
DeFi for beginners: Yields, lending, staking and the real risks

The biggest misunderstanding about DeFi yield

by Mr Moonlight

Photo by Traxer / Unsplash

The most dangerous misconception about decentralised finance is this: high yields mean high profits. Across social media, forums, and marketing materials, you will see eye-watering annual percentage yields (APYs) advertised at 20%, 50%, even 200%. These numbers look like free money, especially when compared to the paltry interest rates offered by traditional banks. But here is what those advertisements do not tell you: high yields in DeFi are not interest rates in the traditional sense. They are compensation for risk.

When a UK savings account offers 4% interest, that rate reflects the time value of money plus a small risk premium, backed by deposit protection schemes up to £85,000 through the Financial Services Compensation Scheme (FSCS). When a DeFi protocol offers 40% APY, that rate reflects smart contract vulnerabilities, token price volatility, liquidity risks, potential protocol exploits, and the very real possibility that the entire project could collapse overnight. The yield is not a gift. It is a warning label.

This fundamental misunderstanding has cost investors billions. In 2022 alone, DeFi protocols lost over $3.1 billion to exploits and hacks, with users discovering too late that their "safe" 30% yield was actually exposure to unaudited smart contracts, anonymous development teams, or outright fraud. By 2024, reentrancy attacks alone had caused over $300 million in losses, continuing a pattern that has plagued DeFi since its inception.

The promise of DeFi is genuine: a financial system without intermediaries, accessible to anyone with an internet connection, operating 24/7 on transparent blockchain rails. By 2025, DeFi protocols held approximately $100 billion in total value locked (TVL), facilitating lending, borrowing, trading, and complex financial strategies that would be impossible in traditional finance. But this innovation comes with risks that most beginners do not understand until it is too late.

This guide takes a risk-first approach. Before we explain how DeFi works, we will show you how it fails. Before we discuss potential returns, we will detail potential losses. And before you connect your wallet to any protocol, you will have a checklist to protect yourself from the most common and costly mistakes.

How returns are actually generated in DeFi

DeFi yields come from real economic activity, not thin air. Understanding the source of returns is essential to evaluating whether they are sustainable or a red flag.

Lending protocols generate returns by connecting borrowers and lenders directly through smart contracts. When you supply assets to protocols like Aave or Compound, you are depositing into a liquidity pool that borrowers can access by providing collateral. Your yield comes from the interest that borrowers pay, which is determined algorithmically based on supply and demand. When demand for borrowing is high and supply is low, interest rates rise. When the opposite occurs, rates fall. Aave, one of the largest DeFi lending protocols, has facilitated over $100 billion in cumulative deposits, with lenders earning interest that has historically ranged from 2% to 15% on stablecoins, depending on market conditions.

The key mechanism here is overcollateralisation. Unlike traditional finance, where banks assess creditworthiness, DeFi lending protocols require borrowers to deposit collateral worth more than the loan value. If you want to borrow $1,000 worth of USDC, you might need to deposit $1,500 worth of ETH. This protects lenders: if the borrower defaults or if the collateral value drops too far, the protocol automatically liquidates the collateral to repay lenders. This system works without credit checks, identity verification, or legal enforcement, but it also means that borrowers are not taking out loans to buy houses or start businesses. They are typically borrowing to leverage trading positions or to access liquidity without selling their holdings.

Liquidity provision on decentralised exchanges (DEXs) generates returns through trading fees. Platforms like Uniswap use automated market makers (AMMs) instead of traditional order books. When you provide liquidity, you deposit equal values of two tokens (for example, ETH and USDC) into a liquidity pool. Traders then swap tokens against this pool, paying a small fee (typically 0.05% to 1%) that is distributed proportionally to liquidity providers. Uniswap has processed over $1 trillion in trading volume, with liquidity providers earning fees on every trade.

The returns here depend on trading volume and the fee tier you select. High-volume pairs like ETH/USDC generate consistent fees, while exotic pairs might offer higher percentage returns but with far less volume and far more risk. The constant product formula (x × y = k) that governs AMM pricing means that as traders buy one token, its price increases relative to the other, automatically adjusting the pool's balance.

Staking generates returns by securing proof-of-stake blockchains. When you stake ETH, for example, you are locking your tokens to help validate transactions and secure the Ethereum network. In return, you receive newly minted tokens as rewards, typically ranging from 3% to 7% annually. This is perhaps the most straightforward DeFi yield: you are being paid to provide a service (network security) that has genuine economic value.

Yield farming and liquidity mining offer additional returns by rewarding users with governance tokens. Protocols distribute their native tokens to early users as an incentive to provide liquidity and build network effects. These token rewards can dramatically boost APYs, sometimes into triple digits. However, these yields are only sustainable if the token maintains or increases its value. If the token price collapses (as many do), your actual returns can be negative despite the high nominal APY.

The crucial insight is this: sustainable yields in DeFi typically range from 3% to 15% annually for stablecoins and established protocols. Anything significantly higher is either temporary (due to token incentives that will decrease), extremely risky (due to protocol vulnerabilities or token volatility), or fraudulent. According to research on DeFi lending, the search for yield has been a primary driver of liquidity provision, particularly during low interest rate environments in traditional finance. But as rates have normalised, the risk-reward calculation has shifted dramatically.

How losses occur

DeFi losses fall into three categories: protocol failures, token collapses, and user errors. Each has destroyed fortunes.

Smart contract exploits are the most technically sophisticated form of loss. Reentrancy attacks, where malicious actors repeatedly call a withdrawal function before the contract updates its balance, have stolen hundreds of millions. The infamous 2016 DAO hack, which drained $60 million through a reentrancy vulnerability, nearly destroyed Ethereum itself. More recently, reentrancy attacks have continued to cause over $300 million in losses since January 2024.

Smart contracts are immutable once deployed. If there is a bug in the code, it cannot be patched like traditional software. Attackers have exploited integer overflows, access control failures, and logic errors to drain funds from protocols that had been audited by reputable firms. In 2025, approximately 27% of audited contracts still had at least one access control misconfiguration, demonstrating that even professional review does not guarantee safety.

Oracle manipulation attacks exploit the price feeds that DeFi protocols rely on. Oracles provide external data (like token prices) to smart contracts. If an attacker can manipulate the oracle, they can trick the protocol into accepting false prices. Flash loan attacks, which allow borrowing massive amounts without collateral within a single transaction, have been used to manipulate prices and drain liquidity pools. These attacks surged by 31% year-over-year through 2025, with attackers borrowing funds, manipulating prices across multiple protocols, profiting from the discrepancy, and repaying the loan, all within seconds.

Rug pulls are exit scams where developers drain liquidity and disappear. A rug pull occurs when project creators remove liquidity from pools or dump their token holdings, leaving investors with worthless tokens. These scams are particularly common with new, unaudited projects offering unsustainably high yields. Anonymous teams, unlocked liquidity, and excessive developer token allocations are warning signs, but many investors ignore them in pursuit of high returns.

Governance attacks exploit voting mechanisms in decentralised autonomous organisations (DAOs). The Compound Finance treasury was drained of $25 million due to governance exploits, where attackers accumulated enough voting tokens (sometimes via flash loans) to pass malicious proposals. Governance vulnerabilities represented 4% of DeFi incidents in 2024, but their impact can be catastrophic when they succeed.

Impermanent loss is a unique risk for liquidity providers. When you deposit tokens into an AMM pool, you are exposed to price changes between the two assets. If one token appreciates significantly relative to the other, you would have been better off simply holding the tokens rather than providing liquidity. This "loss" is impermanent because it only crystallises when you withdraw, but it can be substantial. Impermanent loss occurs because the AMM's constant product formula automatically rebalances your position, selling the appreciating asset and buying the depreciating one. In volatile markets, impermanent loss can exceed the trading fees you earn.

Token volatility can wipe out yields instantly. If you are earning 20% APY on a token that drops 50% in value, you have lost money. Many DeFi protocols distribute rewards in their native governance tokens, which can be highly volatile. The search for yield has driven liquidity provision, but token price crashes have repeatedly destroyed the value of those yields.

Liquidation cascades occur when collateral values drop rapidly. If you have borrowed against your crypto holdings and the price falls, your position may be automatically liquidated to protect lenders. During market crashes, liquidation cascades can accelerate price declines as forced selling triggers more liquidations. DeFi lending protocols handled $350 million in liquidations during a recent drawdown without major protocol failures, demonstrating both the resilience of the system and the scale of losses users can face.

Regulatory risk is increasing. The SEC has classified some DeFi projects as unregistered securities, creating legal uncertainty that can cause token prices to collapse overnight. Regulatory actions can freeze assets, shut down protocols, or expose users to legal liability. The decentralised nature of DeFi does not provide immunity from regulation.

Before you connect your wallet: essential checklist

Never connect your wallet to a DeFi protocol without completing these steps:

1. Verify the protocol's audit history. Reputable protocols publish audits from established firms like Trail of Bits, OpenZeppelin, or Certik. Read the audit reports, not just the summary. Look for critical or high-severity findings and check whether they were resolved. Remember that even audited contracts can have vulnerabilities, but unaudited protocols are exponentially riskier.

2. Check the protocol's age and track record. New protocols are far more likely to fail or be exploited. According to research on DeFi exploit risk, daily loss rates have decreased significantly as protocols mature and are battle-tested. Protocols that have operated for over a year without major incidents are generally safer than brand-new launches.

3. Research the development team. Anonymous teams are a red flag. Look for developers with public identities, track records in the space, and active engagement with the community. Check whether the team has locked their token allocations or whether they can dump holdings at any time.

4. Examine the tokenomics. How are tokens distributed? What percentage does the team control? Are there vesting schedules? Protocols where insiders control large percentages of the supply can manipulate prices or execute rug pulls. Look for fair launches and transparent token distribution.

5. Assess the liquidity. Check whether liquidity is locked in time-locked contracts or whether developers can withdraw it at will. Services like Team Finance or Unicrypt provide liquidity locking. Unlocked liquidity is a major rug pull risk.

6. Understand the yield source. If you cannot identify where the yield comes from, do not invest. Unsustainable yields funded by token emissions will collapse. Legitimate yields come from trading fees, borrowing interest, or staking rewards.

7. Start with small amounts. Never invest more than you can afford to lose entirely. Test the protocol with a minimal deposit first. Understand the user interface, withdrawal process, and fee structure before committing significant capital.

8. Use a separate wallet for DeFi. Do not connect your main holdings to DeFi protocols. Create a separate wallet specifically for DeFi interactions. This limits your exposure if a protocol is compromised or if you accidentally approve a malicious contract.

9. Review and revoke token approvals regularly. When you interact with DeFi protocols, you grant them permission to access your tokens. These approvals persist even after you stop using the protocol. Use tools like Revoke.cash to review and revoke unnecessary approvals.

10. Enable transaction simulation. Wallet providers like MetaMask now offer transaction simulation, showing you what will happen before you confirm. This can prevent you from approving malicious transactions that would drain your wallet.

11. Beware of front-end compromises. Attackers can compromise a protocol's website through DNS hijacking or JavaScript injection, tricking you into signing malicious transactions. Always verify the URL, use bookmarks rather than search engines, and consider accessing protocols through decentralised front-ends on IPFS.

12. Understand the liquidation threshold. If you are borrowing, know exactly at what price your collateral will be liquidated. Set alerts and maintain a safe buffer above the liquidation threshold. Market volatility can trigger liquidations faster than you can react.

DeFi explained: lending, staking, and liquidity provision

Decentralised lending removes banks from the borrowing and lending process. Instead of applying for a loan and waiting for approval, you interact directly with a smart contract. Protocols like Aave and Compound maintain liquidity pools where lenders deposit assets and borrowers take loans by providing collateral.

The interest rates are determined algorithmically based on utilisation: the percentage of available liquidity that is currently borrowed. When utilisation is low, rates are low to encourage borrowing. When utilisation is high, rates increase to encourage more lending and discourage borrowing. This creates a self-balancing system without human intervention.

Borrowers must overcollateralise their loans. If you want to borrow $10,000 in stablecoins, you might need to deposit $15,000 in ETH. This protects lenders from default risk. Each asset has a specific collateral factor (typically 60% to 80%), determining how much you can borrow against it. If your collateral value drops and your loan-to-value ratio exceeds the liquidation threshold, the protocol automatically sells your collateral to repay lenders.
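To make the utilisation-based rate and the liquidation threshold concrete, here is a small Python model of an overcollateralised position and a kinked interest-rate curve. This is an added example, not code from any protocol; the LTV, liquidation-threshold and rate-curve parameters are constructed to resemble Aave-style markets and must not be taken as live values.

```python
from dataclasses import dataclass


@dataclass
class CollateralAsset:
    """Risk parameters of one collateral asset. The numbers used below are
    constructed and merely resemble the LTV / liquidation-threshold pairs that
    Aave-style markets publish; check the live values of any real market."""
    symbol: str
    price: float                  # in the loan currency (e.g. USD)
    ltv: float                    # max borrow as a fraction of collateral value
    liquidation_threshold: float  # liquidatable once debt exceeds this fraction


@dataclass
class Position:
    asset: CollateralAsset
    collateral_amount: float
    debt: float                   # stablecoin debt in the loan currency

    def collateral_value(self) -> float:
        return self.collateral_amount * self.asset.price

    def max_borrow(self) -> float:
        """Largest debt the protocol will let you open against this collateral."""
        return self.collateral_value() * self.asset.ltv

    def health_factor(self) -> float:
        """Aave-style health factor: liquidation becomes possible below 1.0."""
        if self.debt == 0:
            return float("inf")
        return self.collateral_value() * self.asset.liquidation_threshold / self.debt

    def liquidation_price(self) -> float:
        """Collateral price at which the health factor reaches exactly 1.0."""
        if self.debt == 0:
            return 0.0
        return self.debt / (self.collateral_amount * self.asset.liquidation_threshold)

    def price_buffer(self) -> float:
        """Fractional price drop the position can absorb before liquidation."""
        return 1 - self.liquidation_price() / self.asset.price


def kinked_borrow_rate(utilisation: float, base: float = 0.0, slope1: float = 0.04,
                       slope2: float = 0.60, optimal: float = 0.90) -> float:
    """Utilisation-based annual borrow rate of the kind described above: a
    gentle slope up to the optimal utilisation, then a steep one so that new
    lenders are attracted and borrowers repay. Parameters are constructed."""
    if not 0 <= utilisation <= 1:
        raise ValueError("utilisation is a fraction between 0 and 1")
    if utilisation <= optimal:
        return base + slope1 * utilisation / optimal
    return base + slope1 + slope2 * (utilisation - optimal) / (1 - optimal)


def supply_rate(utilisation: float, reserve_factor: float = 0.10) -> float:
    """What lenders earn: borrowers' interest scaled by utilisation, minus the
    protocol's reserve cut. Idle liquidity earns nothing."""
    return kinked_borrow_rate(utilisation) * utilisation * (1 - reserve_factor)


if __name__ == "__main__":
    eth = CollateralAsset("ETH", price=3_000.0, ltv=0.80, liquidation_threshold=0.825)
    pos = Position(eth, collateral_amount=5.0, debt=10_000.0)
    print(f"max borrow {pos.max_borrow():,.0f}, health factor {pos.health_factor():.3f}")
    print(f"liquidated if ETH falls to {pos.liquidation_price():,.2f} "
          f"({pos.price_buffer():.1%} below the current price)")
    for u in (0.50, 0.90, 0.95):
        print(f"utilisation {u:.0%}: borrow {kinked_borrow_rate(u):.2%}, "
              f"supply {supply_rate(u):.2%}")
```

With these constructed parameters, 5 ETH at $3,000 backing a $10,000 loan is liquidated at roughly $2,424, a buffer of about 19%, which is the number checklist item 12 asks you to know before borrowing.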

Decentralised exchanges replace traditional order books with liquidity pools and automated market makers. Uniswap pioneered this model, allowing anyone to create a trading pair by depositing equal values of two tokens.

The AMM uses a simple formula: x × y = k, where x and y are the quantities of each token in the pool, and k is a constant. When someone buys token x, they add token y to the pool, which decreases x and increases y, automatically adjusting the price. This constant product formula ensures that the pool always has liquidity, though large trades relative to pool size cause significant price slippage.

Liquidity providers earn a portion of trading fees (typically 0.05% to 1% per trade) proportional to their share of the pool. Uniswap V3 introduced concentrated liquidity, allowing providers to specify price ranges where their liquidity is active. This increases capital efficiency but requires more active management.
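The constant product formula, slippage on large trades, and the impermanent loss discussed in the "How losses occur" section all fall out of a few lines of arithmetic. The following Python model is an added example (not Uniswap's code); the pool sizes, the 0.3% fee tier and the price moves are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Toy Uniswap-v2-style pool: reserves x and y satisfy x * y = k.
    Constructed example, not Uniswap's code."""
    x: float            # reserve of the base token (e.g. ETH)
    y: float            # reserve of the quote token (e.g. USDC)
    fee: float = 0.003  # 0.3% fee tier, paid by the trader and kept in the pool

    @property
    def k(self) -> float:
        return self.x * self.y

    def spot_price(self) -> float:
        """Marginal price of one X in units of Y implied by the reserves."""
        return self.y / self.x

    def quote_x_for_y(self, dy: float) -> float:
        """How much X a trader receives for paying dy of Y (no state change).
        The fee is deducted from the input before it enters the invariant."""
        if dy <= 0:
            raise ValueError("trade size must be positive")
        dy_eff = dy * (1 - self.fee)
        return self.x * dy_eff / (self.y + dy_eff)

    def swap_y_for_x(self, dy: float) -> float:
        """Execute the trade: the pool keeps the whole dy (fee included) and gives
        up dx. Because the fee stays in the pool, k grows slightly on every
        trade; that growth is what liquidity providers earn."""
        dx = self.quote_x_for_y(dy)
        self.x -= dx
        self.y += dy
        return dx


def slippage(pool: ConstantProductPool, dy: float) -> float:
    """Fractional difference between the execution price of a trade of size dy
    and the current spot price. Trades that are large relative to the reserves
    pay far more than the spot price suggests."""
    dx = pool.quote_x_for_y(dy)
    execution_price = dy / dx
    return execution_price / pool.spot_price() - 1


def impermanent_loss(price_ratio: float) -> float:
    """Closed-form impermanent loss for a constant-product LP when the price of
    X relative to Y moves by price_ratio (2.0 for a doubling), ignoring fees.
    Returns a non-positive fraction: about -0.057 for a 2x move, -0.20 for 4x."""
    if price_ratio <= 0:
        raise ValueError("price ratio must be positive")
    return 2 * math.sqrt(price_ratio) / (1 + price_ratio) - 1


def lp_versus_hold(x0: float, y0: float, new_price: float) -> tuple[float, float]:
    """Simulate the situation described in the text: an LP deposits x0 and y0
    (equal value at the initial price), the market price of X moves to
    new_price, and arbitrage traders move the reserves until the pool agrees.
    Returns (value of the LP position, value of simply holding x0 and y0),
    both in units of Y."""
    k = x0 * y0
    # After arbitrage y / x == new_price and x * y == k, so:
    x1 = math.sqrt(k / new_price)
    y1 = math.sqrt(k * new_price)
    lp_value = x1 * new_price + y1
    hold_value = x0 * new_price + y0
    return lp_value, hold_value


if __name__ == "__main__":
    pool = ConstantProductPool(x=100.0, y=200_000.0)       # ETH priced at 2,000 USDC
    print(f"spot {pool.spot_price():.2f}, 20k USDC trade slippage "
          f"{slippage(pool, 20_000):.1%}")
    lp, hold = lp_versus_hold(10.0, 20_000.0, new_price=4_000.0)
    print(f"LP {lp:,.0f} vs hold {hold:,.0f} -> {lp / hold - 1:.2%} "
          f"(closed form {impermanent_loss(2.0):.2%})")
```

Note that the simulation and the closed form agree: a doubling of ETH leaves the LP about 5.7% behind simply holding, before fees, so fees earned over the period must exceed that for the position to have been worthwhile.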

Staking secures proof-of-stake blockchains. When you stake ETH, you are running (or delegating to) a validator node that proposes and validates new blocks. Validators are rewarded with newly minted tokens and transaction fees. The staking yield (currently around 3% to 5% for ETH) compensates you for locking your tokens and for the risk that your validator could be penalised (slashed) for misbehaviour or downtime.

Liquid staking protocols like Lido allow you to stake ETH and receive a liquid token (stETH) representing your staked position. This token can be used in other DeFi protocols, allowing you to earn staking rewards while still accessing liquidity. However, liquid staking introduces additional smart contract risk and potential depegging risk if the liquid token's value diverges from the underlying staked asset.

Yield farming involves moving assets between protocols to maximise returns. Farmers might deposit stablecoins into a lending protocol, borrow against them, deposit the borrowed assets into a liquidity pool, stake the LP tokens in a yield aggregator, and receive multiple layers of rewards. This complexity amplifies both returns and risks.

Yield aggregators like Yearn Finance automate these strategies, but they introduce additional smart contract risk and fees. The composability of DeFi (the ability to stack protocols like "money legos") enables sophisticated strategies but also creates systemic risk: a failure in one protocol can cascade through the entire stack.

Smart contract risk, oracle risk, governance attacks, and rug pulls

Smart contract vulnerabilities are coding errors that attackers exploit to steal funds. The most common include:

Reentrancy attacks exploit contracts that send funds before updating their internal state. An attacker creates a malicious contract that, when it receives funds, immediately calls the withdrawal function again before the original transaction completes. This allows them to drain the contract by withdrawing the same funds multiple times.
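The ordering problem is easiest to see side by side with its fix. The Python model below is an added example, not Solidity and not any real protocol's code: a toy vault exposes a withdrawal that makes the external call before updating the balance, and one that follows checks-effects-interactions behind a mutex, so you can see why the first drains and the second pays exactly once.

```python
class Vault:
    """Toy vault mirroring the pattern described above: balances are kept per
    depositor and `total` is what the contract actually holds. Constructed
    Python model, not Solidity."""

    def __init__(self) -> None:
        self.balances: dict[object, float] = {}
        self.total = 0.0
        self._locked = False          # reentrancy guard used by withdraw_safe

    def deposit(self, who, amount: float) -> None:
        self.balances[who] = self.balances.get(who, 0.0) + amount
        self.total += amount

    def withdraw_vulnerable(self, who) -> None:
        """Interaction before effect: the external call runs while the caller's
        balance is still credited, so a nested call sees the old balance and is
        paid again."""
        amount = self.balances.get(who, 0.0)
        if amount <= 0:
            raise ValueError("nothing to withdraw")
        self.total -= amount
        who.receive(self, amount)     # external call: control leaves the contract
        self.balances[who] = 0.0      # state updated too late

    def withdraw_safe(self, who) -> None:
        """Checks-effects-interactions plus a mutex: the balance is zeroed before
        the external call, and any nested call is rejected outright."""
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0.0)
            if amount <= 0:
                raise ValueError("nothing to withdraw")
            self.balances[who] = 0.0  # effect first
            self.total -= amount
            who.receive(self, amount) # interaction last
        finally:
            self._locked = False


class HonestDepositor:
    def receive(self, vault: "Vault", amount: float) -> None:
        pass                          # simply accepts the payment


class ReenteringDepositor:
    """Depositor whose receive hook calls withdraw again, the way a malicious
    contract's fallback would. Errors from the nested call are swallowed, like
    a Solidity try/catch, so the outer withdrawal still completes."""

    def __init__(self, withdraw_name: str) -> None:
        self.withdraw_name = withdraw_name
        self.received = 0.0

    def receive(self, vault: Vault, amount: float) -> None:
        self.received += amount
        if vault.total >= amount:     # keep going while the vault can still pay
            try:
                getattr(vault, self.withdraw_name)(self)
            except (RuntimeError, ValueError):
                pass


def run_scenario(withdraw_name: str) -> tuple[float, float]:
    """An honest user deposits 10 and a reentering depositor deposits 1, then the
    latter withdraws through the named method. Returns (amount the reenterer
    received, ether left in the vault)."""
    vault = Vault()
    vault.deposit(HonestDepositor(), 10.0)
    reenterer = ReenteringDepositor(withdraw_name)
    vault.deposit(reenterer, 1.0)
    getattr(vault, withdraw_name)(reenterer)
    return reenterer.received, vault.total


if __name__ == "__main__":
    for name in ("withdraw_vulnerable", "withdraw_safe"):
        got, left = run_scenario(name)
        print(f"{name}: reenterer received {got:.0f}, vault holds {left:.0f}")
```

With the vulnerable ordering the 1-unit depositor walks away with all 11 units while the honest user's recorded balance of 10 is now backed by nothing; with the effect-first version the nested call is refused and the vault keeps 10.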

Integer overflow and underflow occur when arithmetic operations exceed the maximum or minimum values a variable can hold, wrapping around to unexpected values. While Solidity 0.8.x introduced automatic overflow protection, many contracts still use older versions.

Access control failures happen when developers forget to restrict sensitive functions. If a function that should only be callable by administrators is accidentally left public, anyone can execute it. In 2025, 27% of audited contracts had access control misconfigurations.

Logic errors are flaws in the contract's business logic that allow unintended behaviour. These are often subtle and difficult to detect through automated analysis. They require careful manual review and formal verification.

Oracle risk arises because blockchains cannot access external data directly. Oracles provide price feeds and other off-chain information, but they can be manipulated or fail. If a DeFi protocol relies on a single oracle or a low-liquidity price source, attackers can manipulate the reported price to profit from the discrepancy.

Flash loan attacks often combine oracle manipulation with other exploits. An attacker borrows millions in a flash loan, uses those funds to manipulate a price oracle (by making large trades in a low-liquidity pool), exploits the manipulated price in another protocol (by borrowing against inflated collateral or buying underpriced assets), repays the flash loan, and keeps the profit. All of this happens in a single transaction, requiring no upfront capital.

Decentralised oracles like Chainlink aggregate data from multiple sources to reduce manipulation risk, but they introduce their own dependencies and potential failure points. Time-weighted average price (TWAP) oracles smooth out short-term price manipulation but can lag behind real market prices during volatile periods.
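The two properties just stated, smoothing of a one-block spike and lag during a trend, can be measured with a few lines. This added Python example (not Uniswap's or Chainlink's code) builds the kind of running price accumulator an on-chain TWAP oracle keeps; the 12-second block time, the baseline price of 2000 and the single manipulated block are constructed inputs.

```python
def cumulative_price(samples, now):
    """Build the running price accumulator that on-chain TWAP oracles keep.
    samples: list of (timestamp, spot_price) in block order; the price seen at
    block i is taken to hold until the next sample (or until `now`). Returns a
    list of (timestamp, cumulative) so that any TWAP is a difference of two
    checkpoints divided by elapsed time. Constructed model, not Uniswap's code."""
    if not samples:
        raise ValueError("need at least one sample")
    cum = [(samples[0][0], 0.0)]
    running = 0.0
    for (t, price), (t_next, _) in zip(samples, samples[1:] + [(now, None)]):
        if t_next <= t:
            raise ValueError("timestamps must increase")
        running += price * (t_next - t)
        cum.append((t_next, running))
    return cum


def twap(cum, t_start, t_end):
    """Time-weighted average price between two accumulator checkpoints."""
    if t_end <= t_start:
        raise ValueError("window must be positive")
    lookup = dict(cum)
    return (lookup[t_end] - lookup[t_start]) / (t_end - t_start)


BLOCK = 12  # seconds per block, constructed


def spike_scenario():
    """29 blocks at 2000 and one block (number 20) pushed to 10000, the shape a
    single-block manipulation leaves in the price history. Returns (spot at the
    spike block, 30-block TWAP, 5-block TWAP that contains the spike)."""
    samples = [(i * BLOCK, 10_000.0 if i == 20 else 2_000.0) for i in range(30)]
    cum = cumulative_price(samples, now=30 * BLOCK)
    return samples[20][1], twap(cum, 0, 30 * BLOCK), twap(cum, 18 * BLOCK, 23 * BLOCK)


def trend_scenario():
    """Price climbing 30 per block from 2000 with no manipulation at all: the
    30-block TWAP lags well behind the latest spot price."""
    samples = [(i * BLOCK, 2_000.0 + 30 * i) for i in range(30)]
    cum = cumulative_price(samples, now=30 * BLOCK)
    return samples[-1][1], twap(cum, 0, 30 * BLOCK)


if __name__ == "__main__":
    spot, long_window, short_window = spike_scenario()
    print(f"spike: spot {spot:.0f}, 30-block TWAP {long_window:.0f}, "
          f"5-block TWAP {short_window:.0f}")
    last, lagging = trend_scenario()
    print(f"trend: spot {last:.0f}, 30-block TWAP {lagging:.0f}")
```

A protocol reading the spot price at block 20 would value collateral at five times its real price; the 30-block TWAP moves only to about 2267, while a 5-block window still jumps to 3600, which is why the window length is itself a risk parameter.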

Governance attacks exploit voting mechanisms in DAOs. If an attacker accumulates enough governance tokens, they can pass malicious proposals to drain treasuries, change protocol parameters, or upgrade contracts to steal funds. Flash loans have been used to temporarily acquire voting power, pass a proposal, and return the borrowed tokens, all in one transaction.

Defences include time-locks (delays between proposal passage and execution), voting power delays (requiring tokens to be held for a period before they can vote), and quorum requirements (minimum participation thresholds). However, governance vulnerabilities represented 4% of 2024 incidents, and their impact can be catastrophic.

Rug pulls are exit scams where developers drain liquidity or dump tokens. Common warning signs include:

  • Anonymous development teams with no track record
  • Unlocked liquidity that developers can withdraw at any time
  • Excessive token allocations to insiders with no vesting schedule
  • Unaudited smart contracts or audits from unknown firms
  • Unsustainable yields with no clear source
  • Aggressive marketing focused on price rather than utility
  • Copied code from other projects with minimal changes

Rug pulls are particularly common in new projects offering triple-digit APYs. The developers create hype, attract liquidity, then drain the pools and disappear. Some rug pulls are built into the smart contract code itself, with hidden functions that allow developers to mint unlimited tokens or withdraw all funds.

Protocol risk vs token risk vs user error risk

Understanding the distinction between these risk categories is essential for protecting yourself in DeFi.

Protocol risk refers to vulnerabilities in the smart contracts and infrastructure that underpin a DeFi application. This includes:

  • Smart contract bugs that allow exploits
  • Oracle failures or manipulation
  • Governance vulnerabilities
  • Economic design flaws (such as incentive misalignments)
  • Composability risks (failures in connected protocols)

Protocol risk is largely outside your control as a user. You can mitigate it by choosing established, audited protocols with strong track records, but you cannot eliminate it. Even mature protocols can be exploited, though the risk decreases significantly with age and battle-testing.

Token risk refers to the volatility and potential collapse of the tokens you hold or earn. This includes:

  • Price volatility of collateral assets leading to liquidation
  • Governance token price crashes wiping out yield
  • Stablecoin depegging events
  • Token inflation from excessive emissions
  • Regulatory actions targeting specific tokens

Token risk is partially within your control. You can choose less volatile assets (stablecoins rather than altcoins), diversify across multiple tokens, and avoid protocols with unsustainable token emissions. However, even stablecoins carry risk, as demonstrated by the Terra/UST collapse in 2022, which wiped out $40 billion in value.

User error risk refers to mistakes you make when interacting with DeFi protocols. This includes:

  • Connecting your wallet to malicious contracts
  • Approving unlimited token spending
  • Sending funds to incorrect addresses
  • Losing your private keys or seed phrase
  • Falling for phishing attacks
  • Failing to understand liquidation thresholds
  • Not revoking old token approvals

User error risk is entirely within your control, yet it causes a substantial portion of DeFi losses. Social engineering attacks and phishing trick users into approving malicious transactions. Front-end compromises redirect users to fake websites that steal their funds.

The key insight is that you must protect yourself against all three risk categories simultaneously. Choosing a safe protocol does not help if you approve a malicious contract. Avoiding user errors does not protect you from protocol exploits. Managing token volatility does not prevent rug pulls.

A comprehensive risk management strategy addresses each category:

  • For protocol risk: use established, audited protocols; diversify across multiple platforms; start with small amounts
  • For token risk: favour stablecoins and established assets; understand liquidation thresholds; avoid unsustainable yields
  • For user error risk: use hardware wallets; verify all transactions; revoke unnecessary approvals; maintain separate wallets for DeFi

Due diligence checklist: questions to ask before using any DeFi protocol

Protocol fundamentals:

  • How long has the protocol been operating without major incidents?
  • Has it been audited by reputable firms? Are the audit reports public?
  • What is the total value locked (TVL)? Has it been stable or growing?
  • Is the code open source and verifiable?

Team and governance:

  • Who are the developers? Are they public or anonymous?
  • What is their track record in the space?
  • How is governance structured? Can a small group control the protocol?
  • Are there timelocks on governance changes?

Economic model:

  • Where does the yield come from? Is it sustainable?
  • What are the token emissions? Will they cause inflation?
  • How are tokens distributed? What percentage do insiders control?
  • Are there vesting schedules for team tokens?

Security measures:

  • Is liquidity locked? For how long?
  • Are there circuit breakers or pause functions?
  • How does the protocol handle oracle data?
  • What is the liquidation mechanism?

User protections:

  • Is there insurance available (through Nexus Mutual or similar)?
  • What is the protocol's track record with exploits?
  • How quickly does the team respond to security issues?
  • Is there a bug bounty programme?

Practical considerations:

  • What are the fees (protocol fees, gas fees, withdrawal fees)?
  • How liquid are the pools? Can you exit your position easily?
  • What is the user interface like? Is it clear and transparent?
  • Are there any lock-up periods for your funds?

Risk-first glossary

Annual Percentage Yield (APY): The total return on an investment over one year, including compound interest. In DeFi, high APYs often indicate high risk.

Automated Market Maker (AMM): A smart contract that enables trading by maintaining liquidity pools and using mathematical formulas to set prices, rather than matching buyers and sellers.

Collateral: Assets deposited to secure a loan. In DeFi, loans are overcollateralised, meaning the collateral value exceeds the loan value.

Flash loan: An uncollateralised loan that must be borrowed and repaid within a single blockchain transaction. Used for arbitrage and, unfortunately, for exploiting protocol vulnerabilities.

Governance token: A token that grants voting rights in a protocol's decision-making process. Often distributed as rewards to users.

Impermanent loss: The opportunity cost of providing liquidity to an AMM pool compared to simply holding the tokens, caused by price divergence between the paired assets.

Liquidation: The automatic sale of collateral when its value falls below a threshold, used to protect lenders in borrowing protocols.

Liquidity pool: A smart contract holding reserves of two or more tokens, enabling trading and other DeFi functions.

Oracle: A service that provides external data (such as prices) to smart contracts, which cannot access off-chain information directly.

Overcollateralisation: Requiring collateral worth more than the borrowed amount, used to protect lenders from default risk in the absence of credit checks.

Reentrancy attack: An exploit where a malicious contract repeatedly calls a withdrawal function before the original transaction completes, draining funds.

Rug pull: An exit scam where developers drain liquidity or dump tokens, leaving investors with worthless holdings.

Slippage: The difference between the expected price of a trade and the executed price, caused by insufficient liquidity or market movement.

Smart contract: Self-executing code deployed on a blockchain that automatically enforces the terms of an agreement without intermediaries.

Staking: Locking tokens to secure a proof-of-stake blockchain or to participate in a protocol, earning rewards in return.

Total Value Locked (TVL): The total value of assets deposited in a DeFi protocol, used as a measure of its size and adoption.

Yield farming: Moving assets between DeFi protocols to maximise returns, often involving multiple layers of lending, borrowing, and liquidity provision.
