Safety and security for DeFi and web3

How to stay safe when you connect your wallet to dApps and web3 apps. Best security practices to follow in web3.


Essential information to help you stay afloat in the sea of DeFi.

Need a crypto wallet that gives you full control of your assets? You can download Exodus here.

Never enter your 12-word secret recovery phrase or private keys into a web3 app. If a web3 app requests your secret recovery phrase or private keys, it is trying to steal your crypto.


What happens when I allow a web3 app to make changes?

In DeFi, when you give a web3 app permission to make changes to or have certain access to your wallet, you expose yourself to risk.

When you use a web3 app, you're not sending your funds from your wallet to the app in order to use the service. Instead, you sign an approval that gives the app's smart contracts permission to act on specific assets in your wallet under the conditions written into their code, for example moving up to an approved amount of a token when you trade or deposit. That approval is recorded on the blockchain and stays in force until you change or revoke it.

Those conditions are enforced by the contract code itself. A reputable web3 app publishes its contract code and documents the conditions for public review. The design of a protocol's smart contracts is integral to how safe it is to use.

Interacting with smart contracts carries possible risks from malicious third parties, market conditions, or the design of the smart contracts.

If you're new to all things web3 and DeFi, you may want to be aware of some of these risks. Not to worry! There are also strategies that will help you to navigate the web3 ecosystem a little more safely.

Exodus is a self-custody software wallet that provides the interface for you to connect to the world of DeFi and web3. Web3 apps are platforms that are external to Exodus, so make sure you do your own research before connecting!


What are the risks of using DeFi?

Hacks, scams, and bugs, oh my!

Some of the most notorious risks of using web3 and DeFi come from the potential for a protocol's code to be hacked or exploited. Code can also malfunction in different ways.


Hacks

Determined attackers look for flaws in a protocol's code. Sometimes they find a way in through a bug in the contracts, sometimes through the price oracles the protocol relies on, feeding it a manipulated price so that it behaves as if its conditions were met when they were not. Either way, they interfere with the mechanics of the protocol to alter its expected behavior.

While DeFi protocols may not have custody of your funds, the approvals you have granted let their contracts move your tokens when certain conditions are met. If an attacker can artificially meet those conditions, or take control of a contract you have approved, they can use that same permission to drain your funds, including tokens still sitting in your wallet.


Scams

In some circumstances, the developers of a protocol are bad actors. Some web3 apps may have devious designs or back door functionality that can steal your money after you've allowed the web3 app access to your wallet.

In all these cases, it's important to research each web3 app to make sure it has a safe track record and is being maintained by experienced developers. More information can be found in this section: Do your own research.

If you receive an unknown NFT in your wallet do not transfer it or list it for sale. Sometimes scammers airdrop NFTs with malicious intent, hoping you will interact with the NFT or click on a suspicious link. This can result in the theft of your assets.


Bugs

Depending on how established a protocol is and how experienced its developers are, a web3 app could have built-in shortcomings that may compromise its security or cause the protocol to behave in unexpected and undesirable ways.


Impermanent loss

Impermanent loss is a risk of providing liquidity to an automated market maker (AMM) pool, which is what most yield farming is built on. It happens whenever the relative price of the two assets you deposited changes after you deposit, in either direction.

Let's say that 1 SOL equals $100, and you provide equal dollar values of 1 SOL and 100 USDC as liquidity to a DEX. In exchange, the DEX gives you liquidity provider (LP) tokens representing your share of the pool, worth $200 at the time of deposit.

Now let's say that the price of SOL doubles to $200, and you want to redeem your LP tokens to get your assets back.

Your LP tokens entitle you to a fixed share of the pool, not a fixed amount of each asset. Traders arbitrage the pool until its internal ratio matches the new price, so the pool now holds fewer SOL and more USDC. In a standard constant-product pool, your share comes back as roughly 0.707 SOL and 141.42 USDC, about $282.84 in total (ignoring fees).

This is where impermanent loss comes in. Had you simply held your 1 SOL and 100 USDC, you would have $300. The roughly $17 shortfall, about 5.7%, is the impermanent loss.

The loss is only locked in when you withdraw, which is why it is called impermanent. If SOL drifts back from $200 to $100, the pool ratio returns with it and you can once again withdraw about 1 SOL and 100 USDC. Note that the same loss occurs if the price falls: at $50 per SOL the shortfall is again about 5.7%.

Also remember that by providing liquidity, you earn a share of the pool's trading fees proportional to your percentage of the pool. Depending on the amount of liquidity you've provided, how long you provide it, and how much trading volume the pool sees, fees can outweigh the impermanent loss over the long term.

A good way to get familiar with providing liquidity is to provide stablecoin pairs like USDC/USDT. Because their prices are stable, the possibility for impermanent loss is much lower than using more volatile assets.
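The SOL/USDC walk-through above can be checked with the constant-product formula. The following is an added example written for this article, not code from Exodus or from any DEX. It assumes a standard x*y = k pool with no fees, and, to keep the arithmetic readable, that you own the whole pool; with a partial share the token amounts scale down proportionally and the percentages are identical. It generalizes the example by computing the loss for any price change, including the fall and the stablecoin cases mentioned in the text.

```python
import math


def impermanent_loss(price_ratio: float) -> float:
    """Fractional loss of an LP position versus simply holding, for a
    constant-product (x*y = k) pool, after the price of asset A in terms of
    asset B is multiplied by price_ratio (new price / deposit price).
    Fees are ignored. Negative values are losses; 0 means no divergence.
    The closed form is 2*sqrt(r)/(1+r) - 1, symmetric in r and 1/r."""
    r = price_ratio
    return 2 * math.sqrt(r) / (1 + r) - 1


def lp_withdrawal(sol_in: float, usdc_in: float, new_sol_price: float):
    """Tokens you can withdraw once arbitrage has moved the pool to
    new_sol_price (USDC per SOL). Assumes you are the only LP, so the
    whole pool is yours (amounts scale linearly with a smaller share)."""
    k = sol_in * usdc_in                  # pool invariant, unchanged by trades
    sol_out = math.sqrt(k / new_sol_price)  # pool ratio usdc/sol == new price
    usdc_out = math.sqrt(k * new_sol_price)
    return sol_out, usdc_out


def hold_vs_lp(sol_in: float, usdc_in: float, new_sol_price: float) -> dict:
    """Compare holding the deposited tokens against providing them as
    liquidity, both valued in USDC at new_sol_price."""
    hold_value = sol_in * new_sol_price + usdc_in
    sol_out, usdc_out = lp_withdrawal(sol_in, usdc_in, new_sol_price)
    lp_value = sol_out * new_sol_price + usdc_out
    return {
        "hold_value": hold_value,
        "lp_value": lp_value,
        "sol_out": sol_out,
        "usdc_out": usdc_out,
        "il_pct": (lp_value / hold_value - 1) * 100,
    }


if __name__ == "__main__":
    # Constructed scenario from the article: deposit 1 SOL + 100 USDC at $100/SOL.
    for price in (50.0, 100.0, 200.0, 400.0):
        res = hold_vs_lp(1.0, 100.0, price)
        print(f"SOL at ${price:>6.2f}: withdraw {res['sol_out']:.4f} SOL + "
              f"{res['usdc_out']:.2f} USDC = ${res['lp_value']:.2f} "
              f"vs hold ${res['hold_value']:.2f} -> IL {res['il_pct']:.2f}%")
    # A stablecoin pair whose price drifts 1% shows why IL is small there.
    print(f"USDC/USDT drifting 1%: IL {impermanent_loss(1.01) * 100:.4f}%")
```

Running it shows the same 5.72% loss at $200 and at $50 (the formula is symmetric in the price ratio), no loss at $100, and a loss of roughly 0.001% for a stablecoin pair that drifts by 1%, which is the quantitative reason behind the stablecoin suggestion above.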


Intrinsic protocol risk

Intrinsic protocol risk refers to the mechanics of a protocol and its smart contracts. Even if everything works as expected, a protocol may produce an unfavorable outcome.

When you engage with a DeFi smart contract, you're giving it permission to transact your assets when certain conditions are met. You can find out more about how this works here: How is DeFi non-custodial?

As an example, say you took out an overcollateralized loan through a lending protocol. You deposit 1 ETH valued at $2,000. Since the protocol lets you borrow up to 50% of your collateral value, you borrow the maximum: $1,000 worth of Dai.

Now say the price of ETH fell by just one dollar, to $1,999. If that 50% ratio is also the protocol's liquidation threshold (some protocols set the liquidation threshold a little above the maximum borrow ratio, but borrowing the maximum leaves you right at the edge either way), your collateral no longer covers the loan at the required ratio. Unless you add more ETH or repay part of the debt, the protocol can liquidate your ETH, selling it to cover the loan, usually with a liquidation penalty on top.

In protocols with fixed-term loans, your collateral could also be liquidated if you fail to pay back what you borrowed by the specified time.
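The liquidation arithmetic in the example above is simple enough to check yourself before borrowing. The following is an added example for this article, not code from any lending protocol. It uses the common health-factor convention (collateral value times liquidation threshold, divided by debt; a value at or below 1 means the position can be liquidated) and treats the 50% and 80% thresholds as assumed parameters, not as any particular protocol's settings.

```python
def max_borrow(collateral_amount: float, collateral_price: float, max_ltv: float) -> float:
    """Largest debt the protocol will let you open against the collateral."""
    return collateral_amount * collateral_price * max_ltv


def health_factor(collateral_amount: float, collateral_price: float,
                  debt: float, liquidation_threshold: float) -> float:
    """Above 1 the loan is safe; at or below 1 it can be liquidated.
    Zero debt means nothing can be liquidated, hence infinity."""
    if debt == 0:
        return float("inf")
    return collateral_amount * collateral_price * liquidation_threshold / debt


def liquidation_price(collateral_amount: float, debt: float,
                      liquidation_threshold: float) -> float:
    """Collateral price at which the health factor hits exactly 1."""
    return debt / (collateral_amount * liquidation_threshold)


def price_drop_buffer_pct(current_price: float, liq_price: float) -> float:
    """How far (in %) the collateral price can fall before liquidation."""
    return (1 - liq_price / current_price) * 100


if __name__ == "__main__":
    eth, eth_price = 1.0, 2000.0           # constructed: article's 1 ETH at $2,000
    ltv = threshold = 0.50                 # assumption: liquidation threshold == max LTV

    cap = max_borrow(eth, eth_price, ltv)  # 1000.0 Dai
    for debt in (cap, cap / 2):
        liq = liquidation_price(eth, debt, threshold)
        hf_now = health_factor(eth, eth_price, debt, threshold)
        hf_minus_1 = health_factor(eth, eth_price - 1, debt, threshold)
        print(f"borrow {debt:7.2f} Dai: HF {hf_now:.4f} now, "
              f"{hf_minus_1:.4f} after a $1 drop, liquidation at ${liq:.2f} "
              f"({price_drop_buffer_pct(eth_price, liq):.1f}% buffer)")

    # If the protocol's threshold is higher than its max LTV (assumed 80% here),
    # the same maximum loan survives a larger drop before liquidation.
    print(f"threshold 80%: liquidation at ${liquidation_price(eth, cap, 0.80):.2f}")
```

Borrowing the full $1,000 gives a health factor of exactly 1.0, so the $1 drop to $1,999 takes it to 0.9995 and the position becomes liquidatable. Borrowing half as much moves the liquidation price down to $1,000, a 50% buffer. The last line shows that knowing the protocol's actual liquidation threshold, not just its borrow limit, is what tells you how much room you really have.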

This is an inherent protocol risk. While these DeFi protocols are functioning as expected and can be great financial tools, they also carry risks if they're used without proper caution or understanding.

Always do your due diligence to understand the protocols you use and what conditions may result in an unfavorable outcome.


How do I stay safe using DeFi?

Do your own research

Before entrusting your funds to the wild west of web3, some extra research will go a long way in keeping you safe and successful on your DeFi journey. Before connecting to a web3 app, make sure you do your own research and familiarize yourself with the web3 app, so you know the features and the potential risks of using it.

It's always recommended to check that the web3 app you are connecting to is trusted and that you have accessed it with the correct URL. Phishing sites often copy a real app's look and use a lookalike domain, so bookmark the genuine address and avoid links from search ads, direct messages, or unsolicited emails. Never connect to web3 apps that you don't trust.

Below are a few different ways to research a web3 app that you're interested in using.


Read the web3 app's documentation

A web3 app's code and documentation should be transparent and open to the public.

A good place to start researching a web3 app is its documentation. Reading the docs will help you understand how it works and what the web3 app has to offer you.

Since a web3 app requires your trust in order to use it, a web3 app with good documentation will do a good job of explaining itself to you.

After reading a web3 app's documentation, you should be able to answer these questions for yourself:

  • What does this web3 app do?

  • What are the potential risks involved?

  • Under what conditions can it access funds in my wallet?

  • Does this web3 app have a community I can engage with?

If you're unable to answer these questions after reading a web3 app's documentation, you may need to do more research before choosing to use that web3 app.


Check if the web3 app has been audited

Several websites publish reviews, audit listings, and scam screenings for web3 apps. Keep in mind that an audit is a point-in-time review of a specific version of the code: it reduces risk but does not guarantee safety, and a contract upgraded after the audit may no longer be covered by it. Here is a list of resources you may find useful when researching a web3 app:

  • DeFi Safety - A website that posts reports and safety scores on DeFi projects.

  • Solidity Finance - A website that checks if a protocol has been audited or not.

  • Rugscreen - A website that can identify if a protocol is known scam or rug pull.

  • Coinsniper - a resource with more information on how to protect against common DeFi scams.


Research the developers of the web3 app

Doxxed developers are accountable developers. It can help in your research to see if you can find the names of the web3 app's developers.

Publicly known developers are a good sign as they can be identified and held accountable if something intentionally malicious occurs with the web3 app.


Look into the web3 app's community

Another place to check when researching a web3 app is its community pages. Check if a web3 app has a Twitter account or Discord page where you can ask members of the community what their experience has been.

However, if you find that a web3 app's social media pages are full of spam posts or activity unrelated to crypto, it could be a sign that the community is inactive or unmoderated, both of which indicate that the web3 app may not be trustworthy.


Exercise caution and be prepared

Once you've researched a web3 app you want to connect your wallet to, you should still exercise caution. It's a good idea to only invest funds that you are willing and prepared to lose. While a web3 app could appear solid and trustworthy, an update to the code or a newly discovered exploit could compromise your funds.

It also helps to be skeptical of DeFi protocols that promise larger-than-normal returns. If a high APY sounds too good to be true, it probably is. Big numbers alone don't guarantee a good investment - especially if you can't tell where the money is coming from.

Always make sure you keep enough of the network's native coin on hand to cover gas (transaction fees) for the web3 apps you choose to use. Not having enough funds for gas could leave you unable to complete a transaction, including an urgent one such as adding collateral or revoking an approval.

It's also important to use a secure web3 app browser. Secure web3 app browsers will often take the time to review and vet a web3 app before listing it for search.


Disconnect your wallet after each session

After you're finished using a dApp or web3 app, it's a good security practice to disconnect your wallet. If you want to use the web3 app again, you can always reconnect.

By disconnecting, you stop the web3 app from seeing which account is connected and from prompting your wallet for signatures or transactions. Keep in mind that your public addresses and token balances are visible to anyone on the blockchain regardless; disconnecting only ends the site's link to your wallet.

For help with disconnecting your Exodus wallet from web3 apps, you can check out our guides below:

However, disconnecting from a web3 app will not revoke any smart contract permissions or token allowances.


Never make a connection with your 12-word secret recovery phrase

When connecting your Exodus wallet with a dApp or web3 app, you shouldn't be asked to enter your 12-word secret recovery phrase or any of your private keys to connect to the web3 app.

If you are asked to share this information, it is a scam trying to steal your funds.

Never enter your 12-word secret recovery phrase or private keys into a web3 app!


Revoke web3 app permissions you no longer use or trust

Token allowances (the ERC-20 approve function) and NFT operator approvals (setApprovalForAll) give a web3 app's smart contracts the right to move your tokens or NFTs on your behalf. They are recorded on the blockchain and stay in force until you revoke them, whether or not your wallet is still connected to the app.

Always remove permissions you don't trust. It's also a good security practice to remove permissions you no longer use.

If a web3 app is compromised or exploited, and you haven't revoked its smart contract and token permissions, your funds might be at risk.

There are several ways you can revoke permissions. Revoking means sending a transaction that sets the allowance back to zero (or sets the NFT operator approval back to false), so it costs a small gas fee. In most cases, the easiest way is from a specialized website that lets you view and revoke permissions for web3 apps.
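What a wallet actually signs when a web3 app asks for "access" (the approval described in the first section) and what a revocation tool sends on your behalf can both be read off the raw transaction data. The following decoder is an added example written for this article, not Exodus code or any revocation site's code. The four-byte function selectors are the standard ERC-20 and ERC-721/ERC-1155 values; the spender and operator addresses in the demo are constructed placeholders, not real contracts.

```python
# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",           # ERC-20 token allowance
    "a22cb465": "setApprovalForAll(address,bool)",    # ERC-721/1155 operator approval
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
MAX_UINT256 = 2**256 - 1   # the "unlimited" allowance many apps request by default


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return word


def decode_approval(calldata_hex: str) -> dict:
    """Classify a transaction's calldata the way a careful user should
    before confirming it in their wallet."""
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    selector = data[:4].hex()
    signature = SELECTORS.get(selector)

    if signature == "approve(address,uint256)":
        spender = "0x" + _word(data, 0)[12:].hex()       # address = low 20 bytes
        amount = int.from_bytes(_word(data, 1), "big")
        if amount == 0:
            kind = "REVOKE"
        elif amount == MAX_UINT256:
            kind = "UNLIMITED_APPROVAL"
        else:
            kind = "LIMITED_APPROVAL"
        return {"function": signature, "spender": spender, "amount": amount, "kind": kind}

    if signature == "setApprovalForAll(address,bool)":
        operator = "0x" + _word(data, 0)[12:].hex()
        approved = int.from_bytes(_word(data, 1), "big") != 0
        kind = "NFT_OPERATOR_GRANT" if approved else "NFT_OPERATOR_REVOKE"
        return {"function": signature, "operator": operator, "approved": approved, "kind": kind}

    return {"function": signature or "unknown selector 0x" + selector, "kind": "OTHER"}


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the transaction a revocation tool
    submits for you. Sending it to the token contract zeroes the allowance."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("expected a 20-byte address")
    return "0x095ea7b3" + addr.rjust(64, "0") + "00" * 32


if __name__ == "__main__":
    spender = "0x" + "11" * 20                              # constructed placeholder
    unlimited = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
    print(decode_approval(unlimited))                       # UNLIMITED_APPROVAL
    print(decode_approval(revoke_calldata(spender)))        # REVOKE, amount 0
    nft_grant = "0xa22cb465" + "0" * 24 + "22" * 20 + "0" * 63 + "1"
    print(decode_approval(nft_grant))                       # NFT_OPERATOR_GRANT
```

An UNLIMITED_APPROVAL result is the case worth pausing on: it lets the spender contract move every unit of that token you hold now or later, and disconnecting your wallet afterwards does nothing to it. Revoking is just another approve call with an amount of zero, which is why it needs a signed transaction and a little gas rather than a click in the wallet.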

Here are some tools (by network) that you can connect to in order to view and revoke web3 app permissions:
