{"682308":{"#nid":"682308","#data":{"type":"news","title":"Decentralized Finance is Booming \u2014 So Are the Security Risks","body":[{"value":"\u003Cdiv class=\u0022theconversation-article-body\u0022\u003E\u003Cp\u003EWhen the first cryptocurrency, Bitcoin, was \u003Ca href=\u0022https:\/\/bitcoin.org\/bitcoin.pdf\u0022\u003Eproposed in 2008\u003C\/a\u003E, the goal was simple: to create a digital currency free from banks and governments. Over time, that idea evolved into something much bigger: \u201c\u003Ca href=\u0022https:\/\/www.nytimes.com\/interactive\/2022\/03\/18\/technology\/what-is-defi-cryptocurrency.html\u0022\u003Edecentralized finance\u003C\/a\u003E,\u201d or \u201cDeFi.\u201d\u003C\/p\u003E\u003Cp\u003EWith decentralized finance, people trade, borrow and earn interest on crypto assets without relying on traditional intermediaries. DeFi services run on \u003Ca href=\u0022https:\/\/www.bloomberglaw.com\/external\/document\/X29AE5PK000000\/tech-telecom-professional-perspective-an-introduction-to-blockch\u0022\u003Eblockchains\u003C\/a\u003E, which are essentially digital ledgers, and use \u201c\u003Ca href=\u0022https:\/\/www.bloomberglaw.com\/external\/document\/X4SGO17O000000\/tech-telecom-professional-perspective-blockchain-smart-contracts\u0022\u003Esmart contracts\u003C\/a\u003E\u201d \u2013 self-executing code that automates financial transactions. \u003Ca href=\u0022https:\/\/mitsloan.mit.edu\/ideas-made-to-matter\/decentralized-finance-4-challenges-to-consider\u0022\u003ETens of billions of dollars\u003C\/a\u003E have poured into the DeFi market.\u003C\/p\u003E\u003Cp\u003EBut with innovation come risks. The lack of centralized oversight has made crypto, including decentralized finance, a prime target for hackers and scammers. 
In 2024 alone, people lost \u003Ca href=\u0022https:\/\/downloads.ctfassets.net\/t3wqy70tc3bv\/2LqNkvjajiCS5sPJmWLakc\/9715af967dd95a55da05d2ad373edb0d\/Immunefi_Crypto_Losses_in_2024_Report.pdf\u0022\u003Enearly US$1.5 billion\u003C\/a\u003E due to security exploits and fraud. And unlike traditional finance, there\u2019s usually no way to recover stolen crypto.\u003C\/p\u003E\u003Cp\u003EAs \u003Ca href=\u0022http:\/\/mingyiliu.me\u0022\u003Ea computer scientist\u003C\/a\u003E, I wanted to better understand how people perceive and respond to these risks. So my colleagues and I first conducted in-depth interviews with 14 crypto investors, then surveyed nearly 500 others to validate our findings.\u003C\/p\u003E\u003Cp\u003E\u003Ca href=\u0022https:\/\/www.usenix.org\/system\/files\/usenixsecurity24-liu-mingyi.pdf\u0022\u003EOur study\u003C\/a\u003E found that people often made the same mistakes, driven by recurring misconceptions and gaps in security awareness. Here are some of the most important.\u003C\/p\u003E\u003Ch2\u003EMistake 1: Thinking the blockchain guarantees security\u003C\/h2\u003E\u003Cp\u003EMany people told us they thought decentralized finance was secure \u2013 but their reasoning wasn\u2019t very convincing. Some seemed to confuse decentralized finance with blockchain technology itself, which is designed to ensure transactions are tamper-resistant through so-called \u201c\u003Ca href=\u0022https:\/\/www.investopedia.com\/terms\/c\/consensus-mechanism-cryptocurrency.asp\u0022\u003Econsensus mechanisms\u003C\/a\u003E.\u201d One told us that DeFi is secure \u201cbecause a hacker would have to override an entire blockchain\u201d to steal funds.\u003C\/p\u003E\u003Cp\u003EBut services on the blockchain are still vulnerable to implementation and design flaws. 
These include smart contract breaches, in which bad guys exploit bugs in a service\u2019s code, and front-end attacks, where a user interface is altered to redirect funds into a hacker\u2019s wallet. A \u003Ca href=\u0022https:\/\/www.csis.org\/analysis\/bybit-heist-and-future-us-crypto-regulation\u0022\u003Efront-end attack\u003C\/a\u003E was reportedly to blame for a \u003Ca href=\u0022https:\/\/www.abc.net.au\/news\/2025-02-24\/bybit-cryptocurrency-hack-what-we-know\/104974512\u0022\u003Erecent $1.5 billion crypto heist\u003C\/a\u003E.\u003C\/p\u003E\u003Cfigure\u003E\u003Cp\u003E\u003Ciframe width=\u0022440\u0022 height=\u0022260\u0022 src=\u0022https:\/\/www.youtube.com\/embed\/nCZh9xdp43U?wmode=transparent\u0026amp;start=0\u0022 frameborder=\u00220\u0022 allowfullscreen=\u0022\u0022\u003E\u003C\/iframe\u003E\u003C\/p\u003E\u003Cfigcaption\u003E\u003Cspan class=\u0022caption\u0022\u003ECNBC reports on the record-breaking $1.5 billion crypto theft.\u003C\/span\u003E\u003C\/figcaption\u003E\u003C\/figure\u003E\u003Ch2\u003EMistake 2: Thinking safe keys mean safe funds\u003C\/h2\u003E\u003Cp\u003EAnother common misconception is that DeFi is secure if private keys are well stored. A private key is a secret code that allows someone to access their crypto assets. It\u2019s true that in DeFi \u2013 unlike in \u003Ca href=\u0022https:\/\/www.investopedia.com\/tech\/what-are-centralized-cryptocurrency-exchanges\/\u0022\u003Ecentralized crypto finance\u003C\/a\u003E where an exchange holds private keys \u2013 users have full control over their own private keys.\u003C\/p\u003E\u003Cp\u003EBut even with perfect private key management, users can still lose funds by interacting with compromised DeFi platforms. 
That\u2019s because safeguarding private keys can prevent only direct attacks targeting private key access, such as \u003Ca href=\u0022https:\/\/theconversation.com\/phishing-scams-7-safety-tips-from-a-cybersecurity-expert-216198\u0022\u003Ephishing attempts\u003C\/a\u003E.\u003C\/p\u003E\u003Cp\u003EThe people we spoke with also failed to follow best practices for securing their private keys. Using a hardware wallet \u2013 a physical device that stores private keys offline \u2013 is one of the most secure options for protecting keys from online threats. However, our study found that only a handful of participants actually used hardware wallets.\u003C\/p\u003E\u003Ch2\u003EMistake 3: Thinking 2-factor authentication is a silver bullet\u003C\/h2\u003E\u003Cp\u003ETwo-factor authentication, or 2FA, is a standard security mechanism in which two forms of verification are required to access an account. Think being texted a one-time code before you can log into your bank account.\u003C\/p\u003E\u003Cp\u003ETo prevent account breaches, \u003Ca href=\u0022https:\/\/www.investopedia.com\/tech\/what-are-centralized-cryptocurrency-exchanges\/\u0022\u003Ecentralized crypto exchanges\u003C\/a\u003E such as Binance and Coinbase use two-factor authentication for logins, account recovery and withdrawal confirmations. But while 2FA is crucial to security in the traditional and centralized crypto finance system, it plays a much smaller role in decentralized finance.\u003C\/p\u003E\u003Cp\u003EDeFi wallets give users access based on private key ownership rather than identity verification, which means traditional 2FA can\u2019t be used. Instead, only 2FA-like mechanisms are available in DeFi. For instance, \u003Ca href=\u0022https:\/\/www.investopedia.com\/multi-signature-wallets-definition-5271193\u0022\u003Emultisignature wallets\u003C\/a\u003E require approval from multiple private key holders. 
However, if your private key is compromised, attackers can perform wallet operations on your behalf without any additional verification. In addition, even users who adopt 2FA-like measures can\u2019t prevent the security breaches on the DeFi services\u2019 end.\u003C\/p\u003E\u003Cp\u003EUnfortunately, our participants were overly confident regarding the effectiveness of 2FA, with one saying, \u201cTwo-factor authentication has been one of the best solutions for keeping wallets safe.\u201d In our survey, 57.1% of users relied on 2FA as their only technical countermeasure against \u003Ca href=\u0022https:\/\/www.coinbase.com\/learn\/tips-and-tutorials\/what-is-a-rug-pull-and-how-to-avoid-it\u0022\u003Erug pulls\u003C\/a\u003E \u2013 scams where project creators suddenly withdraw funds \u2013 and 49.3% did so for smart contract exploits. This misplaced trust could lead them to ignore more effective security strategies.\u003C\/p\u003E\u003Ch2\u003EMistake 4: Not managing token approvals\u003C\/h2\u003E\u003Cp\u003EOne such effective strategy is revoking token approvals. In DeFi, tokens are digital assets on a blockchain that represent value or rights, and users often need to approve smart contracts to access or spend them. But if you leave these approvals open, a malicious contract \u2013 or one that\u2019s been hacked \u2013 can drain your wallet. So it\u2019s crucial to routinely check all token approvals you\u2019ve granted to prevent losses caused by fraudulent or hacked DeFi services. 
Specifically, you should limit spending allowances instead of using the default \u201cunlimited\u201d option, and \u003Ca href=\u0022https:\/\/support.metamask.io\/more-web3\/learn\/how-to-revoke-smart-contract-allowances-token-approvals\u0022\u003Erevoke approvals\u003C\/a\u003E for apps you no longer use or trust.\u003C\/p\u003E\u003Cp\u003EWorryingly, we found that only 10.8% and 16.3% of participants regularly checked and revoked token approvals to protect against rug pulls and smart contract exploits, respectively. In light of this, we recommend that wallet providers introduce a reminder feature to prompt users to review their token approvals periodically.\u003C\/p\u003E\u003Ch2\u003EMistake 5: Not learning from past incidents\u003C\/h2\u003E\u003Cp\u003EEven after they\u2019re hacked or scammed, people often don\u2019t do anything to improve their security practices, we found. Just 17.6% of those who reported being victims of a DeFi scam regularly checked token approvals afterward. Worse, 26% took no action at all after a scam, and 16.4% doubled down by investing even more in other DeFi services.\u003C\/p\u003E\u003Cp\u003ESurprisingly, more than half of the victims said their belief in DeFi either stayed the same or grew stronger after the incident. One user who lost $4,700 due to a rug-pull incident said, \u201cMy belief in cryptocurrency has grown stronger after that because I made good money from it.\u201d That person added, \u201cAn opportunity to make money is something I believe in.\u201d This suggests that DeFi users\u2019 financial motivations can sometimes outweigh their security concerns \u2013 and, perhaps, their better judgment.\u003C\/p\u003E\u003Cp\u003EThere\u2019s no one-size-fits-all solution to DeFi security. But awareness is the first step. To stay safe, crypto investors should use hardware wallets, revoke unused token approvals and continually learn new techniques to protect themselves from evolving threats. 
Most importantly, they should stay rational and not let the allure of profits cloud their security practices.\u003C\/p\u003E\u003Cp\u003E\u003Cem\u003EThis article is republished from \u003C\/em\u003E\u003Ca href=\u0022https:\/\/theconversation.com\u0022\u003E\u003Cem\u003EThe Conversation\u003C\/em\u003E\u003C\/a\u003E\u003Cem\u003E under a Creative Commons license. 
Read the \u003C\/em\u003E\u003Ca href=\u0022https:\/\/theconversation.com\/decentralized-finance-is-booming-and-so-are-the-security-risks-my-team-surveyed-nearly-500-crypto-investors-and-uncovered-the-most-common-mistakes-251305\u0022\u003E\u003Cem\u003Eoriginal article\u003C\/em\u003E\u003C\/a\u003E\u003Cem\u003E.\u003C\/em\u003E\u003C\/p\u003E\u003C\/div\u003E","summary":"","format":"full_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EThe lack of centralized oversight has made crypto, including decentralized finance, a prime target for hackers and scammers.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"The lack of centralized oversight has made crypto, including decentralized finance, a prime target for hackers and scammers."}],"uid":"27469","created_gmt":"2025-05-08 14:58:26","changed_gmt":"2026-03-19 13:16:39","author":"Kristen Bailey","boilerplate_text":"","field_publication":"","field_article_url":"","location":"Atlanta, GA","dateline":{"date":"2025-05-08T00:00:00-04:00","iso_date":"2025-05-08T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"677055":{"id":"677055","type":"image","title":"Cryptocurrency Illustration","body":"\u003Cp\u003ECryptocurrency Illustration\u003C\/p\u003E","created":"1746805311","gmt_created":"2025-05-09 15:41:51","changed":"1746805311","gmt_changed":"2025-05-09 15:41:51","alt":"Cryptocurrency 
Illustration","file":{"fid":"260917","name":"file-20250416-62-k0tjqh-copy.jpg","image_path":"\/sites\/default\/files\/2025\/05\/09\/file-20250416-62-k0tjqh-copy.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2025\/05\/09\/file-20250416-62-k0tjqh-copy.jpg","mime":"image\/jpeg","size":137180,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2025\/05\/09\/file-20250416-62-k0tjqh-copy.jpg?itok=hvYp-oXG"}}},"media_ids":["677055"],"related_links":[{"url":"https:\/\/theconversation.com\/decentralized-finance-is-booming-and-so-are-the-security-risks-my-team-surveyed-nearly-500-crypto-investors-and-uncovered-the-most-common-mistakes-251305","title":"Read This Article on The Conversation"}],"groups":[{"id":"47223","name":"College of Computing"},{"id":"658168","name":"Experts"},{"id":"1214","name":"News Room"},{"id":"1188","name":"Research Horizons"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[{"id":"187915","name":"go-researchnews"}],"core_research_areas":[],"news_room_topics":[{"id":"71881","name":"Science and Technology"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Ch5\u003EAuthor:\u003C\/h5\u003E\u003Cp\u003E\u003Ca href=\u0022https:\/\/theconversation.com\/profiles\/mingyi-liu-2337663\u0022\u003EMingyi Liu\u003C\/a\u003E, Ph.D. student in Computer Science, Georgia Institute of Technology\u003C\/p\u003E\u003Ch5\u003EMedia Contact:\u003C\/h5\u003E\u003Cp\u003EShelley Wunder-Smith\u003Cbr\u003E\u003Ca href=\u0022mailto:shelley.wunder-smith@research.gatech.edu\u0022\u003Eshelley.wunder-smith@research.gatech.edu\u003C\/a\u003E\u003C\/p\u003E","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}