When Bitcoin was introduced in 2008, its primary aim was clear: to establish a digital currency independent of government and banking systems. However, this concept has transformed significantly, evolving into a broader framework known as “decentralized finance,” or “DeFi.” DeFi allows individuals to trade, borrow, and earn interest on cryptocurrency assets without the need for conventional financial intermediaries. The services within DeFi operate on blockchains—digital ledgers that facilitate transactions—and utilize “smart contracts,” self-executing code that automates financial operations. The DeFi sector has attracted tens of billions of dollars in investments. Nonetheless, this innovation is not without its risks. The absence of centralized regulation has rendered both cryptocurrency and decentralized finance vulnerable to hacking and fraud. In 2024, losses from security breaches and scams in this space approached $1.5 billion. Unlike in traditional financial systems, stolen crypto assets often cannot be recovered.
To gain insights into how individuals perceive and react to these risks, a research team conducted in-depth interviews with 14 cryptocurrency investors and followed up with a survey of nearly 500 additional participants to confirm their findings. The results revealed that many individuals fell into the same traps, which were often fueled by persistent misconceptions and a lack of security awareness.
Mistake 1: Misunderstanding Blockchain Security
A prevalent misunderstanding among users is the belief that blockchain technology guarantees security for decentralized finance. Participants often conflated DeFi with blockchain itself, which employs “consensus mechanisms” to ensure transaction integrity and resistance to tampering. One participant remarked that DeFi is secure because “a hacker would have to override an entire blockchain” to steal assets. However, services running on blockchains are still susceptible to various vulnerabilities, including flaws in implementation and design. For instance, breaches in smart contracts occur when malicious actors exploit coding errors, while front-end attacks involve altering user interfaces to divert funds into a hacker’s wallet. A notable example of this was a recent $1.5 billion crypto heist attributed to a front-end attack.
Mistake 2: Misplaced Trust in Private Key Management
Another widespread misconception is the belief that DeFi platforms are secure as long as private keys are well-protected. A private key is a confidential code that grants access to one’s cryptocurrency assets. Unlike centralized finance, where exchanges manage private keys, DeFi users retain control over their own keys. However, even with optimal private key management, users risk losing funds if they engage with compromised DeFi applications. Protecting private keys only safeguards against direct attacks aimed at accessing them, such as phishing scams. Our research indicated that many interviewees did not adhere to best practices for securing their private keys. Utilizing a hardware wallet—a physical device that stores private keys offline—can significantly enhance security, yet only a small fraction of participants reported employing this method.
Mistake 3: Overreliance on Two-Factor Authentication
Two-factor authentication (2FA) is a security measure requiring two forms of verification to access an account, such as receiving a one-time code via text before logging into a banking platform. Centralized cryptocurrency exchanges like Binance and Coinbase implement 2FA to secure logins, account recovery, and withdrawal confirmations. While essential for security in centralized systems, 2FA’s role diminishes in decentralized finance. In DeFi, wallet access is determined by ownership of private keys rather than identity verification, rendering traditional 2FA ineffective. Alternatives in DeFi, like multisignature wallets, require approval from multiple private key holders. However, if a private key is compromised, attackers can execute transactions without further verification. Our study found that many participants held an inflated sense of confidence in 2FA’s effectiveness, with 57.1% relying solely on it as a safeguard against rug pulls—scams where project developers abruptly withdraw funds—and 49.3% doing the same for smart contract vulnerabilities. This misplaced confidence might lead them to overlook more effective security measures.
Mistake 4: Neglecting Token Approval Management
An effective security strategy that many users overlook is the management of token approvals. In DeFi, tokens are digital assets representing value or rights, and users typically must approve smart contracts to utilize or spend them. Leaving these approvals open poses a risk, as a malicious or compromised contract can deplete a user’s wallet. It is essential to regularly review all granted token approvals to mitigate losses from fraudulent or hacked DeFi services. Users should restrict spending allowances rather than opting for the default “unlimited” setting and revoke approvals for applications they no longer trust or use. Alarmingly, our research revealed that only 10.8% and 16.3% of participants consistently checked and revoked token approvals to guard against rug pulls and smart contract exploits, respectively. We recommend that wallet providers implement reminder features to encourage users to periodically review their token approvals.
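As an added illustration of the approval review this section recommends (example code, not from the article or the underlying study), the following Python script replays a wallet's ERC-20 Approval events, works out which allowances are still open, flags those that are unlimited or granted to spenders outside a trusted set, and produces the approve(spender, 0) transaction data that would revoke each one. The event records and addresses are constructed placeholders.

```python
# Added example, not code from the article: audit a wallet's ERC-20 token
# approvals from its Approval event history and build a revocation plan.
# Assumptions: the events below are constructed, not fetched from a node, and
# addresses are placeholders; 0x095ea7b3 is the standard ERC-20 approve selector.

UNLIMITED = 2**256 - 1           # the "unlimited" allowance dapps request by default
APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]

ROUTER, OLD_DAPP, POOL = ("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20)
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20)

# Constructed sample: (block, token, spender, value) decoded from
# Approval(owner, spender, value) logs where owner is the user's wallet.
SAMPLE_EVENTS = [
    (100, TOKEN_A, ROUTER, UNLIMITED),
    (120, TOKEN_A, ROUTER, 0),              # user already revoked this one
    (150, TOKEN_B, ROUTER, 500 * 10**18),   # bounded allowance to a trusted router
    (200, TOKEN_B, OLD_DAPP, UNLIMITED),    # unlimited, granted to an app no longer used
    (210, TOKEN_C, POOL, 5 * 10**18),       # bounded, trusted
]

def current_allowances(events):
    """Latest Approval value per (token, spender): approve() overwrites, so the
    newest event wins. transferFrom spends allowance without emitting Approval,
    so this is an upper bound; confirm with allowance() before acting."""
    latest = {}
    for _block, token, spender, value in sorted(events):
        latest[(token, spender)] = value
    return {key: value for key, value in latest.items() if value > 0}

def approve_calldata(spender, amount):
    """ABI-encode approve(spender, amount): 4-byte selector, address left-padded
    to 32 bytes, uint256 amount as 32 bytes. amount=0 revokes the approval."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

def revocation_plan(events, trusted_spenders):
    """Flag each open approval that is unlimited or goes to an untrusted spender,
    and return the approve(spender, 0) transaction data that would revoke it."""
    plan = []
    for (token, spender), value in sorted(current_allowances(events).items()):
        unlimited = value == UNLIMITED
        if unlimited or spender not in trusted_spenders:
            plan.append({"token": token, "spender": spender, "unlimited": unlimited,
                         "data": approve_calldata(spender, 0)})
    return plan

if __name__ == "__main__":
    for item in revocation_plan(SAMPLE_EVENTS, {ROUTER, POOL}):
        kind = "UNLIMITED" if item["unlimited"] else "untrusted"
        print(f"revoke {kind} approval: token {item['token']} spender {item['spender']}")
```

In practice the events come from each token contract's Approval logs filtered by the wallet address, and a live allowance() call should confirm each value before the revocation transaction is sent.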
Mistake 5: Failing to Learn from Past Security Breaches
Even after experiencing hacks or scams, many users do not take steps to enhance their security practices. Our findings showed that only 17.6% of individuals who were victims of DeFi scams regularly checked their token approvals afterward. Alarmingly, 26% took no action following a scam, and 16.4% even increased their investments in other DeFi platforms. Surprisingly, more than half of the victims reported that their faith in DeFi either remained unchanged or grew stronger after the incident. One individual who lost $4,700 in a rug-pull incident stated, “My belief in cryptocurrency has grown stronger because I made good money from it,” emphasizing their unwavering belief in the profit potential of cryptocurrency despite the risks involved. This indicates that the financial motivations of DeFi users can sometimes overshadow their security concerns and judgment.
There is no universal solution for ensuring security in decentralized finance. However, raising awareness is the first step. To protect themselves, cryptocurrency investors should employ hardware wallets, revoke approvals for unused tokens, and continually educate themselves on new security measures to counter evolving threats. Most importantly, they should remain level-headed and not allow the prospect of profits to compromise their security practices.
