represented by open public liquidity pools like Aave and Compound. They are no longer willing to expose large-scale funds to an unmanageable black box; instead, they care more about direct control over code, risk parameters, and compliance pathways: Who is responsible for every line of code? How is each risk isolated? Can explanations be provided for every regulatory inquiry? This obsession with controllability sharply contrasts with the early DeFi spirit of "permissionless, no barriers."
Almost simultaneously, security companies represented by CertiK are doubling down on this battlefield. As one of the sponsors of Consensus Miami 2026, CertiK is not just displaying its logo in the conference area but has openly planned multiple side events around Web3 security, bringing auditing, monitoring, and risk control narratives to the forefront of this annual industry barometer. It will also jointly hold an offline security event with the bug bounty platform Immunefi during the conference—according to a single source, yet to be further verified, this event is named "Rare Cuts & Cocktails," slated for May 5 from 17:00 to 20:00—putting security audits and bug bounty ecosystems on the same stage is itself a signal to institutions: There are not only earnings here, but also protective layers designed specifically for them.
Looking back at the period from 2020 to 2024 characterized by the dominance of public funding pools, DeFi appeared more like an open yield testing ground for anyone. However, by the spring of 2026, from Paul Frambot's public statements to CertiK's strategic layout at Consensus Miami, a new main thread is becoming clear: safety and compliance are no longer peripheral topics but the main battlefield for DeFi's transition from "brutal growth" to "institutional-level trust," forcing all participants to reposition themselves on this main line.
Institutions have not exited; they just find DeFi not safe enough
If one looks solely at the TVL curve and price fluctuations, it is easy to draw an intuitive judgment: The funds from the 2020-2024 "DeFi summer" arrived quickly and left just as fast, with institutions quietly exiting after a trial. But by the spring of 2026, this narrative was directly overturned by a public statement from Paul Frambot. As the CEO and co-founder of Morpho, he emphasized on April 27 on X that the conclusion drawn from discussions with several large institutions is very clear—it's not a cooling of interest; rather, participating in DeFi is viewed as an "inevitability": massive asset management scales, payments, and lending businesses are moving on-chain, and almost all fintech companies are planning for "full on-chain integration," just waiting for an entry point that is secure, controllable, and can be explained to regulators and LPs.
In other words, institutions are not retreating; they are queuing at the door, put off only because the interior as it is currently furnished looks too dangerous. The problem lies in the product structure of DeFi itself. The traditional models represented by open public liquidity pools like Aave and Compound, during the "brutal growth" phase from 2020 to 2024, formed a perfect narrative for retail investors: anyone could deposit, borrow, and stack yields, with protocols pulling everyone into the same general risk curve, mixing risk and return in a "big pot." However, in the eyes of institutions, this "public pool" signifies the three most fatal shortcomings: insufficient transparency, insufficient controllability, and unknown risk exposure.
On the surface, on-chain data is public; but for risk control teams, what truly matters is who exactly the counterparties to the funds are, what strategies are being used, and under what governance rules they operate. In recent years, reports surrounding DeFi's security vulnerabilities, cascading liquidations, and governance controversies have never ceased. Even without naming specific projects, these repeatedly headlining events have been enough for compliance officers and lawyers to form a solid intuition: public pools resemble a "black box laboratory" where anyone can modify parameters, rather than financial infrastructure that can be incorporated into internal risk control manuals.
This stands in stark contrast to the user profile of early DeFi. The main characters were anonymous avatars, retail investors, and small funds in Telegram groups, who eagerly waded through high volatility, high leverage, and high annualized returns, treating "smart contract risk" as an acceptable cost of gambling. The constant adjustments of protocol parameters, governance votes swayed by a few large holders, and a single vulnerability wiping out the deposits in the entire pool were indeed disastrous, but they never truly deterred profit-seeking individual players.
Yet, once institutions managing tens of billions or hundreds of billions of assets are involved, the story changes entirely. What they need is not a "great common pool" into which everyone can squeeze, but a system in which accounts can be stated clearly, responsibilities defined, and audits carried out precisely. Paul Frambot puts it straightforwardly: institutions have lost trust in the traditional DeFi funding pool model; they no longer wish to entrust their destinies entirely to the general risk curve of a public pool. Instead, they demand stronger direct control over code, risk, and compliance: they want to know which specific version of code they are dealing with, what losses they might incur, and which set of internal and regulatory reports they correspond to.
This is why lending protocols like Morpho, which deliberately differentiate in mechanism design from traditional public pools, are seen as one of the directions more aligned with institutional needs; it is also why security companies represented by CertiK choose to use industry window events like Consensus Miami to quantify and market "safety" as a service. The prerequisite for institutions to enter is not higher yields but visible, tangible, and compliant safety boundaries—only when these boundaries are clearly defined can the judgment of "inevitable entry" find a practical footing.
From funding pools to dedicated positions: institutions want to grip the code
In Paul's view, "stronger direct control" is not a vague stance but rather three points distilled after repeated dialogues with large institutions: who writes the code, who sets the risk controls, and who delineates compliance boundaries. Traditional DeFi's public funding pools have relinquished these three matters to protocol governance, anonymous developers, and a set of rules aimed at "anyone"; institutions going on-chain want to pull these three matters back within their own radius of control.
● Control over the code itself is the first layer.
In the past, depositing assets into public funding pools like Aave and Compound essentially handed funds over to a contract logic that could be continuously upgraded and rewritten by community votes, with the upgrade rhythm and direction almost beyond institutional influence. Paul emphasized in his April 27 statement that they no longer accept such "unified pool, unified code" passive exposure; instead, they want to know exactly which version of contracts they are facing, who has the authority to modify them, how the upgrade process is constrained, and whether they can use a "dedicated configuration" of the code branch for their funds—even if it is still deployed on the same chain.
● The second layer is control over risk parameters.
Traditional public pools put everyone into a single risk warehouse: collateral lists, collateralization ratios, interest rate curves, and liquidation logic are public and uniform; the launch of a long-tail asset or the adjustment of an interest rate curve could simultaneously affect the pool's entire liquidity through governance. Institutions no longer wish to be a part of such a "common fate community"; what they seek is market isolation—only interacting with selected assets and counterparties, only accepting collateral combinations and leverage limits they agree with. When necessary, they might even embed the entire set of parameters into their internal risk control manuals, corresponding them with on-chain logic.
● The third layer is compliance boundaries.
The so-called "whitelist pools" and "permissioned markets" fundamentally stipulate in contract logic who can enter and exit and where assets come from: only funds that have undergone specific due diligence and identity verification can enter, and only counterparties meeting certain qualifications can engage. This is distinctly different from the early DeFi design where "anyone with an address can enter." For institutions, compliance is no longer an off-chain PDF but a set of access controls and transaction paths that can be audited and verified by regulators.
Under these three demands, the narrative of traditional public funding pools begins to seem outdated. The design of "one global pool, anyone can enter," which was open from the viewpoint of retail investors, appears to be indiscriminate exposure from the institutional perspective: you cannot choose who your neighbors are, nor can you select how much unrelated tail risk you are bearing. Paul candidly states that institutions have lost trust in this model; what they want is not a "bigger pool," but "definable, isolatable positions."
Market isolation, whitelist pools, and customized positions have been pushed to the forefront under this pressure. Market isolation first disaggregates risks—each market only accommodates a limited number of asset lending relations, with parameters independent of each other; whitelist pools then enclose the admission circle—only participants who have gone through designated processes can enter and exit; customized positions take it further, allowing a single institution or a few participants to establish a "dedicated strategy warehouse" around a set of assets, a set of parameters, and one version of code, shrinking their risk universe to a size easily explained in boardroom PPTs.
Morpho is regarded as a sample on this evolutionary path. Morpho itself does not follow the traditional model of "everyone pooling money into the same big pool and earning off the same interest rate curve"; instead, through different matching and interest rate mechanisms, it disaggregates and organizes the relationship between lenders and borrowers more precisely and flexibly. Because of this, it was early on cast into the institutional limelight, viewed as infrastructure closer to a "customizable market," rather than just another public pool.
In recent months surrounding Morpho, the industry has begun to see how institutional demands are reshaping infrastructure in reverse.
According to a single source, yet to be validated: by late April 2026, Morpho has been integrated into Fireblocks' enterprise-grade custody and infrastructure system, providing on-chain yield products for enterprise clients through Fireblocks' frontend interface, tapping into nearly $200 billion monthly in fiat-pegged on-chain asset flows, servicing over 2,400 enterprise clients. For these clients, what they see might be just a "yield product" button on the Fireblocks dashboard, but what it actually points to is a specific Morpho market, specific parameters, and specific contract versions—this precisely meets the demand of “I don’t want to be exposed to all risks in the entire protocol; I just want to claim a small piece of the position I understand very clearly.”
Similarly, according to a single source, still to be verified, Morpho’s integration with Coinbase directly elevates this narrative of “isolated markets” to new heights—reports indicate that this integration has driven on-chain lending volumes on Morpho's isolated market to record highs. For institutional users on the Coinbase side, this means they can enter a specific Morpho market chosen and reviewed by Coinbase in a familiar custody and compliance environment, rather than the unpredictable ocean of an entire DeFi protocol. Who writes the code, who sets parameters, and who is responsible for the whitelist become specific, accountable entities.
Capital is also investing along this vein. On April 23, 2026, according to a single source, still to be verified, the project 3F (3f_xyz) completed a $4 million seed round, led by Maven11, aiming to build institutional on-chain infrastructure on top of Morpho. In other words, aside from the protocol layer of Morpho itself, there will be an "institutional shell" built on top of it, specifically responsible for packaging those complex isolated markets, whitelist pools, and customized positions into products that compliance departments can understand and sign off on, and that operational teams can call up with the push of a button. This means that the focus of "how to enable institutions to better grip the code" has evolved from just a product issue of one protocol into a new infrastructure track.
The path from public funding pools to dedicated positions is underpinned by a reordering of power relations: Previously, everything was determined by protocol and community governance; fund providers were merely liquidity contributors within the pool; now, the institutions that Paul refers to as "inevitably entering" want to become the true owners of the positions—even if on the surface, they are just clicking a few more buttons and signing some internal approval forms.
Massive AUM on-chain: distribution is not dead; the underlying track is changing
In Paul’s view, what institutions need to do is not to overthrow the existing financial "sales machine," but to quietly replace the tracks underlying this machine.
He repeatedly emphasized one point in his remarks on April 27: distribution channels will not disappear. Those responsible for attracting customers, providing consultancy, and making product outreach calls will not collectively lose their jobs because of the arrival of on-chain infrastructure. The end users might still be clicking on familiar bank apps and fintech applications, keeping the front-end experience relatively stable; the true structural change is that the tracks of custody, clearing, and yield generation are gradually migrating on-chain.
Paul also provided a broader judgment: massive asset management scale (AUM), payments, and lending businesses are moving on-chain, which is the mid-to-long-term direction from an institutional perspective, rather than short-term experiments. His confidence in making this conclusion stems not from a self-marketing stance of DeFi protocols but from direct communication with several large institutions, discovering that these players, originally considered the most conservative, are already internally discussing their future business architecture using terms like "must go on-chain" and "will inevitably go on-chain."
In other words, the truly heavyweight assets in the future will not forever remain in traditional account systems but will gradually be mapped to atomic positions on-chain, with smart contracts executing collateral, interest calculations, settlements, and risk rules.
The phrase "distribution is not dead" is conveyed here quite realistically:
The client interfaces—financial advisors, corporate business managers, recommendation spots on internet platforms—will most likely continue their current organizational forms since these are the most expensive and hardest resources to rebuild. Yet, when a company purchases "cash management products" through these channels, or when a high-net-worth individual selects a "floating yield portfolio" on their phone, what is triggered behind the scenes may no longer be traditional custodians and clearing systems but an entire set of deployed on-chain infrastructures.
According to a single source, pending further verification, Morpho has integrated with Fireblocks, connecting its yield products to the latter's enterprise custody network, participating in approximately $200 billion monthly on-chain US dollar asset flows, servicing more than 2,400 enterprise clients; in this example, it is still Fireblocks that connects more than 2,400 enterprises, while the actual on-chain yield generation and risk rules are handled by protocols like Morpho—where the front-end distribution and back-end tracks have been separated and reorganized.
This also reflects Paul’s assertion that "almost all fintech companies hope to go fully on-chain": they are not trying to transform themselves into a sort of "new bank," but rather hoping to migrate existing business logic—whether in payments, lending, or asset management—onto on-chain infrastructures, and then package and sell them through existing or newly constructed distribution networks. For these fintech companies, going on-chain signifies programmable reconciliation and clearing, finer-grained risk isolation, and yield and credit modules directly interfacing with protocols like Morpho; distribution channels continue to take on the roles of storytelling, brand building, and customer relationship management.
As the underlying tracks change while distribution does not die, the boundaries between traditional finance and DeFi also begin to quietly rewrite.
From a medium- to long-term perspective, users will find it hard to tell whether they are buying a bank product or a DeFi product; they will see familiar brand logos and service interfaces, while the actual operational paths of assets shift from closed bank balance sheet systems to open on-chain contract sandboxes. Traditional financial institutions are no longer merely the "external world" of DeFi but more like a massive and stable distribution shell; meanwhile, DeFi protocols are nested as the clearing, lending, and yield engines under this shell.
The impact on business models follows closely:
Practices that once earned spreads through information asymmetry and opaque balance sheets will become increasingly unsustainable in the face of increasingly transparent on-chain positions, forcing institutions to charge by building dedicated markets, customizing risk control rules, providing compliance packaging, and offering customer services; the protocol parties will win over the “inevitably entering” institutions by providing more detailed and controllable on-chain infrastructure, transforming themselves from passive roles during the public liquidity pool era to key nodes on the new tracks.
Moreover, according to a single source, pending further verification, projects like 3F—specifically building infrastructure for institutions on Morpho—completed their seed round financing on April 23, 2026, marking a footnote for this new track: distribution networks continue to expand, but what is truly being rewritten is how assets are custodied, valued, and settled—along with who can control these rules.
On the Consensus stage, security companies take center stage
As the power over asset custody, valuation, and settlement is redistributed, it’s not just protocols and custodians that stand under the spotlight, but also those that write risk control rules and delineate "investable boundaries." The Consensus Miami in the spring of 2026 served as a live stage for this power shift, with CertiK prominently featured at the center of the stage scenery.
As one of the world's largest Web3 security companies, CertiK, which has long been focused on smart contract auditing, on-chain security monitoring, and risk assessment, did not settle for a corner booth; instead, they participated in this annual industry conference seen as a barometer by sponsoring it. Sponsorship itself is a declaration: safety is no longer a supplementary module, but a "necessary role" alongside exchanges, infrastructures, and leading protocols, which institutional representatives must highlight on the conference agenda.
CertiK also communicated a very direct signal beforehand—they plan to hold multiple safety-themed side events during Consensus Miami, firmly anchoring discussions on the four words "Web3 security." Beyond the form, what’s more important is the discourse power: once the topic of safety is packaged into an all-day special session, roundtable, or closed-door meeting, those who define "compliance-level security" will have the opportunity to stake pricing power in a new round of institutional entry. For institutions that need to report to risk control committees and compliance teams, hearing systematic narratives around auditing, monitoring, and risk control frameworks continuously in the same venue holds more value than individual project highlights.
What truly imbues the security ecosystem with a sense of "orchestration" is the collaboration between CertiK and Immunefi. One is a security firm strong in auditing and on-chain monitoring, while the other is a platform focused on bug bounties, previously seen as different endpoints in the security chain: the former is responsible for pre-launch security checks, while the latter takes care of post-launch public hunting. Now, the two are co-hosting an offline Web3 security event during Consensus Miami, bundling "pre-launch auditing" and "post-launch rewards" into the same occasion, presenting an imagination of a complete defense line—code release is no longer an end but a process undergoing continuous examination and incentivized repair.
According to a single source, this event is named "Rare Cuts & Cocktails," scheduled for May 5 from 17:00 to 20:00, with specific naming and timing arrangements still needing further verification. Yet, even setting aside the details temporarily, this kind of cross-role collaboration is already sketching a more acceptable risk picture for institutions: there are not only signatures on your contract, but also a group of "white hats" paid by bounties patrolling long-term around the perimeter; security is no longer a single audit report, but a complete set of operational mechanisms.
Tying this back to Paul Frambot’s judgment on April 27—that institutions will not exit DeFi but demand stronger direct control over code, risk, and compliance—CertiK’s actions become more than mere marketing. For institutions considering on-chain business, names corresponding to "who audited," "who monitored," and "who was responsible for discovering and promoting repairs in case of problems" must be listed on the due diligence checklist. Security vendors like CertiK, occupying sponsorship positions at Consensus, are transforming from behind-the-scenes service providers to front-line "risk interlocutors": their reports will appear in risk control meeting rooms, their ratings need to be referenced in compliance documents, and even the timelines for new product launches must align with their audit schedules.
On one end, Morpho and the new infrastructure built around it aim to provide institutions with more controllable on-chain markets; on the other end, security companies represented by CertiK are using sponsorship and co-branded events on top stages like Consensus to codify "safety and compliance" as the entry threshold for all on-chain solutions. In the process of DeFi being reshaped into an institutional compliance battleground, security vendors are no longer neutral referees but hold the starting whistle.
Brutal DeFi exits: the next story is written for institutions
The wild growth phase from 2020 to 2024, characterized by "rushing towards the highest interest rates," is now exiting. Paul Frambot's statement on April 27, 2026, makes this transition very clear: institutions are not leaving DeFi; they view entry as an "inevitability"—provided the three thresholds of safety, compliance, and controllability are truly raised. Open public liquidity pools like Aave and Compound, once the protagonists of the previous narrative, are now seen under institutional perspectives as synonymous with "uncontrollable risks"; taking up the mantle are protocols like Morpho, which rewrite lending mechanisms around controllability, along with security companies continuously strengthening their presence on stages like Consensus Miami.
This signifies that the competitive logic of DeFi itself is also being rewritten. In the past, protocols competed on interest rate curves—who dared to raise the annualized rate higher would siphon off the liquidity from retail investors; now, what institutions focus on is a different checklist:
● Is the code controllable—can parameters be adjusted within clear rules, risks isolated, rather than tossing massive assets into a shared black box pool?
● Is risk control transparent—can liquidation triggers, interest changes, and potential bad debts be finely dissected on-chain, rather than only identified during extreme market conditions?
● Is compliance adaptable—can protocols be embedded within different regulatory jurisdictions and internal compliance frameworks, rather than being done first and forcefully disconnected later by legal departments?
Paul Frambot states that institutions have lost trust in traditional funding pool models, essentially drawing a line for this new set of assessment standards: those who can incorporate controllability and transparency into contracts are qualified to discuss long-term partnerships.
The movements of Morpho and its surrounding ecosystem are an early sample of this shift. According to a single source, pending further verification, Morpho has been integrated into Fireblocks to provide on-chain yield products for enterprise clients, reaching approximately $200 billion in dollar-denominated asset flows each month and servicing over 2,400 enterprise clients; another report from a single source claims that Morpho's integration with Coinbase is driving its isolated market lending volumes to new highs. Beyond that, some institutional-level infrastructures are continuing to build on top of Morpho: according to a single source, pending verification, the project 3F (3f_xyz) completed a $4 million seed round financing on April 23, 2026, led by Maven11, aiming to build on-chain infrastructure for institutions on top of Morpho. Regardless of how far these specific figures are ultimately validated, they at least indicate that the narrative is no longer centered around "open liquidity pools with universal access," but rather focuses on "on-chain positions tailored for specific institutions that are configurable and auditable."
The narrative in the security domain is also concurrently upgrading. CertiK appeared as a sponsor at the 2026 Consensus Miami and announced plans for several safety-themed side events; simultaneously, it will jointly host an offline Web3 security event with the bug bounty platform Immunefi—according to a single source, yet to be validated, this event, named "Rare Cuts & Cocktails," is planned for May 5 from 17:00 to 20:00. Positioned at the center of such top-tier conferences, security audits, real-time monitoring, and bug bounties are no longer mere "pre-launch processes," but have been placed on the infrastructure clearance list for institutional DeFi: without robust safety backing, protocols lack the qualification to present themselves before institutions.
From piecing together these fragments, one can see the next round of capital and narrative focus:
● On one end, security companies and bug bounty ecosystems, represented by CertiK, providing a "risk explainable" moat for on-chain assets;
● In the middle layer, compliance engines, on-chain identity, and permission management modules, allowing institutions in varying regulatory environments to "go on-chain by their own rules";
● At the bottom, protocols like Morpho, which rewrite the ways funds are organized around institutional demands, along with projects like 3F that are still awaiting verification, attempting to package controllable yields and compliant structures into standardized products.
DeFi is transitioning from a permissionless experimental ground aimed at retail to an "institutional-level trust layer" constructed for large amounts of funds—whoever can provide this complete suite of solutions will hold the narrative power in the next round.
Uncertainty is also distinctly present. Regulatory frameworks around the world have yet to genuinely materialize, and there remain no unified answers on which on-chain structures will be regarded as "acceptable" and which will be directly categorized into fuzzy zones; technically, from foundational architectures to implementations of privacy and compliance, a consensus is yet to be reached. The one thing repeatedly confirmed is Paul Frambot's judgment: institutions will not exit this table; they are merely waiting for an on-chain solution that is sufficiently safe, compliant, and controllable. The era of brutal DeFi is on the verge of concluding, and the next chapter will be written by those who can embed code into regulatory logic and also integrate regulatory logic into code.



