Crypto Security Mistakes: 5 Costly Errors Investors Make & How to Avoid Them

When Bitcoin was introduced in 2008, its primary aim was to establish a digital currency that operated independently of banks and governments. As the years progressed, this concept expanded into a broader framework known as “decentralized finance,” or “DeFi.” DeFi enables individuals to trade, borrow, and earn interest on cryptocurrency assets without the need for traditional financial intermediaries. These decentralized services are built on blockchain technology, which functions as a digital ledger, and use “smart contracts,” self-executing programs that carry out financial transactions. The DeFi sector has attracted tens of billions of dollars in investments. However, this innovation has also brought about significant risks. The absence of centralized regulation has rendered cryptocurrencies, including DeFi platforms, vulnerable to attacks from hackers and fraudsters. In 2024 alone, losses due to security breaches and scams amounted to nearly $1.5 billion. Unlike in conventional finance, stolen cryptocurrency is often impossible to recover.

In my quest to understand how individuals perceive and react to these dangers, my colleagues and I conducted detailed interviews with 14 crypto investors and subsequently surveyed close to 500 additional participants to corroborate our findings. Our research revealed that many individuals frequently commit similar errors, primarily due to persistent misconceptions and a lack of awareness regarding security measures. Here are some of the key mistakes we identified.

Mistake 1: Misunderstanding Blockchain Security

A prevalent misconception among participants was the belief that decentralized finance is inherently secure. However, their reasoning was often flawed. Some confused the idea of decentralized finance with the underlying blockchain technology, which is designed to protect transactions through various “consensus mechanisms.” One participant claimed that DeFi is secure because a hacker would need to compromise an entire blockchain to access funds. Yet, services operating on blockchain networks can still be susceptible to flaws in design and execution. Vulnerabilities include breaches in smart contracts, where malicious actors exploit coding errors, and front-end attacks, which involve altering a user interface to divert funds to a hacker’s wallet. A notable example of this was a recent $1.5 billion crypto theft attributed to a front-end attack.

Mistake 2: Assuming Private Key Safety Ensures Fund Security

Another common misunderstanding is the belief that DeFi platforms are secure simply because private keys are stored securely. A private key is a confidential code that grants access to one’s cryptocurrency assets. In the realm of DeFi, users maintain complete control over their private keys, unlike in centralized finance systems where exchanges manage them. However, even with optimal private key management, users can still suffer financial losses by engaging with compromised DeFi platforms. Effective private key storage can only prevent direct attacks aimed at accessing those keys, such as phishing scams. Our interviews revealed that many users did not adhere to best practices for securing their private keys. For instance, using a hardware wallet — a physical device designed to store private keys offline — is among the most secure methods, yet our study found that only a small fraction of participants utilized hardware wallets.

Mistake 3: Overreliance on Two-Factor Authentication

Two-factor authentication (2FA) is a common security measure requiring two forms of verification to access an account, such as receiving a one-time code via text message before logging into a bank account. Centralized crypto exchanges like Binance and Coinbase implement 2FA for logins, account recovery, and withdrawal confirmations to enhance security. While 2FA is a critical component of security in traditional and centralized crypto finance, its role diminishes in decentralized finance. In DeFi, wallet access is determined by private key ownership rather than identity verification, rendering traditional 2FA ineffective. Instead, DeFi offers alternatives resembling 2FA, such as multisignature wallets, which necessitate approval from multiple private key holders. However, if a private key is compromised, attackers can conduct wallet operations without further verification. Additionally, users employing 2FA-like methods cannot prevent breaches on the DeFi service side. Alarmingly, many participants in our study exhibited undue confidence in the efficacy of 2FA, with one stating, “Two-factor authentication has been one of the best solutions for keeping wallets safe.” Our survey indicated that 57.1% of users relied solely on 2FA to protect against rug pulls — scams where project creators suddenly withdraw funds — and 49.3% did so against smart contract vulnerabilities. This misplaced trust may lead them to overlook more effective security practices.

Mistake 4: Neglecting Token Approval Management

A vital security strategy is the management of token approvals. In DeFi, tokens are digital assets on a blockchain representing value or rights, and users often need to authorize smart contracts to access or utilize them. Leaving these approvals open can allow a malicious contract — or a compromised one — to deplete a user’s wallet. Therefore, it is essential to regularly review all token approvals granted to mitigate losses from fraudulent or hacked DeFi services. Users should specifically limit spending allowances instead of opting for the default “unlimited” option and revoke approvals for applications they no longer trust or use. Our findings revealed that only 10.8% and 16.3% of participants routinely checked and revoked token approvals to guard against rug pulls and smart contract exploits, respectively. To address this issue, we recommend that wallet providers implement reminder features encouraging users to periodically review their token approvals.
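To make the approval hygiene above concrete, here is an added example (not from the article or any wallet's own code) that decodes an ERC-20 `approve()` call, flags the “unlimited” allowance that a default prompt sends, and builds the `approve(spender, 0)` call that revokes it. The function selector is the standard ERC-20 one; the spender addresses and calldata below are constructed for illustration.

```javascript
// Added example: review ERC-20 approvals the way a wallet reminder feature might.
// Standard ERC-20 ABI assumed; sample addresses are constructed, not real.

const APPROVE_SELECTOR = "095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")
const UNLIMITED = (1n << 256n) - 1n;   // uint256 max: what an "unlimited" approval sends

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
function word(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// Encode approve(spender, amount) exactly as a wallet would sign it.
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR + word(spender) + word(amount.toString(16));
}

// Decode calldata; returns null if it is not a well-formed approve() call.
function decodeApprove(calldata) {
  const data = calldata.replace(/^0x/, "").toLowerCase();
  if (data.length !== 8 + 64 + 64 || !data.startsWith(APPROVE_SELECTOR)) return null;
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // address is the low 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(72));       // word 2 is the allowance
  return { spender, amount };
}

// Classify an approval so a review tool can tell the user what they are granting.
function classifyApproval(calldata, tokenDecimals = 18) {
  const call = decodeApprove(calldata);
  if (!call) return { kind: "not-approve" };
  if (call.amount === 0n) return { kind: "revoked", spender: call.spender };
  if (call.amount === UNLIMITED) return { kind: "unlimited", spender: call.spender };
  const whole = call.amount / 10n ** BigInt(tokenDecimals); // whole tokens, ignoring dust
  return { kind: "bounded", spender: call.spender, whole };
}

// Revoking an allowance is simply approve(spender, 0) sent to the token contract.
function encodeRevoke(spender) {
  return encodeApprove(spender, 0n);
}

// Stand-alone demo with a constructed spender address.
const DEMO_SPENDER = "0x1111111111111111111111111111111111111111";
const unlimitedCall = encodeApprove(DEMO_SPENDER, UNLIMITED);
console.log(classifyApproval(unlimitedCall));                  // kind: "unlimited"
console.log(classifyApproval(encodeApprove(DEMO_SPENDER, 250n * 10n ** 18n))); // bounded, 250 tokens
console.log(classifyApproval(encodeRevoke(DEMO_SPENDER)));     // kind: "revoked"
```

A wallet or browser extension could run `classifyApproval` on every pending transaction and warn before signing anything that classifies as `unlimited`.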

Mistake 5: Failing to Learn from Previous Incidents

Even after experiencing hacks or scams, many individuals do not take steps to enhance their security protocols, according to our research. Only 17.6% of those who reported being victims of a DeFi scam regularly checked their token approvals afterward. Alarmingly, 26% took no action following a scam, and 16.4% even increased their investments in other DeFi services. Surprisingly, over half of the victims indicated that their belief in DeFi remained unchanged or grew stronger post-incident. One user who lost $4,700 to a rug pull remarked, “My belief in cryptocurrency has grown stronger after that because I made good money from it,” adding, “An opportunity to make money is something I believe in.” This highlights how financial incentives can sometimes overshadow security concerns and sound judgment among DeFi users.

While there may not be a universal solution to the security challenges within DeFi, awareness is crucial. To ensure their safety, cryptocurrency investors should utilize hardware wallets, revoke unused token approvals, and continuously educate themselves about emerging security threats. Most importantly, they must maintain a rational mindset and not allow the lure of profits to compromise their security practices.