DeFi and smart contract risks: approvals, composability, and bridges
Unlimited approvals are silent liabilities
Many dApps request a maximum uint256 allowance by default, for gas efficiency. That allowance outlives the session: a later compromise of the approved spender contract, or a malicious upgrade of that contract, can drain the wallet's entire balance of every approved token. Routine hygiene: approve only the amount a transaction needs, revoke allowances after use where practical, and keep "hot experiment" wallets separate from long-term savings.
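One way to find these silent liabilities is to replay a wallet's ERC-20 Approval events and flag any allowance a compromised spender could use to drain the full balance. The script below is an added example, not code from the original page; the log entries, token and addresses are constructed and hypothetical, and the event topic is the standard keccak256 of `Approval(address,address,uint256)`.

```python
MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic: str) -> str:
    # Indexed address arguments are left-padded to 32 bytes inside the topic.
    return "0x" + topic[-40:].lower()

def decode_approval(log: dict):
    """Decode one eth_getLogs-style entry as (token, owner, spender, value); None if not an Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), topic_to_address(topics[1]),
            topic_to_address(topics[2]), int(log["data"], 16))

def current_allowances(logs):
    """Replay Approval events in block order; the latest value per (token, owner, spender) wins."""
    state = {}
    for log in logs:
        decoded = decode_approval(log)
        if decoded is not None:
            token, owner, spender, value = decoded
            state[(token, owner, spender)] = value
    return {k: v for k, v in state.items() if v > 0}  # revoked (zeroed) allowances drop out

def flag_exposure(state, balances):
    """Flag allowances that let a compromised spender drain the owner's whole balance."""
    findings = []
    for (token, owner, spender), value in state.items():
        if value == MAX_UINT256:
            findings.append((token, spender, "unlimited"))
        elif value >= balances.get((token, owner), 0):
            findings.append((token, spender, "covers full balance"))
    return findings

# Constructed sample data with hypothetical addresses: an unlimited approval to a router,
# a scoped approval to a second spender, and a third spender approved and then revoked.
def approval_log(token, owner, spender, value):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

TOKEN, OWNER = "0x" + "11" * 20, "0x" + "aa" * 20
ROUTER, SCOPED, REVOKED = "0x" + "22" * 20, "0x" + "33" * 20, "0x" + "44" * 20
SAMPLE_LOGS = [approval_log(TOKEN, OWNER, ROUTER, MAX_UINT256),
               approval_log(TOKEN, OWNER, SCOPED, 50 * 10**18),
               approval_log(TOKEN, OWNER, REVOKED, 100 * 10**18),
               approval_log(TOKEN, OWNER, REVOKED, 0)]
SAMPLE_BALANCES = {(TOKEN, OWNER): 500 * 10**18}
```

Run against real `eth_getLogs` output filtered by the Approval topic and the owner address, the same replay yields the list of spenders worth revoking.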
Malicious airdrops and dusting
Unsolicited tokens may bait you into visiting a scam site "to claim value." Some of these contracts are honeypots: transfers revert for everyone except insider addresses, so the balance shown in your wallet cannot actually be sold. Treat any unknown asset, and any site it points you to, as untrusted until its contract has been verified.
Bridge incidents
Bridges hold the original asset in custody and issue a wrapped representation on the destination chain, which concentrates custody risk in the bridge's contracts and key holders. When a bridge is exploited, individual users may be last in line for any restitution plan. Tracing still helps document your exposure for insurance claims or class actions where they exist.
What recovery teams document
Transaction traces showing router paths, pool addresses, and any subsequent CEX deposits support escalations. For pure smart contract bugs with no criminal counterparty, outcomes often depend on protocol governance rather than "hacking back." Pair technical work with counsel when the amounts justify it.