Quick answer
The most important DeFi security rules: never share your recovery phrase with anyone (ever, for any reason); only access protocols from bookmarked official URLs; use a hardware wallet (Ledger) for serious amounts; regularly revoke unnecessary token approvals at revoke.cash; and treat any unsolicited contact offering to 'help' you as an attempted scam.
Why DeFi security is different from traditional finance
In traditional finance, there are layers of protection between you and permanent loss: banks reverse fraudulent transactions, card providers offer chargeback rights, deposit schemes protect savings up to a limit, and courts can compel the return of stolen funds.
DeFi has none of these protections. Blockchain transactions are irreversible. Smart contracts execute automatically. There is no customer service, no fraud department, no court that can unwind an on-chain transaction. If your funds are stolen or lost, they are usually gone permanently.
This is not a flaw — irreversibility and trustlessness are features that make DeFi function without intermediaries. But they transfer the full burden of security to the individual user. Understanding exactly how attacks work is the first step to preventing them.
According to blockchain security firms, over $10 billion has been lost to DeFi exploits, scams, and user errors since 2020. The vast majority of individual losses come not from protocol hacks but from phishing, social engineering, and seed phrase exposure — all entirely preventable.
Attack type 1: Phishing websites and fake applications
This is the most common way ordinary users lose funds. A phishing site looks visually identical to a legitimate protocol's front-end: same colours, same layout, same logo. Only the URL is slightly different: un1swap.org instead of uniswap.org, aave-finance.io instead of app.aave.com.
When you connect your wallet to a phishing site and approve a transaction, you may be signing over unlimited access to your tokens — the site drains your wallet instantly.
- 01 Bookmark all official URLs immediately
Right now, bookmark: app.uniswap.org, app.aave.com, metamask.io, curve.fi, app.compound.finance, and any other protocols you use. Access them exclusively via these bookmarks — never via search results or links in messages.
- 02 Never click links in emails, Discord, or Twitter
Scammers send emails purporting to be from MetaMask, Uniswap, or other protocols. Official protocols do not email you. Discord servers for DeFi projects are frequently infiltrated with bot accounts posting fake links. Always navigate directly.
- 03 Be especially wary of Google Ads
Phishing sites frequently purchase Google Ads for search terms like 'Uniswap', 'MetaMask', and 'Aave'. The ad may appear directly above the legitimate search result. Always scroll past ads to find the organic official link, or type the URL directly.
- 04 Check the URL bar before connecting your wallet
Before clicking 'Connect wallet' on any site, look carefully at the full URL, including the domain extension. app.uniswap.org is legitimate; app.uniswap.finance, app.uniswap.xyz, or any other variation is a phishing site.
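The URL check in steps 01 and 04 above, as an added example in JavaScript that is not part of the original article: it compares the whole hostname of a URL against an allowlist of bookmarked official front-ends, and contrasts that with the substring check many people do in their head ("it says uniswap, so it must be Uniswap"), which accepts every lookalike domain the article names. The allowlisted hosts are the ones the article lists; the function names and the extra lookalike URLs (subdomain trick, homoglyph, plain HTTP) are constructed for this example.

```javascript
// Added example (not from the original article): decide whether a URL is one
// of your bookmarked official front-ends before you connect a wallet.
// The hosts below are the ones the article lists; everything else is
// constructed for illustration.
const OFFICIAL_HOSTS = new Set([
  "app.uniswap.org",
  "app.aave.com",
  "metamask.io",
  "curve.fi",
  "app.compound.finance",
]);

// The mistake to avoid: matching on the brand name as a substring.
// Every lookalike domain contains the brand, so this accepts phishing sites.
function naiveLooksOfficial(urlString) {
  const brands = ["uniswap", "aave", "metamask", "curve", "compound"];
  const lower = String(urlString).toLowerCase();
  return brands.some((brand) => lower.includes(brand));
}

// The check the article asks for: read the whole hostname, domain extension
// included, and require an exact match. URL.hostname lower-cases the host and
// converts internationalised (homoglyph) hosts to punycode, so neither case
// tricks nor look-alike Unicode letters can compare equal to the real domain.
// Plain HTTP is also rejected: a wallet connection should never be unencrypted.
function isOfficialFrontend(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // anything that does not parse as a URL is not trusted
  }
  if (url.protocol !== "https:") return false;
  return OFFICIAL_HOSTS.has(url.hostname);
}

// Run both checks over a list of URLs and report the two verdicts side by side.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    naive: naiveLooksOfficial(u),
    exact: isOfficialFrontend(u),
  }));
}

// The article's phishing examples plus constructed variants.
const SAMPLE_URLS = [
  "https://app.uniswap.org/swap",          // genuine
  "https://un1swap.org",                   // article's example: digit for letter
  "https://aave-finance.io",               // article's example: wrong domain
  "https://app.uniswap.finance",           // article's example: wrong extension
  "https://app.uniswap.org.evil.example/", // constructed: real host as a subdomain
  "https://app.uniswаp.org",               // constructed: Cyrillic 'а' inside uniswap
  "http://app.uniswap.org",                // constructed: genuine host, no TLS
];

for (const row of compareChecks(SAMPLE_URLS)) {
  console.log(`${row.url.padEnd(40)} naive=${row.naive} exact=${row.exact}`);
}
```

Only the first sample passes the exact check; the naive check waves through every lookalike that still contains the brand name. The same exact-host comparison is what your browser bookmark gives you for free, which is why the article tells you to use bookmarks rather than judging a URL by eye.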
Attack type 2: Recovery phrase (seed phrase) theft
Your 12 or 24-word recovery phrase is the single most valuable piece of information in DeFi. Anyone with it has complete, immediate, irrevocable access to every asset in your wallet.
Social engineering — tricking you into revealing your phrase — is one of the most effective attack vectors because it bypasses all technical security. Attackers impersonate wallet support staff, project moderators, MetaMask helpdesks, and even friends.
- 01 Understand that 'wallet support' in DMs is always a scam
MetaMask, Ledger, and every other legitimate company in crypto will not DM you on Discord, Telegram, or Twitter/X. Their 'support' staff will never contact you first. If you post in a public forum that you have a problem with your wallet, expect scammers to DM you within minutes posing as support.
- 02 Recognise the 'validation' scam
A common script: your wallet is 'flagged' and needs to be 'validated' by entering your recovery phrase on a fake website. No such process exists. This is theft.
- 03 Store your recovery phrase physically, offline
Write your phrase on paper or a metal backup plate. Store it somewhere physically secure (fireproof safe, safe deposit box). Never photograph it, type it in a document, store it in cloud services, or tell anyone what it is.
- 04 Test your backup before loading serious funds
Restore your recovery phrase on a fresh device (or use MetaMask's 'reveal seed phrase' feature after resetting) to verify it works, before sending significant amounts to the wallet.
No legitimate company, application, wallet provider, support person, or community moderator will ever ask for your recovery phrase. There is no legitimate reason for anyone to need it except you, when restoring your own wallet. If anyone asks for it — in any context, through any channel — they are attempting to steal your funds.
Attack type 3: Malicious token approvals
When you use a DeFi protocol for the first time, you give it permission to access specific tokens in your wallet — this is called a token approval. Most legitimate protocols request approval for specific amounts. Malicious contracts request unlimited approval, then drain your wallet in a follow-up transaction.
Approvals persist indefinitely even after you stop using a protocol. If a protocol you approved a year ago is later hacked, or if you approved a malicious contract without realising, that approval can be used to steal your funds at any time.
- 01 Review every approval before signing
When MetaMask shows you an approval transaction, read it carefully. Unlimited approvals (type: 'unlimited amount') for unfamiliar contracts are a serious red flag.
- 02 Use revoke.cash regularly
Visit revoke.cash, connect your wallet, and see every active token approval you have given. Revoke any approvals for protocols you no longer use, unrecognised contracts, or those requesting unlimited amounts.
- 03 Use a separate wallet for experimenting with new protocols
Serious DeFi users maintain a 'hot' wallet with only a small amount of funds for testing new protocols, and a separate 'cold' hardware wallet for holding larger amounts. A compromised approval on your hot wallet cannot affect your cold wallet.
Make a monthly habit of visiting revoke.cash and reviewing your token approvals. Revoke anything you don't recognise or no longer need. The small gas fee for revoking is cheap insurance against a potentially catastrophic approval exploit.
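Step 01 above asks you to read every approval before signing. As an added example, not code from the article, from MetaMask or from any wallet, the following JavaScript decodes the calldata of a pending transaction the way a wallet's approval screen does: it recognises the ERC-20 approve(address,uint256) call, extracts the spender and the amount, and grades the request against a list of spenders you already use. It goes slightly beyond the article in also handling the NFT equivalent, setApprovalForAll(address,bool), and in recognising a zero-amount approval as the revocation that revoke.cash sends. The function names, the 'effectively unlimited' threshold, the token and spender addresses and the sample transactions are all constructed for this example.

```javascript
// Added example (not from the article, MetaMask or any wallet): decode a
// pending transaction's calldata and grade the approval before signing.
// Selectors are the first 4 bytes of keccak256 of the function signature.
const SELECTOR_APPROVE = "095ea7b3";              // approve(address,uint256), ERC-20
const SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool), ERC-721/1155
const UINT256_MAX = (1n << 256n) - 1n;
// Assumed threshold for this example: an amount this large is treated as
// unlimited even when it is not exactly 2^256-1. Real wallets use their own rules.
const EFFECTIVELY_UNLIMITED = 1n << 200n;

// Parse "0x"-prefixed calldata. Returns null for anything that is not a
// well-formed approval call, so a transfer is never mistaken for an approval.
function decodeApproval(calldataHex) {
  const data = String(calldataHex).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data) || data.length !== 8 + 64 * 2) return null;
  const selector = data.slice(0, 8);
  const word1 = data.slice(8, 72);   // ABI word 1: address, left-padded to 32 bytes
  const word2 = data.slice(72, 136); // ABI word 2: uint256 amount, or bool
  if (!word1.startsWith("0".repeat(24))) return null; // padding bytes must be zero
  const spender = "0x" + word1.slice(24);
  if (selector === SELECTOR_APPROVE) {
    const amount = BigInt("0x" + word2);
    const unlimited = amount === UINT256_MAX || amount >= EFFECTIVELY_UNLIMITED;
    return { kind: "erc20-approve", spender, amount, unlimited };
  }
  if (selector === SELECTOR_SET_APPROVAL_FOR_ALL) {
    const flag = BigInt("0x" + word2);
    if (flag > 1n) return null; // a bool must be 0 or 1
    // Approving an operator for every NFT you own is unlimited by definition.
    return { kind: "nft-set-approval-for-all", spender, amount: null, unlimited: flag === 1n };
  }
  return null;
}

// Grade the request the way a careful user reads the wallet's approval screen.
// trustedSpenders: lower-cased addresses of contracts you knowingly use.
function reviewTransaction(tx, trustedSpenders) {
  const d = decodeApproval(tx.data);
  if (!d) return { verdict: "not-an-approval", reason: "calldata is not approve/setApprovalForAll" };
  const revocation = d.kind === "erc20-approve" ? d.amount === 0n : !d.unlimited;
  if (revocation) return { ...d, verdict: "ok", reason: "revocation: removes an existing approval" };
  const trusted = trustedSpenders.has(d.spender.toLowerCase());
  if (d.unlimited && !trusted) return { ...d, verdict: "danger", reason: "unlimited approval to an unfamiliar contract" };
  if (d.unlimited) return { ...d, verdict: "warn", reason: "unlimited approval; prefer a bounded amount" };
  if (!trusted) return { ...d, verdict: "warn", reason: "bounded approval to an unfamiliar contract" };
  return { ...d, verdict: "ok", reason: "bounded approval to a spender you use" };
}

// Constructed sample data: a token contract, a router you use, and a contract
// that some unknown website asked you to approve.
const TOKEN = "0x" + "aa".repeat(20);
const SPENDER_KNOWN = "0x" + "11".repeat(20);
const SPENDER_UNKNOWN = "0x" + "ee".repeat(20);
const TRUSTED = new Set([SPENDER_KNOWN]);
const word = (hex) => hex.padStart(64, "0"); // left-pad to one 32-byte ABI word

const SAMPLE_TXS = {
  // approve(router, 1,000 units of a 6-decimal token) -> bounded, known spender
  boundedToKnown: { to: TOKEN, data: "0x" + SELECTOR_APPROVE + word(SPENDER_KNOWN.slice(2)) + word((1000000000n).toString(16)) },
  // approve(unknown, 2^256-1) -> the 'unlimited amount' red flag
  unlimitedToUnknown: { to: TOKEN, data: "0x" + SELECTOR_APPROVE + word(SPENDER_UNKNOWN.slice(2)) + "f".repeat(64) },
  // approve(unknown, 0) -> what revoke.cash sends to cancel an approval
  revocation: { to: TOKEN, data: "0x" + SELECTOR_APPROVE + word(SPENDER_UNKNOWN.slice(2)) + word("0") },
  // setApprovalForAll(unknown, true) -> hands over every NFT in the collection
  nftAllToUnknown: { to: TOKEN, data: "0x" + SELECTOR_SET_APPROVAL_FOR_ALL + word(SPENDER_UNKNOWN.slice(2)) + word("1") },
  // transfer(unknown, 1) -> not an approval at all
  plainTransfer: { to: TOKEN, data: "0xa9059cbb" + word(SPENDER_UNKNOWN.slice(2)) + word("1") },
};

for (const [name, tx] of Object.entries(SAMPLE_TXS)) {
  const r = reviewTransaction(tx, TRUSTED);
  console.log(`${name.padEnd(20)} ${r.verdict.padEnd(16)} ${r.reason}`);
}
```

The decoder only sees calldata, so it covers the approval transactions this section describes; it does not see gasless EIP-2612 permit approvals, which arrive as a signature request rather than a transaction and deserve the same scrutiny on the wallet's signing screen.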
Attack type 4: Rug pulls
A rug pull is a scam where developers create a DeFi project, attract investment, and then withdraw all liquidity and disappear — 'pulling the rug' from under investors. The token value collapses to zero instantly.
Rug pulls can be hard or soft. A hard rug pull involves developers suddenly withdrawing liquidity and disappearing. A soft rug pull involves a slower exit — developers sell their large token allocations gradually, then abandon the project.
- Anonymous or pseudonymous team — no accountability if they disappear
- Unaudited smart contracts — no independent security review
- Promises of unusually high returns ('1000% APY') — economically unsustainable
- Locked liquidity for very short periods — liquidity providers can exit quickly
- Heavy promotional pressure and FOMO language — 'last chance', 'moon soon'
- No clear utility or product — just a token with vague promises
- Small, concentrated token ownership among a few wallets
- Copycat names of legitimate projects with slight variations
Attack type 5: Honeypot tokens
A honeypot is a token you can buy but cannot sell. The smart contract is coded with a hidden function that prevents any address (except the deployer's) from selling. You buy the token, the price pumps artificially, and then when you try to sell, the transaction fails every time.
Honeypots are typically promoted in Telegram groups and Discord servers with fake trading charts and excitement. They always require unusually high slippage to buy — a red flag.
- 01 Use Honeypot.is before buying any unfamiliar token
Honeypot.is simulates buy and sell transactions for any Ethereum token contract. If it shows 'HONEYPOT DETECTED', do not buy the token regardless of how attractive the return looks.
- 02 Check buy and sell taxes
Legitimate tokens have no or minimal sell taxes. A token with a 20%+ sell tax is designed to trap you. Check the contract on TokenSniffer or use a contract analyser before buying.
- 03 Be suspicious of any token requiring >10% slippage
Legitimate projects virtually never require high slippage. The only reason a token requires high slippage to buy is that it has high transaction taxes or the contract is manipulating trades.
How to verify a DeFi protocol before depositing
- 01 Check for security audits
Every reputable protocol publishes independent security audits from firms like Trail of Bits, OpenZeppelin, Certik, or Quantstamp. Audit reports should be public on the project's website or GitHub. A protocol with no public audit should not receive significant funds.
- 02 Check TVL history on DeFiLlama
Visit defillama.com and search the protocol. A legitimate, trusted protocol will show substantial TVL over time. A protocol showing exponential TVL growth in days is often a yield farm scam attracting capital before an exit. Look at the TVL chart over 6-12 months.
- 03 Verify the team and development activity
Look for a public GitHub with consistent development activity. Check LinkedIn for core team members. Anonymous teams are not automatically scams, but verifiable accountability increases trust. Look for advisers and investors who have reputations to protect.
- 04 Check how long it has been running
A protocol that has operated securely with hundreds of millions in TVL for 2+ years has demonstrated meaningful resilience. New protocols, regardless of audits, have not been battle-tested at scale.
- 05 Read the documentation
Legitimate protocols have clear, detailed documentation explaining how they work, their risk parameters, and their governance structure. Poor or absent documentation is a red flag.
Essential security toolkit
- Hardware wallet (Ledger Nano X or Trezor Model T) for any significant holdings
- Bookmark official URLs for all protocols you use — access from bookmarks only
- revoke.cash — monthly review and revocation of unnecessary token approvals
- Honeypot.is — check before buying any unfamiliar token
- DeFiLlama — verify TVL, age, and legitimacy of protocols
- Etherscan — examine token contracts, holder distributions, and transaction history
- Separate browser profile or device for crypto activities
- Never use public WiFi for DeFi transactions — use mobile data or VPN
- Use MetaMask's simulation feature to preview what a transaction will do before confirming
- Keep the wallet you use for DeFi separate from your long-term storage wallet
- Enable 2FA on all exchange accounts — use an authenticator app, not SMS
Frequently asked questions
What should I do immediately if I think my wallet is compromised?
Act within seconds. Transfer any remaining funds from the compromised wallet to a completely new wallet immediately. Go to revoke.cash and revoke all approvals on the compromised wallet (though if the private key is compromised, an attacker may front-run your revocations). Do not try to 'save' the compromised wallet — create a new one and transfer what you can. For significant losses, report to Action Fraud (UK) or the FBI's IC3 (US) — though recovery is usually impossible.
Is a hardware wallet really necessary?
For amounts under £200 and casual DeFi use, a well-secured MetaMask is manageable. For anything you would not want to lose — generally over £500 — a hardware wallet provides dramatically better security. The private key on a Ledger never touches the internet even when approving DeFi transactions. The £60-100 cost is modest insurance for meaningful holdings.
Can DeFi protocols actually be trusted?
Established protocols with long track records, major audits, and hundreds of millions in TVL have demonstrated a meaningful level of trustworthiness through time. Aave, Uniswap, Curve, and Compound have operated for years without major exploits. 'Trust' in DeFi should be calibrated to track record, audit quality, and TVL — not to marketing claims or anonymous promises.
Can I recover funds that have been stolen?
In most cases, no. On-chain transactions are irreversible. Blockchain analysis firms (like Chainalysis) can sometimes trace stolen funds, and in a small number of cases authorities have seized crypto from identifiable criminal wallets. But the practical reality is that the vast majority of stolen DeFi funds are never recovered. Prevention is the only reliable strategy.
Are all airdrops legitimate?
No. Airdrop scams are common. The attack: you receive an unknown token in your wallet. When you try to sell it, you are directed to a fake website that asks for wallet approval — draining your wallet. Rule: never interact with tokens you didn't buy or earn through a known protocol. Simply receiving a token in your wallet cannot harm you — interacting with it can.