As the on-chain ecosystem keeps expanding, on-chain transactions have become a routine daily operation for Web3 users, and user assets are migrating from centralized platforms to decentralized networks. This shift also moves the responsibility for asset security from the platform to the user. On-chain, the user is accountable for every step of an interaction: importing a wallet, opening a DApp, signing an authorization, submitting a transaction. A blind signature or an operational mistake anywhere in that chain can lead to serious consequences such as private key leakage, abused token approvals, or funds lost to phishing.

Mainstream wallet extensions and browsers now integrate phishing detection and risk warnings, but against increasingly sophisticated attacks, passive defensive tooling alone cannot eliminate the risk. To help users recognize the risk points in an on-chain transaction more clearly, our security team has, drawing on hands-on incident experience, mapped the high-risk scenarios across the whole process and combined protective recommendations with practical tool usage into a systematic set of on-chain transaction security guidelines, so that every Web3 user can build a line of defense that is under their own control.

Core principles for safe trading:

  • Refuse to sign blindly: never sign a transaction or message whose content and effect you do not understand.
  • Verify repeatedly: before any transaction, check the recipient, amount, chain and contract against an independent source, and check them more than once.

Zero Mistakes in On-Chain Interactions: Keep this Web3 Secure Transaction Guide

1. Safe Trading Advice

Safe transactions are key to protecting digital assets. Using a secure wallet, and enabling two-factor authentication (2FA) wherever an account supports it, substantially reduces risk. Specific recommendations:

  • Use a secure wallet:

Choose a reputable wallet, such as a hardware wallet like Ledger or Trezor, or a software wallet like MetaMask. A hardware wallet keeps the private key offline on a separate device that signs without ever exposing the key to the computer or browser; this removes the most common online attack paths and makes it suitable for storing large amounts of assets.

  • Double check the transaction details:

Always verify the receiving address, amount, and network (e.g., make sure you are using the correct chain, such as Ethereum or BNB Chain, etc.) before confirming a transaction to avoid losses due to typos.

  • Enable two-factor authentication (2FA):

If your exchange or custodial wallet supports 2FA, enable it, especially on accounts you use often. Note that a self-custodied wallet such as a browser extension has no 2FA: whoever holds the seed phrase or private key controls the funds. For such wallets, a hardware device that must physically confirm each signature plays the equivalent role.

  • Avoid public Wi-Fi:

Do not transact on public Wi-Fi networks. The transaction itself is signed locally and HTTPS protects the connection to the DApp, but a hostile network can still steer you to a phishing page through DNS tampering or a captive portal. Treat any certificate warning as a reason to stop.

2. How to conduct safe transactions

A complete DApp transaction goes through several stages: wallet installation, opening the DApp, connecting the wallet, signing messages, signing transactions, and post-transaction follow-up. Each stage carries its own risks. The following sections describe what to watch for in practice.


Note: This article focuses on the secure interaction flow on Ethereum and EVM-compatible chains. The tools and technical details differ on non-EVM chains.

1: Wallet installation

Today most DApp interaction goes through browser extension wallets; on EVM chains the most widely used is MetaMask.

When installing a Chrome extension wallet, download it only from the Chrome Web Store, never from a third-party site, to avoid installing a backdoored copy. Even in the store, check that the publisher matches the wallet's official site and that the install count and reviews are consistent with a widely used wallet, since look-alike extensions under similar names do appear. Users who can are advised to pair the extension with a hardware wallet so that the private key is held on a separate device.

When backing up the wallet's seed phrase (usually a 12- to 24-word recovery phrase), store it somewhere safe and away from digital devices, for example written on paper and kept in a safe. Never type it into a website: no legitimate DApp asks for it.

2: Access DApp

Phishing is one of the most common Web3 attacks. A typical case lures the user to a phishing DApp under the pretext of an airdrop and, once the wallet is connected, induces them to sign a token approval, a transfer transaction, or an off-chain authorization such as a Permit signature, resulting in loss of assets.

Therefore, when accessing DApp, users need to be vigilant and avoid falling into the trap of web phishing.

Before accessing the DApp, please confirm the correctness of the URL. Suggestions:

  • Avoid reaching DApps through search engines: attackers buy ad placements so that phishing sites rank above the real one.
  • Avoid clicking links in social media: URLs posted in comments or direct messages may be phishing links.
  • Cross-check the DApp URL against an independent source, such as a DApp directory like DefiLlama or the project's official social media accounts.
  • Bookmark verified sites and open them from the bookmark from then on.

After the DApp page opens, check the address bar as well:

  • Look closely at the domain for look-alike tricks: swapped or doubled letters, extra words, a different top-level domain, or the real name used as a subdomain of some other domain.
  • Confirm the connection uses HTTPS (the browser shows a lock 🔒). A lock only proves an encrypted connection to that domain; phishing sites also obtain valid certificates, so HTTPS does not by itself prove legitimacy.

Mainstream extension wallets also integrate risk warnings and show a prominent alert when a known risky site is visited. The absence of a warning is no guarantee: a newly registered phishing domain is not yet on any list.


3: Connect your wallet

Once inside the DApp, wallet connection may be triggered automatically or when you click Connect. The extension wallet shows the requesting origin and what the site is asking for (normally your account address) and lets you choose which account to expose; connect only the account you intend to use on that site.

After the wallet is connected, a DApp should not bring up the wallet again until you take some action. If a site repeatedly pops up signature or transaction requests right after connecting, or re-prompts immediately after you reject a signature, it is very likely a phishing site and should be closed.

4: Message Signature

In extreme cases, such as when an attacker compromises the protocol's official website or swaps the page content through a front-end hijack, an ordinary user has no way to judge the site's safety from its appearance.

In that situation the signing prompt in the extension wallet is the last line of defense: as long as the malicious signature is rejected, the assets stay safe. Carefully review the content of every message and transaction before signing, and refuse to sign anything you cannot read.

Common signature types:

  • eth_sign: in wallets that still support it, signs an arbitrary 32-byte hash with no prefix. Because a transaction hash is also 32 bytes, an eth_sign signature can be a valid signature over a transaction the wallet never displayed. Most wallets disable it by default; never enable it for a DApp.
  • personal_sign (EIP-191): signs a text message prefixed with "\x19Ethereum Signed Message:\n" followed by the message length, so the result can never be a valid transaction. Most common for login challenges and accepting terms of service; still read the text before signing.
  • eth_signTypedData (EIP-712): signs structured, human-readable data; used for ERC-20 Permit, NFT marketplace orders and similar. The wallet shows the fields, so check the spender, the amount, the deadline and the chainId, since a Permit is a token approval that costs the attacker nothing to obtain and no gas to request.
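To show what "check the fields" means for an EIP-712 request, here is an added example (not code from the original article or from any wallet) that inspects the JSON a DApp hands to eth_signTypedData_v4 for an EIP-2612 Permit and flags the classic phishing pattern: unlimited value, a deadline that never expires, a spender you have not verified, or a chainId that is not the chain you are on. The request itself is constructed in the block; all addresses are placeholders and the trusted-spender list is an assumption you would fill from your own verified contracts.

```python
import json
import time

MAX_UINT256 = 2**256 - 1
ONE_YEAR = 365 * 24 * 60 * 60

# Placeholder addresses for the constructed sample; none of these is a real contract.
TOKEN = "0x1111111111111111111111111111111111111111"
ME = "0x2222222222222222222222222222222222222222"
UNKNOWN_SPENDER = "0x3333333333333333333333333333333333333333"


def make_permit_request(owner, spender, value, deadline, chain_id=1, token=TOKEN):
    """Build the JSON an EIP-2612 DApp hands to eth_signTypedData_v4.

    Constructed sample with the shape of a real Permit request, so the
    inspector below can be exercised offline.
    """
    return json.dumps({
        "types": {
            "EIP712Domain": [
                {"name": "name", "type": "string"},
                {"name": "version", "type": "string"},
                {"name": "chainId", "type": "uint256"},
                {"name": "verifyingContract", "type": "address"},
            ],
            "Permit": [
                {"name": "owner", "type": "address"},
                {"name": "spender", "type": "address"},
                {"name": "value", "type": "uint256"},
                {"name": "nonce", "type": "uint256"},
                {"name": "deadline", "type": "uint256"},
            ],
        },
        "primaryType": "Permit",
        "domain": {"name": "Example Token", "version": "1",
                   "chainId": chain_id, "verifyingContract": token},
        "message": {"owner": owner, "spender": spender, "value": str(value),
                    "nonce": "0", "deadline": str(deadline)},
    })


def to_int(value):
    """uint256 fields arrive as ints, decimal strings or 0x-hex strings."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def inspect_typed_data(raw_json, my_address, expected_chain_id,
                       trusted_spenders=(), now=None):
    """Return a list of warnings for an EIP-712 signing request.

    An empty list means none of these checks fired, not that the request is safe.
    """
    now = int(time.time()) if now is None else now
    data = json.loads(raw_json)
    domain = data.get("domain", {})
    message = data.get("message", {})
    primary = data.get("primaryType", "")
    warnings = []

    # A signature bound to the wrong chain is useless to you and a replay risk there.
    chain_id = to_int(domain.get("chainId", 0))
    if chain_id != expected_chain_id:
        warnings.append(f"chainId {chain_id} differs from the chain you expect ({expected_chain_id})")

    if primary != "Permit":
        warnings.append(f"primaryType {primary!r} is not a Permit: read every field before signing")
        return warnings

    owner = str(message.get("owner", "")).lower()
    spender = str(message.get("spender", "")).lower()
    value = to_int(message.get("value", 0))
    deadline = to_int(message.get("deadline", 0))
    trusted = {s.lower() for s in trusted_spenders}

    if owner != my_address.lower():
        warnings.append(f"owner {owner} is not the address you are signing with")
    if spender not in trusted:
        warnings.append(f"spender {spender} is not a contract you have verified")
    if value == MAX_UINT256:
        warnings.append("value is unlimited (2**256 - 1): the spender could take the whole balance")
    if deadline == MAX_UINT256 or deadline > now + ONE_YEAR:
        warnings.append("deadline is more than a year away: the permit effectively never expires")
    elif deadline < now:
        warnings.append("deadline has already passed: the permit is unusable, ask why the site wants it")
    return warnings


# The phishing pattern: unlimited value, never-expiring deadline, unknown spender.
PHISHING_PERMIT = make_permit_request(ME, UNKNOWN_SPENDER, MAX_UINT256, MAX_UINT256)

if __name__ == "__main__":
    for line in inspect_typed_data(PHISHING_PERMIT, ME, expected_chain_id=1):
        print("WARNING:", line)
```

The checks are deliberately conservative: a legitimate Permit for a known router with a bounded value and a deadline a few minutes out produces no warnings, while the request a drainer page sends lights up on three of them at once.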

5: Transaction Signature

A transaction signature authorizes an on-chain transaction, such as a transfer or a smart contract call. The user signs with the private key and the network verifies the signature. Many extension wallets now decode the transaction before signing and display the call, but the decoding is only as good as the wallet's knowledge of the target contract. Follow the no-blind-signing principle. Security recommendations:

  • Double-check the recipient address, amount and network before confirming.
  • Sign large transactions with a hardware wallet or an offline signer, so the private key never touches the online machine.
  • Check that the gas fee is reasonable; an unexpected fee is a sign that the transaction does not do what the page claims.

Users with the technical background can also run some manual checks: copy the target contract address into a block explorer such as Etherscan and review whether the contract's source is verified, whether it has a healthy recent transaction history, and whether Etherscan has tagged the address with an official label or a phishing/malicious label. Compare the address in the wallet prompt with the one on the explorer character by character, not just by its first and last few characters: address-poisoning attacks generate look-alike addresses that match at both ends.
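As an added example (not code from the original article or from any wallet), the following script does by hand what a wallet's "decoded transaction" view does: it reads the 4-byte selector and the ABI-encoded arguments of a transaction's calldata for the ERC-20/ERC-721 functions phishing pages most often request, and flags an unlimited approve, a setApprovalForAll to an unknown operator, or native value attached to a token call. The selectors are the standard published values for those function signatures; the sample transaction is constructed, with placeholder addresses, and the trusted-spender list is an assumption you would fill from contracts you have verified.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors = first four bytes of keccak256(function signature).
# Standard, widely published values for the ERC-20/ERC-721 functions
# that drainer pages most often ask a victim to sign.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "39509351": ("increaseAllowance", ["address", "uint256"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "d505accf": ("permit", ["address", "address", "uint256", "uint256",
                            "uint8", "bytes32", "bytes32"]),
}


def decode_word(word, abi_type):
    """Decode one 32-byte ABI word (64 hex chars) of a static type."""
    if abi_type == "address":
        return "0x" + word[-40:]
    if abi_type == "bool":
        return int(word, 16) != 0
    if abi_type == "bytes32":
        return "0x" + word
    return int(word, 16)  # uint256 / uint8


def decode_calldata(calldata):
    """Return (function name, [args]) for a known selector, else None."""
    hexdata = calldata[2:] if calldata.lower().startswith("0x") else calldata
    hexdata = hexdata.lower()
    selector, body = hexdata[:8], hexdata[8:]
    if selector not in SELECTORS:
        return None
    name, types = SELECTORS[selector]
    if len(body) < 64 * len(types):
        raise ValueError(f"{name}: calldata too short for its arguments")
    args = [decode_word(body[i * 64:(i + 1) * 64], t) for i, t in enumerate(types)]
    return name, args


def assess_transaction(tx, trusted_spenders=()):
    """Warnings for a request as the wallet shows it: {'to', 'value', 'data'}.

    'value' is the native amount in wei, as a 0x-hex quantity or an int.
    """
    warnings = []
    trusted = {s.lower() for s in trusted_spenders}
    to = tx.get("to", "").lower()
    raw_value = tx.get("value", 0)
    value = int(raw_value, 16) if isinstance(raw_value, str) else int(raw_value)
    data = tx.get("data", "0x")
    decoded = decode_calldata(data)

    if decoded is None:
        if data not in ("", "0x"):
            warnings.append("unknown function selector: the wallet cannot tell you what this call does")
        if value > 0:
            warnings.append(f"sends {value} wei of native coin to {to}")
        return warnings

    name, args = decoded
    if name in ("approve", "increaseAllowance"):
        spender, amount = args
        if amount == MAX_UINT256:
            warnings.append(f"{name}: unlimited allowance for {spender} on token {to}")
        if spender not in trusted:
            warnings.append(f"{name}: spender {spender} is not a contract you have verified")
    elif name == "setApprovalForAll":
        operator, approved = args
        if approved and operator not in trusted:
            warnings.append(f"setApprovalForAll: operator {operator} gains control of every NFT in {to}")
    elif name == "transfer":
        recipient, amount = args
        warnings.append(f"transfer: sends {amount} units of token {to} to {recipient}")
    elif name == "transferFrom":
        sender, recipient, amount = args
        warnings.append(f"transferFrom: moves {amount} units of token {to} from {sender} to {recipient}")
    elif name == "permit":
        owner, spender, amount, deadline = args[:4]
        warnings.append(f"permit: submits a signed allowance of {amount} for {spender} from {owner}")
    if value > 0:
        warnings.append(f"also sends {value} wei of native coin, which a token {name} call never needs")
    return warnings


# Constructed sample: approve(0x3333...3333, 2**256 - 1), the call a phishing
# page typically requests. Layout: selector, address word, uint256 word.
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "33" * 20 + "f" * 64
SAMPLE_TX = {"to": "0x1111111111111111111111111111111111111111",
             "value": "0x0", "data": SAMPLE_UNLIMITED_APPROVE}

if __name__ == "__main__":
    print(decode_calldata(SAMPLE_UNLIMITED_APPROVE))
    for line in assess_transaction(SAMPLE_TX):
        print("WARNING:", line)
```

Anything with an unknown selector is reported as undecodable rather than silently passed; that is exactly the case where the explorer check above (verified source, labels, history) has to carry the decision, because neither this script nor the wallet can tell you what the call does.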

6: Post-Transaction Processing

Avoiding phishing pages and malicious signatures is not the end of it. Risk management continues after the transaction.

Check the transaction promptly after it is sent and confirm that the result matches what you expected when you signed. If anything is off, take stop-loss action at once: move the assets out and revoke the approvals involved.

Managing ERC-20 approvals is equally important. There have been cases where users approved tokens to a contract, that contract was exploited years later, and the attacker used the still-standing allowances to drain the users' balances. To prevent this, our security team recommends the following:

  • Minimize approvals. When approving a token, approve only the amount the transaction needs. If a transaction requires 100 USDT, set the allowance to 100 USDT rather than accepting the default unlimited approval (2^256 - 1).
  • Revoke approvals you no longer need. Check the approvals on your address on revoke.cash (or on the block explorer's token approval page), revoke those for protocols you have not used in a long time, and so prevent a later vulnerability in that protocol from draining your allowance. Each revocation is its own transaction, so do it before the allowance matters, not after.


3. Fund Isolation Strategy

Beyond awareness and the preventive measures above, isolating funds limits the damage in the worst case. Recommended strategies:

  • Use a Gnosis Safe multi-signature wallet or a cold wallet for large holdings;
  • Use an extension wallet or EOA wallet (such as MetaMask) as a hot wallet for daily interactions, holding only what those interactions need;
  • Rotate the hot wallet address periodically so that one address is not exposed to risky environments indefinitely.

If you do fall for a phishing attempt, take these measures immediately to limit the loss:

  • Use a tool such as Revoke.cash to cancel the high-risk approvals;
  • If you signed a Permit but the assets have not moved yet, note that for an EIP-2612 token the signature is only invalidated once the token's permit nonce for your address advances on-chain. Setting the allowance to 0 with approve() does not burn that nonce, so the attacker can still submit the old permit later; you need to submit a permit transaction of your own (for example a Permit to an address you control) or move the tokens out of the affected address;
  • If necessary, quickly transfer the remaining assets to a new address or a cold wallet.
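The approval checks and revocations recommended above (in the post-transaction section and in the response steps just listed) can be done without relying on a third-party site, straight against your own node or RPC provider. The following is an added example, not code from the original article or from revoke.cash: it builds the eth_call that asks a token for allowance(owner, spender), parses the reply, and produces the approve(spender, 0) transaction that zeroes the allowance. The selectors are the standard published values for those two ERC-20 functions; the addresses and the sample RPC reply are constructed placeholders. As stated above, approve(spender, 0) does not invalidate an outstanding EIP-2612 Permit signature; that needs a permit transaction that advances the nonce.

```python
import json

# Standard ERC-20 selectors (first four bytes of keccak256 of the signature).
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)
MAX_UINT256 = 2**256 - 1


def encode_address(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word."""
    clean = addr[2:] if addr.lower().startswith("0x") else addr
    if len(clean) != 40:
        raise ValueError(f"not a 20-byte address: {addr}")
    return clean.lower().rjust(64, "0")


def encode_uint256(n):
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("out of uint256 range")
    return f"{n:064x}"


def allowance_call(token, owner, spender, request_id=1):
    """JSON-RPC eth_call body asking the token for allowance(owner, spender).

    POST it to your own node or RPC provider; the reply's 'result' field is the
    allowance as a 0x-prefixed 32-byte hex quantity.
    """
    data = "0x" + ALLOWANCE_SELECTOR + encode_address(owner) + encode_address(spender)
    return {"jsonrpc": "2.0", "id": request_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def parse_allowance(rpc_reply):
    """Extract the uint256 allowance from an eth_call reply."""
    if "error" in rpc_reply:
        raise RuntimeError(f"eth_call failed: {rpc_reply['error']}")
    return int(rpc_reply["result"], 16)


def revoke_tx(token, owner, spender):
    """eth_sendTransaction request that sets allowance(owner, spender) to zero."""
    return {"from": owner, "to": token, "value": "0x0",
            "data": "0x" + APPROVE_SELECTOR + encode_address(spender) + encode_uint256(0)}


def plan_revocations(token, owner, allowances, keep=()):
    """allowances: {spender: amount} gathered with allowance_call/parse_allowance.

    Returns one revoke transaction for every non-zero allowance not in `keep`.
    """
    keep = {s.lower() for s in keep}
    return [revoke_tx(token, owner, spender)
            for spender, amount in allowances.items()
            if amount > 0 and spender.lower() not in keep]


# Constructed sample (placeholder addresses, no real contracts): two spenders,
# one with an unlimited allowance that must go and one still in active use.
TOKEN = "0x1111111111111111111111111111111111111111"
OWNER = "0x2222222222222222222222222222222222222222"
OLD_PROTOCOL = "0x3333333333333333333333333333333333333333"
ACTIVE_PROTOCOL = "0x4444444444444444444444444444444444444444"
# What a node returns for allowance(OWNER, OLD_PROTOCOL) after an unlimited approve.
SAMPLE_REPLY_UNLIMITED = {"jsonrpc": "2.0", "id": 1, "result": "0x" + "f" * 64}

if __name__ == "__main__":
    print(json.dumps(allowance_call(TOKEN, OWNER, OLD_PROTOCOL)))
    found = {OLD_PROTOCOL: parse_allowance(SAMPLE_REPLY_UNLIMITED), ACTIVE_PROTOCOL: 100}
    for tx in plan_revocations(TOKEN, OWNER, found, keep=[ACTIVE_PROTOCOL]):
        print(json.dumps(tx))
```

The revoke transaction is an ordinary approve with amount 0, so it is signed and submitted like any other transaction from the affected address; if that address holds no native coin for gas, fund it first, and in a live drain situation consider moving the tokens out instead, which is a single transaction per token rather than one per spender.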

4. How to safely participate in airdrop activities

Airdrops are a common way to promote blockchain projects, but they also carry risks. Here are a few suggestions:

  • Project background research: ensure that the project has a clear white paper, public team information and community reputation;
  • Use a dedicated address: Register a dedicated wallet and email address to isolate the main account risks;
  • Be careful when clicking on links: only obtain airdrop information through official channels and avoid clicking on suspicious links on social platforms;

5. Selection and use suggestions of plug-in tools

There is a lot to check in an on-chain interaction, and it is not realistic to inspect every transaction in full detail by hand. Choosing a safe extension to assist with risk judgments is therefore important. Specific suggestions:

  • Trusted extensions: use widely adopted browser extensions such as MetaMask (for the Ethereum ecosystem). These provide the wallet itself and the DApp interaction layer.
  • Check ratings: before installing a new extension, look at its user ratings and install count. A high rating and a large install base generally indicate a more reliable extension, but both can be inflated, so treat them as one signal alongside the publisher identity and a link from the project's official site.
  • Keep them updated: update your extensions regularly to get the latest security features and fixes. Outdated extensions may carry known vulnerabilities that attackers can exploit.

6. Conclusion

By following the guidelines above, users can operate with more confidence in an increasingly complex blockchain ecosystem and materially improve the protection of their assets. Decentralization and transparency are the core strengths of blockchain technology, but they also mean that users must handle risks such as signature phishing, private key leakage and malicious DApps on their own.

Real on-chain safety cannot rest on tool warnings alone. What matters is building systematic security awareness and operating habits: using a hardware wallet, isolating funds, checking approvals and updating extensions regularly, and applying "verify repeatedly, refuse blind signatures, isolate funds" to every transaction. That is what makes it possible to be both free and safe on-chain.