How to Spot Scams in DeFi
Run these checks before you connect a wallet, so a bad project shows its tells before it costs you anything.
DeFi is open to anyone, which is also what makes it easy for scammers to set up shop. No bank or company can claw back stolen funds for you. No single warning sign proves a scam, so the trick is to stack several quick checks: if a project fails three of them, you walk away.
1. Verify the official domain
Scammers buy lookalike domains that differ by one letter, then pay to sit at the top of search results. Type the address yourself or use a saved bookmark instead of clicking a search hit or sponsored link. Download wallet apps only from the project's own site.
Save the real URL the first time you visit, then only ever use that bookmark.
2. Check the project basics
Read what the project actually does, who the team is, and whether their code is active in public (a real GitHub with recent commits beats a glossy website). A named team with a track record has far more to lose by disappearing than an anonymous one.
3. Find the audit and verify it yourself
Look for a smart contract audit from a known firm such as CertiK, SlowMist, or PeckShield, and open the report on that firm's own site. A badge on the project page is not proof. The De.Fi scanner also gives an automated DeFi Score you can cross-check.
4. Scan the token with scam-detection tools
Before you interact, paste the token's contract address into a scanner. Token Sniffer and GoPlus Security flag scam scores, mint rights, hidden taxes, and backdoors. Honeypot.is simulates both a buy and a sell to catch a honeypot, where you can buy but never sell. Bubblemaps and Arkham reveal wallet clusters that hint at insiders.
5. Check the liquidity
Open the token on DexScreener or DEXTools and look at the liquidity pool: how big it is, how old the pair is, and whether the liquidity is locked. Legit projects often lock it for months. Liquidity that is unlocked, or locked for only a few days, lets the team drain the pool and disappear.
6. Check holder spread and token age
One wallet holding more than half the supply can crash the price in a single sale. A contract created only days ago has no history to judge. Both raise the risk, so read holder distribution and creation date as part of the same picture.
7. Understand what you are signing
Use a wallet or tool that previews a transaction before you confirm it. Rabby, Pocket Universe, and Tenderly show what a signature will actually do. If the preview moves tokens you did not expect to move, reject it. Never approve something you do not understand.
8. Grant minimal approvals
When a dApp asks to spend your tokens, set a capped amount instead of an unlimited token approval. Every approval goes through the standard ERC-20 allowance mechanism, and a capped allowance limits the damage if that contract is ever exploited.
9. Review and revoke approvals regularly
Old approvals stay active until you cancel them. Connect read-only to a tool like revoke.cash, find any unlimited or unknown spenders, and revoke them (this costs a little gas). Etherscan's Token Approvals page and wallets like Rabby and DeBank do the same job.
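Steps 7 to 9 all come down to reading the `approve(spender, amount)` call before you sign it. The following is an added example, not code from the original guide or from any of the tools it names: it decodes the calldata of the two ERC-20 calls a wallet preview most often shows (`approve` and `transfer`), flags an unlimited allowance, an allowance above your own cap, an unexpected spender, or a token transfer you did not intend, and shows how a capped approval and a revoke (`approve(spender, 0)`) are encoded. The 4-byte selectors are the standard ERC-20 ones; every address and amount is a constructed sample value, and the policy thresholds are assumptions you would set yourself.

```javascript
// Added example, not code from the original guide: decode the calldata of an
// ERC-20 call before signing it, and flag the patterns the guide warns about
// (an unlimited approval, an approval to an unexpected spender, a transfer you
// did not expect). The selectors are the standard 4-byte ERC-20 selectors;
// every address and amount below is a constructed sample value.

const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "a9059cbb": "transfer(address,uint256)",
};

// uint256 max: the amount wallets label as an "unlimited" approval.
const UNLIMITED = (1n << 256n) - 1n;

// Split "0x<selector><word1><word2>" into its parts. Both supported functions
// take (address, uint256); addresses are left-padded to 32 bytes in the ABI.
function decodeErc20Call(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const selector = hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { fn: null, selector };
  if (hex.length !== 8 + 64 * 2) {
    throw new Error(`expected exactly two 32-byte arguments for ${fn}`);
  }
  return {
    fn,
    selector,
    target: "0x" + hex.slice(8 + 24, 72), // last 20 bytes of word 1
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Review a pending transaction the way a preview tool would.
// expectedSpender: the contract of the dApp you are actually using.
// cap: the largest allowance you are willing to grant (BigInt); null = no cap.
// expectTransfer: true only when you meant to send tokens outright.
function reviewBeforeSigning(calldata, { expectedSpender = null, cap = null, expectTransfer = false } = {}) {
  const call = decodeErc20Call(calldata);
  const warnings = [];
  if (!call.fn) {
    warnings.push(`unknown selector 0x${call.selector}: do not sign what you cannot decode`);
  } else if (call.fn.startsWith("approve")) {
    if (call.amount === UNLIMITED) {
      warnings.push("unlimited approval (uint256 max)");
    } else if (cap !== null && call.amount > cap) {
      warnings.push(`allowance ${call.amount} exceeds your cap of ${cap}`);
    }
    if (expectedSpender !== null && call.target !== expectedSpender.toLowerCase()) {
      warnings.push(`spender ${call.target} is not the contract you are using`);
    }
  } else if (call.fn.startsWith("transfer") && !expectTransfer) {
    warnings.push(`this call moves ${call.amount} tokens to ${call.target}; it is not an approval`);
  }
  return { decision: warnings.length === 0 ? "sign" : "reject", warnings, call };
}

// Build approve() calldata yourself: a capped allowance, or a revoke
// (approve(spender, 0)), which is the call a revoke tool sends on your behalf.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = BigInt(amount).toString(16).padStart(64, "0");
  return "0x095ea7b3" + addr + amt;
}

// Constructed walkthrough (sample spender address, not a real contract).
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
const unlimited = reviewBeforeSigning(encodeApprove(SAMPLE_SPENDER, UNLIMITED), { expectedSpender: SAMPLE_SPENDER });
console.log(unlimited.decision, unlimited.warnings); // reject [ 'unlimited approval (uint256 max)' ]
const capped = reviewBeforeSigning(encodeApprove(SAMPLE_SPENDER, 1000n), { expectedSpender: SAMPLE_SPENDER, cap: 5000n });
console.log(capped.decision, capped.warnings); // sign []
const revoke = reviewBeforeSigning(encodeApprove(SAMPLE_SPENDER, 0n), { expectedSpender: SAMPLE_SPENDER });
console.log(revoke.decision, revoke.call.amount); // sign 0n
```

The decoder deliberately refuses anything whose selector it does not know: a preview that cannot name the function is itself the warning sign the guide describes. A real wallet preview does the same decoding against the full contract ABI and then simulates the call; this example only covers the two calls that account for most approval phishing.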
10. Cross-check every announcement
Confirm news across more than one official channel before you act, and distrust any unsolicited message offering help or free tokens. A legitimate project does not slide into your DMs to walk you through a transaction.
Common mistakes that drain wallets
- Leaving unlimited approvals active long after you stop using a dApp
- Approval phishing: signing a request that quietly hands a stranger permission to spend your tokens
- Address poisoning: copy-pasting a lookalike address a scammer planted in your history (see address poisoning)
- Bulk-revoking blindly, which can break a protocol you still use
- Storing your seed phrase next to the device, and using SMS codes instead of an authenticator app
Want to learn the moves without the risk? Connect a wallet, grant a small capped approval on a tool like Uniswap, then revoke it. The whole loop costs only a little gas and teaches you what every step feels like.
FAQ
- Does an audit mean a DeFi project is safe?
- No. An audit checks the code at one point in time, and some projects fake or misquote one. Confirm the audit exists on the auditor's own site, and treat it as one signal among many, not a guarantee.
- What is a honeypot token?
- A token you can buy but cannot sell, because the contract blocks selling for everyone but insiders. A tool like Honeypot.is simulates both a buy and a sell to catch it before you spend real money.
- If I get scammed in DeFi, can I get my money back?
- Usually not. DeFi has no support desk and no chargeback, so a sent transaction is final. That is why checking before you sign matters far more than reacting after.
- Why should I revoke old token approvals?
- An approval lets a contract move your tokens, and it stays active until you cancel it. If that contract is later exploited, the attacker inherits your approval, so review and revoke unused ones at revoke.cash.