DeFi offers incredible opportunities but comes with real risks. This checklist helps you evaluate protocols and protect your funds.
Pre-Deposit Checklist
Before depositing funds into any DeFi protocol, verify:
Protocol Fundamentals
Age: Is the protocol at least 6 months old? Newer protocols have higher risk.
TVL: Does it have at least $10M TVL? Low TVL indicates low trust or liquidity risk.
Team: Is the team known and reputable? Anonymous teams aren't necessarily bad, but add risk.
Funding: Is the project backed by reputable investors? Check Crunchbase or DefiLlama.
Smart Contract Security
Audit: Has the protocol been audited by a reputable firm (Trail of Bits, OpenZeppelin, Spearbit, Cyfrin)?
Multiple audits: Ideally, there should be 2+ audits from different firms.
Audit recency: Was the audit done on the current deployed code? Check if there have been upgrades since.
Bug bounty: Does the protocol have an active bug bounty program (Immunefi, Code4rena)?
On-Chain Verification
Verified contracts: Are the smart contracts verified on the block explorer?
Proxy patterns: If upgradeable, who controls the proxy admin? Is there a timelock?
Admin keys: Who holds admin keys? Multisig? What's the threshold?
Timelock: Is there a timelock on admin actions (24-48 hours minimum)?
Contract Verification Steps
Step 1: Find the Contract
Go to the protocol's official documentation and find the deployed contract addresses. Never trust addresses from Discord or Twitter.
Step 2: Verify on Block Explorer
On Etherscan/Arbiscan/etc., check:
Is the contract verified (source code visible)?
Does the contract name match what you expect?
When was it deployed? Does this match the protocol's launch?
Step 3: Check for Proxies
If it's a proxy contract:
Find the implementation contract
Check who owns the proxy admin
Look for timelock protection on upgrades
Step 4: Review Permissions
Use tools like Etherscan's "Read Contract" to check:
Who is the owner/admin?
What functions can they call?
Are there any pause/freeze functions?
Wallet Security Basics
Hardware Wallet
Use a hardware wallet (Ledger, Trezor) for any significant funds
Never enter your seed phrase on a computer
Keep firmware updated
Hot Wallet Hygiene
Use a dedicated browser for DeFi (not your daily browsing)
Separate wallets for different risk levels (trading wallet, savings wallet)
Regularly review and revoke unused token approvals
Approvals Management
Only approve the amount needed for each transaction
Revoke approvals after you're done (use revoke.cash or Etherscan's token approval checker)
Never approve unlimited amounts to new or unaudited contracts
Common Scams to Avoid
Fake Websites
Bookmark official URLs and only use bookmarks
Check the URL carefully (app.aave.com vs app-aave.com)
Never click DeFi links from social media or Discord
Approval Exploits
Malicious contracts can drain your wallet if you approve them
Always verify what you're signing in your wallet
Be especially careful with "gasless" transactions and permit signatures
Rug Pulls
Team drains liquidity or mints unlimited tokens
Warning signs: anonymous team, no audit, locked liquidity claims that aren't verifiable
Check token contracts for mint functions and ownership
Social Engineering
"Support" staff will never DM you first
No one legitimate will ask for your seed phrase
Be wary of "too good to be true" yield opportunities
Emergency Procedures
If You Suspect a Compromise
Don't panic — rushed actions often make things worse
Disconnect your wallet from all sites
Check recent approvals at revoke.cash
Revoke suspicious approvals immediately
Move funds to a new wallet if you believe your keys are compromised
Document everything for potential recovery or reporting
If a Protocol is Hacked
Check official channels for announcements
Don't rush to withdraw — you may lose more to gas or slippage
Assess the damage — is your specific pool/vault affected?
Wait for post-mortem — the protocol may have a recovery plan
Document your exposure for tax purposes
Emergency Revoke All
If you need to quickly revoke all approvals:
Go to revoke.cash
Connect your wallet
Sort by "Unlimited" approvals
Revoke high-risk approvals first (new protocols, unlimited amounts)
Daily Habits
Check your DeFi positions regularly (daily or weekly)
Follow protocol official Twitter/Discord for announcements
Set up position monitoring (DefiSaver, Instadapp, Zapper)
Review new transactions in your wallet for anything unexpected
Stay updated on security news (rekt.news, DeFi Llama)