Hashtag Web3 Logo

Web3 Safety

9 min
beginner

The number one rule

Most crypto losses are not from blockchain hacks. They are from social engineering — people being tricked into giving up their keys or approving malicious transactions.

The scammers are good at their job. They create perfect copies of real websites, impersonate project founders on Discord, and engineer urgency ("claim your airdrop in the next 10 minutes or it expires").

Your best defense: slow down and verify everything.

Common attack types

Phishing Fake websites and DMs that trick you into signing malicious transactions Most common attack Rug Pull Developer launches a project, attracts deposits, then drains all the funds Check for audits + lock-ups Bad Approvals Approving a contract to spend unlimited tokens, which it later drains Use revoke.cash regularly Defense checklist ✓ Bookmark real sites · ✓ Never click DM links · ✓ Verify contract addresses ✓ Use hardware wallet for savings · ✓ Separate wallets for daily/savings · ✓ Revoke old approvals ✓ Start with small amounts · ✓ Read what you sign · ✓ If it sounds too good, it is

The token approval problem

When you use a DeFi protocol, it asks permission to spend your tokens. This is called a token approval. Legitimate protocols need this to execute swaps, deposits, and withdrawals.

The danger: many approvals are set to "unlimited" by default. This means the contract can spend as many of your tokens as it wants, forever. If that contract gets hacked, or if it was malicious from the start, it can drain your entire balance.

How to protect yourself:

  1. Set custom approval amounts instead of unlimited (most wallets allow this)
  2. Regularly check and revoke old approvals at revoke.cash
  3. Never approve tokens on a site you do not fully trust

The wallet separation strategy

Use at least two wallets:

WalletPurposeTypeWhat goes here
Daily walletBrowsing DeFi, minting NFTs, trying new protocolsHot (MetaMask)Small amounts you can afford to lose
Savings walletLong-term holdingsCold (Ledger/Trezor)Main portfolio — never connects to risky sites

If your daily wallet gets drained by a phishing attack, your savings wallet is untouched. This is the simplest, most effective security measure.

Red flags checklist

If you see any of these, stop immediately:

  • A website URL that is slightly different from the real one (uniiswap.com instead of uniswap.org)
  • Anyone asking for your seed phrase, for any reason
  • "Send 1 ETH, get 2 ETH back" — this is always a scam
  • Urgency pressure ("Claim in the next 5 minutes")
  • Unsolicited DMs about airdrops, investment opportunities, or "support"
  • A token that appeared in your wallet that you did not buy (airdrop scam — interacting with it can drain your wallet)
  • Anonymous team with no public track record
  • No audit, no GitHub, no documentation

Key takeaways

  • Most losses come from social engineering, not blockchain hacking. Slow down and verify.
  • Phishing (fake sites and DMs) is the most common attack. Bookmark real URLs.
  • Token approvals are a hidden risk. Use limited approvals and check revoke.cash regularly.
  • Use separate wallets: a hot wallet for daily use, a cold wallet for savings.
  • If something seems too good to be true, it is a scam. Always.

Congratulations

You have completed the Web3 Fundamentals course. You now understand blockchains, wallets, tokens, smart contracts, DeFi, and how to stay safe.

Next paths to explore:

  • Decentralized Finance — learn how DEXs, lending, and yield strategies work
  • Smart Contract Development — learn to write and deploy your own contracts
  • Web3 Careers — how to get hired at a Web3 company

Quiz: Web3 Safety

1 / 5

What is the most common type of Web3 scam?