When Bitcoin was introduced in 2008, its primary objective was to establish a digital currency that operated independently of banks and governmental control. This concept has since expanded into a broader and more complex framework known as “decentralized finance,” or “DeFi.” DeFi allows users to engage in trading, borrowing, and earning interest on cryptocurrency assets without the need for traditional financial institutions. These DeFi services are built on blockchain technology, which functions as a digital ledger, and utilize “smart contracts”—self-executing programs that facilitate financial transactions automatically. The DeFi sector has attracted significant investment, with tens of billions of dollars flowing into it. However, this innovation is not without its dangers. The absence of centralized regulation has made the crypto space, including DeFi, a prime target for cybercriminals. In 2024 alone, losses from security breaches and fraud in the sector approached $1.5 billion. Unlike conventional financial systems, recovering stolen cryptocurrencies is often impossible.
As a researcher in computer science, I aimed to delve deeper into how individuals perceive and react to the risks associated with DeFi. My colleagues and I conducted comprehensive interviews with 14 cryptocurrency investors, followed by a survey of nearly 500 additional participants to validate our insights. Our findings revealed that many investors frequently fall into the same traps, largely due to persistent misconceptions and a lack of awareness regarding security measures.
Mistake 1: Assuming Blockchain Guarantees Security
A prevalent belief among many individuals is that decentralized finance is inherently secure; however, their reasoning often lacks depth. Some individuals mistakenly conflate decentralized finance with blockchain technology itself, which is designed to provide tamper-resistant transaction records through what are known as “consensus mechanisms.” One participant claimed that DeFi is secure “because a hacker would have to override an entire blockchain” to steal funds. Nonetheless, the blockchain’s guarantees cover only the ledger; the platforms built on top of it can still be susceptible to flaws in their design and implementation. This includes vulnerabilities in smart contracts, where attackers can exploit coding errors, and front-end attacks, which involve manipulating user interfaces to redirect funds to a hacker’s wallet. A significant $1.5 billion theft was reportedly linked to a front-end attack.
Mistake 2: Believing That Safe Keys Equal Safe Funds
Another widespread misunderstanding is the belief that decentralized finance is secure simply because private keys are stored securely. A private key is a confidential code that provides access to one’s cryptocurrency assets. In the realm of DeFi, unlike centralized cryptocurrency services that manage private keys, users maintain full control over their private keys. However, even with optimal private key management, users remain vulnerable to losses when engaging with compromised DeFi platforms. Protecting private keys can only guard against direct attacks aimed at gaining access to them, such as phishing scams. Our research indicated that many participants did not adhere to best practices for safeguarding their private keys. Utilizing a hardware wallet—a physical device that stores private keys offline—is among the most secure methods of protecting against online threats, yet our study found that only a small number of participants utilized hardware wallets.
Mistake 3: Viewing 2-Factor Authentication as a Complete Solution
Two-factor authentication (2FA) is a widely adopted security measure requiring two forms of verification for account access. For instance, users may receive a one-time code via text message before logging into their bank accounts. Centralized cryptocurrency exchanges, such as Binance and Coinbase, implement 2FA for logins, account recovery, and withdrawal confirmations to enhance security. However, while 2FA is crucial in traditional finance and centralized cryptocurrency platforms, its role is significantly diminished in decentralized finance. DeFi wallets grant access based on private key ownership rather than identity verification, rendering traditional 2FA ineffective. Instead, DeFi employs alternative mechanisms akin to 2FA, such as multisignature wallets that necessitate approval from multiple private key holders. Yet these measures only help where they are in use: a wallet guarded by a single private key lets an attacker who obtains that key execute transactions without any additional verification. Moreover, even users who implement 2FA-like measures cannot prevent breaches stemming from vulnerabilities in the DeFi services themselves. Alarmingly, our participants exhibited misplaced confidence in the efficacy of 2FA; one remarked, “Two-factor authentication has been one of the best solutions for keeping wallets safe.” Our survey revealed that 57.1% of users relied solely on 2FA as their technical defense against rug pulls—scams where creators suddenly withdraw funds—and 49.3% did so against smart contract exploits. This misplaced trust could lead them to overlook more effective security practices.
Mistake 4: Failing to Manage Token Approvals
One effective security strategy that users often overlook is the revocation of token approvals. In decentralized finance, tokens are digital assets representing value or rights, and users frequently need to authorize smart contracts to access or utilize them. However, leaving these approvals open can expose users to risks, as a malicious contract—or one that has been hacked—can deplete their wallets. Therefore, it is essential to routinely review all token approvals granted to mitigate potential losses from fraudulent or compromised DeFi services. Users should specifically limit spending allowances rather than opting for the default “unlimited” setting and revoke approvals for applications they no longer utilize or trust. Disturbingly, our research indicated that only 10.8% and 16.3% of participants consistently checked and revoked token approvals to safeguard against rug pulls and smart contract exploits, respectively. We recommend that wallet providers implement reminder features to encourage users to periodically review their token approvals.
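As an added example (not code from the article or its study), the following self-contained JavaScript models ERC-20 token approvals to show the difference just described: a limited allowance bounds what a compromised contract can take, while an “unlimited” one exposes the whole remaining balance. The Token class, the addresses, balances and last-used dates are constructed for illustration; the 4-byte selector 095ea7b3 is the standard ERC-20 approve(address,uint256) selector, and revoking an approval is simply approve(spender, 0). No chain or wallet library is used.

```javascript
// Added example, not code from the article or its study: an in-memory model of
// ERC-20 token approvals that shows why an open "unlimited" allowance is
// dangerous, what a periodic review looks like, and how a revocation is encoded.
// Addresses, balances and usage dates below are constructed for the example.

const UNLIMITED = (1n << 256n) - 1n; // uint256 max, the common "unlimited" approval

// Minimal ERC-20 allowance semantics: approve / allowance / transferFrom.
class Token {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.allowances = new Map(); // "owner->spender" -> BigInt
  }
  approve(owner, spender, amount) { this.allowances.set(`${owner}->${spender}`, amount); }
  allowance(owner, spender) { return this.allowances.get(`${owner}->${spender}`) ?? 0n; }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  // `spender` moves `amount` of `owner`'s tokens to `to`, bounded by the allowance.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (amount > allowed) throw new Error("insufficient allowance");
    if (amount > this.balanceOf(owner)) throw new Error("insufficient balance");
    if (allowed !== UNLIMITED) this.approve(owner, spender, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Worst case once a spender contract is compromised: it moves everything the
// remaining allowance still permits. Returns the amount lost.
function drain(token, spender, victim, attacker) {
  const allowed = token.allowance(victim, spender);
  const balance = token.balanceOf(victim);
  const amount = allowed < balance ? allowed : balance;
  if (amount > 0n) token.transferFrom(spender, victim, attacker, amount);
  return amount;
}

// Alice holds 1000 tokens, approves a DEX, swaps 100 through it, and the DEX
// is later compromised. The loss depends entirely on the allowance she granted.
function lossWithApproval(approvedAmount) {
  const token = new Token({ alice: 1000n });
  token.approve("alice", "dex", approvedAmount);
  token.transferFrom("dex", "alice", "dex", 100n); // legitimate use
  return drain(token, "dex", "alice", "attacker"); // compromise afterwards
}

// Periodic review: flag allowances that are unlimited or unused for `staleDays`.
// `approvals` is the kind of list a wallet or approval checker would display.
function reviewApprovals(approvals, todayDay, staleDays) {
  const findings = [];
  for (const a of approvals) {
    if (a.amount === 0n) continue; // already revoked
    const reasons = [];
    if (a.amount === UNLIMITED) reasons.push("unlimited allowance");
    if (todayDay - a.lastUsedDay > staleDays) reasons.push("not used recently");
    if (reasons.length) findings.push({ spender: a.spender, reasons });
  }
  return findings;
}

// Revoking is approve(spender, 0). ABI-encode that call: the 4-byte selector
// (first 4 bytes of keccak256("approve(address,uint256)")), then the address and
// the amount, each left-padded to 32 bytes.
const APPROVE_SELECTOR = "095ea7b3";
function encodeApprove(spenderAddress, amount) {
  const addr = spenderAddress.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}
function encodeRevoke(spenderAddress) { return encodeApprove(spenderAddress, 0n); }

// Constructed sample data for a stand-alone run.
const SAMPLE_APPROVALS = [
  { spender: "0x1111111111111111111111111111111111111111", amount: UNLIMITED, lastUsedDay: 95 },
  { spender: "0x2222222222222222222222222222222222222222", amount: 500n, lastUsedDay: 10 },
  { spender: "0x3333333333333333333333333333333333333333", amount: 500n, lastUsedDay: 99 },
];

console.log("loss with unlimited approval:", lossWithApproval(UNLIMITED).toString()); // 900
console.log("loss with exact approval:", lossWithApproval(100n).toString());          // 0
console.log(reviewApprovals(SAMPLE_APPROVALS, 100, 30));
console.log(encodeRevoke(SAMPLE_APPROVALS[0].spender));
```

Run it with node. The review function is the kind of check a wallet reminder feature would surface, and the encoded calldata is what a revocation transaction to the token contract carries; the point of the comparison is that the legitimate swap works identically with either allowance, so the unlimited one buys convenience at the cost of the entire remaining balance.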
Mistake 5: Not Adapting After Past Incidents
Even after experiencing hacks or scams, many individuals often fail to enhance their security practices. Our findings revealed that only 17.6% of those who fell victim to a DeFi scam regularly checked their token approvals afterward. Alarmingly, 26% took no action after being scammed, and 16.4% doubled down by investing even more in other DeFi services. Surprisingly, over half of the victims reported that their faith in decentralized finance either remained unchanged or grew stronger following the incident. One user who lost $4,700 in a rug-pull incident stated, “My belief in cryptocurrency has grown stronger after that because I made good money from it.” This individual further asserted, “An opportunity to make money is something I believe in.” This implies that the financial motivations of DeFi users can sometimes overshadow their security concerns and sound judgment.
There isn’t a universal solution for enhancing security in decentralized finance. However, raising awareness is the first step. To ensure safety, cryptocurrency investors should utilize hardware wallets, revoke unused token approvals, and continuously educate themselves on new strategies to protect against emerging threats. Most importantly, they must maintain a rational mindset and not allow the potential for profit to compromise their security practices.
