DeFi Security Checklist
Six essential security checks to run before depositing funds into any DeFi protocol. Protect your capital from smart contract exploits, admin key compromises, and governance attacks.
Step-by-Step Guide
Verify Protocol Audit
Before depositing funds into any DeFi protocol, check whether it has been audited by a reputable security firm such as CertiK, Trail of Bits, OpenZeppelin, or Halborn. Read the actual audit report — not just the badge on the website. Look for the severity of findings and whether critical issues were resolved. Unaudited protocols carry significantly higher risk of smart contract exploits.
Check TVL Trends
Total Value Locked (TVL) indicates how much capital users have deposited. A steadily growing TVL suggests trust and adoption, while a rapidly declining TVL can signal problems. Be cautious of protocols where TVL is inflated by a single whale deposit, as that deposit can be withdrawn at any time. Use Coinibi to monitor token-level metrics that relate to the protocols you are considering.
Review Admin Key Setup
Check who controls the protocol's admin keys. Ideally, critical functions should be behind a multi-signature wallet (multisig) requiring multiple parties to approve changes. A single admin key means one compromised wallet can drain the entire protocol. Also check for time-lock contracts that delay admin actions, giving users time to exit if malicious changes are proposed.
Test with Small Amounts
Never deposit your full intended amount on the first interaction. Start with a small test transaction to verify that deposits, yields, and withdrawals all work as expected. Check that you can freely withdraw your funds — some protocols have lock-up periods or withdrawal fees that are not prominently displayed. This small test can save you from losing a large sum.
Verify Token Approvals
When you interact with a DeFi protocol, you grant token approvals that allow the smart contract to spend your tokens. Many protocols request unlimited approval by default, which means the contract can access all tokens of that type in your wallet. Use a token approval checker to review and revoke unnecessary approvals. Limit approvals to the exact amount you intend to deposit.
Monitor Governance Proposals
Active governance proposals can change how a protocol operates — including fee structures, collateral ratios, and withdrawal rules. Follow the protocol's governance forum and voting interface to stay informed about upcoming changes. Proposals that significantly alter tokenomics or admin permissions deserve extra scrutiny. Exit your position before any governance change that increases your risk.
Frequently Asked Questions
What is DeFi security and why does it matter?+
DeFi security encompasses the measures that protect decentralized finance protocols and their users from smart contract exploits, rug pulls, governance attacks, and flash loan manipulations. It matters because DeFi transactions are irreversible — once funds are stolen from a protocol, recovery is extremely unlikely. Billions of dollars have been lost to DeFi exploits since 2020.
What does a DeFi audit actually check?+
A DeFi audit reviews the smart contract code for vulnerabilities including reentrancy attacks, integer overflow, access control flaws, oracle manipulation risks, and logic errors. Auditors also check whether the code matches the protocol's documentation and whether admin functions have appropriate safeguards. The audit report rates findings by severity: critical, high, medium, low, and informational.
How do I check token approvals in my wallet?+
You can review and revoke token approvals using tools like Revoke.cash or Etherscan's token approval checker. These tools show every smart contract that has permission to spend tokens from your wallet. Revoke any approvals for protocols you no longer use, and consider limiting future approvals to the exact amount needed rather than granting unlimited access.
What is a multisig wallet and why is it important for DeFi?+
A multisig (multi-signature) wallet requires multiple private keys to authorize a transaction, such as 3 out of 5 signers. For DeFi protocols, multisig admin keys mean no single person can make critical changes like upgrading contracts, changing fees, or pausing the protocol. This distributes trust and reduces the risk of a single compromised key draining all funds.