DeFi-ng the Odds: A Beginner’s Guide to Security

Originally published March 5, 2021

Decentralized finance puts the power back in the hands of its users. But with great power comes great responsibility. Just as DeFi opens up a world of opportunity for those looking to make their money work for them, it also requires users to take responsibility for their own choices and security.

That might sound a little intimidating, but it really shouldn’t scare off anyone new to the space. With a few simple steps you can avoid many of the most common scams and exploits.

With that in mind, we convened a panel of DeFi experts to share their thoughts on how users can strengthen their security and take advantage of all that the space has to offer.

Our own Aaron Leibowitz and Mario Calicchia were joined by:

Rob Behnke — CEO at Halborn

Steve Walbroehl — CISO & Co-Founder Halborn

Steven Ferebee — Saxon Advisors

Dave Pazdan — Metamask, formerly Coinbase

Ally Medina — Director, Blockchain Advocacy Coalition, former Mayor of Emeryville, CA

Hardware Wallets

The number one piece of advice that everyone on the panel agreed on was the importance of hardware wallets.

A hardware wallet is a physical device that stores a crypto wallet’s private keys in a secure chip. Transactions are signed inside the device, and only the signed transaction is handed back to your computer for broadcast to the network, meaning your private keys never leave the device. You could plug a hardware wallet into the most malware-ridden computer in the world and still be able to transact securely, as long as you check the recipient and amount on the device’s own screen before approving.

If your money is touching DeFi protocols, you really owe it to yourself to use a hardware wallet. The initial cost is insignificant compared to the amount you’re likely to end up storing on the wallet.

MetaMask now allows you to connect a Ledger or Trezor hardware wallet to their browser wallet interface, giving a great combination of usability and security. Check out Dave’s guide for a walkthrough on how exactly to do this.
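As an added illustration (not code from the original post, MetaMask, Ledger or Trezor), a small Go model of the trust boundary described above: the key lives only inside the device, the device signs only what the user approves on its screen, and the network verifies the signed bytes. Ed25519 stands in for the secp256k1 signatures Ethereum actually uses, and the transaction format is a constructed simplification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is a constructed, simplified transfer; a real Ethereum transaction
// also carries nonce, gas and chain id and is signed with secp256k1, not Ed25519.
type Transaction struct {
	To     string
	Amount uint64
}

func (t Transaction) Bytes() []byte { return []byte(fmt.Sprintf("%s:%d", t.To, t.Amount)) }
// HardwareWallet keeps the private key in an unexported field: the host process
// can ask the device to Sign, but it can never read the key out.
type HardwareWallet struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Confirm func(Transaction) bool // models the device screen and approve button
}
func NewHardwareWallet(confirm func(Transaction) bool) (*HardwareWallet, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareWallet{priv: priv, Pub: pub, Confirm: confirm}, nil
}
// Sign displays the transaction on the device and signs only if the user approves;
// only the signature crosses back to the host, never the key.
func (w *HardwareWallet) Sign(tx Transaction) ([]byte, bool) {
	if !w.Confirm(tx) {
		return nil, false
	}
	return ed25519.Sign(w.priv, tx.Bytes()), true
}

// Broadcast models the network's check: the bytes must match what the device
// signed, so a compromised host that alters the transaction afterwards is rejected.
func Broadcast(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	return ed25519.Verify(pub, tx.Bytes(), sig)
}
func main() {
	w, _ := NewHardwareWallet(func(tx Transaction) bool { return tx.To == "0xALICE" })
	tx := Transaction{To: "0xALICE", Amount: 5}
	sig, ok := w.Sign(tx) // the user checks the recipient on the device screen and approves
	swapped := Transaction{To: "0xMALLORY", Amount: 5} // host malware swaps the recipient afterwards
	fmt.Println(ok, Broadcast(w.Pub, tx, sig), Broadcast(w.Pub, swapped, sig)) // true true false
}
```

The last check fails because the host changed the recipient after the device signed, which is why confirming the details on the device screen matters even on a compromised computer.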

DYOR

Along with the classic disclaimer “This is not financial advice,” “DYOR” is another mainstay of crypto analysis and discussion. But what does it mean to Do Your Own Research? Is it possible for new investors to do any meaningful research in a space that can often become very technical very quickly?

Most of the experts think that yes, it is possible. It is, however, important to understand the scale of the task and to pace yourself accordingly. You’re not going to gain a deep understanding of every facet of DeFi in the course of a few evenings’ reading.

Before committing any funds, start by reading a project’s whitepaper. Whitepapers lay out the problem a team is aiming to solve and how they intend to go about it. Litepapers are very similar: they’re just written in less technical language.

These documents are the ideal place to start. Ask yourself if the project is addressing a real problem. How does it benefit from being built on a blockchain? How does the token (if there is one) come into it? Research whether there are already competitors seeking to do the same thing, and how their approaches differ.

You can also research the team behind the project. While anonymous or pseudonymous developers such as those behind Sushiswap and some other notable DeFi platforms complicate this, there are many projects backed by well-established names in the industry.

Of course, there’s only so much you can learn from reading whitepapers. There comes a point where you need to jump in and try out DeFi for yourself. Start with a small amount of money, one you are prepared to lose but meaningful enough to ensure you’ve got some skin in the game.

Phishing

Phishing is one of the most common attack vectors in DeFi. Because the cryptography securing users’ wallets is effectively unbreakable, scammers turn their attention to a much more manipulable target: the users themselves.

Phishing involves a scammer impersonating a trusted entity in order to get someone to hand over sensitive information. This can include personal data, passwords, or — the holy grail when it comes to crypto — seed phrases.

There have been numerous cases of people losing all their funds after entering their seed phrase on a fraudulent website or giving their private key to someone impersonating a support agent.

Discord and Telegram are a scammer’s paradise, as many crypto projects use the platforms for communication and it’s simple to set up an official-looking account. In fact, the largest Telegram channel for MetaMask has over 15,000 users, yet it’s completely unaffiliated with the official project and populated mostly by bots and phishers.

Be very wary of anyone who reaches out to you unprompted. You should never give your seed phrase or private key to anyone who requests it. There’s no problem they’ll be able to solve by using either, apart from the problem of money being in your account and not theirs.

Protocol-Level Security

While using a hardware wallet, researching projects and their founders, and remaining vigilant against potential phishing attacks will go a long way to keeping your funds in your possession, there’s only so much you can do about the security of the DeFi protocols you interact with.

What you can do is demand a level of security from projects that makes you comfortable investing your hard-earned money in them.

DYOR-ing can help you pick projects that have been audited by reputable firms. Project owners should be happy to answer questions regarding their security on Twitter or Telegram. In fact, many will show off a successful CertiK audit as a badge of honor. You’ve got to spend money to make money, and auditing is the kind of investment that can save millions down the line.

As a final measure, there are options out there that protect your funds in the event of a hack or exploit. CertiKShield is a decentralized, on-chain mutual. More simply, it’s a DeFi-native insurance alternative that allows project owners and investors to purchase protection for their funds. Deciding whether or not to buy reimbursement protection should be as straightforward as deciding whether you’d put your savings into a non-FDIC insured account.

Insurance is widespread in legacy financial systems. This kind of protection is exactly what institutional players are looking for before they start committing sizable sums. Both CertiK and Halborn have worked with Fortune 100 companies as they begin to implement DeFi strategies. Auditing firms are in a prime position to push DeFi security to a level that will attract game-changing investments.

Of course, part of the beauty of DeFi is its self-regulating nature. There’s no regulatory body making top-down decisions on what level of security companies must adhere to (and consequently what can remain unsecured). Instead, users vote with their dollars, sats, and gwei.

Investors can decide if they want to support a project that takes every precaution to ensure their funds are as secure as possible, or if they’d prefer to gamble on a platform that treats security as an afterthought. While ape-season has had its time in the sun recently, it’s time for us all to work toward a more secure DeFi ecosystem.

If you want to listen in on future CertiK roundtables, keep an eye on our Twitter.

If you’re looking for a weekly forum where you can have any and all DeFi-related questions answered, Rob runs a DeFi AMA on Clubhouse every Thursday. Check out the DeFi Clubhouse Telegram for more details.