Decentralized finance is booming − and so are the security risks. My team surveyed nearly 500 crypto investors and uncovered the most common mistakes

Africa Biz Watch by Africa Biz Watch
May 8, 2025

When the first cryptocurrency, Bitcoin, was proposed in 2008, the goal was simple: to create a digital currency free from banks and governments. Over time, that idea evolved into something much bigger: “decentralized finance,” or “DeFi.”

With decentralized finance, people trade, borrow and earn interest on crypto assets without relying on traditional intermediaries. DeFi services run on blockchains, which are essentially digital ledgers, and use “smart contracts” − self-executing code that automates financial transactions. Tens of billions of dollars have poured into the DeFi market.

But with innovation come risks. The lack of centralized oversight has made crypto, including decentralized finance, a prime target for hackers and scammers. In 2024 alone, people lost nearly US$1.5 billion due to security exploits and fraud. And unlike traditional finance, there’s usually no way to recover stolen crypto.

As a computer scientist, I wanted to better understand how people perceive and respond to these risks. So my colleagues and I first conducted in-depth interviews with 14 crypto investors, then surveyed nearly 500 others to validate our findings.

Our study found that people often made the same mistakes, driven by recurring misconceptions and gaps in security awareness. Here are some of the most important.

Mistake 1: Thinking the blockchain guarantees security

Many people told us they thought decentralized finance was secure – but their reasoning wasn’t very convincing. Some seemed to confuse decentralized finance with blockchain technology itself, which is designed to ensure transactions are tamper-resistant through so-called “consensus mechanisms.” One told us that DeFi is secure “because a hacker would have to override an entire blockchain” to steal funds.

But services on the blockchain are still vulnerable to implementation and design flaws. These include smart contract breaches, in which bad guys exploit bugs in a service’s code, and front-end attacks, where a user interface is altered to redirect funds into a hacker’s wallet. A front-end attack was reportedly to blame for a recent $1.5 billion crypto heist.

CNBC reports on the record-breaking $1.5 billion crypto theft.

Mistake 2: Thinking safe keys mean safe funds

Another common misconception is that DeFi is secure if private keys are well stored. A private key is a secret code that allows someone to access their crypto assets. It’s true that in DeFi – unlike in centralized crypto finance where an exchange holds private keys – users have full control over their own private keys.

But even with perfect private key management, users can still lose funds by interacting with compromised DeFi platforms. That’s because safeguarding private keys can prevent only direct attacks targeting private key access, such as phishing attempts.

The people we spoke with also failed to follow best practices for securing their private keys. Using a hardware wallet – a physical device that stores private keys offline – is one of the most secure options for protecting keys from online threats. However, our study found that only a handful of participants actually used hardware wallets.

Mistake 3: Thinking 2-factor authentication is a silver bullet

Two-factor authentication, or 2FA, is a standard security mechanism in which two forms of verification are required to access an account. Think being texted a one-time code before you can log into your bank account.

To prevent account breaches, centralized crypto exchanges such as Binance and Coinbase use two-factor authentication for logins, account recovery and withdrawal confirmations. But while 2FA is crucial to security in the traditional and centralized crypto finance system, it plays a much smaller role in decentralized finance.

DeFi wallets give users access based on private key ownership rather than identity verification, which means traditional 2FA can’t be used. Instead, only 2FA-like mechanisms are available in DeFi. For instance, multisignature wallets require approval from multiple private key holders. However, if your private key is compromised, attackers can perform wallet operations on your behalf without any additional verification. In addition, even users who adopt 2FA-like measures can’t prevent the security breaches on the DeFi services’ end.

Unfortunately, our participants were overly confident regarding the effectiveness of 2FA, with one saying, “Two-factor authentication has been one of the best solutions for keeping wallets safe.” In our survey, 57.1% of users relied on 2FA as their only technical countermeasure against rug pulls – scams where project creators suddenly withdraw funds – and 49.3% did so for smart contract exploits. This misplaced trust could lead them to ignore more effective security strategies.

Mistake 4: Not managing token approvals

One such effective strategy is revoking token approvals. In DeFi, tokens are digital assets on a blockchain that represent value or rights, and users often need to approve smart contracts to access or spend them. But if you leave these approvals open, a malicious contract – or one that’s been hacked – can drain your wallet. So it’s crucial to routinely check all token approvals you’ve granted to prevent losses caused by fraudulent or hacked DeFi services. Specifically, you should limit spending allowances instead of using the default “unlimited” option, and revoke approvals for apps you no longer use or trust.

Worryingly, we found that only 10.8% and 16.3% of participants regularly checked and revoked token approvals to protect against rug pulls and smart contract exploits, respectively. In light of this, we recommend that wallet providers introduce a reminder feature to prompt users to review their token approvals periodically.
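
As an illustration of the routine check described above (an added example, not code from the study or from any wallet), the Python below rebuilds a wallet's outstanding ERC-20 approvals from Approval event logs and flags the ones to revoke or reduce. The addresses, the log entries and the `trusted_spenders` list are constructed for the example; real logs would come from a node or block explorer.

```python
# Added example; every address and log entry below is constructed sample data.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "unlimited" allowance many apps request by default

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Return {(token, spender): amount last approved} for non-zero approvals.

    Logs must be in chain order; the last event per pair wins and 0 revokes.
    The logged amount is not the live allowance (spending reduces it), so
    confirm with the token's allowance(owner, spender) before acting on it.
    """
    state = {}
    for log in logs:
        topics = log["topics"]
        # ERC-721 emits the same signature with a third indexed field (4 topics).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def review(approvals, trusted_spenders):
    """List approvals to revoke (spender not in use) or reduce (unlimited)."""
    findings = []
    for (token, spender), amount in sorted(approvals.items()):
        if spender not in trusted_spenders:
            findings.append((token, spender, "revoke"))
        elif amount == UNLIMITED:
            findings.append((token, spender, "reduce"))
    return findings

def _log(token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

OWNER, OTHER = "0x" + "a1" * 20, "0x" + "b2" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
DEX, OLD_APP = "0x" + "d1" * 20, "0x" + "0f" * 20
SAMPLE_LOGS = [_log(TOKEN_A, OWNER, DEX, UNLIMITED), _log(TOKEN_A, OWNER, OLD_APP, 500),
               _log(TOKEN_B, OWNER, OLD_APP, UNLIMITED), _log(TOKEN_B, OWNER, OLD_APP, 0),
               _log(TOKEN_B, OTHER, DEX, UNLIMITED), _log(TOKEN_B, OWNER, DEX, 1000)]
```

On the sample data, the revoked approval and the other wallet's approval drop out, the small allowance left with the unused app is flagged for revocation, and the unlimited allowance to the app still in use is flagged for reduction.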

Mistake 5: Not learning from past incidents

Even after they’re hacked or scammed, people often don’t do anything to improve their security practices, we found. Just 17.6% of those who reported being victims of a DeFi scam regularly checked token approvals afterward. Worse, 26% took no action at all after a scam, and 16.4% doubled down by investing even more in other DeFi services.

Surprisingly, more than half of the victims said their belief in DeFi either stayed the same or grew stronger after the incident. One user who lost $4,700 due to a rug-pull incident said, “My belief in cryptocurrency has grown stronger after that because I made good money from it.” That person added, “An opportunity to make money is something I believe in.” This suggests that DeFi users’ financial motivations can sometimes outweigh their security concerns – and, perhaps, their better judgment.

There’s no one-size-fits-all solution to DeFi security. But awareness is the first step. To stay safe, crypto investors should use hardware wallets, revoke unused token approvals and continually learn new techniques to protect themselves from evolving threats. Most importantly, they should stay rational and not let the allure of profits cloud their security practices.

The Conversation

Mingyi Liu does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
