How to Stay Safe in DeFi: My Personal Guide
My guide on how to evaluate DeFi project safety & 5 tips to avoid stupid human error mistakes. All from personal experience.
Self-custody and being your own bank are the future of finance, they say.
But even crypto veterans are losing millions to obscure exploits that drain their wallets.
It's easy to lose money in DeFi if you're not careful: exploits, rug pulls, and contract bugs are everywhere. Just yesterday, Merlin DEX rug pulled its users for ~$2M USD.
What’s more, even more money has been lost to avoidable human mistakes. To avoid becoming the next victim, you need a strategy for minimizing these errors.
That’s why I want to share my guidebook to staying safe in crypto & DeFi. All from personal experience. There are two parts to this blog:
How to evaluate DeFi project safety to avoid rugs & hacks
5 tips to avoid stupid human error mistakes.
This blog post is brought to you by De.Fi, a Web3 Super App & Antivirus. I honestly think it’s one of the must-know tools together with DefiLlama, Coingecko, and Nansen.
Crypto's First Antivirus: De.Fi has developed the industry's first antivirus by combining their Scanner and Shield tools. This multi-layer security solution prevents users from acquiring high-risk assets or approving vulnerable smart contracts.
The Scanner allows you to analyze technical and liquidity aspects of any asset in seconds, while the Shield automatically scans your wallet for high-risk approvals and sends notifications if any are detected.
Web3 SuperApp: De.Fi's Dashboard integrates 43 blockchains, 380+ protocols, and 8 exchanges, allowing you to track both CEX and DEX portfolios simultaneously in one place by bundling your wallets/accounts.
APY Aggregator: With their APY aggregator De.Fi offers access to 10k+ LPs and tracks historical data. Click on any pool to see the magic of their comprehensive tracking.
Rekt Database: De.Fi maintains the largest database of crypto scams and hacks, with each case investigated on-chain by their security department and explained in detail.
By the way, if you are looking to sponsor this newsletter, send me a DM on Twitter to @DeFiIgnas.
How to evaluate safety of DeFi projects to avoid rugs & hacks.
Total Value Locked, the ultimate proof of security?
It’s great if you’re an experienced smart contract developer and can verify the code yourself. But most of us aren’t.
That leaves us no choice but to evaluate projects based on other data, which involves some degree of trust.
It’s no secret that most people evaluate DeFi projects by how much value is deposited in their smart contracts, so TVL serves as a sort of proof of trust.
The higher the Total Value Locked, the higher the implied security of a protocol. If a lot of money is deposited, it means ‘someone’ did due diligence and that the protocol is secure.
Unfortunately, it gives a false sense of security. And high TVL protocols are actively targeted by hackers. At the same time, low TVL doesn’t mean a protocol is not secure.
The biggest recent shock to me was the hack of Euler protocol! If Euler can get hacked, everything can.
Take a look at the top DeFi protocols by TVL.
• Do you think that the TVL represents the level of security/safety?
• Is there any protocol you wouldn’t trust with your money? Why?
Your answers might be biased by what you read online.
Trust, but verify?
‘Don’t trust, verify’ is the reason we have smart contract audits.
If that weren’t the case, we might not need audits, because the code is open source and the community could find all the issues in it. Yet the community might not have the right motivation, incentives or expertise to verify code.
Auditors are supposed to have the right technical expertise, but at the end of the day, we also have to trust them to do the right job.
For example, Merlin DEX rugged after passing Certik audit. Apparently, “there was a potential private key management issue.”
Audit companies are building their reputation too. If the protocols they audit (and evaluated as safe) are exploited, then it shows a lack of expertise. In fact, Certik has audited 3,774 projects (let that sink in), so no wonder some of them got hacked or had a bug.
Just because a protocol has been audited doesn't mean it's safe.
I’ve seen projects proudly announcing ‘Completed audit’, but when you read the audit the safety score is actually low. Here’s another example for you of what I mean.
The lesson is not to trust the announcements blindly but verify the result by reading the actual audit.
What if you don’t read the audits?
The majority doesn’t read the audits anyway.
With that in mind, Certik has a dashboard with all their audited projects, where you can check the ‘Trust Score’; a higher number implies more safety.
Other auditors like Hacken have a similar dashboard.
De.Fi has built the largest database of DeFi project audits, where you can search by project name and find all the audits done. For example, Aave has 9 audits in total!
Audit is just a start.
A lot more is needed to evaluate safety:
• Adequate testing
• Bounty campaigns
• Documentation clarity
• Admin controls
• Oracle documentation
and much more… It’s a nightmare to verify it all yourself.
I really like what DefiSafety is doing. Its Process Quality Review verifies protocols and gives them a safety score.
According to the PQR results, Morpho, Liquity Protocol, and Synthetix are the safest of all verified DeFi protocols.
On DefiSafety you can then check every element and see where the protocol scores best and worst. Unfortunately, DefiSafety has now made this a paid feature.
A good way to start is by scanning your portfolio on De.fi Web3 Antivirus.
The 'Shield' feature provides a risk analysis of your current deposits. For example, Andrew Kang has assets in 43 high risk smart contracts.
In all honesty, it's quite impressive, and my enthusiasm isn't solely due to their sponsorship of this post; it's genuinely a valuable tool.
The De.fi scanner not only checks for basic vulnerabilities and threats such as reentrancy attacks and unchecked transfers, but also incorporates exploits and weaknesses identified in recent years, so its detection is comprehensive.
In the case of Andrew Kang’s wallet, he had previously deposited some USDT into a risky Fulcrum USDT iToken (iUSDT), which could be upgraded, changing its functionality.
This tool is useful when degen trading or yield farming.
For instance, you can input a token's smart contract address or simply search by a protocol name, and De.fi will scan the protocol's smart contract address for any potential vulnerabilities.
The process is like this:
1. You find some token trading or a new farm on Twitter (in my case, the WOJAK token).
2. Enter the smart contract address in the De.fi scanner.
3. Check the total Safety Score and potential vulnerabilities.
In WOJAK’s case, the token has an infinite mint function, so there’s no way I will buy it.
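To make the kind of red flag the scanner reports concrete (an infinite mint function, or a token whose logic sits behind an upgradeable proxy), here is a small added example of a static check over EVM bytecode. It is not De.Fi's scanner and not the WOJAK contract: it walks the runtime bytecode opcode by opcode, collects the PUSH4 immediates (function selectors) that match a short list of mint / pause / upgrade selectors, and treats a PUSH32 of the EIP-1967 implementation slot as a proxy marker. The two sample bytecodes are constructed for the demo; the selector list and the slot value are standard.

```python
"""Toy static check of EVM bytecode for the red flags a token scanner looks for.

Added illustration, not De.Fi's scanner. It walks runtime bytecode opcode by
opcode, records PUSH4 immediates that match known mint / pause / upgrade
selectors, and flags a PUSH32 of the EIP-1967 implementation slot as a proxy
(upgradeable) marker. The sample bytecodes below are constructed for the demo.
"""

# Selector = first 4 bytes of keccak256(signature); standard values for these signatures.
RISKY_SELECTORS = {
    "40c10f19": ("mint(address,uint256)", "supply can be inflated by the minter"),
    "8456cb59": ("pause()", "transfers can be frozen by the owner"),
    "3659cfe6": ("upgradeTo(address)", "contract logic can be replaced after you buy"),
    "4f1ef286": ("upgradeToAndCall(address,bytes)", "contract logic can be replaced after you buy"),
}
# keccak256("eip1967.proxy.implementation") - 1: the slot a proxy reads to find its logic contract.
EIP1967_IMPL_SLOT = "360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"


def push_immediates(code: bytes):
    """Yield (size, immediate) for each PUSHn, skipping immediates so data is not misread as opcodes."""
    i = 0
    while i < len(code):
        op = code[i]
        if 0x60 <= op <= 0x7F:  # PUSH1 .. PUSH32
            n = op - 0x5F
            yield n, code[i + 1:i + 1 + n]
            i += 1 + n
        else:
            i += 1


def scan_bytecode(bytecode_hex: str) -> dict:
    """Return the risky selectors found, whether the code reads the EIP-1967 slot, and a verdict."""
    code = bytes.fromhex(bytecode_hex.removeprefix("0x"))
    findings, seen, proxy = [], set(), False
    for size, imm in push_immediates(code):
        key = imm.hex()
        if size == 4 and key in RISKY_SELECTORS and key not in seen:
            seen.add(key)
            sig, why = RISKY_SELECTORS[key]
            findings.append(f"{sig}: {why}")
        elif size == 32 and key == EIP1967_IMPL_SLOT:
            proxy = True
    if proxy:
        findings.append("EIP-1967 proxy: token behaviour depends on an implementation the admin can change")
    return {"findings": findings, "proxy": proxy, "risk": "high" if findings else "low"}


# --- constructed sample bytecode (not a real deployed contract) ---
def _push(data: bytes) -> bytes:
    """Encode PUSHn for 1..32 bytes of immediate data."""
    return bytes([0x5F + len(data)]) + data


def _dispatch(selector_hex: str) -> bytes:
    # DUP1 PUSH4 <selector> EQ PUSH1 <dest> JUMPI: the shape solc emits per external function
    return b"\x80" + _push(bytes.fromhex(selector_hex)) + b"\x14" + _push(b"\x00") + b"\x57"


# PUSH1 0x80 PUSH1 0x40 MSTORE, then PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR to load the selector
_PROLOGUE = bytes.fromhex("6080604052") + bytes.fromhex("60003560e01c")

# Mintable token behind a proxy: mint + transfer dispatch, then PUSH32 <slot> SLOAD
CONSTRUCTED_MINTABLE_PROXY = (
    _PROLOGUE + _dispatch("40c10f19") + _dispatch("a9059cbb")
    + _push(bytes.fromhex(EIP1967_IMPL_SLOT)) + b"\x54"
).hex()
# Plain token: only transfer(address,uint256) and approve(address,uint256) in the dispatcher
CONSTRUCTED_PLAIN_TOKEN = (_PROLOGUE + _dispatch("a9059cbb") + _dispatch("095ea7b3")).hex()

if __name__ == "__main__":
    for name, code in [("mintable proxy", CONSTRUCTED_MINTABLE_PROXY), ("plain token", CONSTRUCTED_PLAIN_TOKEN)]:
        result = scan_bytecode(code)
        print(f"{name}: risk={result['risk']}")
        for line in result["findings"]:
            print("  -", line)
```

Walking the opcodes instead of grepping the hex matters: a selector-sized byte pattern inside a PUSH32 constant would otherwise produce a false positive. The check is deliberately narrow (a few selectors and one storage slot); a real scanner also has to decide who may call `mint`, whether ownership has been renounced, and whether a proxy admin is a timelock or a single key.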
You can also rate your portfolio safety on Exponential DeFi.
The 'Rate my wallet' feature provides a custom risk analysis of your current portfolio.
For instance, my degen portfolio isn't as degen as the name suggests, since 50% of the deposits reside in A or B rated smart contracts.
It offers real-time alerts (via SMS or email) for all transactions, ensuring you're always in the loop. Along with a weekly summary of signed approvals, this free service helps safeguard your wallet by keeping you updated.
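The approvals such a weekly summary covers can also be audited yourself from the chain's Approval events. The following is an added example, not De.Fi's Shield or Exponential's code: it replays Approval(owner, spender, value) logs for one wallet, keeps the latest allowance per (token, spender) pair, drops revoked ones, and ranks what is left by whether the allowance is effectively unlimited and whether the spender is on an allowlist you maintain. The wallet, token and spender addresses and the log entries are constructed for the demo, and the "unlimited" threshold is a choice made here, not a standard.

```python
"""Audit a wallet's ERC-20 approvals from Approval event logs.

Added example, not De.Fi's Shield: it replays Approval(owner, spender, value)
logs for one wallet, keeps the latest allowance per (token, spender), drops
revoked ones, and ranks what remains. Log entries are constructed inline; on a
real chain they would come from eth_getLogs filtered on the Approval topic.
"""

# keccak256("Approval(address,address,uint256)"), topic[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
# Threshold chosen for this example: anything this large is treated as unlimited
# (covers type(uint256).max and the "max / 2" pattern some dapps use).
UNLIMITED_THRESHOLD = 2**255


def _topic_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes in a topic; take the last 20 bytes."""
    return "0x" + topic[-40:].lower()


def parse_approval(log: dict):
    """Decode one raw log into {token, owner, spender, value}, or None if it is not an Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": _topic_address(topics[1]),
        "spender": _topic_address(topics[2]),
        "value": int(log["data"], 16),
    }


def audit_approvals(logs: list, wallet: str, known_spenders: dict) -> list:
    """Return active approvals granted by `wallet`, most dangerous first.

    `logs` must be in chain order so that a later approval (or a value-0 revoke)
    overrides an earlier one for the same (token, spender) pair.
    """
    wallet = wallet.lower()
    active = {}
    for log in logs:
        ev = parse_approval(log)
        if ev is None or ev["owner"] != wallet:
            continue
        key = (ev["token"], ev["spender"])
        if ev["value"] == 0:
            active.pop(key, None)  # revoked
        else:
            active[key] = ev
    findings = []
    for (token, spender), ev in active.items():
        reasons = []
        if ev["value"] >= UNLIMITED_THRESHOLD:
            reasons.append("unlimited allowance")
        if spender not in known_spenders:
            reasons.append("spender not on allowlist")
        severity = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
        findings.append({
            "token": token,
            "spender": spender,
            "spender_label": known_spenders.get(spender, "unknown"),
            "value": ev["value"],
            "severity": severity,
            "reasons": reasons,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["token"], f["spender"]))


# --- constructed sample data (addresses and logs are made up for the demo) ---
MY_WALLET = "0x" + "11" * 20
OTHER_WALLET = "0x" + "22" * 20
TOKEN_A, TOKEN_B, TOKEN_C = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20
ROUTER = "0x" + "aa" * 20           # hypothetical DEX router we chose to trust
UNKNOWN_SPENDER = "0x" + "ee" * 20  # hypothetical contract we never meant to keep approved
KNOWN_SPENDERS = {ROUTER: "HypotheticalRouter"}


def _log(token, owner, spender, value):
    def pad(addr):  # 20-byte address left-padded to a 32-byte topic
        return "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _log(TOKEN_A, MY_WALLET, ROUTER, UINT256_MAX),              # unlimited to a trusted router
    _log(TOKEN_B, MY_WALLET, UNKNOWN_SPENDER, UINT256_MAX),     # unlimited to unknown ...
    _log(TOKEN_C, MY_WALLET, UNKNOWN_SPENDER, UINT256_MAX),     # unlimited to unknown, never revoked
    _log(TOKEN_B, MY_WALLET, UNKNOWN_SPENDER, 0),               # ... then revoked
    _log(TOKEN_A, OTHER_WALLET, UNKNOWN_SPENDER, UINT256_MAX),  # someone else's approval, ignored
]

if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_LOGS, MY_WALLET, KNOWN_SPENDERS):
        print(f"[{f['severity']}] {f['token']} -> {f['spender_label']} ({f['spender']}): "
              f"{', '.join(f['reasons']) or 'ok'}")
```

Replaying in chain order is the part people get wrong: an old unlimited approval that was later revoked must disappear, and a later approval for the same pair replaces the earlier value rather than adding to it. With real data the revoke of TOKEN_B above is exactly what a "revoke" tool emits, and the TOKEN_C line is the case these weekly summaries exist to catch.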
If in doubt, ask!
Finally, I recommend joining the project community groups and ask:
Do they have an insurance fund?
Do they avoid questions?
What are they doing to increase security?
I asked the Stargate team if they had an insurance fund in case they get hacked, but it is sometimes more difficult to get an answer than I expected, which is a red flag.
But whatever happens, DeFi is still young, so better not to put all your assets into one protocol.
Do you have more useful tips on how to evaluate projects and protect your assets?
5 Habit-Based Tips to Stay Safe
While $76B USD has been lost in DeFi hacks and scams, millions have been lost to avoidable human mistakes. That’s why the tools mentioned above will not protect you from yourself.
In my 5 years in crypto, I’ve developed some habits that I hope will help you stay safe too!
They are quite simple!
1. Avoid transactions when tired
This simple advice is often overlooked.
Fatigue can lead to impulsive decisions, like the time I accidentally bought 10 times more of a token than I intended due to an extra zero. To avoid similar mistakes, stay alert and well-rested when making transactions.
2. Avoid transactions when busy or rushed
Rushing through transactions can also lead to errors.
I once sent 1 ETH to the wrong address because I was in a hurry, essentially giving away free money to a stranger. To prevent such costly mistakes, always take your time when executing transactions.
3. Add steps to transactions
It might sound counterintuitive, but adding extra steps to your transactions can actually help you avoid errors.
Using hardware wallets for seed-phrase security AND introducing additional confirmation steps provide more time to think and catch potential mistakes. This is also why I have 2FA enabled everywhere possible.
You can also use multi-sig wallets like Safe, so two of your wallets (for example, PC + Mobile) would be required to sign a transaction.
4. Choose a place and time to execute transactions
Establishing a routine for when and where you make transactions can also help reduce errors.
I prefer to make long-term token purchases once a week, always in the morning when I'm well-rested and not in a rush. Avoid trading in public or uncomfortable environments.
5. Prepare for slip-ups
Even if you follow the first four tips, mistakes can still happen.
That's why I have a mobile hot wallet with 3% of my portfolio allocated for impulsive buys and fun. This allows me to satisfy cravings without risking significant losses.