Decentralized finance (DeFi) is one of the fastest-growing sectors of the crypto industry, with $92 billion worth of crypto assets locked in peer-to-peer powered protocols in January, 2022 – up 196% over 2021.
This growth can largely be attributed to the many lucrative, high-interest earning opportunities available across DeFi lending and trading platforms. But, of course, with any new crypto trend that draws significant attention and investment, there are always scammers looking for ways to capitalize on it – and you aren’t likely to get a refund for your mistakes.
What is DeFi again?
DeFi protocols are blockchain-based platforms that offer a range of financial services you would typically find in the traditional space, such as: The key difference is, DeFi platforms run entirely using smart contracts rather than having an intermediary like a bank or insurance broker operating in the middle.
Smart contracts are self-executing computer programs that enforce contractual agreements between parties.
In an ideal world, they power valuable non-custodial financial services, like lending protocols and decentralized exchanges. But sometimes they contain bugs or gaping security vulnerabilities that allow attackers, or even errant developers, to drain treasury wallets.
To stay safe, it’s valuable to be able to identify common red flags that indicate a DeFi protocol might, in fact, be a scam or operate on faulty code.
To do this, you don’t have to be able to read smart contract code or understand programming. Free tools, such as Token Sniffer for Ethereum and PooCoin for Binance Smart Chain, run automated audits of token contracts to check if they contain any malicious code for you. While these shouldn’t be relied on entirely, they can be a good starting point for your own due diligence process.
Rug pulls
Rug pulls are so common in DeFi that “getting rugged” has become a common phrase in crypto-speak.
A rug pull is a type of exit scam in which the perpetrators create a new token, launch a liquidity pool for it and pair it with a base token like ether (the native token of Ethereum) or a stablecoin like dai (DAI). A liquidity pool is a large pool of tokens that a protocol uses to fulfill trades, as opposed to an order book system where buyers and sellers list their trade orders and wait to be filled.
The key part of this scam is the creators retain a significant portion of the total supply once the token launches.
If they’ve successfully marketed it to the wider crypto community, investors will begin adding liquidity to the pool to earn a portion of transaction fees charged to traders who use it. Once the amount of liquidity in the pool reaches a certain point, the creators dump all their tokens into the pool and withdraw all the ether, dai or whichever base token was used from the pool. This sends the price of the newly created token to near-zero, leaving investors holding worthless coins while the rug pullers walk away with a tidy profit.
It’s a massive red flag when just a few wallets control nearly half the circulating supply of a token. You can check the token distribution on a blockchain explorer – Etherscan for Ethereum – by clicking on the "Holders" tab of a token contract.
A November 2021 study found that 50% of all token listings on Uniswap are scams, so the odds aren’t in your favor when it comes to investing in relatively unknown projects.
It’s generally safer if the team behind a project is public, or if it’s run by anonymous accounts that have earned a good reputation by launching previously successful, honest projects.
Honeypots
Cryptocurrencies are volatile, meaning prices can fluctuate massively over a given time period. But, if a new coin only goes up and nobody seems to be selling it, it can be a sign that something known as a honeypot scam is going on.
This is where investors are lured in by a token’s ever-increasing price but the only wallet that the smart contract allows to sell is controlled by the scammers.
Squid Game token is a recent example. The DeFi project attracted mainstream media attention due to its alleged association with the popular TV show. It rapidly rose in value shortly after launch, but the media quickly noticed investors were unable to sell any of their tokens. Eventually, the founders dumped their tokens and ran off with millions of dollars worth of binance coin (BNB).
It’s important to note that widespread coverage of a cryptocurrency doesn’t necessarily mean it’s safe. Mainstream media outlets may not have the expertise or time to vet a crypto project, and can often assist in drumming up more hype for scams. In some cases, social media influencers may be paid to promote cryptocurrencies without taking the time to realize they’re a scam – and these influencers don’t always disclose that they’re being paid to talk about a project. A-list celebrities like Floyd Mayweather, DJ Khalid and Kevin Hart have all faced lawsuits for promoting crypto projects that were later found to be outright scams.
Phishing attacks
Phishing is when a scammer pretends to be an official company in order to trick victims into revealing sensitive information. This type of scam is especially rampant in crypto.
If you post certain keywords on social media like “MetaMask” on Twitter, you can expect a swarm of scam bots to reply. Often these bots will direct you to a Google Form, asking you to enter your wallet seed phrase or other sensitive information. Something you should never share with anyone.
Many scammers pretend to be famous people you might follow on social media. They’ll message you appearing to offer help before asking you to send crypto or share sensitive information. Sometimes scammers will run fake YouTube channels soliciting funds.
In January 2021, someone lost $1.14 million to scammers pretending to be Michael Saylor, the CEO of MicroStrategy.
Remember, real influencers are highly unlikely to ask you to send them money in a private message– especially if they’ve never spoken to you before. However, some celebrities may knowingly or unwittingly promote pump-and-dump schemes, which are also highly common in crypto.
Fake Google ads
The first Google result for a crypto project might not point you in the right direction – in fact, it might direct you toward a scam.
Unfortunately, Google doesn’t vet the authenticity of websites before it sells an advertisement spot, so a Google ad should never be construed as a sign of legitimacy.
If you aren't sure what the right website is, check out reliable sources, like the official Twitter page of the project, to find the real website.
Exploits and vulnerabilities
DeFi runs on pieces of code visible to everyone, which means that technically-savvy people may exploit vulnerabilities in the code and run away with huge sums of money. In fact, the amount of funds lost in exploits of DeFi projects totaled $1.3 billion in 2021, according to blockchain security firm CertiK.
To reduce the risks of exploits, many DeFi projects commission audit firms like PeckShield or Hacken to review their code and help them patch any issues found. DeFi projects may also offer bounties to white-hat hackers through platforms like Immunefi to discover bugs in their code before malicious attackers do.
Audits and bounty programs are usually displayed on project sites, so you may want to check them before deciding to invest. Although these programs reduce the risks of exploits, they don't eliminate the risks completely. There are plenty of audited DeFi projects that have fallen victim to million-dollar-plus exploits.
Scam airdrops
Airdrops, when protocols distribute free tokens to members of their communities, are common in crypto. But not all tokens airdropped to your wallet are genuine.
A recent DeFi scam, especially common on the Binance Smart Chain, tricks people into thinking they have suddenly received tokens worth thousands of dollars. But they aren’t tradable on exchanges as there’s no liquidity.
In most instances, these tokens will be named after a shady website. If you connect your wallet through that website and approve access to a malicious smart contract, scammers are able to siphon funds directly from your wallet.