Crypto Security Lapses Cost Investors Nearly $1.5 Billion in 2024

In the world of decentralized finance (DeFi), where fortunes can be made and lost with a click, a new study reveals alarming security practices among crypto investors. The DeFi ecosystem holds exhilarating promise—the promise of a democratized financial architecture, liberated from the shackles of intermediaries. Yet it is fraught with danger, and more often than not, investors sabotage their own success. In 2024 alone, security exploits and fraud led to losses of nearly $1.5 billion, underscoring the urgent need for better security awareness and practices.
The study uncovers an alarming reliance on basic security protections, including two-factor authentication (2FA). It further reveals a troubling disconnect in investors' ability to grasp more complex threats. This toxic combination has left millions of everyday investors exposed to scams and exploitative schemes. The results show a marketplace humming with excitement. Yet this enthusiasm frequently drowns out the warning bells, resulting in hundreds of millions of dollars wasted and a misplaced confidence.
Over-Reliance on Two-Factor Authentication
Two-factor authentication (or 2FA for short) is a common security measure that requires two types of verification in order to log into an account. It is intended to provide an additional layer of security, outside of just a password. While 2FA is undoubtedly a valuable tool, the study reveals a worrying trend of investors treating it as a silver bullet against all threats.
Our survey found that 57.1% of users place complete trust in 2FA as their only protection from rug pulls. These scams happen when developers walk away from a development project, taking off with the investors’ money. Just as worrying, 49.3% of users relied on 2FA exclusively to keep them safe from smart contract exploits. These exploits happen when cyber criminals take advantage of weaknesses in the code that runs DeFi apps.
"Two-factor authentication has been one of the best solutions for keeping wallets safe." - a participant in the survey.
This habit of relying on 2FA as the one and only defense is problematic. Under certain conditions, 2FA can prevent unauthorized users from getting into an account, but it does not protect against smart contract bugs or other malfeasance by project developers, neither of which depends on logging into the investor's account. It’s time for investors to take a broader view of what security includes.
Neglecting Token Approval Checks
One of the scariest, yet most easily addressable, aspects of DeFi security is the need to vigilantly check and revoke token approvals. Each time a user interacts with a DeFi platform, the user gives that platform permission to spend their tokens. If a platform is ever breached or turns out to be a bad actor itself, it can misuse these permissions, which can result in a user’s wallet being emptied unexpectedly. The study found that, even when aware of this risk, very few investors proactively do what is needed to protect themselves.
Just 10.8% of respondents often revoked their token approvals and proactively checked them to protect against rug pulls. Only 16.3% did the same to protect against smart contract exploits. This failure to exercise even modest levels of vigilance is a dangerous weakness that puts investors at serious risk of financial harm. The statistics tell a very clear story about the difference between what is considered security and what is real security.
Even among those who had already been victims of scams, the behavior change was not substantial. Surprisingly, 82.4% of the people who reported having been scammed in DeFi didn’t check their token approvals on a regular basis afterwards. This suggests a disconnect between experiencing a security breach and understanding the underlying causes and preventative measures.
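The approval check described in this section can be automated. The following is an added example, not part of the original article or the study: it replays ERC-20 `Approval` event logs to list the spenders a wallet still trusts and flags unlimited ones. It assumes ERC-20 tokens on an Ethereum-style chain; the addresses, sample logs and helper names are constructed for illustration.

```python
# Added example: all addresses and log entries here are constructed sample data.
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED = 2**255  # assumption: treat anything this large as "spend everything"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, owner):
    """Replay Approval logs in chain order; return {(token, spender): amount}."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; ERC-20 has 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) revokes the permission
        else:
            state[key] = amount   # a later approval replaces the earlier one
    return state

def unlimited_approvals(logs, owner):
    """Spenders able to move the owner's whole balance of a token."""
    return sorted(k for k, v in live_allowances(logs, owner).items() if v >= UNLIMITED)

def make_log(token, owner, spender, amount, block, index=0):
    """Build a constructed log entry in the shape eth_getLogs returns."""
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x%064x" % amount, "blockNumber": hex(block), "logIndex": hex(index)}

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
DEX, LENDER = "0x" + "d1" * 20, "0x" + "d2" * 20
SAMPLE_LOGS = [  # deliberately out of order, as merged results can be
    make_log(TOKEN_A, OWNER, LENDER, 0, block=21),             # revocation
    make_log(TOKEN_A, OWNER, DEX, MAX_UINT256, block=16),      # unlimited, never revoked
    make_log(TOKEN_A, OWNER, LENDER, 500, block=18, index=3),  # later revoked
    make_log(TOKEN_A, OTHER, DEX, MAX_UINT256, block=17),      # someone else's wallet
    make_log(TOKEN_B, OWNER, DEX, 1000, block=22),             # bounded, still live
]
```

Approval events record the last amount approved, not what remains after spending, so confirm each finding with the token's `allowance(owner, spender)` call before relying on it.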
The Psychology of Crypto Losses
The study also examines the psychology of how investors act once they have been scammed. As it turns out, rather than tightening their security, the majority of users did the opposite: they took no action or, worse, increased their exposure to DeFi.
Concerningly, 26% of victims did nothing after being scammed. Such inaction only serves to make them sitting ducks for the next attack. Even more concerning, 16.4% of users decided to double down and invest more in other DeFi services following a scam. I imagine this decision was not made lightly, but out of an urgency to recoup their investment costs as soon as possible. This behavior shows a breakdown in risk management and a willingness to chase returns without due diligence.
"My belief in cryptocurrency has grown stronger after that because I made good money from it." - a user who lost $4,700 due to a rug-pull incident.
What the research found was an unexpected turn. Over half of the victims indicated that their faith in DeFi was undeterred, or in fact strengthened, following the incident. This resilience is truly inspiring, but it can also be the product of a cognitive bias, causing people to downplay dangers to rationalize their continued involvement in the space.
The Evolving Threat Landscape
The DeFi security landscape is always shifting, with new attack vectors popping up every day. For example, a recent $1.5 billion crypto heist was blamed on a front-end attack, demonstrating the growing sophistication of cybercriminals. This form of attack, which focuses on the user interface of a DeFi platform, dupes users into approving harmful transactions.
Mingyi Liu is a graduate student pursuing his Ph.D. in computer science at the Georgia Institute of Technology. He pointed out that there’s no universal answer when it comes to DeFi security. Investors must be aware of the most recent dangers and take a multi-faceted approach to security. This means employing good password hygiene, such as using strong passwords; enabling 2FA; regularly reviewing token approvals; and being cautious of unsolicited links and requests.
The Promise and Peril of DeFi
The promise of cryptocurrency, as laid out in an anonymous white paper in 2008, was a decentralized currency that escaped the control of banks and governments. Since then, more than $40 billion has streamed into the DeFi market. Investors are hungry for the unfulfilled promise of DeFi and future yield opportunities. Unfortunately, this rapid growth has made it a target for malicious actors. The lack of regulation and centralized oversight makes DeFi a perfect breeding ground for scams and exploits.
"because a hacker would have to override an entire blockchain" - a participant in the survey.
This is especially true today, as the inherent complexity of blockchain technology and smart contracts presents an extra hurdle for investors. Most users do not possess the technical abilities to grasp the potential threats, leaving them susceptible to advanced persistent threats. Education and awareness will be key to closing this knowledge gap and enabling investors to make more informed decisions.

Julien Duval
Cryptocurrency Trading Strategies Editor
Julien Duval crafts cryptocurrency trading insights with a blend of French pragmatism and global perspective. He merges logical analysis with fresh market narratives, delivering content that is practical, collaborative, and always a step ahead. Julien is also a passionate jazz saxophonist and urban cyclist.