DeFi protocols have collectively lost over $5 billion to exploits since 2020. While some losses are unavoidable in an emerging technology, the majority could have been reduced or avoided by investors who knew what red flags to look for. This checklist is a practical guide for evaluating any protocol before committing funds.

1. Audit history

A security audit is the minimum viable signal of a protocol's security posture. Before investing:

  • Has the protocol been audited by at least one reputable firm (Trail of Bits, OpenZeppelin, CertiK, Halborn, ConsenSys Diligence)?
  • Is the full audit report publicly available? A protocol that hides its audit should be a hard pass.
  • Were Critical and High findings resolved before deployment? Check the remediation status column.
  • Was any code changed after the audit without a re-audit?

2. Smart contract verification

  • Are the contracts verified on Etherscan (or the relevant block explorer)? Unverified contracts are a major red flag.
  • Does the deployed bytecode match the audited source code? Compare the verified source against the commit hash referenced in the audit report.

You can run a free AI audit on any verified contract address to get an instant security assessment, even without a formal audit report.

3. Admin keys and upgradeability

Many DeFi exploits involve the team (or an attacker who compromised the team) using admin keys to drain the protocol. Ask:

  • Who controls the admin/owner address? Is it a multi-sig? How many signers are required?
  • Is the contract upgradeable? If so, is there a timelock that gives users time to exit before changes take effect?
  • Can the team pause the contract? Can they drain funds unilaterally?

4. Oracle risk

Protocols that use price oracles to determine collateral value, trigger liquidations, or calculate payouts are susceptible to oracle manipulation attacks. Check:

  • What oracle does the protocol use? Chainlink and Uniswap V3 TWAP are safer than spot prices from a single DEX.
  • Is there a price deviation circuit breaker?

5. Liquidity and economic design

  • Is total value locked (TVL) deep enough that a price manipulation attack would be prohibitively expensive?
  • Are there caps on how much can be deposited, borrowed, or withdrawn in a single transaction?
  • Does the tokenomics design create unsustainable yield? If APY seems impossibly high, it's usually a sign of impending insolvency or an exit scam.
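To make the oracle and liquidity points above concrete, here is an added example (not code from the original article or any protocol) that models a toy constant-product pool with constructed reserves and timestamps: it shows how far a single-DEX spot price moves in one block versus a 10-minute TWAP, how the cost of that move scales with pool depth, and how a price-deviation circuit breaker flags the disagreement.

```python
# Added example (not from the original article): a toy constant-product pool that
# shows why a single-DEX spot price moves easily in one block while a TWAP does
# not, and how a price-deviation circuit breaker catches the disagreement.
# Reserves, timestamps and thresholds are constructed sample values.
from dataclasses import dataclass
from math import sqrt

@dataclass
class Observation:
    timestamp: int        # block timestamp in seconds
    reserve_token: float  # pool reserve of the collateral token
    reserve_usdc: float   # pool reserve of the quote asset

def spot_price(obs):
    """Instantaneous price in a constant-product (x*y=k) pool."""
    return obs.reserve_usdc / obs.reserve_token

def twap(observations, now, window):
    """Time-weighted average price over the last `window` seconds ending at `now`.
    Each observation's price stays in force until the next observation."""
    start = now - window
    ends = [o.timestamp for o in observations[1:]] + [now]
    weighted = total = 0.0
    for obs, until in zip(observations, ends):
        lo, hi = max(obs.timestamp, start), min(until, now)
        if hi > lo:
            weighted += spot_price(obs) * (hi - lo)
            total += hi - lo
    return weighted / total

def cost_to_move_spot(reserve_usdc, factor):
    """Quote asset that must be swapped in to multiply the spot price by `factor`:
    with x*y=k the quote reserve grows by sqrt(factor), so the cost scales with TVL."""
    return reserve_usdc * (sqrt(factor) - 1)

def within_deviation(spot, reference, max_dev=0.05):
    """Circuit breaker: proceed only when spot and reference agree within max_dev."""
    return abs(spot - reference) / reference <= max_dev

def simulate_manipulation():
    # 100 calm 12-second blocks at price 2.0, then one block in which 3000 USDC is
    # swapped in, pushing reserves to 400 / 5000 and spot to 12.5 (6.25x).
    history = [Observation(t, 1000.0, 2000.0) for t in range(0, 1200, 12)]
    history.append(Observation(1200, 400.0, 5000.0))
    now = 1212  # the block after the manipulation
    spot = spot_price(history[-1])
    avg = twap(history, now, window=600)
    return {"spot": spot, "twap": avg, "cost": cost_to_move_spot(2000.0, 6.25),
            "spot_ok": within_deviation(spot, avg)}
```

With a 2000 USDC pool the spot price is pushed 6.25x for 3000 USDC while the TWAP only moves from 2.0 to about 2.21; a pool a thousand times deeper would make the same move cost a thousand times more, which is the "deep enough TVL" question in practice.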

6. Team and transparency

  • Is the team doxxed (publicly identified)? Anonymous teams can exit-scam without legal consequences.
  • Is there a public bug bounty on Immunefi or Code4rena? A bug bounty signals that the team takes security seriously and invites external scrutiny.
  • Is the protocol open source? If not, you can't independently verify any security claims.

7. Community and incident history

  • Has the protocol been exploited before? If so, how did the team respond? Protocols that responded transparently, compensated users, and implemented fixes deserve more credit than those that went silent.
  • Are there active security researchers monitoring the contracts?

Red flags at a glance

  • No public audit or audit from an unknown firm.
  • Admin key controlled by a single address (not multi-sig).
  • No timelock on upgrades.
  • Anonymous team with no doxxed members.
  • Promises of APY above 50% without a clear sustainable mechanism.
  • Contract not verified on the block explorer.

Before investing, run a free security analysis on the protocol's main contract address. Our AI audit checks for access control issues, reentrancy vulnerabilities, oracle risks, and more in under a minute.