Web3 Security Fundamentals: Protect Your Wallet from Day One
Web3 wallets have no fraud department, no chargebacks, and no identity verification to freeze a bad actor. Every protection is your responsibility. This guide covers wallet hygiene, phishing recognition, transaction signing safety, and the most common on-chain attack patterns.
Web3 wallets operate without any of the safety nets that traditional finance provides. There's no fraud department to call, no chargeback process, no identity verification that can freeze a bad actor's account. Every protection in Web3 is your responsibility to set up. This guide covers what those protections are and how to implement them.
Understand What You're Signing
The most important security habit in Web3 is reading what you're approving before you confirm it. This sounds obvious. Almost no one does it consistently.
When you interact with a dApp, your wallet presents a transaction or a signature request. Most users glance at the wallet popup and click “Confirm” because they already decided to use the dApp. But the contents of that transaction are what actually matter, not your intention.
Transaction Types and What They Mean
There are several distinct types of things your wallet asks you to sign, each with different implications.
An ETH transfer is straightforward - it moves ETH from your wallet to another address. The wallet shows the amount and destination. Verify the destination address character by character before confirming.
A contract interaction is more complex. When you swap tokens on a DEX, stake in a protocol, or mint an NFT, you're calling a function on a smart contract. Your wallet shows the contract address and the function being called. If your wallet shows raw hex data with no human-readable description, that's a warning sign. Modern wallets like Rabby and recent versions of MetaMask decode the function call and show you what it does.
A token approval grants a contract permission to spend your tokens. This is a separate transaction from the actual swap. Pay attention to the approval amount - if a protocol is requesting “unlimited” access to a token you hold in large quantity, consider setting a lower custom limit.
setApprovalForAll is the NFT equivalent of unlimited token approval. It gives a contract permission to transfer any NFT you own from a given collection. Legitimate NFT marketplaces use this, but so do scammers. Confirm you're on the actual marketplace website before approving this.
An eth_sign or personal_sign request is a signature, not a transaction. It costs no gas. Some are harmless - they prove wallet ownership. But some signature requests actually sign a transaction that can be submitted on your behalf. MetaMask and other wallets now display warnings for risky signature types.
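To make the approval types above concrete, here is an added example (not code from the article) that decodes the raw calldata a wallet shows for approve, setApprovalForAll and transfer, and flags the unlimited-allowance and operator-for-everything cases. The spender address is a constructed placeholder; the selectors are the standard ERC-20/ERC-721 ones.

```python
# Added example, not code from the article: decode the calldata a wallet shows
# for the request types discussed above and flag the risky ones. Selectors are
# the well-known first 4 bytes of keccak256(signature) for ERC-20/ERC-721.
UINT256_MAX = 2**256 - 1

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # NFT operator approval
    "a9059cbb": "transfer(address,uint256)",        # plain ERC-20 transfer
}


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    word = data[4 + 32 * i:4 + 32 * (i + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def decode_calldata(hex_data: str) -> dict:
    """Describe what signing this calldata would authorize."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(data) < 4:
        raise ValueError("no function selector")
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        # Unknown selector: the "raw hex with no description" case above.
        return {"function": None, "risk": "unknown selector, do not sign blind"}
    # An address argument is right-aligned in its 32-byte word.
    out = {"function": sig, "address": "0x" + _word(data, 0)[12:].hex()}
    if sig.startswith("setApprovalForAll("):
        approved = int.from_bytes(_word(data, 1), "big") != 0
        out["approved"] = approved
        out["risk"] = "operator for EVERY NFT in the collection" if approved else "revocation"
        return out
    out["amount"] = int.from_bytes(_word(data, 1), "big")
    if sig.startswith("approve("):
        out["risk"] = "UNLIMITED allowance" if out["amount"] == UINT256_MAX else "limited allowance"
    else:
        out["risk"] = "value transfer"
    return out


# Constructed sample: approve() of an unlimited allowance to a placeholder spender.
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "deadbeef" * 5 + "f" * 64

if __name__ == "__main__":
    print(decode_calldata(SAMPLE_UNLIMITED_APPROVE))
```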
Permit Signatures Are the New Phishing Vector
Phishing: How Web3 Attacks Actually Work
The vast majority of Web3 wallet drains start with phishing. The attacker doesn't need to break any cryptography. They just need you to visit a site that looks legitimate and sign something you didn't mean to sign.
Attack Pattern
Fake Website via Search Ad
Attackers buy Google and Bing ads for terms like “MetaMask download,” “Uniswap swap,” or “OpenSea NFTs.” The ad looks identical to the legitimate result. The landing page is a pixel-perfect copy of the real site. The only difference is the URL - something like metamask-extension.io instead of metamask.io. The fake site either downloads malware or immediately prompts a drain transaction.
Attack Pattern
Discord Compromise
An attacker compromises a Discord server's admin account (often through phishing the admin) and posts an announcement about a “surprise mint” or “exclusive airdrop” with a link. The urgency creates pressure to act fast. The link goes to a drainer site. This has happened to verified, large Discord servers including major NFT projects.
Attack Pattern
Address Poisoning
Attackers monitor the blockchain for large transactions and send a small transaction from an address that looks similar to one you recently transacted with. The fake address has the same first and last characters as your real contact address. When you copy-paste an address from your transaction history, you may grab the poisoned address instead. Always verify the full address, not just the first and last few characters.
Attack Pattern
Fake Customer Support
You post in a Discord or Telegram that you're having trouble with a wallet or protocol. Within minutes, someone DMs you claiming to be official support. They ask for your seed phrase or direct you to a “support portal” that prompts a transaction. No legitimate protocol will DM you unsolicited or ask for your seed phrase. Ever.
Wallet Setup for Security
Use a Dedicated Browser for Web3
Your everyday browsing browser carries your cookies, history, and probably several extensions. Using the same browser for banking, email, and DeFi increases the attack surface for each. Many security-conscious Web3 users maintain a dedicated browser profile (or a separate browser) used only for wallet interactions. Nothing else runs in that profile - no email, no social media, no extensions besides the wallet itself.
Minimize Extensions
Browser extensions run in the same context as your wallet. A malicious extension can read data from your wallet, intercept clipboard content, and inject code into pages you visit. The fewer extensions you run alongside your wallet, the smaller the attack surface. Only install extensions from official sources, and check the developer and permissions before installing anything.
Bookmark Your dApps
Type the URL once, confirm it's correct, then bookmark it. Every time you use Uniswap, Aave, or any other protocol, go through your bookmark - not through a search result. This one habit eliminates the entire “fake search result” attack vector.
Use a Burner Wallet for New Protocols
When trying a new dApp for the first time, use a fresh wallet with only the funds you need for that specific interaction. If the dApp is malicious, only the funds in that wallet are at risk. Your main wallet never touched it. This is called blast radius reduction - you're limiting the damage a single mistake can cause.
Rug Pulls: Recognizing Exit Scams Before They Happen
A rug pull is when a project's team drains liquidity or mints tokens to sell, abandoning the project and taking user funds. The term comes from DEX liquidity pools, where a project adds liquidity, attracts buyers, then removes all the liquidity, leaving buyers with worthless tokens.
Signs that a project carries elevated rug pull risk:
- Fully anonymous team with no prior history in the space
- No liquidity lock - the team can pull liquidity from the pool at any time
- Contract has a mint function that allows the deployer to create unlimited tokens
- High concentration of token supply in a small number of wallets (check tokensniffer.com or Etherscan's holder distribution)
- Unrealistic yield promises with no clear source of revenue
- No audit, or audit by an obscure firm
- Aggressive marketing with artificial urgency (“whitelist closes in 2 hours”)
Tools like Token Sniffer (tokensniffer.com) and Honeypot.is scan token contracts for common rug pull characteristics. They're not perfect, but they catch the most obvious patterns. Running any new token through these before buying is a 30-second habit worth building.
Managing Multiple Wallets
Most experienced Web3 users maintain at least three distinct wallets for different purposes.
A cold storage wallet (hardware wallet) for long-term holdings. This wallet signs transactions rarely - maybe a few times a year. It never interacts directly with new or unvetted protocols.
A primary hot wallet for regular DeFi activity with established protocols. This wallet has a larger balance than the interaction wallet but is still kept at a level where total loss would be painful but not catastrophic.
An interaction wallet for new protocols, minting, and anything risky. This wallet holds only what's needed for the current activity. It gets topped up from the primary wallet when needed and drained back after activity is complete.
Using different wallets for different risk levels means a single compromised interaction doesn't drain your entire portfolio. It's the same principle as not keeping all your cash in your front pocket.
On-Chain Privacy Basics
Ethereum addresses are pseudonymous, not anonymous. Every transaction you make is permanently recorded on a public blockchain and visible to anyone. If your wallet address becomes associated with your real identity - through a KYC'd exchange withdrawal, a public ENS name, or simply by posting it publicly - your complete transaction history becomes visible.
This has practical security implications beyond privacy. If your wallet shows a large Bitcoin or ETH balance publicly linked to your identity, you become a target for SIM swaps, physical threats, and social engineering.
Using separate addresses for different purposes limits the correlation risk. An address you use publicly for receiving tips or NFT showcasing shouldn't be the same address where you hold substantial long-term savings.
Social Engineering: The Human Attack Surface
Technical security is only half the problem. The other half is the attacks that target you directly rather than your software.
The principle of least disclosure applies: the fewer people who know what crypto you hold, where you hold it, and how much it's worth, the fewer people can target you. “Crypto Twitter” culture encourages sharing gains publicly. This is a security trade-off. Every screenshot of a large portfolio balance posted publicly is a potential targeting signal.
Your seed phrase should be known to exactly one person: you. Not your spouse, not your accountant, not your trusted friend - unless you've deliberately set up an inheritance plan with proper security controls. The seed phrase grants instant, irrevocable access. Sharing it “for safety” with someone who then gets phished or coerced creates a single point of failure.
Your Security Checklist