ACME

Web3 Security Hub

Comprehensive, level-based guidance for safely navigating Web3 — from beginner foundations to advanced operational security. Chain-agnostic. Actionable.

Security Challenge

Test Your Security IQ

Think you know Web3 security? Put it to the test with 120 questions across 8 levels — from wallet basics to advanced incident response.

8 levels · 120 questions · Live now
Level 1

Foundations

Beginner

Control, not storage. Crypto assets live on a blockchain; your wallet is software or hardware that manages cryptographic keys. You "own" the private key to an account, not the coins themselves. A public key and address can be shared freely — but the private key unlocks the right to move assets. Losing it means losing access forever.

Public vs. private key. Public keys act like account numbers and are safe to share. Your private key is the secret password that signs transactions — it is used to derive your public key and blockchain address. Only the private-key holder can authorise transactions.

Irreversibility. Once a transaction is signed and included in the blockchain it cannot be reversed — there is no customer-service undo button. If someone has your key or you approve a malicious transaction, the funds are gone forever.

No one will ever ask. Legitimate platforms never ask for your secret recovery phrase or private key. If anyone asks — it is a scam, every time.

Seed phrase and private keys. These are master keys to all your assets. Sharing them with anyone, entering them on any website, or storing them in plain text gives attackers full, immediate control of your wallet.

Recovery codes and passphrases. Treat any backup phrase or passkey as confidential. Keep them offline in multiple secure physical locations. Never take a screenshot, save to cloud storage, or paste them into any app or chat.

Fake websites and log-in pages. Social engineers mimic legitimate sites, wallets and marketplaces to trick you into entering keys or signing malicious transactions. Watch for subtle spelling differences, fake ads and copy-cat interfaces — a single wrong character in a URL can cost you everything.

Fake airdrops and mints. Scammers send worthless tokens to your address, then redirect you to a malicious site where you're asked to reveal your recovery phrase or approve a transaction that drains your wallet.

Ice-phishing, DNS hijacking and SEO poisoning. Phishing comes in many forms. Always navigate to sites via official bookmarks or verified links — never via search-ad results or unsolicited messages.

Signing = giving permission. A signature authorises smart contracts to move your assets. Not all signatures are equal: some transfer assets immediately; others grant ongoing access called approvals, which can be exploited long after you've signed.

Beware unlimited approvals. Many dApps request unlimited token approvals by default, allowing them — or any attacker who later compromises the contract — to move all your tokens. Wallet drainers exploit these dormant approvals.

Read before you sign. If the wallet doesn't show human-readable transaction details, use a transaction-simulation tool to preview the outcome first. Blind-signing raw hex data leaves you fully exposed.

Only install trusted software. Malicious browser extensions and cracked apps frequently contain clipboard hijackers or keyloggers. Download software exclusively from official sources and review permissions before granting access.

Keep your system updated. Regularly update your operating system, browser and security software. Unpatched vulnerabilities are the most common initial access vector for malware.

Enable MFA everywhere. Protect email, Discord and exchange accounts with strong unique passwords and an authenticator app. Avoid SMS-based 2FA wherever possible — it is vulnerable to SIM-swap attacks.

Level 2

Common Attacks

Intermediate

Human error, not bugs. Social-engineering attacks prey on trust and urgency. Attackers impersonate colleagues, support staff or project founders to extract secrets — the "hack" never touches the code at all.

  • Phishing — luring victims into revealing keys or approving malicious transactions via fake sites or messages.
  • Baiting & scareware — fake reward promises or panic-inducing alerts that push you to download malware.
  • Tech-support impersonation — fake admins asking you to install remote-access tools or share your screen.
  • Business-email compromise — spoofed invoices or payment instructions redirecting funds to attacker-controlled wallets.

Slow down, verify through official channels, and remember: urgency is a weapon.

Malicious smart contracts. Many scam dApps hide code that requests unlimited token approvals. Once granted, attackers can drain assets at any time without further interaction from you — even weeks later.

FOMO tactics. Scammers manufacture urgency ("limited mint", "your wallet is compromised") to pressure you into approving quickly. Always verify a project's legitimacy independently and limit approvals to the exact minimum required.

Revoke unnecessary approvals. Use tools like Revoke.cash to regularly audit and revoke token allowances. The small transaction fee is worth the protection — lingering approvals are open doors.

URL spoofing. Attackers register domains that look nearly identical to official sites, often running sponsored ads to appear above the real site in search results. Always verify the full URL character by character; look for typos, extra hyphens or different TLDs (.io vs .com).

Clone interfaces. Phishing sites replicate legitimate wallet and NFT-mint pages down to the pixel. Use bookmarks for sites you visit regularly. Never click links from unsolicited DMs, emails or social media ads.

Unlimited approvals are a liability. When interacting with a smart contract, the default approval amount is often unlimited. Adjust the allowance to only what is needed for the current transaction and revoke it afterwards.
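The allowance audit that Revoke.cash-style tools perform, as an added example that is not code from this page or from any such tool: decode ERC-20 Approval event logs for one wallet, keep the most recent allowance per (token, spender) pair, and flag the unlimited ones for revocation. All addresses, block numbers and values are constructed; the only real identifier is the standard Approval event topic.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Heuristic: anything at or above int256 max (so uint256 max too) is "unlimited".
UNLIMITED_FLOOR = 2**255 - 1

# Constructed wallet, token and spender addresses for the demo.
OWNER = "0x" + "aa" * 20
TOKEN_1, TOKEN_2 = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_A, SPENDER_B = "0x" + "bb" * 20, "0x" + "cc" * 20


def make_log(block, index, token, owner, spender, value):
    """Build a log record shaped like one entry of an eth_getLogs response."""
    def pad(addr):  # indexed address topics are left-padded to 32 bytes
        return "0x" + addr[2:].lower().rjust(64, "0")
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}


# Constructed approval history, deliberately listed out of order.
SAMPLE_LOGS = [
    make_log(120, 0, TOKEN_2, OWNER, SPENDER_A, 2**256 - 1),  # unlimited
    make_log(100, 0, TOKEN_1, OWNER, SPENDER_A, 2**256 - 1),  # unlimited...
    make_log(110, 1, TOKEN_2, OWNER, SPENDER_B, 1000 * 10**18),
    make_log(105, 2, TOKEN_1, OWNER, SPENDER_A, 0),           # ...then revoked
]


def topic_to_address(topic):
    return "0x" + topic[-40:].lower()  # keep the low 20 bytes of the topic


def latest_allowances(logs, owner):
    """Map (token, spender) -> allowance for owner. Approval carries the new
    absolute allowance, so the latest event per pair supersedes earlier ones.
    Caveat: transferFrom spends allowance without necessarily emitting Approval,
    so confirm live values with the token's allowance() view before acting."""
    owner = owner.lower()
    result = {}
    for log in sorted(logs, key=lambda lg: (lg["blockNumber"], lg["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        result[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    return result


def find_risky_allowances(logs, owner):
    """Non-zero allowances, flagged unlimited when at or above UNLIMITED_FLOOR."""
    return [{"token": t, "spender": s, "value": v, "unlimited": v >= UNLIMITED_FLOOR}
            for (t, s), v in latest_allowances(logs, owner).items() if v > 0]
```

Against the constructed history the revoked TOKEN_1 allowance drops out, and the unlimited TOKEN_2 approval to SPENDER_A is the one to revoke first.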

Account-abstraction delegation. Features like EIP-7702 let your account temporarily behave like a smart contract, enabling powerful delegations. Delegating to an unaudited or malicious contract can transfer full control of your funds — treat delegation requests with the same scrutiny as seed-phrase requests.

The bait. Scammers airdrop tokens or NFTs into random wallets. When you attempt to swap or "claim" them, you are redirected to a third-party site that requests your recovery phrase or a transaction granting unlimited token approval to a malicious contract.

How to stay safe. Ignore all unsolicited tokens and NFTs. Never input your recovery phrase on any website for any reason. Always verify token contract addresses against official project channels before interacting with them. If a token appears in your wallet from nowhere, treat it as a trap.

How it works. Clipboard malware runs in the background and monitors your clipboard. The moment you copy a crypto address, it replaces it with the attacker's address. Victims paste what they believe is the correct address and send funds directly to the attacker.

How it spreads. Via malicious browser extensions, fake wallet apps, cracked software and phishing email attachments.

Protection. Always verify the full address before confirming any send — not just the first and last few characters. Use a hardware wallet that displays the recipient address on its own secure screen for independent confirmation.

Man-in-the-middle attacks. Attackers set up rogue Wi-Fi hotspots — "evil twins" — that mimic legitimate networks. Once you connect, they can intercept credentials, session tokens and unencrypted traffic, or inject malware into downloads.

Stay safe. Avoid transacting over public Wi-Fi entirely — airports, cafés and hotels are prime targets. Use a reputable VPN if you must connect to a public network. Prefer mobile data or a personal hotspot for anything involving wallets or exchanges.

Level 3

Advanced Security

Power Users

Hot wallets are always connected to the internet — convenient for daily use, higher attack surface. Cold wallets are offline or air-gapped, used for long-term storage, never directly exposed to web threats.

Segmentation. Maintain separate wallets for trading, minting and long-term storage. A compromise of your hot trading wallet should never be able to touch your cold storage. Think of it like a bank account (hot) and a safe deposit box (cold) — you don't carry the contents of both at once.

Consider multi-sig for large long-term holdings and distribute keys across physically separate locations.

Blind signing is dangerous. Signing raw hex calldata without understanding it puts you at serious risk. EIP-712 and transaction-simulation tools can present human-readable details, but you should always verify the call matches your intent before signing.

Unaudited contracts. Avoid interacting with contracts that haven't been reviewed by a reputable security firm. Malicious or buggy code can drain funds instantly, rug-pull liquidity or permanently lock tokens. Look for audits from recognised firms and check that the audit covers the current deployed version.

DYOR. Do your own research. Read the audit reports, check if the team is doxxed, look for on-chain activity patterns and review community sentiment across multiple sources.

Preview before you sign. Transaction simulation runs a proposed transaction against a snapshot of current blockchain state so you can inspect the expected changes — asset movements, approval grants, contract interactions — without committing them.

Modern wallets use it. Leading wallets surface simulation results to warn about suspicious asset drains, unexpected approvals or transactions that are likely to fail, saving both gas fees and potential losses.

Not a guarantee. Simulation is counter-factual execution. A malicious contract can detect simulation and behave differently at execution time. Treat simulation as a strong warning layer, not an absolute guarantee — always read the details it surfaces.

Multiple approvals required. Unlike single-key wallets, multi-sig wallets require M-of-N private keys to authorise any transaction. A common configuration is 2-of-3: if one key is lost or compromised, the remaining two can still control the wallet — and the compromised key alone cannot move funds.

Pros. Eliminates the single point of failure; widely used by institutions and DAOs; provides internal controls and audit trails for treasury management.

Cons. Increased complexity and coordination overhead. Distribute keys in physically separate secure locations and designate backup signers to avoid getting locked out if a quorum becomes unreachable.

How they work. Passkeys use WebAuthn/FIDO2 technology. Your device's secure enclave generates a cryptographic key pair; biometric authentication (Face ID, fingerprint) unlocks it locally. The private key never leaves the secure hardware, so there is nothing for a phishing site to capture.

Pros. No seed phrase to lose or mistype; resistant to phishing by design (the key is bound to the domain); fast and intuitive to use.

Cons. Platform lock-in — passkeys are bound to specific devices. Use MPC or multi-device backup schemes to avoid losing access if a device is lost or broken. Evaluate whether the implementation has hardware-backed storage or only software-level protection.

Keys stored offline. Hardware wallets keep private keys in a dedicated secure element completely isolated from your computer. Transactions are signed internally after you physically confirm them on the device — the private key never leaves the hardware under any circumstances.

Assume the host is compromised. Well-designed hardware wallets operate safely even when the connected computer is infected with malware. They display transaction details on their own screen so you can independently verify the recipient address and amount before approving. Never trust only what your computer displays.

Pairing a hardware wallet with account-abstraction features gives you both maximum key security and modern UX.

Separate devices and accounts. Use a dedicated device for crypto transactions; keep a separate device for general browsing and communication. Use unique email addresses and usernames for crypto services — linking your real identity to your on-chain activity increases your attack surface significantly.

Avoid public networks and patch constantly. Never perform transactions over public Wi-Fi. Keep all devices fully patched. Use a reputable no-log VPN, especially when accessing exchanges or wallets from non-home networks.

Keep backups offline. Store seed phrases and hardware wallets in physically separate secure locations. Consider a metal backup plate or a Shamir secret-sharing scheme to protect against single-location disaster (fire, flood, theft) without centralising risk.
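The Shamir secret-sharing scheme mentioned above, as an added example that is not code from this page: 32 bytes of seed entropy become points on a random polynomial over a prime field, any threshold-many shares reconstruct the secret by Lagrange interpolation, and fewer shares reveal nothing about it. The 2-of-3 split, the sample entropy and the function names are assumptions for the demo; production backups should use an established implementation and be reconstructed only on an offline device.

```python
import secrets
from itertools import combinations

PRIME = 2**521 - 1   # Mersenne prime; every 256-bit entropy value is below it


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Return `shares` points (x, f(x)) where f(0) == secret, deg f == threshold - 1."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be below PRIME")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # f(0) is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner's rule, mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo_2_of_3(entropy: bytes) -> bool:
    """Split 32 bytes of (constructed) seed entropy 2-of-3 and check that every
    pair of shares recovers it exactly while no single share does."""
    secret = int.from_bytes(entropy, "big")
    shares = split_secret(secret, threshold=2, shares=3)
    pairs_ok = all(recover_secret(list(pair)).to_bytes(32, "big") == entropy
                   for pair in combinations(shares, 2))
    single_leaks = any(recover_secret([s]) == secret for s in shares)
    return pairs_ok and not single_leaks
```

Each share goes to a different physical location; losing any one of them is survivable, and a thief with one of them learns nothing.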

Real World

How people actually get hacked

Five scenarios illustrating the most common attack paths — and what could have stopped them.

What happens

A scammer creates a pixel-perfect copy of a legitimate mint site. When you connect your wallet and sign the transaction, you unknowingly grant unlimited approval to a malicious contract. Later, without any further interaction from you, the contract drains all your tokens.

Takeaway

Always verify the URL against the official project source. Use a transaction-simulation tool to preview every mint transaction before signing.

What happens

An attacker impersonates a project admin on Discord, claiming your wallet is compromised and that you need to "verify" or "migrate" it urgently. They send a link to a fake support page that requests your seed phrase. Entering it gives the attacker immediate, complete control.

Takeaway

No legitimate team member will ever ask for your seed phrase or private key — ever. Contact support only through official channels and never respond to unsolicited DMs.

What happens

You interact with a dApp that requests unlimited approval to spend your tokens. Months later, the contract is exploited or the developer goes rogue — your wallet is drained without you performing any further action.

Takeaway

Limit approvals to the exact amount needed for each transaction. Regularly audit and revoke unused permissions at revoke.cash or equivalent tools.

What happens

You install what appears to be a useful browser extension or productivity tool. It contains malware that monitors your clipboard. The next time you copy a wallet address, the malware silently replaces it with the attacker's address. You paste and confirm without noticing — funds go to the attacker.

Takeaway

Only install extensions from official sources with verified publishers. Before confirming any transaction, verify the full recipient address character-by-character on your hardware wallet's screen.

What happens

An attacker bribes or socially engineers your mobile carrier into porting your phone number to a new SIM card they control. Now they receive your SMS 2FA codes and can access any account protected only by SMS authentication — exchanges, email, cloud storage containing seed phrases.

Takeaway

Never rely on SMS as your sole 2FA factor for anything crypto-related. Use a hardware security key (FIDO2) or authenticator app. Call your carrier to enable a SIM-lock PIN.

Checklist

Do / Don't

Do this
  • Use separate hot/cold wallets and segment funds (trading, minting, long-term storage)
  • Double-check URLs and use official bookmarks
  • Revoke token approvals regularly and limit allowances to what is needed
  • Use a hardware wallet or passkey for high-value storage
  • Simulate transactions and read human-readable call data before signing
  • Install software only from official verified sources
  • Use unique emails, usernames and app-based MFA for all accounts
  • Prefer mobile data or home internet for transactions
  • Slow down and verify during high-pressure or urgent situations

Avoid this
  • Keep all assets in one wallet or on an exchange
  • Click sponsored search ads or links from DMs and emails
  • Leave unlimited approvals in place indefinitely
  • Store seed phrases digitally or share them with anyone for any reason
  • Blindly sign anything that displays only raw hex or is unclear
  • Install random browser extensions, cracked apps or APKs from unknown sources
  • Reuse passwords or rely solely on SMS-based 2FA
  • Conduct transactions over public Wi-Fi or unsecured networks
  • React immediately to urgent requests without independent verification
Summary

Key takeaways

Self-custody means responsibility
You control your assets via private keys. No third party can recover funds if you lose your key or approve a malicious transaction — the blockchain is final.
Human factors matter most
Social-engineering attacks exploit trust and urgency, not code. Slow down, verify independently, and never share secrets regardless of how legitimate a request appears.
Approvals are powerful and persistent
Understand every transaction you sign. Unlimited token approvals and blind signing are the most common vectors for irreversible losses.
Use the right tools
Hardware wallets, passkeys, multi-sig wallets and transaction simulation provide strong security primitives. Use them proportionally to the value you are protecting.
Stay vigilant and keep learning
The threat landscape evolves rapidly. Regularly update your practices, monitor approvals, and follow trusted security sources for the latest advisories.