A fresh academic study has revealed some shocking security habits among digital currency speculators trading in the decentralized finance (DeFi) bubble. The work was co-authored by Mingyi Liu, a Ph.D. student in Computer Science at the Georgia Institute of Technology. It shows how investors’ widespread neglect of basic security practices has made them vulnerable to scams and exploits. Through in-depth interviews and surveys, the study highlights a critical need for increased awareness and improved security practices within the DeFi community.

Research Methodology and Findings

Working together with colleagues, Mingyi Liu found through extensive research that DeFi users don’t have great security practices. As part of the research, Liu conducted in-depth interviews with 14 crypto investors to understand their security practices and perceptions of risk. To corroborate the perspectives learned through these interviews, Liu surveyed nearly 500 other people.

What alarmed us most in the study’s findings was the absence of basic cybersecurity practices among DeFi investors. Surprisingly, only a small percentage of participants routinely checked their token approvals. This important measure primarily protects user funds from bad-faith actors who might try to access them without permission.

The study’s figures are alarming. Sadly, only 10.8% of respondents took the time to routinely check and revoke token approvals to protect themselves from rug pulls, a scam in which developers leave a project after investors have put their money in. Just over 16.3% of all participants consistently checked and revoked token approvals. This proactive measure adds a layer of protection against smart contract exploits, a type of vulnerability that hackers can prey upon.

Over-Reliance on Two-Factor Authentication

The study focused on the over-reliance on two-factor authentication (2FA) as the chief security defense. 2FA provides an additional layer of security to your accounts. It doesn’t, however, provide full immunity against DeFi attacks.

Mingyi Liu communicated to us that 57.1% of users said they used 2FA as their main technical countermeasure against rug pulls. Likewise, 49.3% of users did not implement any technical 2FA or considered it a technical countermeasure against smart contract exploits. The over-reliance on this one security measure leaves millions of investors at great risk from threats beyond the cyber-attack. Other users may think that their wallets are fully protected from hacks because they have 2FA enabled.

"Two-factor authentication has been one of the best solutions for keeping wallets safe," said one of the participants in the study.

Security experts have long warned against a siloed approach. Avoiding it means monitoring your token approvals on a regular basis, diversifying your security measures, and continually learning and adapting to new threats.

Victims' Reactions and Continued Risky Behavior

Maybe the most shocking discovery came from looking at the behavior of investors who were already victims of DeFi scams. Victims continued the same unsafe behaviors even after suffering monetary damages. This shows their unfamiliarity with the underlying security threats.

According to the study, only 17.6% of those who reported being victims of a DeFi scam regularly checked token approvals afterward. Perhaps most alarming of all, a recent report found that 26% of victims didn’t report the money lost to the scam. This reflects either a feeling of powerlessness to act or ignorance of the options for recourse that exist.

Even more shockingly, 16.4% of victims chose to reallocate their stolen funds to invest further in other DeFi services. This decision would make them more vulnerable to danger. Some users are so committed that they double down on cryptocurrency after getting rug-pulled.

"My belief in cryptocurrency has grown stronger after that because I made good money from it," said a user who lost $4,700 due to a rug-pull incident.

This puzzling behavior is indicative of the lack of educational resources available to DeFi investors. Such resources are particularly important for people who have already been scammed themselves.

Addressing Misconceptions and Promoting Awareness

Apart from those findings, the research revealed widespread misconceptions about DeFi security. One participant admitted to being under the misconception that security is built in with blockchain technology.

"Because a hacker would have to override an entire blockchain," said a computer user interviewed in the study.

To be clear, while blockchain technology does provide unique security benefits, it can still be attacked. Smart contracts, which are the building blocks of most DeFi applications, are not immune to programming flaws that hackers can use to their advantage.

Mingyi Liu’s study highlights the critical need to raise awareness about DeFi security risks and encourage more responsible investment practices. When investors learn to identify their frequent pitfalls, they strengthen the DeFi ecosystem. Working in tandem, they can help create a safer ecosystem across the board.

Mingyi Liu’s co-authored piece first appeared in The Conversation and is republished under a Creative Commons agreement. This helps to make the research findings more digestible and accessible to the general public. In doing so, it increases the visibility and comprehension of DeFi security risks.