
Decentralized finance is booming – and so are the security risks. My team surveyed nearly 500 crypto investors and uncovered the most common mistakes

  • Written by Mingyi Liu, Ph.D. student in Computer Science, Georgia Institute of Technology

When the first cryptocurrency, Bitcoin, was proposed in 2008[1], the goal was simple: to create a digital currency free from banks and governments. Over time, that idea evolved into something much bigger: “decentralized finance[2],” or “DeFi.”

With decentralized finance, people trade, borrow and earn interest on crypto assets without relying on traditional intermediaries. DeFi services run on blockchains[3], which are essentially digital ledgers, and use “smart contracts[4]” – self-executing code that automates financial transactions. Tens of billions of dollars[5] have poured into the DeFi market.

But with innovation comes risk. The lack of centralized oversight has made crypto, including decentralized finance, a prime target for hackers and scammers. In 2024 alone, people lost nearly US$1.5 billion[6] to security exploits and fraud. And unlike in traditional finance, there’s usually no way to recover stolen crypto.

As a computer scientist[7], I wanted to better understand how people perceive and respond to these risks. So my colleagues and I first conducted in-depth interviews with 14 crypto investors, then surveyed nearly 500 others to validate our findings.

Our study[8] found that people often made the same mistakes, driven by recurring misconceptions and gaps in security awareness. Here are some of the most important.

Mistake 1: Thinking the blockchain guarantees security

Many people told us they thought decentralized finance was secure – but their reasoning wasn’t very convincing. Some seemed to confuse decentralized finance with blockchain technology itself, which is designed to ensure transactions are tamper-resistant through so-called “consensus mechanisms[9].” One told us that DeFi is secure “because a hacker would have to override an entire blockchain” to steal funds.

But services on the blockchain are still vulnerable to implementation and design flaws. These include smart contract breaches, in which bad guys exploit bugs in a service’s code, and front-end attacks, where a user interface is altered to redirect funds into a hacker’s wallet. A front-end attack[10] was reportedly to blame for a recent $1.5 billion crypto heist[11].


Mistake 2: Thinking safe keys mean safe funds

Another common misconception is that DeFi is secure if private keys are well stored. A private key is a secret code that allows someone to access their crypto assets. It’s true that in DeFi – unlike in centralized crypto finance[12] where an exchange holds private keys – users have full control over their own private keys.

But even with perfect private key management, users can still lose funds by interacting with compromised DeFi platforms. That’s because safeguarding private keys can prevent only direct attacks targeting private key access, such as phishing attempts[13].

The people we spoke with also failed to follow best practices for securing their private keys. Using a hardware wallet – a physical device that stores private keys offline – is one of the most secure options for protecting keys from online threats. However, our study found that only a handful of participants actually used hardware wallets.

Mistake 3: Thinking 2-factor authentication is a silver bullet

Two-factor authentication, or 2FA, is a standard security mechanism in which two forms of verification are required to access an account. Think being texted a one-time code before you can log into your bank account.

To prevent account breaches, centralized crypto exchanges[14] such as Binance and Coinbase use two-factor authentication for logins, account recovery and withdrawal confirmations. But while 2FA is crucial to security in the traditional and centralized crypto finance system, it plays a much smaller role in decentralized finance.

DeFi wallets grant access based on private key ownership rather than identity verification, which means traditional 2FA can’t be used. Instead, only 2FA-like mechanisms are available in DeFi. For instance, multisignature wallets[15] require approval from multiple private key holders. However, if your private key is compromised, attackers can perform wallet operations on your behalf without any additional verification. In addition, even users who adopt 2FA-like measures can’t prevent security breaches on the DeFi service’s end.

Unfortunately, our participants were overly confident regarding the effectiveness of 2FA, with one saying, “Two-factor authentication has been one of the best solutions for keeping wallets safe.” In our survey, 57.1% of users relied on 2FA as their only technical countermeasure against rug pulls[16] – scams where project creators suddenly withdraw funds – and 49.3% did so for smart contract exploits. This misplaced trust could lead them to ignore more effective security strategies.

Mistake 4: Not managing token approvals

One such effective strategy is revoking token approvals. In DeFi, tokens are digital assets on a blockchain that represent value or rights, and users often need to approve smart contracts to access or spend them. But if you leave these approvals open, a malicious contract – or one that’s been hacked – can drain your wallet. So it’s crucial to routinely check all token approvals you’ve granted to prevent losses caused by fraudulent or hacked DeFi services. Specifically, you should limit spending allowances instead of using the default “unlimited” option, and revoke approvals[17] for apps you no longer use or trust.

Worryingly, we found that only 10.8% and 16.3% of participants regularly checked and revoked token approvals to protect against rug pulls and smart contract exploits, respectively. In light of this, we recommend that wallet providers introduce a reminder feature to prompt users to review their token approvals periodically.
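One way a wallet could implement the approval review described above, as an added example that is not part of the article or the authors’ study: it replays a wallet’s ERC-20 Approval event logs, flags allowances that are unlimited or above a per-token cap the user chose, and builds the approve(spender, 0) calldata that a revoke transaction carries. It assumes the standard ERC-20 event and function signatures; the addresses and logs are constructed.

```javascript
// Added example (not from the article): offline audit of ERC-20 token approvals from
// Approval event logs. Addresses and logs below are constructed for illustration.
const UNLIMITED = (1n << 256n) - 1n;   // the default "unlimited" allowance (2^256 - 1)
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // keccak256("approve(address,uint256)")[0:4]
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Replay Approval logs in chain order; the newest approve() per (token, spender) wins.
function currentAllowances(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const spender = topicToAddress(log.topics[2]);
    latest.set(`${log.address}:${spender}`, { token: log.address, spender, allowance: BigInt(log.data) });
  }
  return [...latest.values()].filter((a) => a.allowance > 0n); // allowance 0 = revoked
}

// Approvals a user should review: unlimited, or above the cap they chose for that token.
function riskyApprovals(allowances, capPerToken) {
  return allowances.filter((a) => a.allowance === UNLIMITED || a.allowance > (capPerToken.get(a.token) ?? 0n));
}

// Calldata of approve(spender, 0): what the revoke transaction to the token contract carries.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + pad32(spender) + pad32("0");
}

// Constructed sample: one token, one wallet, two spenders, plus an unrelated owner's log.
const TOKEN = "0x1111111111111111111111111111111111111111";
const OWNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ROUTER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const DEX2 = "0xcccccccccccccccccccccccccccccccccccccccc";
const approvalLog = (owner, spender, amount) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
  data: "0x" + amount.toString(16).padStart(64, "0"),
});
const SAMPLE_LOGS = [
  approvalLog(OWNER, ROUTER, 1000n),     // first a capped approval...
  approvalLog(OWNER, ROUTER, UNLIMITED), // ...then the user clicked "unlimited"
  approvalLog(OWNER, DEX2, 500n),
  approvalLog(OWNER, DEX2, 0n),          // later revoked, so it drops out of the report
  approvalLog("0xdddddddddddddddddddddddddddddddddddddddd", DEX2, UNLIMITED), // not our wallet
];
const toReview = riskyApprovals(currentAllowances(SAMPLE_LOGS, OWNER), new Map([[TOKEN, 1000n]]));
for (const a of toReview) console.log(`review ${a.spender} on ${a.token}: revoke via ${revokeCalldata(a.spender)}`);
```

In a real wallet the logs would come from an RPC node’s eth_getLogs filtered on the Approval topic and the wallet address, and the calldata would be sent to the token contract, not to the spender.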

Mistake 5: Not learning from past incidents

Even after they’re hacked or scammed, people often don’t do anything to improve their security practices, we found. Just 17.6% of those who reported being victims of a DeFi scam regularly checked token approvals afterward. Worse, 26% took no action at all after a scam, and 16.4% doubled down by investing even more in other DeFi services.

Surprisingly, more than half of the victims said their belief in DeFi either stayed the same or grew stronger after the incident. One user who lost $4,700 due to a rug-pull incident said, “My belief in cryptocurrency has grown stronger after that because I made good money from it.” That person added, “An opportunity to make money is something I believe in.” This suggests that DeFi users’ financial motivations can sometimes outweigh their security concerns – and, perhaps, their better judgment.

There’s no one-size-fits-all solution to DeFi security. But awareness is the first step. To stay safe, crypto investors should use hardware wallets, revoke unused token approvals and continually learn new techniques to protect themselves from evolving threats. Most importantly, they should stay rational and not let the allure of profits cloud their security practices.

References

  1. proposed in 2008 (bitcoin.org)
  2. decentralized finance (www.nytimes.com)
  3. blockchains (www.bloomberglaw.com)
  4. smart contracts (www.bloomberglaw.com)
  5. Tens of billions of dollars (mitsloan.mit.edu)
  6. nearly US$1.5 billion (downloads.ctfassets.net)
  7. a computer scientist (mingyiliu.me)
  8. Our study (www.usenix.org)
  9. consensus mechanisms (www.investopedia.com)
  10. front-end attack (www.csis.org)
  11. recent $1.5 billion crypto heist (www.abc.net.au)
  12. centralized crypto finance (www.investopedia.com)
  13. phishing attempts (theconversation.com)
  14. centralized crypto exchanges (www.investopedia.com)
  15. multisignature wallets (www.investopedia.com)
  16. rug pulls (www.coinbase.com)
  17. revoke approvals (support.metamask.io)

Read more: https://theconversation.com/decentralized-finance-is-booming-and-so-are-the-security-risks-my-team-surveyed-nearly-500-crypto-investors-and-uncovered-the-most-common-mistakes-251305
