A complete practical guide to keeping assets secure in DeFi


Author: William M. Peaster Source: Bankless Translation: Shan Ouba, Golden Finance

Since the start of 2026, hacks and scams have stolen hundreds of millions of dollars from crypto projects, and the outlook is not encouraging.

Indeed, some attack methods are extremely sophisticated and often drain a project before the team can respond. But exploits, coin thefts, and scams come in many forms, and ordinary DeFi users can avoid most of them simply by sticking to good basic security habits.

The bottom line of on-chain activity never changes: your assets are your own responsibility. You must do your own due diligence and build your own protection.

With that in mind, I have written down the personal security routine I use to research and test new projects (in place since the DeFi peak of 2020 and almost unchanged since). I hope it serves you now and in the future.

Some of these practices are considered common sense, yet very few crypto users actually do more than one or two of them together. Combined, they form a simple but effective first line of defense, and I recommend everyone follow them.

Below is my DeFi security self-checklist.

  1. Start with the official project documentation

Some projects' documentation is thin or entirely empty; that is a serious warning sign.

High-quality project documentation is detailed, not only explaining the protocol operation mechanism but also including audit reports, risk disclosures, and other key information. As long as you can find the official documentation, start here to understand the project. It can help you quickly grasp the project logic and potential security risks.

For example: this week I was studying Alchemix V3, a lending product that supports automatic repayment using ETH and USDC. I started with its official user documentation, which is thorough enough to serve as a model compared with many perfunctory project docs. The official site gives a clear overview of the protocol and has dedicated pages for risk warnings, security, and audits.

This kind of critical information should be the first thing you verify.

But reading these pages is not enough. You also need to dig into the project's composability and the risks that come with it: which other protocols does it depend on, and which external systems does it interact with? Alchemix's documentation states clearly that V3's yield mechanism is built on Morpho V2 vaults and that it also interacts with external protocols such as Aave. Information like this shows you both the project's strengths and its potential points of failure, which helps you judge it rationally.

  2. Consult third-party authoritative data analysis

Once you have a basic understanding from the official documentation, step outside the project itself and cross-check it on leading neutral data platforms such as Dune, DeFiScan, and DefiLlama.

DefiLlama is especially useful: besides industry-leading DeFi core data and professional analysis tools, it maintains a directory of project applications that gives you verified official links (so you avoid phishing links in search results) and lets you confirm a project's social accounts.

What to look for: whether the project has been operating normally recently, for example whether total value locked is stable or has dropped suddenly, and any other anomalous signals. A major red flag is a project that calls itself DeFi but is in fact barely decentralized; DeFiScan is a good tool for checking this.

  3. Check the latest updates on X platform

X remains the public square of the crypto industry. For the latest project announcements, and especially notices of security incidents, it is the first place to look.

For example: Alchemix originally planned to lift the V3 deposit cap on April 20, but after the Kelp DAO hack the team announced a delay pending further clarity. This was not an emergency requiring user action, but it illustrates the point: X is where the latest updates and community discussion surface first. Spending a few minutes scanning it before any on-chain operation is the most basic form of risk avoidance.

  4. Test with small funds, stay cautious throughout

When you judge a project reliable and are ready to enter, first create a new, isolated test wallet and transfer only a small amount into it to try the unfamiliar project. Even if you run into a malicious contract, the assets in your main wallet are not at risk.

Run a few deposit and withdrawal tests to verify that the protocol behaves as expected, and only then increase your position gradually. Always remember: invest only funds you can afford to lose in any project, and keep large, long-term holdings in a hardware wallet for a physical security barrier.

I also recommend a Safe multi-signature wallet (at least a 2-of-3 threshold) as your main asset hub, used only for receiving, sending, and storing core funds. Regularly sweep the yield from daily DeFi activity into the multisig vault, so that operational wallets stay separate from the vault that holds your assets.

  5. Always simulate large transactions first

Once you are familiar with a project, large transactions are inevitable, but safety is never overkill. Before executing a large on-chain transaction, simulate it first so you can preview the outcome before signing and broadcasting it.

I recommend Tenderly, whose free accounts support simulation on over 100 EVM-compatible chains. You can see in advance whether the transaction will succeed or revert and how token balances will change.

If you want something simpler, wallets such as MetaMask and Rabby have built-in Tenderly simulation. When you initiate a transaction for signing, the wallet previews the result automatically, with no need to switch to another platform.

  6. Regularly clean up and revoke unused token approvals

During DeFi interactions, your wallet grants token approvals to protocols, allowing their contracts to transfer your assets up to a specified limit.

Unlimited approvals are convenient but carry huge risk. If a project you approved years ago and no longer use gets hacked, an attacker can drain your tokens up to the approved limit, whether or not you still use it.

Make a habit of using a tool such as revoke.cash: connect your wallet, review every active approval, assess your exposure, and revoke the ones you no longer need. Doing this monthly is a good cadence, and it belongs in your routine on-chain security hygiene.
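To make the approval review concrete, here is an added example (not code from the original article or from revoke.cash) of what such a tool does under the hood: it replays a wallet's ERC-20 `Approval` event logs to reconstruct the current allowance per token and spender, flags allowances that are unlimited or have not been refreshed in a long time, and builds the calldata of the `approve(spender, 0)` transaction that revokes each one. The only real constants are the `Approval` event topic hash and the `approve(address,uint256)` selector; every address, token, and log entry below is constructed sample data, and the block-age threshold is an assumed policy.

```python
# Added example (not from the original article): replay ERC-20 Approval logs
# for one wallet, flag unlimited or stale allowances, and build the calldata
# of the approve(spender, 0) transaction that revokes each one.
# All addresses, tokens and log entries below are constructed sample data.
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte selector of approve(address,uint256)
APPROVE_SELECTOR = "0x095ea7b3"
UINT256_MAX = 2**256 - 1


@dataclass
class Allowance:
    token: str
    spender: str
    value: int
    block: int  # block of the last Approval event that set this value


def topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes inside a log topic."""
    return "0x" + topic[-40:].lower()


def pad32(hex_addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte hex word."""
    return "0x" + hex_addr.lower().replace("0x", "").rjust(64, "0")


def parse_approval_logs(logs, owner):
    """Current allowance per (token, spender) for `owner`, replayed in log order.
    ERC-20 approve() sets the allowance rather than adding to it, so the latest
    event wins. Caveat: spending via transferFrom does not always emit Approval,
    so confirm any nonzero result against the token's allowance() view before acting."""
    owner = owner.lower()
    current = {}
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = log["topics"]
        if topics[0].lower() != APPROVAL_TOPIC or topic_to_address(topics[1]) != owner:
            continue  # not an Approval event, or not this wallet's approval
        key = (log["address"].lower(), topic_to_address(topics[2]))
        current[key] = Allowance(key[0], key[1], int(log["data"], 16), log["blockNumber"])
    return current


def audit(current, latest_block, stale_after_blocks):
    """Nonzero allowances that are unlimited or not refreshed within the window."""
    findings = []
    for al in current.values():
        if al.value == 0:
            continue  # already revoked
        reasons = []
        if al.value == UINT256_MAX:
            reasons.append("unlimited")
        if latest_block - al.block > stale_after_blocks:
            reasons.append("stale")
        if reasons:
            findings.append((al, reasons))
    return findings


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0); sending this to the token contract revokes it."""
    return APPROVE_SELECTOR + pad32(spender)[2:] + "0" * 64


# ---- constructed sample data (not real addresses or chain data) ----
OWNER = "0x" + "11" * 20
OTHER_OWNER = "0x" + "99" * 20
SPENDER_A, SPENDER_B, SPENDER_C = ("0x" + b * 20 for b in ("22", "33", "44"))
TOKEN_USDC, TOKEN_WETH = "0x" + "aa" * 20, "0x" + "bb" * 20


def make_log(token, owner, spender, value, block, idx):
    """Shape of an eth_getLogs entry for an Approval event (constructed)."""
    return {"address": token,
            "topics": [APPROVAL_TOPIC, pad32(owner), pad32(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": block, "logIndex": idx}


SAMPLE_LOGS = [
    make_log(TOKEN_USDC, OWNER, SPENDER_A, UINT256_MAX, 100, 0),       # unlimited, old
    make_log(TOKEN_WETH, OWNER, SPENDER_C, 500 * 10**18, 150, 3),      # bounded but stale
    make_log(TOKEN_USDC, OWNER, SPENDER_B, 1_000 * 10**6, 200, 1),     # bounded
    make_log(TOKEN_USDC, OWNER, SPENDER_B, 0, 300, 0),                 # later revoked
    make_log(TOKEN_USDC, OTHER_OWNER, SPENDER_A, UINT256_MAX, 310, 2), # another wallet
]


if __name__ == "__main__":
    current = parse_approval_logs(SAMPLE_LOGS, OWNER)
    for al, reasons in audit(current, latest_block=1000, stale_after_blocks=500):
        print(f"{al.token} -> {al.spender}: {', '.join(reasons)}")
        print("  revoke with calldata:", revoke_calldata(al.spender))
```

On the sample data the script reports the unlimited, years-old approval to spender A and the stale bounded approval to spender C, while the approval to spender B (already set back to zero) and the other wallet's log are ignored. In practice you would feed it the output of `eth_getLogs` filtered on the `Approval` topic and your own address, then confirm each finding with the token's `allowance()` view, since a log replay alone can overstate what remains.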

In conclusion

As noted at the start, some top-tier, sophisticated attacks are hard to defend against. What ordinary users can do beyond this checklist is diversify: don't concentrate all your funds in one project, don't put in principal you can't afford to lose, and stay away from projects showing multiple red flags.

But the core value of this checklist is that it helps you avoid the vast majority of low-level, high-frequency security risks. None of these steps requires special skills; stacking them and sticking to them builds a very strong security shield. Basic protection is always the most effective kind; just keep doing it.
