So far in 2024, decentralized finance (DeFi) users have lost almost US$1.5 billion to security exploits and fraud, a figure that highlights how serious the vulnerabilities in this fast-growing industry are. A recent study provides disturbing insights into the security practices of crypto investors: too many people rely on basic measures such as two-factor authentication (2FA) alone and overlook more advanced protections, even as the promise of a financial system without traditional middlemen draws them in. Insufficient vigilance leaves these users exposed to major financial losses, and the problem is made worse by a poor understanding of DeFi’s underlying security.
The introduction of Bitcoin in 2008 ignited what we now know as DeFi. It envisioned a peer-to-peer digital cash system that dispensed with the need to trust banks or governments. This concept has since evolved into a complex ecosystem of decentralized applications (dApps) offering services such as lending, borrowing, and trading. Recently, tens of billions of dollars have flooded into the DeFi market, and this influx brings not only legitimate users but also malicious actors looking to exploit any vulnerability.
Over-Reliance on Basic Security Measures
Many DeFi users put their faith in surface-level security measures, yet this over-reliance leaves them exposed to a wide array of threats. The research found that 57.1% of users do nothing beyond two-factor authentication (2FA) to safeguard themselves from rug pulls, a type of scam in which developers abandon a project after collecting investors’ money. Nearly half of all users, 49.3%, relied on 2FA alone as a security measure against smart contract exploits, which occur when attackers abuse coding flaws in DeFi applications.
"Two-factor authentication has been one of the best solutions for keeping wallets safe" - a participant in the study.
2FA adds an extra layer of security, but it is not a complete solution: it protects the login to an account, advanced attacks can bypass it, and it does nothing to stop a rug pull or a contract exploit that moves funds on-chain. Stronger countermeasures, such as regularly monitoring token approvals and revoking them, are rarely prioritized. Token approvals are the mechanism by which DeFi applications obtain permission to move the tokens in your wallet. Leaving overly broad approvals in place invites unauthorized withdrawals and puts your funds at risk. Our research found that only 10.8% of participants routinely checked and revoked their token approvals as a safeguard against rug pulls, and just 16.3% used this measure to protect themselves from smart contract exploits.
This spread of haphazard security practices leaves plenty of room for bad actors. A recent $1.5 billion crypto heist was reportedly attributed to a front-end attack, underscoring the need for comprehensive security measures that extend beyond basic authentication.
The Psychology of DeFi Victims
The aftermath of a DeFi rug-pull scam is complex, and victims show a wide range of reactions. One in four victims (26%) took no action at all after being defrauded, whether from uncertainty about what to do or from a sense of powerlessness. More strikingly, 16.4% of victims chose to reinvest in other DeFi services. Whether this decision is driven by a need to recoup losses or by continued faith in the promise of DeFi remains unclear.
Even after their financial losses, many victims remain hopeful about the promise of DeFi. More than half of the victims said their belief in DeFi either stayed the same or grew stronger after the incident. Much of this resilience stems from the benefits DeFi promises: greater choice and convenience in managing money and access to new financial products.
"My belief in cryptocurrency has grown stronger after that because I made good money from it" - a user who lost $4,700 due to a rug-pull incident.
This conviction can be a strength, but it is also a weakness, because many users hold false assumptions about the security of DeFi protocols.
Misconceptions and the Path Forward
Many users are under the false impression that DeFi is secure by nature because it runs on a blockchain. This misperception is dangerous: many users wrongly believe that a hacker would need to take control of an entire blockchain network in order to steal funds.
"because a hacker would have to override an entire blockchain" - a computer user interviewed in the study.
Blockchain technology provides a secure and transparent foundation, but the DeFi applications built on top of it continue to rack up billion-dollar exploits and rampant scams. Smart contract flaws, front-end attacks, and social engineering have all successfully compromised DeFi systems, and each of these can be exploited to steal users’ funds.
In order to mitigate these risks, DeFi users must take a more proactive and informed approach to security. This includes:
- Educating themselves: Users should take the time to understand the risks associated with DeFi and learn about best practices for protecting their funds.
- Using a variety of security measures: Relying solely on 2FA is not sufficient. Users should also regularly check and revoke token approvals, use hardware wallets, and be wary of suspicious links and offers.
- Staying informed: The DeFi landscape is constantly evolving, so users need to stay up-to-date on the latest threats and vulnerabilities.
- Being cautious: If something seems too good to be true, it probably is. Users should avoid investing in projects they don't understand and be wary of promises of guaranteed returns.
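The token-approval check recommended above (monitoring allowances and revoking over-broad ones) as a worked example; this is added code, not the study's or any wallet's, and the addresses and amounts are constructed placeholders. It treats allowance records the way a wallet monitor would collect them from allowance() calls, flags unlimited or over-broad approvals, and builds the calldata for the standard ERC-20 revocation, approve(spender, 0); the 2**128 "unlimited" threshold is a heuristic assumption, not a standard.

```python
# Added example for this article (not the study's or any wallet's code): an offline
# reviewer for ERC-20 token approvals, fed with records as a wallet monitor would
# collect them. All addresses and amounts below are constructed placeholders.
UINT256_MAX = 2**256 - 1
# Assumption (heuristic, not a standard): an allowance at or above 2**128 base
# units is treated as "unlimited"; dapps request such approvals as 2**256-1 or similar.
UNLIMITED_THRESHOLD = 2**128
# Well-known ERC-20 selector: first 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
# Constructed sample allowances; amounts are in the token's base units.
SAMPLE_ALLOWANCES = [
    {"token": "0x" + "aa" * 20, "spender": "0x" + "01" * 20, "allowance": UINT256_MAX, "balance": 5_000},
    {"token": "0x" + "bb" * 20, "spender": "0x" + "02" * 20, "allowance": 100, "balance": 10_000},
    {"token": "0x" + "cc" * 20, "spender": "0x" + "03" * 20, "allowance": 0, "balance": 250},
    {"token": "0x" + "dd" * 20, "spender": "0x" + "04" * 20, "allowance": 20_000, "balance": 300},
]

def decode_allowance(ret_hex: str) -> int:
    """Decode the 32-byte big-endian uint256 that an allowance() eth_call returns."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    if len(data) != 32:
        raise ValueError("allowance() must return exactly 32 bytes")
    return int.from_bytes(data, "big")

def classify(allowance: int, balance: int) -> str:
    """Verdict for one approval: none, bounded, exceeds_balance or unlimited."""
    if allowance == 0:
        return "none"
    if allowance >= UNLIMITED_THRESHOLD:
        return "unlimited"
    if allowance > balance:
        return "exceeds_balance"  # spender may pull more than the wallet holds today
    return "bounded"

def encode_revoke(spender: str) -> bytes:
    """ABI-encode approve(spender, 0): selector + left-padded address + uint256 zero."""
    addr = bytes.fromhex(spender[2:])
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte hex address")
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + (0).to_bytes(32, "big")

def review(records):
    """Return (token, spender, verdict, revoke calldata hex) for each risky approval."""
    risky = []
    for r in records:
        verdict = classify(r["allowance"], r["balance"])
        if verdict in ("unlimited", "exceeds_balance"):
            risky.append((r["token"], r["spender"], verdict, "0x" + encode_revoke(r["spender"]).hex()))
    return risky
```

Each returned calldata hex is what a wallet sends to the token contract (not to the spender) to zero that approval; a bounded allowance that still exceeds what you intend to spend is worth revoking too.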