As 2024 began, decentralized finance (DeFi) investors faced significant security hurdles, with exploits and fraud accounting for nearly US$1.5 billion in losses. A recent survey highlights critical weaknesses in user behavior and security practice, revealing a concerning gap between the protection users believe they have and the protection they actually have. Taken together, the findings point to a need for greater vigilance and stronger security habits amid the DeFi ecosystem's explosive growth.

Sadly, the survey revealed that one in four victims took no action at all after being scammed, and 16.4% chose to double down and pour even more capital into other DeFi offerings. These reactions show a mix of resignation and still-simmering hope. More importantly, they indicate that many users do not appreciate the full range of security threats at play. With tens of billions of dollars flowing into DeFi, these gaps in user practice represent a growing risk both to individual investors and to the stability of the ecosystem as a whole.

Over-Reliance on 2FA Creates False Sense of Security

Perhaps the most startling result from the survey is the degree to which users lean on two-factor authentication (2FA) as their primary line of defense. Over half (57.1%) of users assumed that 2FA was enough protection against rug pulls, and 49.3% relied on it to protect against smart contract exploits. This heavy reliance shows a failure to grasp what 2FA does and does not cover in the DeFi landscape.

2FA adds a layer of protection against unauthorized login to an account, typically an exchange or custodial wallet. It does nothing against vulnerabilities inside a smart contract or against malicious actions by a project's own developers, such as a rug pull. Both of those happen on-chain: a contract exploit moves funds the contract already holds, and a rug pull is carried out by the people who hold the project's privileged keys, neither of which ever passes through the user's login flow. A user can have 2FA enabled everywhere and still lose everything they deposited, whether to an exploited contract or to founders absconding with invested capital.

The survey points to a worrying overconfidence in 2FA as a safeguard for DeFi investments. Many users treat it as an end-all security measure without understanding where its protection stops.

"Two-factor authentication has been one of the best solutions for keeping wallets safe" - a participant

Neglecting Token Approval Checks

Another major weakness found in the survey is the failure to routinely check or revoke token approvals. Only 10.8% of participants regularly checked and revoked token approvals as a defense against rug pulls, and a slightly higher 16.3% did so against smart contract exploits. This neglect leaves users exposed: an approval that is never reviewed stays live indefinitely, and a spender that turns out to be malicious or compromised can move the approved tokens at any time without any further action from the user.

A token approval authorizes a smart contract (the "spender") to transfer tokens out of a user's wallet, up to the approved amount, by calling the token's transferFrom function. Many dapps request an unlimited allowance for convenience, and the allowance persists until the user explicitly sets it back to zero. If a user is tricked into approving a malicious contract, or approves a legitimate contract that is later compromised, the spender can drain the approved balance from the wallet whenever it chooses; no wallet prompt, signature or 2FA challenge stands in the way, because the user already granted permission. The survey data indicates that a significant number of DeFi users skip this essential hygiene step and consequently leave themselves open to painful, net-worth-erasing losses.
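To make the approval mechanism concrete, here is an added example (not code from the survey or from any particular wallet or project) that works offline in Node: it builds the exact calldata a wallet would sign to revoke an approval, builds the read-only allowance query, and scans a list of ERC-20 Approval event logs to list which spenders still hold a non-zero allowance for a given owner, flagging unlimited ones. The function selectors and the Approval event topic are the standard ERC-20 values; every address and log below is constructed for the demo, and the router/vault names are assumptions.

```javascript
// Added example: offline ERC-20 approval hygiene. Selectors and the event topic
// are the standard ERC-20 ones; all addresses and logs below are constructed.
const SELECTOR_APPROVE = "0x095ea7b3";   // approve(address,uint256)
const SELECTOR_ALLOWANCE = "0xdd62ed3e"; // allowance(address,address)
// keccak256("Approval(address,address,uint256)")
const TOPIC_APPROVAL =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;   // the "unlimited" allowance many dapps request

function isAddress(a) { return /^0x[0-9a-fA-F]{40}$/.test(a); }

// ABI word encoders: each argument occupies one 32-byte, left-padded word.
function encodeAddress(addr) {
  if (!isAddress(addr)) throw new Error(`bad address: ${addr}`);
  return addr.slice(2).toLowerCase().padStart(64, "0");
}
function encodeUint256(n) {
  if (typeof n !== "bigint" || n < 0n || n > MAX_UINT256) throw new Error(`bad uint256: ${n}`);
  return n.toString(16).padStart(64, "0");
}

// Calldata for approve(spender, amount). Revocation is the same call with amount 0.
function encodeApprove(spender, amount) {
  return SELECTOR_APPROVE + encodeAddress(spender) + encodeUint256(amount);
}
// Calldata for the read-only allowance(owner, spender) query (sent via eth_call).
function encodeAllowanceCall(owner, spender) {
  return SELECTOR_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
}
// The transaction a wallet would sign to revoke: to = token contract, data = approve(spender, 0).
function revokeTx(token, spender) {
  return { to: token, value: 0n, data: encodeApprove(spender, 0n) };
}

// Decode one Approval(owner, spender, value) log; owner and spender are indexed topics.
function decodeApprovalLog(log) {
  if (log.topics.length !== 3 || log.topics[0] !== TOPIC_APPROVAL) return null;
  return {
    token: log.address,
    owner: "0x" + log.topics[1].slice(-40),
    spender: "0x" + log.topics[2].slice(-40),
    value: BigInt(log.data),
  };
}

// Walk Approval logs in chain order; the latest value per (token, spender) is the live
// allowance. Return every allowance still above zero, flag unlimited ones, and attach
// the transaction that would revoke it.
function outstandingApprovals(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApprovalLog(log);
    if (!a || a.owner.toLowerCase() !== owner.toLowerCase()) continue;
    latest.set(`${a.token.toLowerCase()}:${a.spender.toLowerCase()}`, a);
  }
  return [...latest.values()]
    .filter((a) => a.value > 0n)
    .map((a) => ({ ...a, unlimited: a.value === MAX_UINT256, revoke: revokeTx(a.token, a.spender) }));
}

// Constructed sample data: one owner, one token, two spenders (names are assumptions).
const OWNER = "0x" + "11".repeat(20);
const TOKEN = "0x" + "aa".repeat(20);
const ROUTER = "0x" + "bb".repeat(20);   // granted an unlimited approval, never revoked
const VAULT = "0x" + "cc".repeat(20);    // approved for 1000 tokens, then revoked
const topic = (addr) => "0x" + encodeAddress(addr);
const SAMPLE_LOGS = [
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic(OWNER), topic(ROUTER)], data: "0x" + encodeUint256(MAX_UINT256) },
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic(OWNER), topic(VAULT)], data: "0x" + encodeUint256(1000n * 10n ** 18n) },
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic(OWNER), topic(VAULT)], data: "0x" + encodeUint256(0n) },
  // another owner's approval; must be ignored when scanning for OWNER
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic("0x" + "22".repeat(20)), topic(ROUTER)], data: "0x" + encodeUint256(5n) },
];

for (const a of outstandingApprovals(SAMPLE_LOGS, OWNER)) {
  console.log(`${a.token} -> ${a.spender}: ${a.unlimited ? "UNLIMITED" : a.value}  revoke calldata: ${a.revoke.data}`);
}
```

Against the sample logs the scan reports a single live allowance, the unlimited one granted to the router, and prints the approve(router, 0) calldata that revokes it. In practice the logs would come from eth_getLogs filtered on the Approval topic with the owner's address as the second topic, and the live value should be confirmed with the allowance call before and after sending the revoke, since a log scan can miss allowances consumed by transferFrom (which lowers the allowance without emitting a new Approval event on most tokens).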

Of those who had been deceived by DeFi scams, fewer than one in five sought any recourse, and only 17.6% went on to routinely review their token approvals. This points to a failure to learn from previous experience and a need to do better on basic security hygiene.

Resilience Amidst Losses

Despite the prevalence of security breaches and financial losses, the survey revealed a surprising level of resilience among DeFi users. More than half of the victims said that their belief in DeFi either remained the same or grew stronger after the incident. This unanticipated outcome speaks to the depth of conviction in DeFi's long-term promise, even amid a storm of setbacks.

One user who lost $4,700 to a rug pull went so far as to say that he now feels more confident in cryptocurrency.

"My belief in cryptocurrency has grown stronger after that because I made good money from it" - a user who lost $4,700 due to a rug-pull incident

What drives this resilience is a combination of high expected returns, conviction in the technology behind DeFi, and a sense of community within the space. That resilience should not, however, overshadow the importance of addressing security weaknesses and protecting investors from avoidable losses.

Addressing the DeFi Security Crisis

The survey results illustrate a troubling reality about the state of DeFi security today. Over-reliance on 2FA combined with neglect of token approval checks leaves users exposed to exactly the rug pulls and smart contract exploits they believe they are protected against. Tackling these problems requires both better security measures and better-informed users. There is no silver bullet and no easy fix for DeFi security.

Whatever the case may be, awareness is the first step to remedying DeFi security risks. Projects, wallet providers and the wider community must educate users on the risks they face and on what users can do to keep themselves safe. That includes understanding the limits of 2FA, regularly checking and revoking token approvals, and carefully researching DeFi projects before investing.

The recent $1.5 billion crypto heist, reportedly carried out through a front-end attack, underscores how quickly DeFi security threats evolve. The DeFi landscape moves fast, and security practices need to evolve with it, a change that users and developers alike need to embrace to stay protected.