Before depositing money into any DeFi protocol, check five things: audit history, total value locked (TVL), time in production, team transparency, and governance structure. A protocol that has been audited by multiple firms, holds over $100M in TVL, has operated for 2+ years without exploits, and has transparent governance is significantly safer than one missing any of these criteria.

This guide expands those five essentials into a full 10-point checklist that covers every dimension of protocol safety. Whether you are evaluating a blue-chip protocol like Aave or a brand-new yield farm on an L2, these ten checks apply universally. By the end, you will have a repeatable process you can use before every deposit.

If you are new to decentralized finance, start with our guide on what DeFi is before diving into protocol evaluation. If you already understand the basics, read on.

The 10-Point Checklist

Here is the full checklist in summary. Each item is explained in detail below.

#CheckWhat to look forRed flag
1Audit historyMultiple audits by reputable firms, reports public"Audit pending" or audit by unknown firm
2TVL (Total Value Locked)>$100M = significant market trust<$1M with high APY promises
3Time in production>2 years live with real money<3 months old
4Open-source contractsCode verified on Etherscan/SolscanClosed source / unverified
5Team transparencyPublicly known founders, company entityAnonymous team + new protocol + high APY
6Bug bounty programActive bounty on Immunefi, >$100KNo bounty program at all
7Governance structureMultisig + timelock, or DAO voteSingle admin key with no timelock
8Incident historyClean record, or quick response + compensationRepeated exploits with no postmortem
9Documentation qualityClear, comprehensive, maintained docsNo docs, or outdated/broken links
10Community & ecosystemActive Discord/forum, integrations, listed on aggregatorsGhost town community, no integrations

1. Audit History

A security audit means an independent firm has reviewed the protocol's smart contract code line by line, looking for vulnerabilities, logic errors, and potential exploits. This is the single most important safety check you can perform.

What to look for:

  • Multiple audits from different firms. One audit is good. Two or three from independent firms (Trail of Bits, OpenZeppelin, Spearbit, Certik, Hacken) is much better. Different auditors catch different things.
  • Public reports. Reputable protocols publish their full audit reports, including findings and how they were resolved. If the audit report is not public, treat it as if it does not exist.
  • Scope coverage. An audit of the core lending logic does not cover the governance module or the oracle integration. Check that the audit covers the parts of the protocol you are using.
  • Recency. An audit from three years ago does not cover code changes made last month. Look for audits that cover the current deployed version.

Red flags: "Audit pending" (it may never happen), audit by an unknown one-person firm, or "internally audited" (the team reviewed their own code — that is not an independent audit). For more on verifying contracts, see our guide on how to verify smart contracts.

2. TVL (Total Value Locked)

Total Value Locked measures how much money users have deposited into the protocol. It is not a guarantee of safety, but it is a strong signal of market trust.

General benchmarks:

  • >$1B TVL: Major protocol with significant institutional and retail trust (Aave, Lido, Uniswap, MakerDAO).
  • $100M–$1B: Established protocol with meaningful adoption. Likely has been audited and battle-tested.
  • $10M–$100M: Mid-tier. May be legitimate but carries more risk. Due diligence is especially important.
  • <$1M: High risk. Could be new, experimental, or a potential rug pull. Proceed with extreme caution — or don't proceed at all.

Where to check: DefiLlama is the gold standard for TVL data. It tracks over 3,000 protocols across 200+ chains with transparent methodology. Check both the current TVL and the historical trend — a protocol that has been steadily growing is healthier than one that spiked and crashed.

Important caveat: TVL alone is not enough. Terra/Luna had over $20 billion in TVL before its collapse in May 2022. High TVL reduces some risks (more security researcher attention, larger bug bounties) but does not eliminate design-level flaws.

3. Time in Production

The longer a protocol has been live with real money without being exploited, the more confidence you can have in its security. This is sometimes called "Lindy effect" — the longer something survives, the longer it is expected to continue surviving.

  • >3 years: Battle-tested. Has survived multiple market cycles, bear markets, and waves of exploit attempts. Examples: Aave (2020), Uniswap (2018), MakerDAO (2017).
  • 1–3 years: Reasonably established. Has weathered at least one market downturn.
  • 3–12 months: Still new. Code may be solid, but it hasn't been tested by time and adversarial conditions.
  • <3 months: Experimental. Even if audited, novel code needs time to prove itself. The first 90 days are the highest-risk period for any new DeFi protocol.

Check the protocol's deployment date on the block explorer. If the contracts were deployed last week and they are already promising 50% APY, that is a major red flag.

4. Open-Source Contracts

Smart contracts that handle your money should be publicly verifiable. "Verified" on a block explorer (Etherscan, Solscan, Arbiscan, etc.) means the source code is published and matches the deployed bytecode — anyone can read it and check what the contract actually does.

Closed-source contracts are a deal-breaker. If you cannot read the code, you are trusting the team completely. The contract could contain a function that allows the deployer to drain all funds, and you would have no way to know.

What to check on the block explorer:

  • Is the contract marked as "verified"?
  • Does the source code match what the protocol's documentation describes?
  • Are there any suspicious functions like transferOwnership, emergencyWithdraw (only callable by admin), or selfdestruct?
  • If using a proxy pattern (upgradeable contracts), who controls the upgrade mechanism?

If you are not a developer, you can still check the verification status. The green checkmark on Etherscan's "Contract" tab tells you the code is at least public and verifiable by others. For a deeper understanding, see our guide on how to verify smart contracts.

5. Team Transparency

Are the founders and core developers publicly known? Do they have real identities, professional histories, and a reputation to protect?

This is nuanced. Bitcoin was created by the pseudonymous Satoshi Nakamoto, and it is the most successful cryptocurrency in history. Anonymous teams are not inherently bad. However:

  • Anonymous team + new protocol + high APY = maximum risk. There is no accountability. If the team rug-pulls, there is no one to hold responsible.
  • Known team with professional backgrounds (previous companies, LinkedIn profiles, conference talks) = more accountability. They have a reputation to lose.
  • Registered legal entity (company incorporated in a known jurisdiction) = even more accountability. There is a legal structure that can be held liable.

Check the protocol's website for team information, look for the team on LinkedIn and Twitter/X, and see if founders have spoken at major conferences (ETHDenver, Devcon, Token2049). Public visibility is a form of trust signal.

6. Bug Bounty Program

A bug bounty program means the protocol pays security researchers to find and responsibly report vulnerabilities — rather than exploiting them. This is a strong signal that the team takes security seriously.

  • Major protocols offer $1M+ bounties. Aave's maximum payout is $1M. Uniswap offers up to $2.25M. MakerDAO offers up to $10M. These amounts make it more profitable to report a bug than to exploit it.
  • Mid-tier protocols should offer at least $100K. Anything less may not be enough to incentivize skilled researchers.
  • No bounty program at all means the protocol either doesn't care about security or can't afford to. Either way, it is a risk factor.

Where to check: Immunefi is the leading bug bounty platform for DeFi. Search for the protocol there. If it is listed with an active bounty, that is a positive signal.

7. Governance Structure

Who controls the protocol? Who can upgrade the smart contracts, change parameters, or pause operations? This is perhaps the most overlooked safety check.

Governance models, from safest to riskiest:

  • Immutable contracts: No one can change the code after deployment. Uniswap V2 and V3 core contracts work this way. Safest from a governance perspective, but can't be patched if a bug is found.
  • DAO governance with timelock: Changes require a community vote (token holders) and a mandatory waiting period (24-48 hours) before execution. This gives users time to exit if they disagree with a change. Aave and MakerDAO use this model.
  • Multisig with timelock: A group of trusted signers (e.g., 5 of 9) must approve changes, with a delay before execution. Common in newer protocols that plan to transition to full DAO governance.
  • Multisig without timelock: Same as above but changes take effect immediately. Riskier — the signers could push a malicious update without warning.
  • Single admin key: One person or entity controls everything. They can drain the protocol, change any parameter, or pause withdrawals. This is the highest governance risk. If you see this, think very carefully before depositing.

Where to check: Look at the protocol's documentation for their governance model. Check the "Owner" or "Admin" of the main contracts on the block explorer. If it is an EOA (externally owned account — a regular wallet), that means one person has control.

8. Incident History

Has the protocol ever been exploited, hacked, or experienced a significant bug? How did they respond?

Ironically, a protocol that has been exploited and handled it well can be more trustworthy than one that has never been tested. What matters is the response:

  • Good response: Immediate disclosure, transparent postmortem, users compensated, code patched and re-audited. Euler Finance was exploited for $197M in March 2023, recovered the funds through negotiation, and compensated users — then relaunched with improved security.
  • Bad response: Delayed disclosure, blame-shifting, no compensation, no code changes. Or worse — the team disappears.

Where to check: Rekt.news maintains the most comprehensive database of DeFi exploits, ranked by amount lost. Search for the protocol name. Also check our crypto security report for recent incident data.

9. Documentation Quality

Good documentation is a proxy for team professionalism and long-term commitment. Writing and maintaining clear documentation takes effort — scam projects rarely bother.

What to look for:

  • Technical docs explaining how the protocol works at a smart contract level
  • User guides with clear instructions on how to use the protocol
  • Risk disclosures that honestly describe what could go wrong
  • Regularly updated to reflect the current version of the protocol
  • API documentation if the protocol offers integrations

Red flags: No documentation at all, a single page that only says "deposit and earn 100% APY," broken links, docs that describe a different version than what is deployed, or documentation copied from another protocol.

10. Community and Ecosystem

A healthy protocol has an active community and integrations with the broader DeFi ecosystem.

  • Active Discord or governance forum with real discussions (not just bot spam or price talk). Look for technical questions being answered, governance proposals being debated, and developer activity.
  • Integrations with other protocols. When other DeFi protocols integrate with this one (e.g., Aave accepting an LP token as collateral), it means those teams have also evaluated the code.
  • Listed on aggregators. Presence on DefiLlama, CoinGecko, and major portfolio trackers indicates the protocol is recognized by the ecosystem.
  • Developer activity. Check the protocol's GitHub. Regular commits, active pull requests, and multiple contributors suggest ongoing development. A dormant GitHub is a warning sign.

Red Flags That Mean "Stay Away"

If you see any of these, think twice — or don't think at all, just leave:

  • Promises of >20% APY on stablecoins without a clear yield source. Where does the yield come from? If the protocol can't explain it clearly, you are probably the yield (your deposited principal is being used to pay earlier depositors — a Ponzi structure).
  • No audit, or "self-audited." A self-audit is not an audit. It is a team reviewing their own homework. Independent third-party review is non-negotiable for any protocol handling real money.
  • Anonymous team AND new protocol AND high APY. Any one of these is manageable. All three together is the classic rug-pull profile.
  • Locked withdrawals or withdrawal fees >1%. Legitimate DeFi protocols let you withdraw at any time. If there is a lock period, it should be clearly stated before you deposit — not discovered when you try to leave.
  • No timelock on admin functions. If the admin can change critical parameters (fees, interest rates, withdrawal limits) instantly, they can rug-pull without warning.
  • Contract not verified on block explorer. As discussed above, if the code is hidden, you are flying blind.
  • Forked code with no modifications or audits. Some rug pulls simply copy Uniswap's or Aave's code, deploy it, and add a hidden backdoor. If a protocol claims to be "based on Aave" but has no independent audit, the modifications could be malicious.

Green Flags — Signs of a Trustworthy Protocol

These are the signals that give you confidence:

  • Multiple independent audits from top-tier firms (Trail of Bits, OpenZeppelin, Spearbit, Sigma Prime). Each additional audit significantly reduces the chance of an undiscovered critical bug.
  • Active on multiple chains. Deploying on Ethereum, Arbitrum, Optimism, Base, Polygon, and Solana requires significant engineering investment. It shows long-term commitment and resources.
  • Bug bounty >$100K on Immunefi. The protocol is putting money where its mouth is — betting that its code is secure enough that no one can claim the bounty.
  • Timelock on governance actions (24-48h delay). This gives users time to review proposed changes and exit if they disagree. It is a voluntary restraint on power — a good sign.
  • Listed on DefiLlama with accurate TVL tracking. DefiLlama's methodology is transparent and community-verified. Being listed means the protocol's smart contracts have been identified and mapped.
  • Transparent fee structure. You can see exactly what you pay (swap fees, interest spreads, performance fees) before you deposit. No hidden charges.
  • Insurance coverage available. If protocols like Nexus Mutual or InsurAce offer coverage for the protocol, it means underwriters have assessed the risk and consider it insurable.
  • Formal verification. Beyond audits, some protocols have their critical functions mathematically proven to behave correctly. This is the highest standard of code verification, used by protocols like Uniswap V4 and some parts of MakerDAO.

How to Check in Practice — Tools and Steps

Here is a step-by-step process you can follow every time you evaluate a new protocol. Bookmark this section and come back to it.

Step 1: Check TVL and chain breakdown

Go to DefiLlama and search for the protocol. Check:

  • Current TVL and 90-day trend (growing, stable, or declining?)
  • Which chains it is deployed on
  • Whether there have been sudden TVL drops (possible exploit or bank run)
  • How it compares to peers in its category (lending, DEX, yield, etc.)

Step 2: Verify contracts on block explorer

Find the protocol's contract addresses (usually listed in their docs). Go to the relevant block explorer:

Check: Is the contract verified? Who is the owner/admin? Is there a proxy pattern (upgradeability)?

Step 3: Review code activity on GitHub

Find the protocol's GitHub organization. Look at:

  • Commit frequency — is the code actively maintained?
  • Number of contributors — is it a one-person project or a team?
  • Open issues and pull requests — is the community engaged?
  • Last commit date — has the project been abandoned?

Step 4: Check bug bounty status

Search the protocol on Immunefi. Note the maximum bounty amount and whether it covers the contracts you are planning to use.

Step 5: Check incident history

Search the protocol on Rekt.news. Also search Twitter/X and Google for "[protocol name] exploit" or "[protocol name] hack." Review any incidents and how they were handled.

Step 6: Check your exposure after depositing

After you deposit, use CleanSky to scan your wallet. CleanSky will show you:

  • Your position in the protocol (type, value, earnings)
  • Risk analysis across six dimensions
  • Concentration risk — what percentage of your portfolio is in this protocol
  • Token approvals — what permissions you granted and whether they need to be revoked

For a detailed walkthrough of what CleanSky shows, see our guide on reading your scan.

Examples: Rating Real Protocols

Let's apply the checklist to five protocols across the safety spectrum. This is not financial advice — it is an illustration of how to use the framework.

Criteria Aave V3 Uniswap V3 Lido New L2 Lending Unaudited Farm
Audit history 5+ audits (Trail of Bits, OpenZeppelin, Sigma Prime, etc.) Multiple audits (Trail of Bits, ABDK) + formal verification 10+ audits from multiple firms 1 audit from mid-tier firm None ("coming soon")
TVL >$10B >$4B >$15B ~$5M ~$200K
Time in production 5+ years (since Jan 2020) 7+ years (since Nov 2018) 4+ years (since Dec 2020) 4 months 2 weeks
Open-source Yes, verified on all chains Yes, verified + formally verified Yes, verified on all chains Yes, verified No, unverified
Team Public (Aave Labs, Stani Kulechov) Public (Uniswap Labs, Hayden Adams) Public (Lido DAO, multiple contributors) Pseudonymous on Twitter Fully anonymous
Bug bounty $1M on Immunefi $2.25M on Immunefi $2M on Immunefi $10K self-hosted None
Governance DAO + timelock Immutable core + governance for fee switch DAO + multisig + timelock Multisig (3 of 5), no timelock Single admin key
Incident history Minor flash loan incident (2022), handled well No major exploits on core contracts No major exploits None (too new) Unknown
Documentation Excellent, comprehensive Excellent, includes technical papers Very good Basic, incomplete One-page landing page only
Community Very active governance forum, large community Massive ecosystem, thousands of integrations Active DAO, governance forum, ecosystem Small Discord (~500 members) Telegram group only, mostly bots
Overall Very safe Very safe Very safe Moderate risk Extremely risky

The pattern is clear. Established protocols like Aave, Uniswap, and Lido check every box. They have been live for years, audited extensively, governed by DAOs with timelocks, and backed by massive communities. The new L2 lending protocol has some positive signals (one audit, open source) but lacks the track record, bug bounty, and governance maturity. The unaudited farm fails almost every check — depositing there is essentially gambling.

This doesn't mean you should only use the top three. Innovation happens at the edges. But if you use a newer protocol, you should do so with a smaller amount of capital, fully aware of the risk, and after running through this entire checklist. For more on balancing risk, see our guide on understanding risk in DeFi.

Practical Risk Management

Even after thorough due diligence, no protocol is 100% safe. Here are principles to manage that residual risk:

  • Diversify across protocols. Don't put all your DeFi capital into one protocol, no matter how safe it appears. Spread across 3-5 protocols to limit the impact of any single exploit.
  • Start small. When trying a new protocol, deposit a small test amount first. Wait a few days. Check that deposits and withdrawals work as expected. Then scale up gradually.
  • Revoke unused approvals. After you withdraw from a protocol, revoke the token approval. This eliminates the risk of an approval-based exploit. Use CleanSky to see all your active approvals. Read more in our guide on staying safe in crypto.
  • Monitor regularly. DeFi conditions change. A protocol that was safe six months ago might have changed its governance structure, lost key team members, or suffered an exploit. Scan your wallet regularly with CleanSky and re-evaluate your positions.
  • Consider insurance. For large positions, DeFi insurance protocols (Nexus Mutual, InsurAce) can provide coverage against smart contract exploits — at a cost of 2-5% per year.

Frequently Asked Questions

How do I know if a smart contract is safe?

Check whether the contract code is verified and publicly readable on a block explorer like Etherscan or Solscan. Then look for independent security audits from reputable firms such as Trail of Bits, OpenZeppelin, or Spearbit. A contract that is open-source, audited by multiple firms, and has operated for over two years without exploits is significantly more trustworthy than one that is closed-source or unaudited. You can also check the governance structure — who controls upgrades and whether there is a timelock protecting users from sudden changes.

What does "audited" mean for a DeFi protocol?

An audit means an independent security firm has reviewed the protocol's smart contract code for vulnerabilities, logic errors, and potential exploits. Audits are not guarantees of safety — they are professional reviews that reduce risk. The quality of the audit depends on the firm's reputation, the scope of the review, and whether the protocol implemented the recommended fixes. Multiple audits from different firms provide stronger assurance than a single audit. Always check that the audit report is publicly available and covers the version of the contracts currently deployed.

Is high TVL a guarantee of safety?

No. High Total Value Locked indicates market trust and means many people have deposited funds, but it does not guarantee safety. Terra/Luna had over $20 billion in TVL before collapsing in May 2022. However, protocols with high TVL are generally more scrutinized by security researchers, more likely to have been audited, and more likely to offer large bug bounties — all of which reduce risk. Use TVL as one data point in your evaluation, not the only one. Combine it with audit history, governance structure, and time in production for a complete picture.

Can a DeFi protocol steal my money?

Yes, in several ways. A malicious protocol can include backdoors in its smart contracts that allow the team to drain user funds (a "rug pull"). Even legitimate protocols can lose user funds through smart contract bugs, oracle manipulation, or governance attacks. An admin with a single key and no timelock can change contract parameters to steal deposits. To minimize this risk, use the 10-point checklist above: check audit history, governance structure (who controls upgrades), whether contracts have timelocks on admin functions, and the protocol's track record over time. For more about DeFi safety, read Is DeFi safe?

Where can I check a DeFi protocol's audit?

Most reputable protocols publish their audit reports on their official documentation site or GitHub repository. You can also check the websites of major audit firms — Trail of Bits, OpenZeppelin, Spearbit, Certik, and Hacken all publish completed audit reports. Additionally, DefiLlama lists audit information for many protocols, and Immunefi shows which protocols have active bug bounty programs, which is another indicator of security commitment. If you cannot find an audit report after searching these sources, treat the protocol as unaudited.

Conclusion

Evaluating a DeFi protocol is not complicated, but it does require discipline. The 10-point checklist — audit history, TVL, time in production, open-source contracts, team transparency, bug bounty, governance, incident history, documentation, and community — gives you a systematic way to assess risk before depositing your money.

No single factor is sufficient on its own. A protocol can be audited but have terrible governance. It can have high TVL but be only weeks old. It can have a known team but no bug bounty. The checklist works because it covers all the angles.

The goal isn't zero risk — that doesn't exist in DeFi or anywhere else in finance. The goal is informed risk: understanding exactly what you are exposed to and deciding whether the potential reward justifies it.

Already deposited in DeFi? Scan your wallet with CleanSky to see your full exposure — positions, risk analysis, concentration, and token approvals — all from a single address.

Scan your wallet now →