ESMA Joint Report on Crypto-Assets: DeFi Risks, MiCA Implementation, and EU Market Analysis

📌 Key Takeaways

  • DeFi Scale: Global DeFi TVL reached EUR 78 billion (adjusted), with an estimated 7.2 million EU users — comparable to the US at 7.5 million.
  • Security Crisis: DeFi thefts totaled USD 3.1 billion in 2022, with private key compromises now accounting for over 50% of stolen value.
  • MEV Problem: Nearly 50% of Ethereum DEX trading volume was affected by MEV extraction in 2022, with post-Merge revenues exceeding USD 1 billion.
  • Regulatory Gap: MiCA does not cover crypto lending, borrowing, or fully decentralized services, leaving significant portions of the market unregulated.
  • Staking Boom: The global staking market reached USD 562 billion, with liquid staking TVL growing 131% year-over-year to USD 44 billion.

ESMA-EBA Joint Report Overview and Regulatory Context

In January 2025, the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) published a landmark joint report analyzing recent developments in crypto-assets under Article 142 of MiCAR — the Markets in Crypto-Assets Regulation. This report, produced at the explicit request of the European Commission, represents the most comprehensive institutional assessment of DeFi risks, crypto lending, and staking markets in the European Union.

The report is deliberately analytical rather than prescriptive — it does not propose specific legislation or regulatory changes. Instead, it provides the evidence base that the Commission will use to prepare its own legislative report to the European Parliament and Council, expected in 2025. The ESMA crypto report covers two primary areas: decentralized finance (DeFi), including its engagement levels, ICT vulnerabilities, governance risks, and MEV implications; and the business models, market dynamics, and risks associated with crypto lending, borrowing, and staking.

The regulatory context is critical. MiCAR, which took full effect on December 30, 2024, established the world’s first comprehensive framework for crypto-asset regulation. However, it contains significant carve-outs: Recital 22 specifies that fully decentralized services without intermediaries fall outside MiCA’s scope, while Recital 94 explicitly excludes crypto lending and borrowing from the regulation’s reach. This report effectively maps the terrain that lies beyond MiCA’s current borders — and assesses whether that regulatory gap creates unacceptable risks.

DeFi Market Size and EU Adoption Statistics

The ESMA report provides granular data on DeFi’s scale and European penetration. Global DeFi Total Value Locked stood at approximately EUR 78 billion as of September 2024 (adjusted for double-counting) — roughly 4% of total crypto market capitalization. The unadjusted figure, which counts assets locked across multiple protocols, reaches EUR 160 billion. Ethereum continues to dominate with approximately 60% of all DeFi TVL, and the protocol landscape is led by Lido (EUR 23.3 billion in staking), Aave (EUR 12.1 billion in lending), and EigenLayer (EUR 10.6 billion in restaking).

EU-specific adoption data reveals a market that is significant but not dominant. An estimated 7.2 million EU citizens (1.6% of the population) use DeFi, slightly below the US at 7.5 million (2.2%). However, fewer than 15% of EU DeFi users engage regularly. The euro accounts for only 8% of fiat-to-crypto transactions on average, dwarfed by the US dollar at 44% and the Korean won at 37%. Euro-denominated stablecoins remain negligible in DeFi markets, highlighting a structural disadvantage for European participation.

Country-level data shows significant variation. France leads with approximately 12% of its population (6.5 million) holding crypto, with 21% familiar with the DeFi concept. The Netherlands and UK have ownership rates of 17% and 16% respectively. Higher DeFi adoption is concentrated in France, Germany, Italy, the Netherlands, Poland, and Spain, while Belgium, Croatia, Finland, and Ireland show lower penetration. The report notes that EU DeFi lending and borrowing totals approximately EUR 1.8 billion and staking EUR 3.6 billion — just 0.08% of euro area bank loans to households (EUR 6,665.7 billion).

Smart Contract Vulnerabilities and DeFi Security Risks

The security analysis in the ESMA report is sobering. DeFi thefts reached approximately USD 3.1 billion in 2022, following USD 2.5 billion in 2021. While 2024 figures (through October) showed 34 DeFi hacks exploiting smart contract vulnerabilities with USD 346 million in losses, the report documents a structural shift in attack vectors that may be more concerning than the headline numbers suggest.

Historically, the majority of DeFi theft stemmed from on-chain vulnerabilities — direct exploitation of smart contract code, price manipulation through oracle attacks, and flash loan-enabled arbitrage. However, the report identifies a critical shift: off-chain vulnerabilities are becoming the primary attack vector. Since 2023, private key compromises have accounted for slightly above 50% of all DeFi theft value, indicating that human and operational security failures now exceed code-level vulnerabilities as the primary risk.

Bridge protocols emerge as particularly vulnerable infrastructure. Bridge attacks in 2022 alone exceeded USD 1.3 billion in stolen assets, reflecting the inherent complexity and risk of cross-chain interoperability. The report also documents scam and rug-pull losses totaling USD 211.9 million across at least 20 instances between 2020 and October 2024. A concerning finding from Halborn’s 2024 data shows that 90% of Ethereum smart contracts are at least 56% similar to each other, with approximately 7% being completely identical — suggesting that vulnerabilities in widely-copied code could create systemic risk across the entire DeFi ecosystem.

MEV Extraction: Scale, Impact, and Counter-Measures

The report’s analysis of Maximal Extractable Value (MEV) represents one of the most comprehensive institutional assessments of this phenomenon. MEV refers to the profit that block builders and validators can extract by strategically reordering, inserting, or censoring transactions within blocks. Post-Merge Ethereum MEV revenues are estimated at USD 851 million to USD 1.1 billion, with sandwich attacks representing a 4:1 ratio of extractable MEV versus arbitrage by volume.

The scale of the problem is striking. Nearly 50% of Ethereum DEX trading volume in 2022 was affected by MEV extraction. Crisis events amplify the issue dramatically: the FTX collapse boosted MEV revenues by 400%, while the USDC de-peg event triggered a 1,000% increase. The concentration of MEV activity is extreme — 20% of MEV operations captured 72% of total revenues between September 2022 and May 2023, and a single bot extracted USD 34 million in just three months via sandwich attacks.
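The sandwich pattern discussed above can be recognised from transaction ordering alone: one address trades just before and just after a third party's swap on the same pool, in opposite directions. The following is an added example, not code from the ESMA report or from any MEV tooling; the Swap record, its field names, and the sample block are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Swap:
    index: int         # position of the transaction inside the block
    sender: str
    pool: str
    token_in: str
    token_out: str
    amount_in: float
    amount_out: float

def same_direction(a, b):
    return (a.pool, a.token_in, a.token_out) == (b.pool, b.token_in, b.token_out)

def reverses(a, b):
    return (a.pool, a.token_in, a.token_out) == (b.pool, b.token_out, b.token_in)

def find_sandwiches(swaps):
    """Flag front-run / victim / back-run triples within one block."""
    ordered = sorted(swaps, key=lambda s: s.index)
    findings, used = [], set()
    for i, front in enumerate(ordered):
        if front.index in used:
            continue
        for back in ordered[i + 1:]:
            if back.sender != front.sender or not reverses(front, back):
                continue
            # Third-party swaps in the same direction, executed between the
            # two legs, traded at the price the front leg had already moved.
            victims = [s for s in ordered
                       if front.index < s.index < back.index
                       and s.sender != front.sender and same_direction(front, s)]
            if victims:
                used.update((front.index, back.index))
                findings.append({
                    "front": front.index, "back": back.index,
                    "suspect": front.sender,
                    "victims": [v.sender for v in victims],
                    # Gross gain in the front leg's input token; gas and fees ignored.
                    "gross_profit": back.amount_out - front.amount_in,
                })
            break  # only the first closing leg by this sender is considered
    return findings

# Constructed block, not real chain data.
SAMPLE_BLOCK = [
    Swap(0, "0xARB", "DAI/USDC", "DAI", "USDC", 5000.0, 4998.0),
    Swap(1, "0xBOT", "WETH/USDC", "USDC", "WETH", 100000.0, 47.619),
    Swap(2, "0xALICE", "WETH/USDC", "USDC", "WETH", 50000.0, 22.148),
    Swap(3, "0xBOB", "DAI/USDC", "USDC", "DAI", 1000.0, 999.0),
    Swap(4, "0xBOT", "WETH/USDC", "WETH", "USDC", 47.619, 104700.0),
    Swap(5, "0xCAROL", "WETH/USDC", "USDC", "WETH", 2000.0, 0.97),
    Swap(6, "0xCAROL", "WETH/USDC", "WETH", "USDC", 0.97, 1990.0),
]

if __name__ == "__main__":
    for finding in find_sandwiches(SAMPLE_BLOCK):
        print(finding)
```

The round trip at positions 5 and 6 is not flagged because no third-party swap sits between its legs. A monitoring pipeline would feed this heuristic from decoded swap events rather than hand-built records.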

Counter-measures remain imperfect. MEV-Boost (Flashbots) is used in 85-95% of Ethereum blocks, addressing validator-level MEV but creating concentration at the builder and relay level. The top 3 builders consistently produce over 50% of all blocks, and the Flashbots relay processes over 50% of PBS blocks. The Ethereum Foundation has endorsed Enshrined PBS (e-PBS) as a longer-term solution, but it has not yet been implemented. Fair-ordering solutions, including time-based and blind ordering, have seen only limited practical deployment.

Money Laundering and Financial Crime in DeFi

The anti-money laundering assessment carries particular weight given the European regulatory context. National Competent Authorities (NCAs) generally rate DeFi money laundering and terrorist financing risks as “significant” to “very significant.” The primary risk drivers include the absence of an AML/CFT regulatory framework for DeFi, the anonymity and pseudonymity of participants, the cross-border nature of transactions, and the lack of customer due diligence obligations on DeFi protocols.

The report documents that DeFi protocols currently fall outside the remit of the Anti-Money Laundering Directive (AMLD) and the Funds Transfer Regulation (FTR) when operating in a fully decentralized manner. The share of illicit funds flowing to DeFi has grown over time, though centralized exchanges remain the primary destination for funds from illicit addresses. Techniques employed include exchanging for less traceable cryptocurrencies, using bridges and mixers, and placing funds in liquidity pools to obscure their origin.

DAO governance presents an additional vector of concern. Voter turnout in major DeFi governance processes often falls below 10% of eligible participants, with Aave and Compound frequently seeing just 3-5% turnout. Governance token ownership is heavily concentrated among developer teams, venture capital investors, founders, and large holders — raising questions about whether purportedly decentralized protocols are genuinely governed by their communities or effectively controlled by small groups.

Crypto Lending and Borrowing Market Analysis

The lending chapter provides the first comprehensive EU regulatory assessment of crypto lending models. Centralized lending platforms typically require over-collateralization at loan-to-value (LTV) ratios of 20-80%, with no creditworthiness checks. Primary collateral consists of BTC, ETH, USDT, and USDC, with liquidation thresholds typically set at 85% LTV and 2% liquidation fees. Borrowing interest rates range from 8-15%, with some exceeding 21% and reaching as high as 81% for the most volatile assets.

DeFi lending operates through two primary models: Collateralized Debt Positions (CDPs) and Collateralized Debt Markets (CDMs), with pooled (peer-to-pool) lending being the dominant format. DeFi LTV ratios range from 20% for volatile assets to 90% for stablecoin-only positions, with liquidation fees of 5-15% — significantly higher than centralized platforms. Market concentration is extreme: one protocol accounts for well above 50% of all market fees, and the top 2 protocols represent 52% of TVL.

The report documents the catastrophic failures that have exposed lending market risks. Celsius, which collapsed in 2022, had liabilities of approximately $5.5 billion and a shortfall of approximately $1.2 billion. Voyager Digital had $650 million in exposure to the failed Three Arrows Capital. These failures underscore why ESMA considers the absence of lending regulation under MiCA a significant gap.

Staking Market Dynamics and Liquid Staking Growth

The global staking market has reached USD 562 billion as of November 2024, with Ethereum at USD 85 billion (18% of staked value, with 29% of all ETH staked) and Solana at USD 66 billion (13% of staked value, with 67% of all SOL staked). Staking reward rates on Ethereum average 3.46% at the baseline network level, with provider-specific rates ranging from 2.29% to 5.09%. Solana offers higher base rates at 6.73%, ranging from 5.94% to 7.74% across providers.

Liquid staking has emerged as the fastest-growing segment, with TVL reaching USD 44 billion in October 2024 — up 131% year-over-year. Lido dominates with 70% market share (USD 25 billion), raising concentration concerns. EigenLayer’s restaking protocol has accumulated EUR 11 billion in TVL, introducing a new layer of risk where Liquid Staking Tokens (LSTs) are re-staked to support Actively Validated Services (AVS), creating compounded exposure chains.

The report identifies a critical custodial distinction. Solo staking retains both signing and withdrawal keys with the user. Non-custodial pooled staking transfers signing keys but retains withdrawal keys. Custodial staking — offered by centralized platforms — transfers both sets of keys to the provider, creating counterparty risk. On Ethereum, only 0.04% of active validators had been slashed as of February 2024, but some centralized providers offer contractual protection against slashing losses, blurring the line between crypto-native staking and traditional financial products.

MiCA Implementation and Regulatory Gaps

The MiCA regulation (Regulation (EU) 2023/1114) represents a landmark achievement in crypto regulation, but the ESMA report identifies significant gaps that future legislation may need to address. MiCAR applies to natural and legal persons providing crypto-asset services, but Recital 22 explicitly notes that fully decentralized services without intermediaries fall outside its scope. The term “fully decentralized” remains undefined, creating a regulatory ambiguity that DeFi protocols could exploit.

Crypto lending and borrowing are excluded from MiCA’s coverage under Recital 94, deferring to applicable national law. The report reveals uneven national approaches: only 5 NCAs across 4 EU/EEA Member States indicated some form of regulation for these services, and only 4 NCAs reported awareness of consumer complaints. This regulatory fragmentation creates competitive distortions and potential for regulatory arbitrage within the single market.

The Digital Operational Resilience Act (DORA) applies to regulated financial entities engaging with crypto, but the vast majority of DeFi protocols operate outside its scope. The report notes that 16 NCAs identified crypto lending and borrowing providers in their jurisdictions, while 23 NCAs identified staking providers — suggesting widespread market activity occurring largely outside formal regulatory supervision. This comprehensive mapping of regulatory gaps provides the evidence base for the Commission’s upcoming legislative proposals.

EU Financial Institution Crypto Exposure

The ESMA report provides reassuring data on institutional exposure. Fewer than 5% of EU banks are involved in crypto-asset issuance or service provision, with approximately 10% planning engagement within the next two or more years. Among SSM-supervised banks, only 1% currently use DeFi applications, though 7% are exploring, planning, or testing DeFi engagement. EU investment funds with crypto exposure represent just 0.02% of the EU fund universe, with net asset values of EUR 2-4 billion.

Ethereum’s node infrastructure has meaningful European presence, with Germany hosting 14.78% of the 6,245 active Ethereum nodes as of September 2024, followed by France at 4.69% and Finland at 4.34%. This geographic distribution is relevant for regulatory oversight and underscores that the physical infrastructure supporting DeFi has tangible connections to European jurisdictions, even when the protocols themselves may claim to operate beyond regulatory borders.

The low institutional exposure suggests that crypto risks to the EU financial system remain contained for now. However, the report implicitly cautions that this could change rapidly as MiCA’s regulatory clarity encourages institutional entry, as staking and lending yields attract capital allocation, and as DeFi protocols continue to grow.

Implications for European Crypto Regulation

The ESMA-EBA joint report carries several critical implications for the future of European crypto regulation. First, the DeFi regulatory gap is real and growing. With 7.2 million EU users and billions in lending, borrowing, and staking activity occurring outside MiCA’s scope, the Commission faces pressure to develop a supplementary framework. The undefined concept of “fully decentralized” services creates a loophole that is likely to be tested by protocols seeking to avoid regulatory obligations.

Second, the MEV problem demands attention. With nearly half of Ethereum DEX volume affected by value extraction, and counter-measures creating their own concentration risks, MEV represents a structural challenge to market integrity that European regulators cannot ignore if they seek to ensure fair treatment of retail participants. The report’s detailed analysis of sandwich attacks and builder concentration provides the analytical foundation for potential market conduct rules.

Third, crypto lending regulation is overdue. The Celsius and Voyager Digital failures demonstrated the systemic risks of unregulated lending platforms, and the report’s documentation of interest rates exceeding 81% and LTV practices that expose consumers to rapid liquidation makes a compelling case for consumer protection measures. The fact that only 4 NCAs were aware of consumer complaints suggests under-reporting rather than absence of harm.

Finally, the institutional entry pipeline — with 10% of banks planning crypto engagement and growing liquid staking adoption — suggests that the regulatory framework will be tested at increasing scale. MiCA version 2.0, incorporating lessons from this report, may need to address DeFi governance, lending standards, MEV mitigation, and the custodial risks inherent in staking arrangements. The Commission’s response will set the regulatory standard not just for Europe but potentially for other jurisdictions watching MiCA’s evolution.

Frequently Asked Questions

What does the ESMA joint report on crypto-assets cover?

The ESMA-EBA Joint Report published in January 2025 analyzes two main areas under Article 142 of MiCAR: decentralized finance (DeFi) risks, including MEV extraction and ICT vulnerabilities; and crypto lending, borrowing, and staking business models in the EU. It covers EUR 78 billion in DeFi TVL and a global staking market of USD 562 billion.

How large is the EU DeFi market according to ESMA?

The report estimates approximately 7.2 million EU citizens (1.6% of the population) use DeFi, though fewer than 15% engage regularly. EU DeFi lending and borrowing is estimated at EUR 1.8 billion and EU DeFi staking at EUR 3.6 billion — representing just 0.08% of euro area bank loans to households.

What are the main DeFi risks identified by ESMA?

Key risks include smart contract vulnerabilities (DeFi thefts totaling USD 3.1 billion in 2022 alone), MEV extraction affecting nearly 50% of Ethereum DEX trading volume, governance concentration with DAO voter turnout often under 10%, bridge attacks exceeding USD 1.3 billion in 2022, and growing money laundering concerns as illicit funds increasingly flow through DeFi protocols.

How does MiCA regulate DeFi and crypto lending?

MiCA (MiCAR) applies to persons providing crypto-asset services but explicitly notes that fully decentralized services without intermediaries fall outside its scope — though ‘fully decentralized’ is undefined. MiCA does not address crypto lending or borrowing, deferring to national law. The report serves as analytical input for the European Commission’s upcoming legislative assessment.

What is MEV and how big is the problem in crypto?

Maximal Extractable Value (MEV) refers to profits validators and builders can extract by reordering, inserting, or censoring transactions in blockchain blocks. Post-Merge Ethereum MEV is estimated at USD 851 million to USD 1.1 billion. Sandwich attacks represent a 4:1 ratio of extractable MEV versus arbitrage, and nearly 50% of 2022 Ethereum DEX volume was affected by MEV extraction.
