Before you approve any token in a DeFi app, run a 12-point checklist covering audits, admin keys, oracle setup, token approvals, and the difference between TVL and real exit liquidity. Most of the largest DeFi exploits of the last three years, from Mango Markets to the Curve pool incidents, touch items on this list.
Key takeaways
- TVL is marketing, not safety. A protocol with $500 million locked can still be one oracle manipulation away from a total wipeout.
- Token approvals are standing spending power, up to the approved amount, until you revoke them, and drained approvals are a major source of user losses that has nothing to do with whether the protocol itself was ever hacked.
- Admin keys, multisig signers, and timelock length tell you whether a small group can move your funds without warning.
- Each exploit discussed below maps to a checklist item that would at least have raised a flag, but only if the user actually looked.
Why a pre-deposit checklist matters more than picking the right protocol
Most people who lose money in DeFi do not pick a scam on purpose. They click approve on a legitimate-looking interface, deposit into a pool that has been audited, and walk away assuming the smart contract will do what the front page promised. The next morning, the protocol is drained, the team is silent, and the user is left reading a post-mortem they could have read the week before.
That is what this article is for. The point is not to help you find the next 10x yield farm. The point is to slow you down at the approval screen, the way a pilot runs a pre-flight list before takeoff. Most crashes are not caused by one catastrophic surprise. They are caused by a chain of small things that nobody checked.
You do not need to be a developer to use this checklist. You need to be willing to spend fifteen minutes reading a protocol's docs, audit reports, and on-chain data before you sign a transaction. If a protocol does not give you the information to complete this checklist, that is itself the answer to whether you should deposit.
The real risks before you approve a token
Risk in DeFi is not abstract. It is a list of specific failure modes that have cost real users real money. Before we get to the checklist, here are the categories of risk you are actually checking for.
Smart contract bugs
Code is law in DeFi, which is a polite way of saying that a one-line mistake in a smart contract can let an attacker walk off with every dollar in the protocol. Audits reduce this risk but do not eliminate it. The 2021 Cream Finance hack and the 2022 Wormhole bridge exploit both hit contracts that had been audited. Audits catch the bugs the auditor thought to look for. They do not catch everything.
Economic and oracle manipulation
Some protocols are not hacked in the traditional sense. The code works exactly as written, but the price feed it relies on is pushed around by a trader with enough capital, and the protocol pays out based on a price that no longer matches reality. Mango Markets lost about $114 million in October 2022 to exactly this kind of attack: the attacker opened a large MNGO-PERP position on Mango, pumped the thinly traded MNGO spot price that the oracle faithfully reported, and borrowed against the resulting paper profit.
Admin key and governance risk
Many DeFi protocols give a small group of signers the ability to upgrade contracts, change parameters, or pause withdrawals. If those signers are compromised, coerced, or simply act honestly in a way that hurts depositors, your funds can be moved or frozen. The relevant question is not whether a protocol is decentralized in spirit. It is how many humans can move your money, and how long the warning is before they do.
Approval and wallet hygiene
When you approve a token on a site like Uniswap, Aave, Morpho, or Pendle, you are giving that contract permission to transfer up to the approved amount of that token from your wallet, with no expiry, until you revoke it. Old approvals are a favorite target. Address-poisoning and approval-draining scams account for a large and growing share of crypto theft, and you can lose money in a protocol that has never been hacked simply because of an approval you signed two years ago and never revoked.
The 12-point DeFi deposit checklist
Work through these in order. If you cannot answer yes to the first three, do not bother with the rest. The point is to catch the one thing that would wipe you out, not to grade the protocol on a curve.
1. Is the contract audited, and how recently?
Find the audit report. AAVE, UNI, MORPHO, PENDLE, and ENA all have public audit pages. Read the date, the firm, and the scope, and check that the commit or deployment the auditor reviewed is the one actually live on-chain. A 2022 audit on code that was updated in 2025 is not the same as a fresh audit. If there is no audit, or the only audit was internal, treat that as a hard stop.
2. Is there an active bug bounty, and how big is it?
A protocol that has been audited but does not pay white-hat hackers to keep looking is telling you the team is not serious about ongoing security. Immunefi reports having paid out over $100 million in bug bounties since 2020. Check the bounty size. A $1 million bounty is meaningfully different from a $100,000 one. Bigger bounties attract better researchers.
3. Who holds the admin keys, and how many are there?
Look at the protocol's documentation or governance forum. Find the multisig address that controls upgrades. Count the signers and check that they are named and independent; five keys held by one team member are a single signer. A 3-of-5 multisig is meaningfully different from a 2-of-5, which is meaningfully different from a single EOA that one person controls. Protocols that publish the threshold, the signer set, and the timelock in their docs, the way Aave's governance documentation does for its executors and Guardian, give you something to verify on a block explorer. A number that exists only in a Discord answer does not count.
4. How long is the timelock on upgrades?
A timelock is a delay between when an admin action is queued and when it executes. A 24-hour timelock gives the community time to react and exit if a malicious change is proposed. A 1-hour timelock, or no timelock at all, means you will only find out about a change after your funds are gone. Also check that the delay itself can only be changed through the timelock; a delay the admin can shorten instantly is no delay at all.
5. What oracle does the protocol use, and how is it secured?
Chainlink is the most common answer, and it is generally a good one. But not every protocol uses Chainlink, and not every Chainlink feed is equally liquid. Look for explicit documentation of which feeds the protocol reads from, what happens if a feed stalls or returns a stale price, and whether a sudden price jump trips a circuit breaker. The Mango Markets attacker did not exploit a stale feed; the feed was fresh and accurately reported a price that one trader had pushed up on a thin market. That is why you check both the liquidity behind the feed's source and the protocol's handling of stale and anomalous answers.
6. Is the protocol's main liquidity actually deep, or just the TVL?
Total value locked is the headline number. It tells you how much is deposited, not how much you can withdraw in a panic. A lending market with $500 million in TVL might have only $20 million actually available to withdraw, because the rest is lent out. In the March 2023 USDC depeg, several lending markets looked healthy on the TVL chart while their stablecoin pools were borrowed to near-full utilization, so depositors could not withdraw for hours. Check the available liquidity, not just the deposits.
7. Have there been past incidents, and how were they handled?
Every major protocol has had at least one close call. The interesting question is what happened next. Did the team publish a post-mortem within 48 hours? Did they reimburse users? Did they fix the root cause? Protocols that have been hacked and recovered honestly are often safer than protocols that have never been tested at all, because the stress test was real.
8. Are the smart contracts upgradeable, and through what mechanism?
Upgradeable contracts can be improved, which is good. They can also be silently changed, which is bad. Look for the proxy pattern in use, who can upgrade it, and whether the upgrade is gated by the timelock and multisig from items 3 and 4. If a contract is not upgradeable, that is also useful information, because it means no admin can change the rules on you.
9. What is the token approval you are about to sign, exactly?
Most wallets show you the approval amount. Some DeFi frontends ask for unlimited approval by default. Unlimited approval is convenient, but it means a future bug in the protocol, or a malicious upgrade of the approved contract, can drain that token from your wallet at any point in the future. A phishing clone of the interface cannot reuse your approval to the real contract, but it will try to get you to sign a new one to an address it controls, which is why you read the spender address on every prompt. Set a specific amount when you can, and revoke approvals you are not actively using.
10. Are you on the real URL, and is the contract address verified?
Phishing sites copy interfaces pixel-for-pixel. Check the URL character by character. Open the protocol from a bookmark, not from a search result or a Twitter link. Verify the contract address against the protocol's official documentation before you approve, and check that the block explorer shows verified source code for that address. Scammers have repeatedly bought search ads impersonating Aave and Uniswap.
11. Is the yield actually coming from somewhere real?
15% APY is a number. Where does it come from? Lending fees? Liquidation penalties? Token emissions? If the protocol is paying you with its own governance token, you are being paid in something the team can print more of. The yield in Pendle, for example, comes from specific yield sources clearly broken down in the UI. If a protocol cannot explain its yield in one sentence, treat the yield as marketing.
12. Have you revoked old approvals in the last 30 days?
Open revoke.cash, connect your wallet, and look at what is still approved. Anything you are not actively using is a standing invitation for the next exploit to drain. Revoking is cheap, a single transaction that sets the allowance back to zero. Not revoking has cost users eight-figure sums. Make it a monthly habit.
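Items 9 and 12 come down to reading and writing one kind of calldata. As an added example that is not the article's code nor any wallet's, here is a Python decoder for the approval calls a wallet prompt can carry (`approve`, `increaseAllowance`, `setApprovalForAll`; the selectors are the real first-four-bytes of keccak256 of each signature), a reviewer that compares the request against the spender and amount you intended, and the encoder that produces the zero-amount `approve` a revocation tool sends. Addresses and amounts in the example are constructed.

```python
UINT256_MAX = 2**256 - 1

# Selectors of the approval-granting calls that show up in wallet prompts.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 (and ERC-721 single-token) approve
    "39509351": "increaseAllowance(address,uint256)",  # OpenZeppelin ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155 operator approval
}


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    raw = bytes.fromhex(addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")  # ABI left-pads addresses to a 32-byte word


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount). amount == 0 is the standard revocation."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    return "0x095ea7b3" + (_addr_word(spender) + _word(amount)).hex()


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved); approved=False revokes."""
    return "0xa22cb465" + (_addr_word(operator) + _word(int(approved))).hex()


def decode_approval(calldata: str) -> dict:
    """Parse calldata; returns function=None when it is not an approval call at all."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    sel = data[:4].hex()
    fn = SELECTORS.get(sel)
    if fn is None:
        return {"selector": sel, "function": None}
    args = data[4:]
    if len(args) < 64:
        raise ValueError(f"{fn}: expected two 32-byte arguments")
    if any(args[:12]):  # upper 12 bytes of an address word must be zero
        raise ValueError("malformed address word")
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    if fn.startswith("setApprovalForAll"):
        # Operator approval is all-or-nothing: True is unlimited over every token id.
        return {"selector": sel, "function": fn, "spender": spender,
                "amount": None, "unlimited": bool(value)}
    return {"selector": sel, "function": fn, "spender": spender,
            "amount": value, "unlimited": value == UINT256_MAX}


def review_approval(calldata: str, expected_spender: str, max_amount: int) -> list[str]:
    """Reasons to reject the prompt; an empty list means the approval is bounded to the
    spender and amount you intended. expected_spender is the address you verified
    against the docs (item 10), max_amount the amount you mean to deposit (item 9)."""
    d = decode_approval(calldata)
    if d["function"] is None:
        return [f"not an approval call (selector {d['selector']})"]
    problems = []
    if d["spender"].lower() != expected_spender.lower():
        problems.append(f"spender {d['spender']} is not the contract you verified")
    if d["unlimited"]:
        problems.append("unlimited approval requested")
    elif d["amount"] is not None and d["amount"] > max_amount:
        problems.append(f"approval {d['amount']} exceeds intended {max_amount}")
    return problems


if __name__ == "__main__":
    # Constructed addresses; 1000 USDC has 6 decimals.
    pool = "0x" + "ab" * 20
    print(review_approval(encode_approve(pool, 1_000 * 10**6), pool, 1_000 * 10**6))   # []
    print(review_approval(encode_approve(pool, UINT256_MAX), pool, 1_000 * 10**6))     # unlimited
    print(encode_approve(pool, 0))  # what revoke.cash-style tools send for an ERC-20
```

`review_approval` is the check to run on the calldata a wallet shows (most wallets expose the hex under a data or details tab); the revocation encoder makes the point that revoking is just an `approve` with amount zero, or `setApprovalForAll(operator, false)` for NFT operators.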
What the checklist would have caught in real exploits
It is easy to read a list of risks and assume they are theoretical. They are not. Here is what a careful version of this checklist would have surfaced for some of the biggest DeFi incidents of the last three years.
Mango Markets, October 2022
Avraham Eisenberg took a large MNGO-PERP position on Mango, inflated the price of the thinly traded MNGO token with his own capital, then borrowed against the inflated value of that position. The protocol worked as designed. The oracle worked as designed. The economic design did not account for a single attacker with enough capital to push the price far enough to drain the lending pool. A user reading the documentation would have seen that the collateral value depended on the price of a token whose market was thin enough for one trader to move. Item 5 on the checklist, oracle source and liquidity, would have flagged it.
Curve Finance pools, July 2023
Several Curve pools were drained because of a reentrancy-lock bug in certain versions of the Vyper compiler used to deploy them. The affected pools had been audited. The bug was in the compiler version, not the protocol logic, and this is the honest limit of item 1: an audit report that names the compiler version gives a user the information to match it against a later compiler disclosure, but no pre-deposit read of the report would have predicted the bug. Curve's response, a public debrief within days and a later DAO-approved reimbursement of affected liquidity providers, is the useful data point here, and it belongs under item 7.
Steakhouse Morpho vaults, 2024
The Morpho Blue lending markets, and the curated vaults built on them such as those run by Steakhouse Financial, were the subject of intense scrutiny in 2024 because the design is genuinely novel: the core lending contract is immutable rather than upgradeable, and risk decisions live in the vaults, whose curator and guardian roles and timelocks are documented. A user running this checklist would have found published audits from multiple firms, an active Immunefi bug bounty, and detailed oracle documentation, and would have had to read the vault's role setup rather than a single admin multisig. That is what a healthy pre-deposit review looks like: not a guarantee against exploits, but every item on the list answerable from public sources.
How to use this checklist in practice
A checklist only works if you actually use it. Here is the practical workflow for a first-time deposit on a protocol like AAVE, MORPHO, PENDLE, or ENA.
Start by opening the protocol's documentation, not the app. Find the audit page, the security page, and the governance forum. Confirm the multisig signers and timelock on a block explorer like Etherscan. Verify the oracle setup and the contract addresses you will be interacting with. Then go to the app, set a specific token approval amount instead of unlimited, deposit a small test amount first, and confirm you can withdraw it before you scale up.
Set a calendar reminder to revisit the protocol monthly. Check for new audits, new governance proposals, new incidents, and revoke any approvals you are not actively using. The DeFi space moves fast, and a protocol that was safe in March can be risky in April if a parameter change was proposed and passed without you noticing.
If at any point in this process you cannot find the information you need, treat that as a risk in itself. Protocols that hide their security model are not safer than protocols that publish it. They are simply less verifiable, and un-verifiable is not a good place to park your money.
Stay ahead of DeFi risk with the right news signal
DeFi risk moves fast, and so does the news around it. Tracking audit updates, governance proposals, and oracle changes across AAVE, UNI, MORPHO, PENDLE, and ENA manually is a losing game, because the warning signs are scattered across forum posts, governance votes, and security disclosures. Zippfeed surfaces DeFi protocol headlines with sentiment scoring (bullish, neutral, or bearish) and an importance rating, so you can spot a risky change before you next deposit or claim a yield.