How to Research DeFi Protocols Before You Deposit: A Step-by-Step Guide Using the March 2024 Dolomite and ParaSwap Exploits

On March 20, 2024, two DeFi exploits hit within hours of each other. The Dolomite exchange lost $1.8 million through a reentrancy vulnerability in a contract deployed five years earlier. ParaSwap’s newly launched Augustus V6 contract contained a flaw that exposed user funds across Ethereum, Polygon, Avalanche, BNB Chain, Arbitrum, and Optimism. For users who lost money, the damage was done. But for everyone else, these incidents provide a detailed case study in how to evaluate DeFi protocols before trusting them with your funds. This guide walks through a practical research framework using the Dolomite and ParaSwap examples as teaching tools.

Step 1: Check Contract Age and Audit History

The single most important signal for DeFi safety is how long a contract has been deployed and whether it has been audited. Dolomite’s vulnerable contract was deployed in 2019. Five years is a long time in crypto — long enough for best practices to evolve, for new attack vectors to emerge, and for the original development team’s attention to shift elsewhere. When you encounter a protocol with legacy contracts, check whether those contracts have been re-audited since their original deployment. A 2019 audit is virtually worthless in 2024.

ParaSwap’s case is the opposite problem. The Augustus V6 contract had been live for approximately 48 hours when the vulnerability was discovered. It launched on March 18, 2024, and the exploit occurred on March 20. The lesson here is straightforward: new contracts carry elevated risk. When a protocol announces a major upgrade or new contract deployment, wait. Give the security community time to review the code. A patient user who waited even one week after the V6 launch would have been spared.

To check contract age, use Etherscan or the relevant block explorer. Navigate to the contract address and look at the “Contract Creator” transaction. The timestamp tells you when it was deployed. For audit history, check the protocol’s documentation or governance forum. Reputable protocols publish their audit reports publicly. If you cannot find an audit report, that is a red flag.

Step 2: Review Your Token Approvals

Both the Dolomite and ParaSwap exploits required users to have granted token approvals to the vulnerable contracts. In DeFi, an approval allows a smart contract to spend your tokens on your behalf. Most users approve the maximum amount for convenience, but this means the contract can drain your entire balance if compromised.

After the Dolomite exploit, security researchers urged users to revoke all approvals to the old Dolomite contract at address 0x6B9C86a1e7154146B727EB876C45341deE77F86E. After the ParaSwap V6 vulnerability, users needed to revoke approvals to the Augustus V6 contract across all supported chains. The critical insight is that you should not wait for an exploit to review your approvals.

Use Revoke.cash to review your active approvals across all chains. The interface is straightforward: connect your wallet, select a network, and view every contract you have approved. For each approval, ask yourself: Do I still use this protocol? Is the approval amount larger than necessary? When was the last time I interacted with this contract? Revoke anything you no longer need. This single habit would have protected users in both the Dolomite and ParaSwap incidents.
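The review Revoke.cash performs can be reproduced from raw chain data, which makes the reasoning behind Steps 1 and 2 concrete. The Python below is an added example, not code from the article or from Revoke.cash: it decodes ERC-20 `Approval` event logs in the shape returned by `eth_getLogs`, keeps the most recent approval per (token, spender) pair, and flags pairs that are unlimited, that point at a known-vulnerable contract, or whose spender was deployed inside the checklist's three-month window. The only real identifier is the legacy Dolomite address quoted above; the token, owner and other spender addresses, the block numbers and the deployment dates are constructed placeholders (the Dolomite deployment date is set to 2019 per the article, exact day constructed). One caveat a practitioner should keep in mind: event logs record what was granted, not what remains after the spender has called `transferFrom`, so the exact residual allowance still comes from an `allowance(owner, spender)` call on the token.

```python
"""Audit ERC-20 approvals from Approval event logs (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte selector of approve(address,uint256); approve(spender, 0) revokes
APPROVE_SELECTOR = "0x095ea7b3"
NEW_CONTRACT_WINDOW = timedelta(days=90)  # the checklist's "older than three months"


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    amount: int
    block: int


def topic_to_address(topic: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict):
    """Decode one eth_getLogs entry; returns None for anything that is not an Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(
        token=log["address"].lower(),
        owner=topic_to_address(topics[1]),
        spender=topic_to_address(topics[2]),
        amount=int(log["data"], 16),
        block=int(log["blockNumber"], 16),
    )


def current_approvals(logs, owner: str) -> dict:
    """Latest non-zero approval per (token, spender) granted by `owner`.

    Logs show what was granted, not what is left after transferFrom; call
    allowance(owner, spender) on the token for the exact remaining amount.
    """
    latest = {}
    for ev in sorted(filter(None, map(decode_approval, logs)), key=lambda e: e.block):
        if ev.owner == owner.lower():
            latest[(ev.token, ev.spender)] = ev  # a later approve() replaces the earlier one
    return {k: v for k, v in latest.items() if v.amount > 0}


def assess(approvals: dict, flagged: set, deployed_at: dict, now: datetime) -> dict:
    """Map each (token, spender) pair to the reasons it deserves review or revocation."""
    findings = {}
    for (token, spender), ev in approvals.items():
        reasons = []
        if spender in flagged:
            reasons.append("spender is a known-vulnerable contract")
        if ev.amount == MAX_UINT256:
            reasons.append("unlimited approval")
        deployed = deployed_at.get(spender)
        if deployed is None:
            reasons.append("spender deployment date unknown")
        elif now - deployed < NEW_CONTRACT_WINDOW:
            reasons.append(f"spender deployed {(now - deployed).days} days ago")
        if reasons:
            findings[(token, spender)] = reasons
    return findings


def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0); send this to the token contract to revoke."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# --- constructed sample data; only DOLOMITE_LEGACY is a real address (from the article) ---
OWNER = "0x" + "aa" * 20
TOKEN = "0x" + "11" * 20
DOLOMITE_LEGACY = "0x6b9c86a1e7154146b727eb876c45341dee77f86e"
FRESH_SPENDER = "0x" + "bb" * 20    # hypothetical contract deployed two days ago
OLD_SPENDER = "0x" + "cc" * 20      # hypothetical long-lived contract still in use
REVOKED_SPENDER = "0x" + "dd" * 20  # hypothetical contract the owner already revoked
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)
FLAGGED = {DOLOMITE_LEGACY}
DEPLOYED_AT = {
    DOLOMITE_LEGACY: datetime(2019, 1, 1, tzinfo=timezone.utc),  # 2019 per the article; day constructed
    FRESH_SPENDER: NOW - timedelta(days=2),
    OLD_SPENDER: datetime(2021, 6, 1, tzinfo=timezone.utc),
}


def _pad(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _log(spender: str, amount: int, block: int) -> dict:
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": hex(block)}


SAMPLE_LOGS = [
    _log(DOLOMITE_LEGACY, MAX_UINT256, 1_000),  # unlimited approval to the legacy contract
    _log(OLD_SPENDER, 5_000, 1_010),
    _log(OLD_SPENDER, 500, 1_020),              # re-approved for a smaller amount later
    _log(REVOKED_SPENDER, 10**21, 1_030),
    _log(REVOKED_SPENDER, 0, 1_040),            # approve(spender, 0): dropped from the report
    _log(FRESH_SPENDER, 10**21, 1_050),
]


def audit() -> dict:
    return assess(current_approvals(SAMPLE_LOGS, OWNER), FLAGGED, DEPLOYED_AT, NOW)


if __name__ == "__main__":
    for (token, spender), reasons in audit().items():
        print(f"{token} -> {spender}: {', '.join(reasons)}")
        print(f"  revoke with calldata {revoke_calldata(spender)}")
```

Running it reports the Dolomite legacy pair twice over (known-vulnerable and unlimited) and the two-day-old spender once, while the re-approved long-lived spender and the already-revoked one produce no findings. The same three checks are what the questions above ask in prose: do I still use this, is the amount larger than needed, and how new or how abandoned is the contract on the other side.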

Step 3: Monitor Security Channels

Speed matters when exploits happen. The Dolomite team confirmed the exploit on March 20 and published the vulnerable contract address within hours. ParaSwap responded quickly as well, patching the V6 vulnerability and urging users to revoke approvals. But this information only helps you if you see it in time.

Set up a security monitoring routine. Follow blockchain security firms like SlowMist, CertiK, and Trail of Bits on social media. Join the Discord or Telegram channels of protocols you use regularly, as they typically post incident reports there first. Consider using on-chain monitoring tools like Forta or Hypernative that can alert you to suspicious transactions in real time.

The timeline matters. In the ParaSwap case, the vulnerability was discovered and patched within a relatively short window, but an attacker still managed to extract approximately $24,000 from users who had approved the V6 contract. The faster you learn about an exploit, the faster you can revoke approvals and move your funds.

Step 4: Evaluate the Team and Governance

Understanding who builds and maintains a protocol is essential. Dolomite was originally built in 2019 by a team that later shifted focus. The legacy contract that was exploited was not part of the active Dolomite V2 system — it was a remnant from an earlier version that had been largely forgotten. This raises a governance question: who is responsible for monitoring legacy contracts? If a protocol has upgraded to a new version, what happens to the old contracts? Are they formally deprecated? Are users notified to revoke approvals?

ParaSwap’s governance structure is more centralized, with the core team controlling contract upgrades. The V6 launch was a team decision, and the rapid response to the vulnerability suggests competent incident management. However, the fact that a vulnerability made it into production also raises questions about the pre-launch testing process.

When researching a protocol, look at the team’s track record. Have they had security incidents before? How did they respond? Do they have a formal bug bounty program? Protocols that invest in security infrastructure — auditors, bug bounties, formal verification — are generally more trustworthy than those that do not.

Step 5: Size Your Exposure

The final principle is the most practical: never expose more capital to any single protocol than you can afford to lose. This is not just generic advice — it is a mathematical reality given the frequency of DeFi exploits. March 2024 alone saw approximately $139 million in Web3 security losses across 33 incidents. Even well-audited, reputable protocols can be exploited.

Divide your DeFi capital across multiple protocols and chains. If you have $10,000 in DeFi, consider spreading it across three to five protocols rather than concentrating it in one. This way, a single exploit affects only a fraction of your total exposure. The Dolomite users who lost the most were those who had concentrated their holdings in the protocol and had granted unlimited token approvals to the legacy contract.

For protocols with new or upgraded contracts, start with a small test deposit. Interact with the contract, verify that everything works as expected, and then gradually increase your exposure over days or weeks. This approach would have limited losses in both the Dolomite and ParaSwap cases.

Checklist Summary

Before depositing funds into any DeFi protocol, work through this five-step checklist. Check the contract age and audit history — look for deployments older than three months and multiple independent audits. Review your token approvals and revoke any you no longer need. Set up security monitoring through social media and protocol communication channels. Evaluate the team’s track record and governance structure. And finally, size your exposure appropriately across multiple protocols.

The Dolomite and ParaSwap exploits of March 20, 2024 are not outliers. They are representative of the risks inherent in DeFi. The difference between users who lose funds and users who do not is almost always preparation. This checklist takes less than 30 minutes to complete and can save you thousands of dollars. Use it.

Disclaimer: This article is for informational and educational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

14 thoughts on “How to Research DeFi Protocols Before You Deposit: A Step-by-Step Guide Using the March 2024 Dolomite and ParaSwap Exploits”

  1. exploit_hunter_

    the checklist approach is solid. too many people ape into protocols based on a thread from an anon with 50k followers and zero due diligence

    1. the dolomite contract was 5 years old and nobody thought to re-audit it. age does not equal safety, it equals forgotten risk

      1. vitalik_fan_99

        5 years old and forgotten because the team moved on. protocol risk is also team commitment risk

1. vitalik_fan_99 protocol risk is team commitment risk is the best framing I've seen. a contract without active maintainers is a ticking bomb regardless of how battle tested it is

          1. a contract without active maintainers is the clearest risk signal. team commitment is the only audit that matters long term. Dolomite proved that

      2. glitch_wizard

Iskra T. five years old and nobody thought to re-audit. that's the scary part about DeFi, forgotten contracts don't retire, they just accumulate risk

  2. Contract age being the #1 signal is something most newcomers don't know. New contracts are exciting but dangerous.

    1. and old contracts are boring but can still kill you, as dolomite showed. there's no easy answer, just layers of checking

      1. this is exactly why the battle tested narrative is dangerous. code gets old, best practices change, and attackers evolve faster than defenders

        1. battle tested just means tested by the battles you survived. the ones you didn't anticipate are what get you rekt

        2. battle tested needs an expiration date. 3 years in DeFi is a lifetime. attack vectors from 2021 look quaint compared to what attackers are doing now

  3. ParaSwap deploying V6 across 6 chains with a fresh unaudited contract is exactly what exploit_hunter means. anons on twitter with 50k followers hyped it and people aped in

    1. ParaSwap V6 deployed across 6 chains unaudited and nobody blinked. the space learned nothing from Wormhole or Ronin. multi-chain is a tax on security

      1. audit_or_die deploying across 6 chains unaudited and still pulling TVL. users genuinely do not care about security until their wallet is empty. every single time