Lesson 8 · Beginner · 15–20 min

DeFi & NFT: Awareness & Risks

Learn how DEX swaps, liquidity pools, and staking work. Understand approvals, rug pulls, fake tokens, and NFT scams. Practice with a testnet simulator and build your risk checklist.

What you will learn
  • Understand basic DeFi mechanics: swaps, liquidity pools, staking, and impermanent loss.
  • Recognize why approvals/allowances are dangerous when set to unlimited.
  • Identify risk patterns: rug pulls, admin keys, fake tokens, and drainer contracts.
  • Learn NFT basics: what ownership means, where to trade, and common scams.
  • Practice: simulate a swap on testnet and spot 3 red flags on mock DeFi/NFT sites.
  • Take home a printable DeFi/NFT risk checklist.

8.1 DeFi basics: swaps, liquidity, staking

DeFi = smart contracts that replace exchanges and banks. You interact directly with code, not a company.

DEX Swaps

Exchange one token for another via a liquidity pool. The price comes from the ratio of the pool's reserves, so your own trade moves it (price impact), and transactions that land before yours can move it further (slippage). Your slippage tolerance sets the worst price you are willing to accept; if the pool moves past it, the swap reverts.

Liquidity Pools

You deposit a pair of assets (e.g., ETH/USDC) and earn fees from trades. Risk: impermanent loss — if prices diverge, your LP value may be less than simply holding.

Staking & Yield Farming

Lock assets to earn rewards. Evaluate the yield source — 'too-good-to-be-true' APY often means high risk or unsustainable tokenomics.

Network & Gas

DeFi actions occur on specific networks (Ethereum, BSC, Solana, etc.). Gas fees can make small trades uneconomical.

Right approach

  • Start with small test amounts
  • Set a tight slippage tolerance (0.1–0.5%): it caps what a sandwich attack (MEV bots trading around your transaction) can take from your trade
  • Verify contract addresses on block explorers
  • Use established protocols with audits

Risky behavior

  • High slippage 'just to make it go through'
  • Trading in a single thin, low-liquidity pool, where even small trades have large price impact
  • Unknown contracts without verification
  • Chasing 1000% APY promises
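The swap, slippage and impermanent-loss mechanics above, as an added example (not code from this lesson's simulator or from any real DEX): a Uniswap v2-style constant-product pool in Python. The reserves, the 10 ETH victim trade and the attacker sizes are constructed for the demo. It shows how the slippage tolerance you type becomes the router's min_out check, why a 10% tolerance lets a sandwich bot take far more than a 0.5% one, and how impermanent loss follows from the price ratio alone.

```python
"""Constant-product AMM simulator for lesson 8.1.

Added example (not code from any real DEX): models a Uniswap v2-style
pool (x * y = k, 0.3% fee), shows how a slippage tolerance becomes the
router's min_out check, runs a sandwich attack against a loose tolerance,
and computes impermanent loss. All reserves and trade sizes are constructed.
"""
import copy
import math

FEE = 0.003  # 0.3% fee charged on the input amount, as in Uniswap v2 pools


class SlippageExceeded(Exception):
    """The router reverts when the output is below the caller's min_out."""


class ConstantProductPool:
    def __init__(self, reserves: dict):
        self.r = dict(reserves)  # e.g. {"ETH": 1000.0, "USDC": 2_000_000.0}

    def _other(self, token: str) -> str:
        (other,) = [t for t in self.r if t != token]
        return other

    def quote(self, token_in: str, amount_in: float) -> float:
        """Output for selling amount_in of token_in at the current reserves."""
        eff = amount_in * (1 - FEE)
        return self.r[self._other(token_in)] * eff / (self.r[token_in] + eff)

    def swap(self, token_in: str, amount_in: float, min_out: float) -> float:
        """Execute the swap, reverting if the realised output is below min_out."""
        out = self.quote(token_in, amount_in)
        if out < min_out:
            raise SlippageExceeded(f"got {out:.2f}, needed >= {min_out:.2f}")
        self.r[token_in] += amount_in
        self.r[self._other(token_in)] -= out
        return out


def min_out_for_tolerance(quoted: float, tolerance: float) -> float:
    """Wallet UI 'slippage 0.5%' -> the min_out the router enforces."""
    return quoted * (1 - tolerance)


def sandwich(pool, victim_eth, victim_tolerance, attacker_eth):
    """Front-run the victim's ETH->USDC sale, let it execute at the worse
    price, then back-run by buying the ETH back.

    Returns (attacker_profit_eth, victim_usdc_received), or None when the
    victim's min_out reverts the sale so the attack cannot complete.
    """
    pool = copy.deepcopy(pool)
    min_out = min_out_for_tolerance(pool.quote("ETH", victim_eth), victim_tolerance)
    attacker_usdc = pool.swap("ETH", attacker_eth, 0)        # front-run
    try:
        victim_usdc = pool.swap("ETH", victim_eth, min_out)  # victim's tx
    except SlippageExceeded:
        return None
    eth_back = pool.swap("USDC", attacker_usdc, 0)           # back-run
    return eth_back - attacker_eth, victim_usdc


def impermanent_loss(price_ratio: float) -> float:
    """Value of a 50/50 LP position relative to just holding, minus 1, after
    one asset's price moves by price_ratio (2.0 = doubled). Always <= 0."""
    return 2 * math.sqrt(price_ratio) / (1 + price_ratio) - 1


if __name__ == "__main__":
    pool = ConstantProductPool({"ETH": 1000.0, "USDC": 2_000_000.0})
    print(f"quote for 10 ETH: {pool.quote('ETH', 10):.2f} USDC")
    for tol in (0.005, 0.10):
        for atk in (2, 5, 50):
            print(f"tolerance {tol:.1%}, attacker {atk} ETH ->", sandwich(pool, 10, tol, atk))
    print(f"IL if ETH 4x: {impermanent_loss(4):.1%}")
```

Run it and compare the two tolerances: at 0.5% a 5 ETH front-run pushes the victim's output below min_out, the victim's swap reverts and the attacker earns nothing, while at 10% a 50 ETH front-run goes through and the victim receives roughly 9% less than the quote.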

8.2 Approvals/allowances: the hidden risk

An approval (an ERC-20 allowance, set by calling approve() on the token) lets a smart contract spend your tokens. Dapps often request the maximum possible amount, and the allowance stays in force until you revoke it.

Why approvals exist

Contracts need permission to move your tokens for swaps, deposits, or staking. Without approval, the transaction fails.

The danger

If the approved contract is hacked or was malicious from the start, it can pull tokens with transferFrom up to the approved amount, with no further prompt or signature from you. Unlimited approvals = unlimited risk.

Best practices

Approve only the exact amount needed. Use a separate 'experiment' wallet. Periodically revoke old approvals using trusted tools; a revoke is simply approve(spender, 0), which the wallet shows as an approval of zero.

Mock Approvals Demo

This is a simulation. Practice revoking approvals on testnet before managing real assets.

Token      Spender      Allowance  Date
TEST-USDC  RouterV1     Unlimited  2025-03-12
TEST-DAI   LendingPool  1000       2025-03-10
TEST-ETH   StakingV2    Unlimited  2025-03-08

Tip: Before depositing a large sum, check and revoke old approvals. Think of it as a 'security speedrun'.

Right approach

  • Approve exact amounts, not unlimited
  • Use a burner wallet for experiments
  • Revoke approvals after done
  • Check approvals before large deposits

Risky behavior

  • Approving unlimited for convenience
  • Never checking existing approvals
  • Using main wallet for every new protocol
  • Ignoring approval requests in wallet popups
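The approval mechanics of 8.2 as an added example (not code from any wallet or token): a minimal model of the ERC-20 allowance rules, a drain() that does exactly what a compromised spender would do, and a decoder for the approve(address,uint256) calldata a wallet popup asks you to send. The addresses and balances are constructed; the function selector 0x095ea7b3 is the real ERC-20 one.

```python
"""ERC-20 allowance model and approve() calldata inspector for lesson 8.2.

Added example, not code from any wallet or token. MockERC20 keeps only the
approve / allowance / transferFrom rules every ERC-20 shares; the addresses
and calldata below are constructed to resemble what a wallet popup shows.
"""

MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")


class MockERC20:
    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount the spender may pull

    def approve(self, owner: str, spender: str, amount: int) -> None:
        """approve() overwrites the old value; approve(spender, 0) revokes."""
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        """What an approved contract calls to pull tokens. No prompt and no
        signature from the owner: the approval already happened."""
        allowed = self.allowance(owner, caller)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:  # many tokens never decrement an 'infinite' allowance
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token: MockERC20, owner: str, spender: str, sink: str) -> int:
    """What a hacked or malicious spender does: pull everything the allowance permits."""
    amount = min(token.allowance(owner, spender), token.balances.get(owner, 0))
    if amount:
        token.transfer_from(spender, owner, sink, amount)
    return amount


def decode_approve(calldata: str):
    """Decode approve(address,uint256) calldata from a wallet popup.
    Returns None when the data is not an approve call."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24 : 8 + 64]  # address is right-aligned in its 32-byte word
    amount = int(data[72:136], 16)
    return {"spender": spender, "amount": amount,
            "unlimited": amount == MAX_UINT256, "revoke": amount == 0}


def encode_approve(spender: str, amount: int) -> str:
    """Build exact-amount (or amount=0 revoke) calldata instead of the MAX the dapp asked for."""
    addr = spender.lower().removeprefix("0x")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


if __name__ == "__main__":
    router = "0x" + "12" * 20  # constructed spender address
    for amt in (MAX_UINT256, 1_000 * 10**6, 0):
        print(decode_approve(encode_approve(router, amt)))
    usdc = MockERC20({"you": 5_000 * 10**6})
    usdc.approve("you", router, MAX_UINT256)
    print("drained with unlimited approval:", drain(usdc, "you", router, "attacker"))
```

The check worth keeping: before you click Confirm, the popup's hex data decodes to a spender and an amount, and an amount of 64 f's is the unlimited approval this section warns about.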

8.3 Risk patterns: rug pulls, admin keys, fakes

Most losses come from repeating scenarios. Learn to recognize them.

Rug PullHigh Risk

Creators drain liquidity or change rules, making the token worthless. Signs: no audit, unlocked liquidity, top wallets hold >50%, anonymous team with no track record.

Admin KeysHigh Risk

A single admin key can change fees, pause withdrawals, upgrade the contract, or mint tokens. Look for a multi-sig owner, a timelock, or renounced ownership on the explorer, and read the verified source for owner-only functions.

Fake Tokens/ContractsHigh Risk

Clones with similar tickers and domains. Always get the contract address from official sources, not search results or DMs.

HoneypotsMedium Risk

Contract allows buying but blocks selling (for example by reverting transfers from anyone but the deployer). Test with tiny amounts, simulate a sell with eth_call before buying, and check independent analyzers (but trust cautiously).

Drainer SignaturesHigh Risk

Wallet popup asks you to sign something that hands over your assets. It is often not a transaction at all but an off-chain signature (a token permit, or a marketplace listing that sells your NFTs for nothing) that the attacker submits later. Never sign a message you cannot read; disconnect if suspicious.

8.4 NFT basics and common scams

An NFT is a record of token ownership on a blockchain — not necessarily rights to the media or commercial use.

Where to trade

Use major, reputable marketplaces. Verify the collection: check contract address, number of holders, volume, and age.

Utility claims

Access, memberships, in-game items — verify if utility actually works now, not just promised.

Media hosting

On-chain metadata is rare; most NFTs link to IPFS or centralized servers. If the server goes down, the image may disappear.

Common NFT Scams

Phishing mint sites

Fake minting pages that drain your wallet. Always verify the official link.

Compromised socials

Hacked Discord/Twitter announces a 'surprise drop'. A real team rarely announces an unscheduled, urgent mint; treat any such post as compromised until confirmed on a second channel.

'Mint now or miss out'

Pressure tactics. Legitimate projects give time to verify.

Blind signing

Wallet shows unclear transaction details, or only a hash. Hardware wallets have a blind-signing setting; keep it off so that only transactions and messages the device can decode can be signed. If you can't read it, don't sign it.

Right approach

  • Verify collection contract from official sources
  • Use a burner wallet for mints
  • Disable blind signing in wallet settings
  • Take time to verify before signing

Risky behavior

  • Clicking mint links from DMs
  • Signing without reading the message
  • Using your main wallet for random mints
  • FOMO-buying without research
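The 'Drainer Signatures' pattern of 8.3 and the 'Blind signing' pattern of 8.4 as one added example (not code from any wallet): an inspector for what a dapp actually passes to the wallet's signing request. It refuses opaque hashes (eth_sign), and for EIP-712 typed data it flags token permits with an unverified spender, an unlimited value or a far-off deadline, and marketplace listings that give items away for zero consideration. The Permit layout follows EIP-2612 and the nested 'details' lookup assumes a Permit2-style PermitSingle; the order layout is Seaport-style; every address, allowlist and sample message is constructed.

```python
"""Inspector for wallet signature requests (lesson 8.3 'Drainer signatures',
8.4 'Blind signing').

Added example, not code from any wallet. It takes the JSON a dapp passes to
eth_signTypedData_v4 (EIP-712) or the argument of eth_sign / personal_sign
and lists why a practitioner would refuse to sign. Permit fields follow
EIP-2612; the nested 'details' lookup assumes a Permit2-style PermitSingle;
the listing is Seaport-style. All addresses and sample values are constructed.
"""
import json
import time

MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1   # Permit2 amounts are uint160; anything this large is 'unlimited'
ONE_YEAR = 365 * 24 * 3600


def inspect_signature_request(method, payload, trusted=(), now=None) -> list:
    """Return the reasons to refuse a signing request; [] means nothing found.

    method  -- JSON-RPC method the dapp invoked
    payload -- hash/text for eth_sign / personal_sign; EIP-712 dict or JSON
               string for eth_signTypedData_v4
    trusted -- addresses you have verified yourself (spenders, marketplaces)
    now     -- unix time, injectable so results are deterministic
    """
    now = time.time() if now is None else now
    trusted = {str(a).lower() for a in trusted}
    flags = []

    if method == "eth_sign":
        # A raw 32-byte hash can be the hash of anything, including a transaction.
        return ["eth_sign: opaque hash, nothing to read, refuse"]
    if method == "personal_sign":
        text = payload if isinstance(payload, str) else ""
        if text.startswith("0x") and len(text) == 66:
            flags.append("personal_sign: bare 32-byte hex instead of readable text")
        return flags
    if method != "eth_signTypedData_v4":
        return [f"unrecognised signing method {method}"]

    td = json.loads(payload) if isinstance(payload, str) else payload
    primary = td.get("primaryType", "?")
    msg = td.get("message", {})
    contract = str(td.get("domain", {}).get("verifyingContract", "")).lower()

    # Off-chain token approvals: EIP-2612 Permit puts spender/value/deadline at
    # top level; a Permit2-style PermitSingle nests the amount under 'details'.
    if "spender" in msg:
        details = msg.get("details", {})
        spender = str(msg["spender"]).lower()
        value = int(msg.get("value", details.get("amount", 0)))
        deadline = int(msg.get("deadline", msg.get("sigDeadline", 0)))
        if spender not in trusted:
            flags.append(f"{primary}: spender {spender} not verified")
        if value >= MAX_UINT160:
            flags.append(f"{primary}: unlimited allowance")
        if deadline > now + ONE_YEAR:
            flags.append(f"{primary}: deadline more than a year out")

    # Marketplace listings (Seaport-style): 'offer' is what you give away,
    # 'consideration' is what you get back. Drainers list your NFTs for nothing.
    if "offer" in msg and "consideration" in msg:
        received = sum(int(c.get("startAmount", 0)) for c in msg["consideration"])
        if msg["offer"] and received == 0:
            flags.append(f"{primary}: gives {len(msg['offer'])} item(s) for zero consideration")
        if contract not in trusted:
            flags.append(f"{primary}: verifyingContract {contract} is not a verified marketplace")
    return flags


# Constructed sample requests (chainId 11155111 is Sepolia).
SPENDER = "0x" + "bb" * 20
MARKET = "0x" + "cc" * 20
NOW = 1_700_000_000
DRAINER_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "TEST-USDC", "version": "1", "chainId": 11155111,
               "verifyingContract": "0x" + "11" * 20},
    "message": {"owner": "0x" + "aa" * 20, "spender": "0x" + "ee" * 20,
                "value": MAX_UINT256, "nonce": 0, "deadline": MAX_UINT256},
}
HONEST_PERMIT = {
    "primaryType": "Permit",
    "domain": DRAINER_PERMIT["domain"],
    "message": {"owner": "0x" + "aa" * 20, "spender": SPENDER,
                "value": 1_000 * 10**6, "nonce": 0, "deadline": NOW + 600},
}
DRAINER_LISTING = {
    "primaryType": "OrderComponents",
    "domain": {"name": "MockMarketplace", "version": "1", "chainId": 1,
               "verifyingContract": MARKET},
    "message": {"offerer": "0x" + "aa" * 20,
                "offer": [{"itemType": 2, "token": "0x" + "dd" * 20,
                           "identifierOrCriteria": 42, "startAmount": 1, "endAmount": 1}],
                "consideration": [], "startTime": 0, "endTime": MAX_UINT256},
}

if __name__ == "__main__":
    for name, req in [("drainer permit", DRAINER_PERMIT), ("honest permit", HONEST_PERMIT),
                      ("free listing", DRAINER_LISTING)]:
        print(name, "->", inspect_signature_request("eth_signTypedData_v4", req,
                                                    [SPENDER, MARKET], now=NOW) or "ok")
    print("eth_sign ->", inspect_signature_request("eth_sign", "0x" + "00" * 32))
```

The point of the 'free listing' case: a wallet renders it as harmless-looking typed data, not as a transfer, yet once signed the attacker can fill the order and take the NFT.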

8.5 Practice: DEX simulation & red flag hunt

Task A: Simulate a DEX swap (testnet mode)

Use mock data to understand swap mechanics without risking real funds. This is a local simulation only.

Task B: Find 3 red flags on a mock site

Review a simulated DeFi/NFT project page and identify warning signs. Get instant feedback and explanations.

Red flags planted in the mock site, with the example each one shows:
  • Suspicious domain (typosquatting, non-official TLD). Example: uniswap-defi.xyz
  • 'Audited' claim with no verifiable link. Example: Audited by TopSecurity™
  • Requests unlimited approval for an unknown token. Example: Approve MAX for $SCAM token
  • Guaranteed fixed super-high APY. Example: Earn 500% APY guaranteed!
  • Contract address not in official docs. Example: CA: 0x... differs from the one listed on CoinGecko
  • Social accounts created recently with no history. Example: Twitter joined Dec 2024
  • Drainer signature in the transaction popup. Example: Sign to claim airdrop (transfers all NFTs)
  • 'Mint ends in 5 minutes!' urgency. Example: LAST CHANCE! Only 3 spots left!
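The 'suspicious domain' red flag above as an added example (not part of the lesson's own simulator): a look-alike domain check that compares the host in a URL against an allowlist of official domains you maintain yourself. It catches brand names embedded in unrelated domains (uniswap-defi.xyz), official domains used as a subdomain of an attacker's domain, digit-for-letter substitutions (un1swap), one-character typos, and non-ASCII homoglyphs. The OFFICIAL allowlist and every sample URL are constructed for the demo, not a list of any project's real domains.

```python
"""Look-alike domain check for lesson 8.5's 'suspicious domain' red flag.

Added example, not part of the lesson's own simulator. It compares the host
in a URL against an allowlist of official domains that you maintain; the
allowlist below and every sample URL are constructed for the demo.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist for the demo; keep your own from bookmarks and official docs.
OFFICIAL = ["app.uniswap.org", "opensea.io"]

# Characters a typosquatter swaps for look-alikes; 'i' and 'l' are folded
# together so un1swap, unlswap and uniswap all collapse to the same skeleton.
SUBS = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels. Enough for .com/.org/.xyz; production code should use
    the Public Suffix List so that names under co.uk and friends are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(label: str) -> str:
    """Fold accents, confusable digits and letter pairs so spelling tricks collide."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.translate(SUBS).replace("rn", "m").replace("vv", "w").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 means a single typo away from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, official=OFFICIAL) -> list:
    """Return red flags for url; [] means an official domain (or a subdomain
    of one) reached over https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    official_reg = {registrable_domain(o) for o in official}
    if registrable_domain(host) in official_reg:
        return flags
    if any(ord(c) > 127 for c in host):
        flags.append("non-ASCII characters in host (homoglyph risk)")
    brands = {skeleton(r.split(".")[0]): r for r in official_reg}
    for label in host.split("."):
        sk = skeleton(label)
        for bsk, real in brands.items():
            if bsk in sk or (len(sk) >= 5 and levenshtein(sk, bsk) <= 1):
                flags.append(f"label '{label}' imitates {real}")
    return flags


if __name__ == "__main__":
    for u in ["https://app.uniswap.org/swap", "https://uniswap-defi.xyz",
              "https://un1swap.org", "https://uniswap.org.evil.com",
              "https://un\u0456swap.org", "http://opensea.io"]:
        print(u, "->", check_url(u) or "ok")
```

The allowlist is the real control here: the heuristics only tell you that a host resembles something you trust, while the exact registrable-domain match is what decides that it is the real site.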

8.6 Deliverable: DeFi/NFT Risk Checklist

Your personal risk assessment tool. Do not enter private keys, seeds, or passwords. Generated locally; nothing is sent anywhere.


Checklist sections:
  • Contract & Addresses
  • Liquidity & Market Data
  • Approvals & Wallets
  • Domain & Communications
  • NFT-Specific

We do not store this document. Never record seed phrases or passwords here. Educational checklist only.

Optional resources

Non-affiliated; verify domains yourself

  • Block explorers: Etherscan, BscScan, Polygonscan, Solscan
  • Approval management: revoke.cash-like services (use at your own risk)
  • Testnets: Ethereum Sepolia, Polygon Amoy, BSC Testnet, Solana Devnet
  • Wallet security guides from your wallet provider

Important Notice

Educational content only, not financial or investment advice. DeFi and NFTs carry significant risk of loss. Always verify domains and contract addresses. Use testnets and small amounts to practice. We never ask for your private keys or seed phrases.

8.7 Quick Quiz

Test your understanding with 6 questions. Pass with 4/6 correct.
