28 terms covering every risk you need to understand before staking.
Developers suddenly drain all liquidity from a protocol and disappear with user funds, usually via backdoor admin functions or outright liquidity removal.
A token contract coded to allow buying but block selling. Users can purchase but can never exit their position.
A bug where a malicious contract repeatedly calls a vulnerable function before the first execution updates state, draining funds each time.
A single EOA (externally owned account) controls critical protocol functions like minting, pausing, or upgrading. If compromised, funds are at risk.
Unintended code behaviour that doesn't constitute a classic exploit but still causes financial loss — even in audited contracts.
A smart contract whose source code is not verified on a block explorer. You cannot read what the contract actually does.
Attacker borrows a large uncollateralized sum within a single transaction to manipulate prices or exploit protocol logic, then repays — all atomically.
Approving a contract to spend unlimited tokens. If that contract is compromised later, all approved tokens can be drained.
Feeding false or manipulated price data into a protocol's price oracle, causing incorrect valuations, bad liquidations, or exploitable arbitrage.
Delay between real-world price changes and on-chain oracle updates. Can cause incorrect liquidations or allow MEV during volatile markets.
A single entity controls the price feed. If that server goes down or is compromised, the protocol is blind or exploitable.
The difference in value between holding tokens in an LP position versus holding them outright. Occurs when token prices diverge after deposit.
A chain reaction where falling prices trigger liquidations, which depress prices further, triggering more liquidations until the market stabilises (or collapses).
The difference between the expected price of a trade and the actual executed price, caused by pool imbalance or low liquidity.
Undercollateralised borrowing positions that cannot be liquidated profitably. Losses are socialised across remaining protocol depositors.
Fake websites or interfaces designed to look identical to legitimate protocols, capturing seed phrases or approving malicious transactions.
A token with the same name/symbol as a legitimate project, deployed to trick users into buying the wrong contract.
Malware that silently replaces wallet addresses in your clipboard. You copy address A, but paste address B (attacker's wallet).
Coordinated buying drives up a token's price, creating FOMO. The organisers sell at the peak, the price collapses, and retail investors are left holding the losses.
Malicious tokens sent to wallets that, when users try to sell or interact with them, approve a contract that drains legitimate funds.
A malicious actor acquires enough governance tokens to pass proposals that drain the treasury, alter parameters, or change protocol rules.
High token emission rates reduce the value of existing holdings. Common in yield farming where rewards are paid in native tokens.
Cross-chain bridge contracts are complex and frequently exploited. Funds locked in a bridge can be stolen if the bridge's smart contracts are compromised.
The failure of one major protocol triggering cascading failures across the DeFi ecosystem due to composability and shared liquidity.
The total USD value of assets deposited in a protocol. Higher TVL generally indicates more user trust but is not a guarantee of safety.
A wallet requiring M-of-N signatures to execute transactions. Used for admin functions in protocols to reduce single-key risk.
The ratio of collateral value to borrowed value. Protocols liquidate positions when this ratio falls below a threshold.
APR is the simple annual rate; APY accounts for compounding. Most DeFi interfaces show APY, which looks higher. Also: neither accounts for token price decay.