
How I Stay Safe in DeFi

Basic DeFi security habits won't make you bulletproof, but they'll put you in better shape than most users.

Hacks and scams have extracted hundreds of millions of dollars from crypto projects so far in 2026. That's... not great.

Of course, some of these attacks have been very sophisticated and drained protocols before their teams could even respond. Yet exploits come in many different forms, and DeFi users who double down on basic security practices can greatly improve their chances of avoiding trouble.

The bottom line to transacting onchain is the buck stops with you. You have to do your own due diligence and implement your own defenses.

To that note, I personally have a handful of steps (which basically haven't changed since DeFi Summer in 2020) that I use when exploring new DeFi projects in earnest. I hope these can serve you well now and for years to come, too.

While these steps will seem obvious to some people, many crypto users don't use more than one or two of them at the same time. Layering them together gives you a common-sense first line of defense, and I'd recommend this to anyone.

Accordingly, my DeFi safety checklist is as follows...

1. Start with the project docs

Some crypto projects have sparse or nonexistent documentation, which drives me crazy.

Good docs are expansive docs that explain protocol mechanics and also include stuff like audit reports, risk disclosures, etc. Whenever possible, and whenever you can find them, an app's docs should serve as your starting point. They give you a quick-start understanding of how a project works and, hopefully, its main security implications.

For instance, this week I've been checking out Alchemix V3, which offers self-repaying loans against ETH and USDC, so I was recently surfing through docs.alchemix.fi/user. This one has some great resources, and I say that as someone who has seen droves of subpar docs. Alchemix's hub gives you a total bird's-eye view of the protocol, plus explicit pages for Risk Considerations and Security & Audits.

This is precisely the info you want to vet early.

However, this isn't the only info to look for.

Also uncover what you can about a project's composability exposure. In other words, what other apps and tech does it touch? Alchemix's docs explain that the V3 yield flow is centered around Morpho V2 vaults, which in turn can interact with other external protocols like Aave. This sort of info catches you up on a project's strengths and pressure points so you can make informed decisions around them.

2. Check external analytics

Once you have a research baseline from the docs, zoom out and learn what else you can about the project from neutral S-tier analytics platforms like Dune, DeFiScan, and DefiLlama.

DefiLlama is particularly nice because, beyond its bread-and-butter DeFi data (the industry's gold standard, streamlined for analysts), the platform also offers a directory of DeFi apps for visiting your desired projects directly and with peace of mind, so you can bypass scam results on Google, cross-check whether a link you saw on X is legit, and so on.

As far as digging into additional info, though, you're mainly looking to see if everything currently looks normal around your target project (e.g. is its total value locked stable or plummeting over the past day?) or if you can find anything problematic. One red flag is if a "DeFi protocol" isn't actually that decentralized, which is where reviewing projects on DeFiScan comes in handy.

3. Search X for recent updates

X remains the town square of crypto. It's the place to search if you want to find the latest announcements from projects, particularly announcements related to security incidents.

For instance, Alchemix had originally planned to lift its initial V3 deposit caps on April 20, but in the wake of the Kelp DAO exploit and in anticipation of more clarity around that incident (which has thankfully arrived), the project announced a pause on its cap-lifting plans. It wasn't an emergency that required action from users, but the post demonstrates that X is where you go to check for the latest updates and community discussions. Make a scan here before doing anything onchain just to be safe.

4. Start cautious, stay cautious

Once you feel comfortable moving forward, create a test wallet siloed with only a small amount of funds, and use this for getting a feel for apps you haven't tried before. This way if something nefarious does happen, it's not your main wallet with the bulk of your holdings that gets hit.

Fire off some transactions, like deposits and withdrawals, so you can verify that the underlying protocols behave as they're supposed to. Then if everything checks out, you can scale up your action. Just never deposit more than you can lose anywhere, and consider using a hardware wallet for your more dedicated activities to add a physical shield to your transactions.

I'd also recommend setting up a Safe multisig (at least a 2/3) as your "main base," so to speak, and only send and receive funds here. Then rake back any crypto and yield from your DeFi wallet(s) to this multisig as you please, giving you a layer of separation between your action accounts and your vault wallet.

5. Simulate non-trivial transactions

Once you're experienced with a DeFi project, you might want to start using it in size, but you can never be too safe. A great prophylactic measure you can take before executing large transactions is simulating them first. In other words, preview exactly how your desired transaction would play out before actually firing it off live onchain.

For example, you can get a free account on Tenderly, a platform that, among other things, lets users simulate transactions across more than 100 Ethereum Virtual Machine (EVM) chains. The previews specifically show you whether your transactions will succeed or revert and what token balance changes would occur if they actually succeeded.

However, if you want to keep things simple, wallets like MetaMask and Rabby have natively integrated Tenderly so that when you tee up transactions in them, their UIs automatically show transaction previews before you ever sign anything. They're easy avenues to take advantage of this capability.

6. Prune your token approvals

When you interact with DeFi protocols, it's common to use your wallet to grant a token approval, i.e. permission to move a given token up to some specific limit.

That said, unlimited approvals are prevalent and convenient in DeFi, but they create definite exposure. If a protocol you approved months or years ago gets exploited, an attacker could drain your max-approved balance regardless of whether you've used that project recently.

With this vector in mind, make it a habit to periodically review and revoke the approvals you no longer need using a platform like revoke.cash, which lets you connect your wallet, see every open approval you have, vet how much money you have at stake, and remove approvals. As part of your ongoing onchain security regimen, go through these monthly and ax the ones you no longer use.
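To make the approval-hygiene step concrete, here is an added example (not code from the article or from revoke.cash) that replays ERC-20 `Approval` events for one wallet, flags the allowances that are effectively unlimited, and builds the `approve(spender, 0)` calldata that would revoke each one. The addresses and events are constructed sample data.

```python
# Added example: audit a wallet's open ERC-20 allowances from Approval events.
# Caveat: some tokens do not emit Approval when an allowance is drawn down, so
# event replay can overstate exposure; allowance(owner, spender) is authoritative.
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

@dataclass(frozen=True)
class Approval:
    token: str    # ERC-20 contract that emitted the event
    owner: str    # wallet that granted the allowance
    spender: str  # contract allowed to pull the owner's tokens
    value: int    # new allowance; it replaces (does not add to) the old one

def open_allowances(events, owner):
    """Return {(token, spender): allowance} for the owner's non-zero allowances."""
    current = {}
    for ev in events:  # events must be in chain order, oldest first
        if ev.owner.lower() != owner.lower():
            continue
        key = (ev.token.lower(), ev.spender.lower())
        if ev.value == 0:
            current.pop(key, None)  # explicit revoke, or fully spent allowance
        else:
            current[key] = ev.value
    return current

def is_unlimited(value, threshold=2**128):
    # Nothing real has a supply near 2**128; treat anything above it as "unlimited".
    return value >= threshold

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector + left-padded address + zero amount."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def plan_revocations(events, owner):
    """(token, spender, calldata) for each unlimited allowance the owner still has."""
    return [(token, spender, revoke_calldata(spender))
            for (token, spender), value in open_allowances(events, owner).items()
            if is_unlimited(value)]

# Constructed sample data (hypothetical addresses), oldest event first.
ME, OTHER = "0x" + "1" * 40, "0x" + "2" * 40
USDC, WETH = "0x" + "a" * 40, "0x" + "c" * 40
ROUTER, VAULT = "0x" + "b" * 40, "0x" + "d" * 40
SAMPLE_EVENTS = [
    Approval(USDC, ME, ROUTER, UINT256_MAX),  # unlimited approval, still open
    Approval(USDC, ME, VAULT, 500 * 10**6),   # bounded approval (500 USDC)
    Approval(WETH, ME, ROUTER, UINT256_MAX),  # unlimited, but...
    Approval(WETH, ME, ROUTER, 0),            # ...already revoked
    Approval(USDC, OTHER, ROUTER, UINT256_MAX),  # someone else's wallet
]
```

Running `plan_revocations(SAMPLE_EVENTS, ME)` yields one entry, the open unlimited USDC allowance to ROUTER, with the calldata you would send to the USDC contract to zero it.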

Zooming out

As I said in the intro, some DeFi exploits will be so sophisticated that there's not much you could do besides positioning, i.e. not having all your eggs in one basket, not depositing more than you can afford to lose, not using projects with multiple red flags.

But ultimately the checklist I've outlined above matters because it will protect you from most of the lowest-hanging vectors. None of these steps are hard, and they become defensive force multipliers when you layer them together as good habits. The basics work, so use them!

Written by William M. Peaster

William M. Peaster, Senior Writer, has been with Bankless since January 2021. Immersed in Ethereum since 2017, he writes the Metaversal newsletter on the onchain frontier, covering everything from AI projects to crypto games, as the team’s lead NFT analyst. With a background in creative writing, he writes fiction and publishes art on Ethereum in his free time.
