Top 5 Security Mistakes Crypto Investors Make & How to Avoid Them

When Bitcoin was introduced in 2008, the primary aim was to develop a digital currency that would operate independently of banks and government intervention. This foundational concept has since expanded into a broader movement known as “decentralized finance,” or “DeFi.” DeFi allows individuals to engage in trading, borrowing, and earning interest on cryptocurrency assets without the need for traditional financial institutions. These services function on blockchain technology, which serves as a digital ledger, and utilize “smart contracts”—automated scripts that facilitate financial transactions without human intervention. The DeFi market has seen investments totaling tens of billions of dollars. However, with this rapid innovation come significant risks; the decentralized nature of crypto makes it an attractive target for hackers and fraudsters. In 2024, losses from security breaches and scams approached $1.5 billion, and unlike conventional finance, recovering stolen cryptocurrency presents a formidable challenge.

As a computer scientist, I sought to explore how users perceive and react to the risks associated with DeFi. My colleagues and I began our research with comprehensive interviews involving 14 crypto investors, followed by a survey of nearly 500 individuals to corroborate our findings. Our study revealed that users frequently fall into the same pitfalls, predominantly due to persistent misunderstandings and a lack of awareness regarding security measures. Below, we outline several critical errors.

Mistake 1: Misunderstanding Blockchain Security

Many participants expressed a belief that DeFi is inherently secure; however, their reasoning lacked depth. Some confused the concept of decentralized finance with the underlying blockchain technology, which is designed to ensure transaction integrity through various consensus mechanisms. One individual claimed that DeFi is secure because “a hacker would have to override an entire blockchain” to steal assets. In reality, while blockchain technology provides a level of tamper resistance, the services built on it can still be susceptible to flaws in their design and execution. Vulnerabilities include smart contract exploits, where hackers take advantage of weaknesses in a service’s code, and front-end attacks that manipulate user interfaces to divert funds into the attackers’ accounts. Notably, a recent incident involving a front-end attack was linked to a staggering $1.5 billion in stolen cryptocurrency.

Mistake 2: Overestimating Private Key Security

Another widespread misconception is the belief that the security of DeFi hinges solely on the safekeeping of private keys. A private key is a confidential code that grants access to a user’s cryptocurrency holdings. Unlike centralized crypto exchanges that maintain control over users’ private keys, DeFi gives individuals full ownership. Nevertheless, even with ideal management of private keys, users can still incur losses by engaging with compromised DeFi platforms. Proper key management can only defend against direct attacks aimed at accessing private keys, such as phishing schemes. Additionally, many of our interviewees did not adhere to best practices for private key security. For example, using a hardware wallet—a physical device that keeps private keys stored offline—offers robust protection against online threats, but our research indicated that only a small proportion of participants utilized such devices.

Mistake 3: Misplaced Confidence in Two-Factor Authentication

Two-factor authentication (2FA) is a widely adopted security measure that requires two forms of verification for account access, such as receiving a one-time code via text message. Centralized exchanges like Binance and Coinbase implement 2FA for logins, account recovery, and withdrawal confirmations. While 2FA is an essential security feature in both traditional and centralized crypto finance, its relevance diminishes in the context of DeFi. DeFi wallets rely on private key ownership for access rather than identity verification, rendering conventional 2FA ineffective. Instead, DeFi offers alternatives similar to 2FA, such as multisignature wallets that require approval from multiple key holders. However, if a private key is compromised, attackers can execute transactions without any further verification. Furthermore, even users who implement 2FA-like strategies cannot safeguard against security breaches that occur on the DeFi service’s side. Alarmingly, our participants exhibited unwarranted confidence in the effectiveness of 2FA, with 57.1% relying on it as their sole defense against rug pulls—scams in which project creators abruptly withdraw funds—and 49.3% doing the same for smart contract vulnerabilities. This misplaced trust may lead users to overlook more effective security measures.

Mistake 4: Neglecting Token Approval Management

A crucial security strategy that many users overlook is the regular revocation of token approvals. In the DeFi ecosystem, tokens represent digital assets on a blockchain that hold value or rights, and users often need to authorize smart contracts to access or utilize them. However, leaving these approvals unchecked can expose users to the risk of malicious contracts or hacks draining their wallets. It is vital to routinely assess all token approvals granted to mitigate potential losses from fraudulent or compromised DeFi services. Users should restrict spending limits rather than accepting the default “unlimited” setting and revoke approvals for applications they no longer use or trust. Alarmingly, our findings indicated that only 10.8% and 16.3% of participants regularly monitored and revoked token approvals to protect against rug pulls and smart contract exploits, respectively. We recommend that wallet providers implement reminder systems to encourage users to periodically review their token approvals.
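An added example, not part of the article, showing in plain JavaScript how a wallet could decode an ERC-20 approve() request before the user signs it, flag the “unlimited” default, and build the bounded or zero-amount (revoke) approval recommended above. The spender address and token amounts are constructed placeholders; no network or library is needed.

```javascript
// Added example (not from the article): inspect an ERC-20 approve() call the way a
// wallet could before signing, and build a bounded or zero (revoke) approval instead.
// Uses only BigInt and hex string handling; runs offline.

// Function selector for approve(address,uint256): first 4 bytes of keccak256 of the signature.
const APPROVE_SELECTOR = "095ea7b3";
const UINT256_MAX = (1n << 256n) - 1n;

// Encode approve(spender, amount) as calldata: 0x + selector + two 32-byte ABI words.
function encodeApprove(spender, amount) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(spender)) throw new Error("bad spender address");
  if (amount < 0n || amount > UINT256_MAX) throw new Error("amount out of uint256 range");
  const spenderWord = spender.slice(2).toLowerCase().padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + spenderWord + amountWord;
}

// Decode calldata; returns null if it is not an approve() call of the expected shape.
function decodeApprove(calldata) {
  const hex = calldata.replace(/^0x/, "").toLowerCase();
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // low 20 bytes of the first word
  const amount = BigInt("0x" + hex.slice(72));
  return { spender, amount };
}

// Classify an approval against what the user actually intends to spend.
// "unlimited" is the 2^256-1 default; "excessive" is anything far beyond the intended amount.
function classifyApproval(calldata, intendedAmount, tokenDecimals) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { kind: "not-approve" };
  const { spender, amount } = decoded;
  if (amount === 0n) return { kind: "revoke", spender };
  if (amount === UINT256_MAX) return { kind: "unlimited", spender };
  const oneToken = 10n ** BigInt(tokenDecimals);
  if (amount > intendedAmount * 10n) return { kind: "excessive", spender, tokens: amount / oneToken };
  return { kind: "bounded", spender, tokens: amount / oneToken };
}

// Constructed sample: a dapp asks for the usual unlimited approval when the user only
// wants to spend 25 tokens of a 6-decimal token. SPENDER is a placeholder, not a real contract.
const SPENDER = "0x1111111111111111111111111111111111111111";
const wanted = 25n * 10n ** 6n;
const unlimitedRequest = encodeApprove(SPENDER, UINT256_MAX);
const boundedRequest = encodeApprove(SPENDER, wanted);
const revokeRequest = encodeApprove(SPENDER, 0n);
console.log(classifyApproval(unlimitedRequest, wanted, 6)); // kind: "unlimited"
console.log(classifyApproval(boundedRequest, wanted, 6));   // kind: "bounded", tokens: 25n
console.log(classifyApproval(revokeRequest, wanted, 6));    // kind: "revoke"
```

A wallet that runs this check can warn on “unlimited” or “excessive” and offer the bounded encoding in its place; sending the zero-amount encoding is the on-chain revoke the article recommends for apps no longer in use.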

Mistake 5: Failing to Learn from Past Scams

Perhaps most concerning is the trend where individuals do not take steps to enhance their security practices even after falling victim to hacks or scams. Our research showed that just 17.6% of those who had experienced a DeFi scam consistently checked their token approvals afterward. Alarmingly, 26% took no action at all following a scam, and 16.4% continued to invest in other DeFi services despite their previous losses. Surprisingly, over half of the victims reported that their belief in DeFi remained unchanged or even strengthened after their experiences. One individual who lost $4,700 in a rug-pull incident remarked, “My belief in cryptocurrency has grown stronger after that because I made good money from it,” adding that “an opportunity to make money is something I believe in.” This highlights a troubling reality: financial motivations can sometimes overshadow security concerns and sound judgment among DeFi users.

There is no universal solution to the challenges of DeFi security; however, raising awareness is vital. To enhance their safety, crypto investors should utilize hardware wallets, revoke unused token approvals, and continuously educate themselves on new protective measures against evolving threats. Most importantly, they must maintain a rational mindset and avoid allowing potential profits to compromise their security practices.