DeFi Risk Checklist: What to Verify Before You Approve a Transaction

Most DeFi losses don't come from exotic zero-day exploits. They come from users skipping basic due diligence that takes ten minutes. You probably already know to "check if a protocol is audited" — but that advice is almost useless on its own. An audit is a snapshot of code at a specific commit hash, not an ongoing guarantee. Euler Finance was audited by six firms before losing $197 million in March 2023. The checklist that actually protects your funds goes deeper than "is it audited" and "is the TVL high."

This guide is the risk evaluation process you run before clicking Approve or Deposit. Every item is something you can verify yourself, on-chain, right now.

The standard explanation says a protocol is "safe" if it's been audited. What's actually happening is more layered: audits cover a specific version of the code, and most protocols upgrade contracts through proxy patterns. A protocol can be audited on day one and deploy unaudited logic changes on day thirty without most users noticing. Proxy contracts — used by Aave V3, Compound V3, and most major protocols — let the team swap the underlying implementation while your funds sit in the same address.

To check this yourself: paste the protocol's main contract address into Etherscan, click "More Info," and look for "This is a proxy contract." If it is, click through to the implementation contract and check when it was last updated. If the implementation changed recently and you can't find a corresponding audit report or governance vote, that's a flag.

Beyond audits, look at the protocol's bug bounty size on Immunefi. Aave's bug bounty maxes out at $250,000. Maker's goes up to $10 million. A large bounty doesn't guarantee safety, but it creates a financial incentive for white-hat hackers to report vulnerabilities instead of exploiting them. Protocols with no bounty program are telling you something about how seriously they take ongoing security.

⚠ Common mistake: Treating "audited" as a permanent status. Always check which version was audited and whether the deployed contracts match that version. DeFiSafety.com and Solodit.xyz maintain audit report databases you can cross-reference.

Every time you interact with a DeFi protocol, you typically sign a token approval granting that contract permission to move a specific token from your wallet. Most dApp frontends request unlimited approval by default — meaning the contract can move your entire balance of that token, forever, until you explicitly revoke it.

This matters because if that contract is exploited or has a malicious upgrade path, the attacker can drain every approved token from your wallet without you signing another transaction. The Badger DAO exploit in December 2021 ($120 million lost) worked exactly this way: a compromised frontend injected malicious approval transactions, and users signed them without reading the details.

Check your current approvals at revoke.cash — connect your wallet, see every contract you've ever approved, and revoke any you no longer use. On Ethereum mainnet, each revocation costs roughly 25,000–50,000 gas (about $1–4 at typical gas prices). It's cheap insurance. Going forward, set approvals to the exact amount you're depositing rather than unlimited. Most modern dApp frontends let you edit this in MetaMask's approval popup before confirming.

⚠ Common mistake: Assuming you're safe because you withdrew your funds. Withdrawal removes your deposit — it does not revoke the contract's permission to move tokens from your wallet. These are two separate states.

A protocol showing $500 million in Total Value Locked on DeFiLlama might look safe. But TVL is an aggregate number that hides critical details: how concentrated the deposits are, how quickly they can leave, and whether the "value" is circular.

Here's what to actually check on DeFiLlama: go to the protocol's page, look at the TVL chart over 30 and 90 days, and check for sharp drops. A protocol that went from $800 million to $400 million in a week has depositors who don't trust it — that's a signal. More importantly, click into the chain-specific breakdown. If 90% of TVL sits on one chain, a bridge exploit or chain-specific issue wipes the protocol's liquidity floor.

For lending protocols, the metric that matters more than TVL is utilization rate — the percentage of deposited assets currently borrowed. You can check this on each protocol's dashboard (Aave's is at app.aave.com under each asset's details). When utilization hits 90%+ on Aave, the interest rate curve goes vertical to incentivize repayment, but it also means you may not be able to withdraw your funds instantly. During the CRV liquidation scare in August 2023, USDT utilization on Aave V2 hit 100%, and lenders temporarily couldn't withdraw.

⚠ Common mistake: Equating high TVL with deep exit liquidity. A yield farm can have $200 million in TVL but only $2 million of actual DEX liquidity for its reward token. When everyone exits, the reward token craters and your real yield turns negative.

Smart contracts don't exist in a vacuum — someone controls the parameters. The question is who and how. Most DeFi protocols fall into one of three control structures: a multisig wallet controlled by a small team, a DAO governance system with timelocked execution, or full immutability (rare).

A multisig (typically a Gnosis Safe) means a group of key holders — say 3-of-5 or 4-of-7 — can execute changes to the protocol without a governance vote. This is standard for newer protocols and isn't inherently bad, but you need to know the threshold and who holds the keys. Check this on Etherscan: find the protocol's admin or owner address, and if it's a Gnosis Safe, the signers are public. If the multisig is 2-of-3 and two signers are the same team, that's effectively a single point of failure.

For DAO-governed protocols like Aave or Compound, changes go through on-chain votes with a timelock — a mandatory delay between vote passing and execution. Aave's timelock is 24 hours for standard proposals; Compound's is 48 hours. This delay gives you time to exit if a malicious proposal passes. Protocols with no timelock on governance execution can rug depositors in a single block.

Check timelocks on Etherscan by looking at the Timelock controller contract linked from the protocol's governance documentation. If you can't find this information easily, that's itself a risk signal.

⚠ Common mistake: Assuming "decentralized governance" means safe governance. A DAO where one whale holds 51% of voting power is functionally a dictatorship. Check token holder concentration on Etherscan's token holders tab or Boardroom.io.

Before putting funds into any DeFi protocol, run this sequence — the order matters because each step can save you from wasting time on the next.

First, verify the contract address through the protocol's official documentation or DeFiLlama's linked contracts, never through a link someone sent you. Phishing sites with cloned frontends are the single most common attack vector — not smart contract exploits. Second, check the contract's proxy status and audit history. Third, evaluate the governance structure and timelock. Fourth, check TVL trends and utilization rates. Fifth, set your token approval to the exact deposit amount. Sixth, use a test transaction with a small amount before committing real capital.

If the protocol fails any of the first four checks — unverifiable contract, unaudited proxy upgrade, no timelock, collapsing TVL — stop. No yield is worth the exposure.

Risk evaluation doesn't end at deposit. Protocol conditions change — new governance proposals, contract upgrades, shifts in liquidity, oracle failures. Set up alerts using DeBank's portfolio tracker or Tenderly's contract monitoring to get notified when admin functions are called on contracts where you have funds.

Monitor the protocol's governance forum (almost always on Discourse or Snapshot) weekly. Proposals to change collateral factors, liquidation thresholds, or fee structures directly affect your position's safety. When Gauntlet recommended reducing CRV's loan-to-value ratio on Aave in 2023, depositors who weren't paying attention didn't adjust before their risk profile changed underneath them.

Keep a spreadsheet of every protocol where you have active approvals and deposits, the chain, the contract address, and the date you last verified the setup. This sounds tedious — it takes fifteen minutes a month and it's the difference between managing risk and hoping nothing goes wrong.

⚠ Common mistake: Setting and forgetting. DeFi positions are not savings accounts. A position that was safe in January can be underwater by March if governance parameters shift or liquidity drains.

• Run revoke.cash now and clean up every unlimited token approval you've accumulated. This is the single highest-ROI security action most DeFi users haven't done.
• Bookmark DeFiLlama's protocol pages for every protocol where you hold funds. Check TVL trends and chain breakdowns weekly.
• Read one governance proposal on a protocol you use — Aave's governance forum (governance.aave.com) or Compound's (comp.xyz) are good starting points. Understanding how parameter changes work gives you lead time when conditions shift.
• Explore Tenderly's free tier for transaction simulation — you can simulate a deposit or withdrawal before executing it on-chain, which lets you catch unexpected behaviour before it costs you gas and risk.