Q01-Q25: Creation / Backup
True or False
Q01: The essence of a digital wallet is a vault used to store cryptocurrency. ( )
Correct Answer: False
Analysis:
Key takeaway: A wallet does not store your coins. Your assets always remain on the blockchain. A wallet is simply a tool for managing your Private Key / Recovery Phrase.
Best practice: Store your Recovery Phrase (or Private Key) safely offline. Even if you change devices or apps, you can still restore your assets in a legitimate wallet with your Recovery Phrase.
Q02: Whoever controls a wallet's private key has full control over the on-chain assets in that wallet. ( )
Correct Answer: True
Analysis:
Key takeaway: Private Key = asset control. If anyone gets your Private Key / Recovery Phrase, they can move your assets on any device.
Best practice: Never photograph, screenshot, or store your Recovery Phrase online. Never enter it into unknown apps or websites.
Q03: A Recovery Phrase is a seed that can derive all private keys, so backing up the Recovery Phrase alone is enough. ( )
Correct Answer: True
Analysis:
Key takeaway: A Recovery Phrase is essentially a seed that can derive all private keys, public keys, and addresses through a deterministic algorithm. Therefore, as long as you keep your Recovery Phrase safe, you can fully restore your wallet and assets even if your device is lost or replaced.
Backup tips: Write it down offline and store copies separately (paper / metal backup). Do not photograph it, screenshot it, or save it in cloud drives or chat tools.
Q04: If you forget your wallet PIN or password, you can still recover your assets as long as you still have the Recovery Phrase. ( )
Correct Answer: True
Analysis:
Key takeaway: A wallet password only protects local access and decryption on that device. Your assets can still be restored in any compatible wallet with the Recovery Phrase.
Best practice: Download the wallet app only from official sources, restore the wallet by entering the Recovery Phrase offline, and then set a strong password and biometric protection again.
Q05: After creating a new wallet, you should first deposit a small amount for testing, and only send a large amount after confirming everything is correct. ( )
Correct Answer: True
Analysis:
Key takeaway: A small test transfer verifies whether the address is correct, whether the right network is selected, and whether the wallet can send and receive normally.
Best practice: Test with a small amount first, confirm receipt, and then move larger amounts in batches. Enable your address book and whitelist, and for important transfers, verify the details on a hardware wallet screen whenever possible.
Q06: A wallet address is generated directly from a private key. ( )
Correct Answer: False
Analysis:
Key takeaway: The standard process is Private Key -> Public Key -> Address (derived through hashing / encoding). The address is not generated directly from the Private Key.
Best practice: Remember that public keys and addresses can be shared, but your Private Key and Recovery Phrase must never be exposed.
Q07: If you photograph your Recovery Phrase and save it in your phone's photo album, it is absolutely safe as long as your phone has a password. ( )
Correct Answer: False
Analysis:
- Why it's unsafe: Photos in albums are often automatically synced to the cloud or read by apps with media permissions.
- Risks: Cloud sync (iCloud/Google), app permissions, malware, or accidental sharing/screen mirroring.
- Best practice: Reject digitization. Write it down on paper or engrave it on metal. Keep it clear, waterproof, and fireproof.
Q08: You can use the same Recovery Phrase in different wallet apps to restore your assets. ( )
Correct Answer: True
Analysis:
Key takeaway: Most mainstream wallets follow BIP39 / BIP44 rules, so cross-wallet recovery is usually possible.
Best practice: Download wallets only from official channels, and confirm the chain and derivation path match before proceeding.
Q09: A Recovery Phrase and a Private Key are the same thing and can be used interchangeably. ( )
Correct Answer: False
Analysis:
Recovery Phrase: A set of words used to generate a seed, which can then derive a full set of private keys and addresses through derivation paths (across multiple chains and accounts).
Private Key: Usually corresponds to a single address and is used to sign transactions for that address.
Relationship:
Recovery Phrase -> Seed -> Derivation path (such as BIP44) -> many Private Keys / addresses.
You can derive a Private Key from a Recovery Phrase, but you cannot recover the original Recovery Phrase from a single Private Key.
Common misconceptions:
Backing up one Private Key does not equal backing up the entire wallet. After switching wallets, you may not see your other addresses.
Losing the Recovery Phrase may mean losing an entire set of addresses and assets, not just one.
Best practice:
Back up and store the Recovery Phrase safely (offline on paper / metal, in separate locations). If needed, also record the derivation path and whether a passphrase is used.
After importing into a new wallet, compare the addresses first and run a small test before further use. Never enter your Recovery Phrase casually into websites or unknown apps.
Q10: Writing a Recovery Phrase on paper is a common backup method, but you still need extra protection against fire, water, and loss. ( )
Correct Answer: True
Analysis:
Key takeaway: Paper is flammable, vulnerable to moisture, easy to tear, and can fade over time. A single storage location also creates fire, flood, or moving-related risks.
Best practice: Seal paper backups in moisture-proof bags, keep at least two copies in separate locations, upgrade to metal backups for critical use cases, and control access with a safe or secure deposit box.
Q11: When a hardware wallet is connected to a computer, if the computer is infected with malware, my private key may be stolen. ( )
Correct Answer: False
Analysis:
Key takeaway: A hardware wallet is designed to isolate the Private Key. Even if it is connected to an infected computer, the Private Key remains safely stored inside the secure chip of the hardware wallet.
Best practice:
Trust only the device screen: Verify the recipient address and amount character by character on the hardware wallet itself, rather than relying on the computer screen.
Refuse blind signing, disable unnecessary unlimited approvals, and revoke old approvals regularly.
Q12: If you switch from one wallet app to another, importing the Recovery Phrase directly into the new app is the correct approach. ( )
Correct Answer: True (with conditions)
Analysis:
Key takeaway: Recovery Phrases generally follow standards such as BIP39 / BIP44, so cross-wallet recovery is valid. However, the new app must be trustworthy. If you import into a fake wallet, your assets may be stolen immediately.
Best practice:
Download only from the official store or official website.
Verify the developer name, version number, and signature.
Use a clean device or an offline environment.
Run a small test first after recovery.
Multiple Choice
Q13: When backing up a Recovery Phrase, which method is most recommended? ( )
A. Save a screenshot or photo in your phone gallery
B. Write it on paper and keep it in a secure place
C. Upload it to a cloud storage service
D. Send it to your own email or chat app
Correct Answer: B
Analysis:
Why: Offline physical backups such as paper or metal have the lowest overall risk because they are not exposed to the internet.
Best practice: Use paper with moisture-proof/fireproof protection, or upgrade to a metal backup. Store copies in multiple locations and control access carefully.
Q14: Which of the following counts as secondary verification of a Recovery Phrase? ( )
A. After creating the wallet, import the Recovery Phrase into another new device to confirm it can restore the wallet
B. Ask a friend to help check whether you copied the Recovery Phrase correctly
C. Copy the Recovery Phrase three times to make sure it is correct
D. Photograph the Recovery Phrase and upload it to the cloud for easy checking
Correct Answer: A
Analysis:
Why: The point of secondary verification is to perform a real recovery test and confirm that no words were copied incorrectly or omitted.
Best practice: Test the import on a clean, offline second device, and only start formal use after confirming it works.
Q15: If a stranger accidentally sees your Recovery Phrase before a transaction, what should you do? ( )
A. Do not worry. As long as the Private Key is not exposed, it is fine.
B. Immediately transfer all assets in that wallet to a brand-new, secure wallet.
C. Immediately change the wallet password.
D. Uninstall and reinstall the wallet immediately.
Correct Answer: B
Analysis:
Why: Once the Recovery Phrase is exposed, an attacker can restore the wallet on any device at any time and move your assets.
Best practice: Create a new wallet on a new device immediately. After a small test, migrate all assets out of the old wallet.
Q16: When downloading a wallet app from an app store, what should you check to avoid fake apps? ( )
A. Download volume and reviews
B. Whether the app icon looks clear
C. The developer name
D. All of the above
Correct Answer: D
Analysis:
Why: Cross-checking multiple signals significantly reduces risk: whether the developer matches the official website, whether download volume and reviews look reasonable, how often the app is updated, and whether the official site links to the store page.
Best practice: Use the official website landing page to jump to the store, verify the developer and signature, and review permissions and update logs.
Q17: What is the safest environment for generating a Recovery Phrase when creating a wallet? ( )
A. A computer connected to public Wi-Fi
B. A trusted device kept offline, in a private space with no cameras
C. A friend's phone
D. An open network in a coffee shop
Correct Answer: B
Analysis:
Why: Seed generation should be fully offline to avoid eavesdropping, synchronization, or malware reporting.
Best practice: Use a cold environment such as an offline phone or hardware wallet, back up the Recovery Phrase physically right away, and verify that it can restore the wallet.
Q18: Why should you never photograph, screenshot, or upload a Recovery Phrase to the cloud? ( ) [Multiple Choice]
A. Your phone or computer may be infected, and the photo could be stolen
B. Cloud storage may be hacked or leaked
C. Even if deleted, screenshots or photos may still remain in cache or albums
D. Digital backups are safer and more reliable than paper backups
Correct Answer: A / B / C
Analysis:
Why: Digital backups leave plaintext traces that can be copied, such as in galleries, cache, cloud storage, and chat history. Once leaked, the damage is irreversible.
Best practice: Use offline physical backups (paper / metal) and store them separately. If digital storage is absolutely necessary, use offline encrypted media that never goes online and apply strict access control.
Q19: When importing a wallet, where does the biggest security risk come from? ( )
A. Entering the Recovery Phrase in the wrong order
B. Importing on an unfamiliar device
C. Using a fake wallet app or phishing website
D. Unstable internet during import
Correct Answer: C
Analysis:
Key takeaway: The greatest risk during import is a fake wallet or phishing site. If you enter your Recovery Phrase there, your root credentials are exposed instantly, and the attacker can restore the wallet on any device and move your assets.
Best practice:
Go from the official website's landing page to the official app store to download, and verify the developer and domain.
Never enter a Recovery Phrase into a web form. Use only a local app or hardware device.
Use your own clean, non-jailbroken device. If needed, check addresses in watch-only mode first before taking action.
Q20: If someone offers to help you import your wallet, what is the biggest risk you may face? ( ) [Multiple Choice]
A. They may steal your Recovery Phrase or Private Key and take all your assets
B. They may install malware on your device for long-term monitoring and theft
C. They may move your assets to a new address they control without your knowledge
D. They may leak your personal information, such as your phone number or home address
Correct Answer: A / B / C
Analysis:
Key takeaway: Letting someone else import or operate your wallet means handing over control. A, B, and C can all directly lead to asset theft and are the biggest risks. D is also bad, but it is not the primary control-risk issue.
Best practice:
Never lend out or display your Recovery Phrase.
Import the wallet yourself on a clean, offline device.
If the phrase has already been exposed, migrate your assets to a new wallet immediately and retire the old Recovery Phrase.
Q21: Why should you ask yourself whether a device is secure before importing a Recovery Phrase? ( ) [Multiple Choice]
A. The device may contain malware or trojans that can steal the Recovery Phrase
B. The system may be jailbroken or rooted, making it more vulnerable to malicious software
C. As long as the device has enough storage, it is safe to import
D. As long as the network connection is stable, the import process is safe
Correct Answer: A / B
Analysis:
Key takeaway: Malware, credential-stealing plugins, and the weaker isolation on jailbroken or rooted devices can leak your Recovery Phrase in plaintext as soon as you enter it.
Best practice:
Use a clean device that is not jailbroken or rooted, has the latest system patches, and contains only necessary apps.
Disconnect from the internet to inspect the environment beforehand, and keep the device offline during import when possible.
Run a small test right after import.
Q22: Besides paper backups, which method can store a Recovery Phrase more securely for the long term? ( )
A. Save it on a USB flash drive
B. Use a professional stainless-steel Recovery Phrase backup and keep it in a secure place
C. Save it in an email draft
D. Save it in a phone note app
Correct Answer: B
Analysis:
Key takeaway: Offline physical storage, or offline encrypted media, is better suited for long-term preservation. A stainless-steel backup protects against fire and water and offers stronger durability.
Best practice: Use a professional stainless-steel Recovery Phrase backup and store copies separately.
Q23: What is the main purpose of setting a strong PIN? ( ) [Multiple Choice]
A. To improve wallet performance speed
B. To prevent someone with physical access to the device from opening your wallet directly
C. To increase the difficulty of cracking the wallet even if the device is lost
D. To reduce the risk of network attacks
Correct Answer: B / C
Analysis:
Key takeaway: A PIN, local screen lock, and biometrics mainly protect against physical access and slow down offline brute-force attacks.
Best practice:
Set a strong PIN and avoid birthdays or simple sequences.
Enable device encryption and auto-lock.
Combine local protection with offline Recovery Phrase protection to form a dual defense.
Q24: Why is it not recommended to import a Recovery Phrase on a public computer or an unfamiliar device? ( ) [Multiple Choice]
A. These devices may already contain pre-installed trojans that record your Recovery Phrase
B. Browser plugins or cached data may be exploited to steal wallet information
C. Public devices may have keyloggers that monitor your input
D. As long as you change the PIN right after import, the risk is avoided
Correct Answer: A / B / C
Analysis:
Key takeaway: Public or unfamiliar devices are not under your control. Entering a Recovery Phrase on them makes plaintext interception very likely. Changing the PIN only affects local unlocking, not a seed that has already been exposed.
Best practice: Import only on your own clean device, run a small test after import, and use a hardware wallet when appropriate.
Q25: Why is it recommended to back up a Recovery Phrase with a professional stainless-steel backup? ( ) [Multiple Choice]
A. It is fireproof and waterproof, and more durable than paper
B. It can be stored for a long time without becoming blurry or damaged
C. It will not fade or grow mold over time
D. It is physically isolated and avoids the leakage risk of electronic devices
Correct Answer: A / B / C / D
Analysis:
Key takeaway: A professional stainless-steel Recovery Phrase backup is heat-resistant, corrosion-resistant, pressure-resistant, and durable, making it suitable for long-term storage of critical credentials. It also does not rely on electronic systems, so it is naturally isolated from network exposure.
Q26-Q50: Transactions / Approvals
True or False
Q26: It is safe to verify only the first and last few characters of a wallet address before transferring funds. ( )
Correct Answer: False
Analysis:
Key takeaway: Checking only the beginning and end of an address makes you vulnerable to "Address Poisoning" or "Similar Address" scams.
Best practice: Verify the full address character by character, pay special attention to several characters in the middle, enable your address book or whitelist, and send a small test amount before large transfers.
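Added example (not part of the original quiz): a Python check that compares a pasted recipient against an address book and flags look-alike addresses, which is the full-address comparison Q26 recommends. Both addresses are constructed for illustration, and the function names and the 4-character edge length are assumptions.

```python
# Constructed 40-hex-character addresses: same first and last four characters,
# different middle. Neither is a real account.
TRUSTED = "0x52a1c3d4e5f60718293a4b5c6d7e8f9001ab9f3e"
POISONED = "0x52a17e0b44c9d2a1f6350e8b1c7d92e64f0a9f3e"
ADDRESS_BOOK = {"exchange-deposit": TRUSTED}


def _norm(addr):
    """Lower-case and drop the 0x prefix so case differences do not matter."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def short(addr, edge=4):
    """The truncated form many wallet and explorer UIs display."""
    body = _norm(addr)
    return f"0x{body[:edge]}...{body[-edge:]}"


def check_recipient(candidate, address_book, edge=4):
    """Classify a recipient as match, lookalike, or unknown.

    'lookalike' means the address shares its first and last `edge` characters
    with a trusted entry but differs elsewhere; `diff` lists those positions.
    """
    cand = _norm(candidate)
    lookalike = None
    for label, trusted in address_book.items():
        ref = _norm(trusted)
        if cand == ref:
            return {"verdict": "match", "label": label, "diff": []}
        same_edges = cand[:edge] == ref[:edge] and cand[-edge:] == ref[-edge:]
        if lookalike is None and len(cand) == len(ref) and same_edges:
            diff = [i for i, (x, y) in enumerate(zip(cand, ref)) if x != y]
            lookalike = {"verdict": "lookalike", "label": label, "diff": diff}
    return lookalike or {"verdict": "unknown", "label": None, "diff": []}


if __name__ == "__main__":
    print(short(TRUSTED), short(POISONED))      # identical on screen
    print(check_recipient(POISONED, ADDRESS_BOOK)["verdict"])
```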
Q27: Disconnecting a wallet from a DApp is the same as revoking all on-chain approvals. ( )
Correct Answer: False
Analysis:
Key takeaway: Disconnecting only ends the front-end session and automatic prompts. It does not change on-chain state. An approved contract may still transfer your tokens. To revoke approval, you must do it on-chain, for example with Revoke.cash.
Best practice: Review each Token + approved Spender + allowance in an approval management tool, revoke unnecessary or unlimited approvals, and wait for on-chain confirmation.
Q28: If you use a DApp frequently, it is fine to keep it connected all the time for convenience. ( )
Correct Answer: False
Analysis:
Key takeaway: A connection alone does not move your funds, but keeping a DApp connected lets the site request signatures or approvals at any time. If the site is compromised or hijacked, you are more likely to sign something by mistake.
Best practice: Disconnect after use, clear permissions regularly, and use separate addresses or accounts for sensitive operations.
Q29: Interacting with DApps through a browser extension wallet is more secure than using a mobile wallet. ( )
Correct Answer: False
Analysis:
Key takeaway:
The browser environment has a larger attack surface: the extension shares the browser environment with webpages and is more exposed to malicious extensions, phishing pages, and script injection.
Desktop isolation is weaker: desktop systems often contain many apps and extensions, and clipboard hijacking or keylogging is more common. Mobile wallets operate inside a sandbox, so exposure is generally more limited.
The form factor itself is not inherently safer: an extension is not automatically safer, and mobile is not absolutely safe either. Security depends on your habits and whether you use hardware signing.
Best practice:
Use a hardware wallet for large amounts and verify the address, chain, and amount on the device screen before signing.
Minimize exposure: use extension wallets in a dedicated browser or separate profile, install only essential extensions, and avoid pirated software.
Minimize connections: give only limited approvals, review and revoke them regularly with a revoke tool, and start with a small test each time.
Q30: When approving a token, entering only a small approval amount fully guarantees asset safety. ( )
Correct Answer: False
Analysis:
Key takeaway: A small allowance only reduces the maximum loss per drain attempt. It is not absolute protection, because it cannot prevent repeated requests, upgraded approvals, or logic flaws in the contract. If the contract is malicious or later hacked or backdoored, even a small approval may still put all of your holdings of that token at risk.
Best practice: Approve only when needed, with limited amount and limited duration, and revoke approvals promptly after use.
Q31: When you receive a very small amount of airdropped tokens (Dust), the best thing to do is nothing, not even transferring them away. ( )
Correct Answer: True
Analysis:
Key takeaway: Dusting or phishing airdrops often try to lure you into interacting with a malicious contract, which may trigger approvals or other traps.
Best practice: Ignore or hide the token. Do not approve it, swap it, or transfer it. If needed, block it from display in your wallet.
Q32: The most reliable way to reduce transfer errors is to use the wallet's address book feature. ( )
Correct Answer: True
Analysis:
Key takeaway: An address book or whitelist stores verified recipient addresses and reduces the risk of clipboard tampering or manual mistakes during temporary copy-and-paste.
Best practice: Add frequently used addresses to the address book, enable extra confirmation for sensitive recipients, and run a small test transfer before large transfers.
Multiple Choice
Q33: Before connecting to a DApp, what should you check carefully? ( ) [Multiple Choice]
A. Whether the DApp is official and from a trusted source
B. Whether the website link is correct and secure (HTTPS, no look-alike domain)
C. Whether the wallet asks for unnecessary high-level permissions upon connection
D. Whether you reached it only through official channels
E. You do not need to check anything - just connect directly
Correct Answer: A / B / C / D
Analysis:
Key takeaway: Trusted entry point, correct domain, and least privilege are the three core checks.
Best practice: Enter through the official website, verify the domain certificate and spelling, and review each permission request carefully.
Q34: What is a phishing website? ( )
A. A fake website that imitates an official website and tricks you into entering your Recovery Phrase or Private Key
B. A site used only for trading obscure tokens
C. A site that only provides information and does not support trading
D. A site that offers free airdrops
Correct Answer: A
Analysis:
Key takeaway: A phishing site is designed to steal your credentials, signatures, or approvals.
Best practice: Never enter a Recovery Phrase on a website, verify the domain carefully, and use anti-phishing lists or browser protections.
Q35: What should you do if the token name prompted by the wallet during authorization does not match the name shown in your wallet? ( ) [Multiple Choice]
A. Ignore the warning and approve it anyway
B. Cancel the approval immediately and disconnect from the site
C. Try to edit the token name manually
D. Reconnect the wallet
E. Verify the contract address and token contract on a block explorer to confirm it is official
Correct Answer: B / E
Analysis:
Key takeaway: A mismatch in token name is a high-risk signal. Stop immediately and verify the contract address.
Best practice: Check the contract address, symbol, and official announcement on a block explorer. Only proceed with the minimum required approval after confirming it is safe.
Q36: What is a token approval management tool? ( )
A. A tool for checking historical token prices
B. A tool for checking all token approvals in your wallet
C. A tool for checking token issuer information
D. A tool for checking on-chain transaction status
Correct Answer: B
Analysis:
Key takeaway: A token approval management tool lets you review all token approval records for your wallet, and usually supports revoking approvals or reducing allowances.
Best practice: Review approvals regularly and revoke anything unnecessary or excessively large.
Q37: Why is transaction confirmation the most important security protection provided by a hardware wallet? ( )
A. Because transaction confirmation is done online
B. Because the hardware wallet screen shows complete transaction details, letting you confirm physically while the Private Key stays offline
C. Because a hardware wallet can block any transaction
D. Because the confirmation button is harder to press
Correct Answer: B
Analysis:
Key takeaway: A hardware wallet isolates the Private Key inside the device and shows critical transaction details on its own screen, including the address, chain, amount, and permissions. Only after you physically confirm on the device will it sign offline. This prevents you from signing something different from what you see on a compromised computer or webpage.
Best practice: Always verify the address, amount, chain, and contract on the hardware wallet screen before confirming.
Q38: What is a "Paste Hijacking" attack? ( )
A. Malware changes the address you copied in your clipboard
B. An attacker tricks you into clicking a fake approval link
C. A phishing email asks you to enter your Recovery Phrase
D. A stranger sends a small amount of tokens to your wallet to track your transactions
Correct Answer: A
Analysis:
Key takeaway: Clipboard hijacking means malware modifies clipboard contents and swaps the address you copied with the attacker's address.
Best practice: Verify the address character by character after pasting, prefer your address book or QR codes, and scan for malware regularly.
Q39: If your wallet prompts you to approve a contract during a transfer, what does that mean? ( )
A. You are sending assets directly to that contract
B. You are allowing that contract to transfer a specified amount of tokens from your wallet in the future
C. You are confirming an off-chain instruction
D. You are sharing your Private Key with that contract
Correct Answer: B
Analysis:
Key takeaway: An approval grants a contract future spending permission within the amount you set, so it can transfer that token from your wallet later without prompting you every time.
Best practice: Use the minimum required approval, keep it limited in amount and duration, and revoke it after use.
Q40: What risk do you take when you give a DApp an unlimited approval? ( )
A. Your wallet may be remotely controlled by a hacker
B. The contract can transfer all tokens of that type from your wallet without asking again
C. The contract can steal your Private Key
D. Unlimited approvals carry no real risk because they can always be revoked later
Correct Answer: B
Analysis:
Key takeaway: An unlimited approval means the contract can move an unlimited amount of that token without asking for permission again.
Best practice: Limit approval amounts, approve only when needed, revoke after use, and keep core assets in separate wallets.
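Added example (not part of the original quiz): a Python decoder for the request a wallet is asked to sign, covering the difference between a transfer and an approval (Q39), unlimited allowances (Q40), and on-chain revocation (Q27). It assumes an ERC-20 token on an EVM chain, which the quiz does not name, and treats an allowance of exactly 2^256 - 1 as unlimited; the spender address and function names are constructed for illustration.

```python
APPROVE = bytes.fromhex("095ea7b3")   # selector of approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
MAX_UINT256 = 2**256 - 1

SPENDER = "0x" + "ab" * 20            # constructed contract address


def encode_call(selector, address, amount):
    """Build sample calldata: selector + two 32-byte ABI words."""
    addr_word = bytes.fromhex(address[2:]).rjust(32, b"\x00")
    return "0x" + (selector + addr_word + amount.to_bytes(32, "big")).hex()


def describe_call(calldata_hex):
    """Explain what a token call would grant or move."""
    text = calldata_hex[2:] if calldata_hex.lower().startswith("0x") else calldata_hex
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        return {"kind": "unrecognised"}
    if len(raw) != 4 + 32 + 32:
        return {"kind": "unrecognised"}
    selector, addr_word, amount_word = raw[:4], raw[4:36], raw[36:]
    # An address occupies the low 20 bytes; the 12 padding bytes must be zero.
    if selector not in (APPROVE, TRANSFER) or any(addr_word[:12]):
        return {"kind": "unrecognised"}
    party = "0x" + addr_word[12:].hex()
    amount = int.from_bytes(amount_word, "big")
    if selector == TRANSFER:
        # Moves tokens once, now, to `party`.
        return {"kind": "transfer", "to": party, "amount": amount}
    # Grants `party` permission to pull up to `amount` later, without a prompt.
    if amount == 0:
        risk = "revoke"        # allowance set to zero: this is the on-chain revoke
    elif amount == MAX_UINT256:
        risk = "unlimited"     # spender can move the whole balance of this token
    else:
        risk = "limited"
    return {"kind": "approve", "spender": party, "amount": amount, "risk": risk}


if __name__ == "__main__":
    samples = {
        "unlimited approval": encode_call(APPROVE, SPENDER, MAX_UINT256),
        "limited approval": encode_call(APPROVE, SPENDER, 100 * 10**18),
        "revocation": encode_call(APPROVE, SPENDER, 0),
        "plain transfer": encode_call(TRANSFER, SPENDER, 5 * 10**18),
    }
    for name, data in samples.items():
        print(name, describe_call(data))
```

Disconnecting from a DApp produces none of these calls, so an existing allowance stays in force until a zero-allowance approval like the third sample is confirmed on-chain.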
Q41: If you receive an unknown token in a very small amount, what should you do? ( )
A. Transfer it out immediately to avoid being tracked
B. Sell it for another token
C. Ignore it and do not interact with it in any way
D. Contact the sender and ask what it is
Correct Answer: C
Analysis:
Key takeaway: Interacting with it may trigger malicious approvals or contract traps.
Best practice: Ignore or hide it. Do not interact.
Q42: If your last approval or transfer remains Pending for a long time, how should you handle it safely? ( )
A. Use the speed-up function in the same wallet to increase gas and prioritize the same transaction
B. Submit the same transaction repeatedly until one succeeds
C. Switch to another wallet or unknown DApp and resubmit the same transaction
D. Import your Recovery Phrase into a third-party website or tool that promises instant confirmation
Correct Answer: A
Analysis:
Key takeaway: A long Pending state is usually caused by low fees or network congestion. The safest method is to use the speed-up function in the same wallet and raise the fee moderately so validators prioritize that transaction.
Best practice:
Use Speed Up on the earliest pending transaction in the original wallet. If needed, top up a small amount of native token first to cover the higher fee.
If you want to cancel it, send a 0-value self-transfer or cancellation transaction with the same nonce and a higher fee.
Avoid operating the same account from multiple wallets or devices at the same time.
Never import your Recovery Phrase into unfamiliar websites or tools.
Check the mempool or network congestion and wait for fees to fall if necessary.
Q43: Before making a large transfer, what is the safest thing to do? ( )
A. Ask the recipient for their Private Key to verify identity
B. Send a small test transfer first, then send the larger amount after confirming receipt
C. Disconnect all network connections during the transaction
D. Save a screenshot of the transfer record
Correct Answer: B
Analysis:
Key takeaway: A small test transfer confirms that the address, network, and tags are correct.
Best practice: Confirm with a small transfer first, then move larger amounts in batches.
Q44: What should you do when you receive an airdropped token from a stranger that requires authorization to claim? ( )
A. Authorize and claim immediately to avoid missing out
B. Ignore the airdrop; do not perform any authorization or transaction
C. Transfer the token to another wallet first
D. Contact the project team to confirm whether it is real
Correct Answer: B
Analysis:
Key takeaway: Claiming an airdrop by approving a contract is a high-risk action, and the contract involved is often a phishing contract.
Best practice: Ignore it and do not interact. Participate only in trusted activities through official channels.
Q45: What is the main purpose of the signing function in a Web3 wallet? ( )
A. To confirm the uniqueness of a transaction
B. To verify identity and prove that you control the wallet
C. To transfer assets directly
D. To encrypt the Recovery Phrase
Correct Answer: B
Analysis:
Key takeaway: A signature proves that you control an address and confirms your intent. Both transactions and messages rely on signatures to verify origin.
Best practice: Sign only requests you fully understand, and stay alert to blind signing and approval-related signatures.
Q46: Why should you be especially cautious about unlimited approvals when interacting with a DApp? ( )
A. Because unlimited approvals consume more gas
B. Because unlimited approvals may let someone remotely control your wallet
C. Because a malicious contract, once granted unlimited allowance, can drain your assets at any time
D. Because unlimited approvals expose your Private Key
Correct Answer: C
Analysis:
Key takeaway: An unlimited approval gives the contract ongoing power to move that token.
Best practice: Use limited approvals, revoke after use, and keep core tokens in separate wallets.
Q47: If a DApp looks suspicious even though the page feels smooth and polished, what should you do? ( ) [Multiple Choice]
A. Connect your wallet immediately to test it
B. Close the page immediately and review / disconnect your wallet connection
C. Contact the site's customer service
D. Verify authenticity through the project's official channels or communities
Correct Answer: B / D
Analysis:
Key takeaway: A polished interface does not mean the site is safe. Fake sites often imitate the user experience closely.
Best practice: Disconnect and clear permissions first, then verify the domain and official announcements through the official website, X account, Discord, or Telegram.
Q48: What is the essence of approval risk? ( )
A. Authorizing your Private Key
B. Authorizing a malicious contract to transfer your assets
C. Authorizing your personal information
D. Authorizing your transaction history
Correct Answer: B
Analysis:
Key takeaway: What you are authorizing is spending power over your tokens, not your Private Key or personal privacy.
Best practice: Use the minimum approval necessary, approve only when needed, revoke after use, and review your approval list regularly.
Q49: What should you do if the wallet prompts you to pay high gas fees during a transaction? ( ) [Multiple Choice]
A. Cancel the transaction immediately
B. Check network congestion or wait for gas fees to drop
C. Contact customer support to understand the reason
D. Pay it immediately to make sure the transaction goes through fast
Correct Answer: B / C
Analysis:
Key takeaway: When a wallet shows high gas fees, do not act blindly. This is usually caused by network congestion or incorrect fee settings, such as an overly high priority fee.
Best practice:
Check the reason first: confirm current congestion and real-time gas levels on the relevant block explorer. If the network is congested, wait for fees to fall.
Contact support if you are confused by the fee prompt or settings, or if you suspect the wallet itself may have an issue.
Q50: Which of the following is the most effective way to reduce authorization risk? ( )
A. Give unlimited approvals to all commonly used DApps to avoid repeated confirmations
B. Use approval management tools regularly to review and revoke unnecessary approvals
C. Save your Recovery Phrase in a password manager so approvals are more convenient
D. Ignore the contract address and look only at whether the token name matches
Correct Answer: B
Analysis:
Key takeaway: An approval gives a contract permission to spend your tokens. Regularly reviewing and revoking unnecessary approvals is one of the most important habits for reducing long-term risk.
Best practice:
Use minimum approvals: approve only when needed, with limits on amount and duration.
Review and revoke regularly: use approval management tools to revoke approvals you no longer use or that have excessive allowances.
Verify the target: check whether the contract address and token contract are official before approving.
Separate accounts / use hardware wallets: keep high-value assets in separate addresses and verify transaction details on a hardware wallet screen.
Q51-Q75: Scam Prevention and Risk Response
True or False
Q51: If you forget your wallet's local password or fingerprint, your assets will be permanently lost. ( )
Correct Answer: False
Analysis:
Key takeaway: A local password only restricts access on that device. Your Recovery Phrase / Private Key is the final source of control.
Best practice: Restore the wallet in a compatible wallet with your Recovery Phrase or Private Key, and keep your Recovery Phrase stored safely offline.
Q52: Anyone who asks for your Recovery Phrase by any method is a scammer. ( )
Correct Answer: True
Analysis:
Key takeaway: Official staff, customer support, and administrators will never ask for your Recovery Phrase. Exposure means losing control of your assets.
Best practice: Never reveal it. If it has been exposed, migrate your assets to a new wallet immediately.
Q53: If someone has seen your Recovery Phrase but your assets have not yet been stolen, the wallet is still safe. ( )
Correct Answer: False
Analysis:
Key takeaway: Once the Recovery Phrase has been seen, the wallet can be restored on any device at any time. The attacker may simply not have acted yet.
Best practice: Immediately transfer your assets to a wallet created with a new Recovery Phrase and retire the old one.
Q54: If you accidentally visit a phishing website but do not enter any information, there is no risk. ( )
Correct Answer: False
Analysis:
Key takeaway: You may still trigger a wallet connection, blind signature request, permission grant, or malicious script injection.
Best practice: Close the page, disconnect the site in your wallet, clear permissions, and check for unusual approvals to revoke.
Q55: A wallet address can be made public because it does not grant permission to transfer assets. ( )
Correct Answer: True
Analysis:
Key takeaway: A wallet address is like your bank account number. Its only purpose is to receive assets. The spending power belongs to your Private Key, which is like the account password.
Best practice: Wallet addresses can be shared. Private Keys and Recovery Phrases must never be shared.
Q56: It is redundant to perform a small test transfer before a large one. ( )
Correct Answer: False
Analysis:
Key takeaway: A small test can reveal the wrong chain, wrong address, or missing Memo / Tag before a major mistake becomes expensive.
Best practice: Send a small test first, confirm it, and then move larger amounts in batches.
Q57: Only computers can get viruses. Phones do not affect wallet security. ( )
Correct Answer: False
Analysis:
Key takeaway: Phones can also be affected by trojans, clipboard hijacking, fake apps, and similar threats.
Best practice: Do not jailbreak or root the device, install as few unknown apps as possible, grant only necessary permissions, and use security or anti-phishing tools when appropriate.
Q58: If you choose the wrong network for a token transfer, the recipient will still receive the asset as long as the address is correct. ( )
Correct Answer: False
Analysis:
Key takeaway: Different chains are not automatically interoperable. Sending on the wrong network is often difficult or impossible to recover directly.
Best practice: Confirm the chain, network, and any Memo / Tag requirements before sending.
Q59: Paste hijacking only affects text messages and does not affect wallet addresses in the clipboard. ( )
Correct Answer: False
Analysis:
Key takeaway: Replacing copied transfer addresses is one of the most common forms of clipboard hijacking.
Best practice: Verify the address after pasting, prefer your address book or QR codes, and scan your device regularly for malware.
Q60: Keeping your phone or computer system and apps up to date helps defend against known security vulnerabilities. ( )
Correct Answer: True
Analysis:
Key takeaway: Security patches fix known vulnerabilities and significantly reduce risk.
Best practice: Use only official firmware and official app stores, and update through the official website or store entry.
Q61: Since blockchain transactions are irreversible, there is no need to take action after assets are stolen. ( )
Correct Answer: False
Analysis:
Key takeaway: Irreversible does not mean helpless. Although confirmed on-chain transfers are difficult to reverse, you can still reduce further loss through containment, tracking, freezing, and evidence preservation, and sometimes improve the odds of partial recovery or legal enforcement.
Best practice:
Contain the loss immediately: move remaining assets to a brand-new wallet with a new Recovery Phrase or new hardware wallet.
Report quickly: organize the theft transaction hash, destination addresses, and flow of funds, then contact exchange risk teams and wallet support to request on-chain labels or blacklisting where possible.
Preserve evidence: keep screenshots of transaction links, chat records, recipient addresses, and the timeline, and submit them in police reports or platform tickets.
Investigate the cause: review your device, browser extensions, approvals, recent signatures, and connected DApps; remove malicious extensions or apps; update your system and wallet to the latest official version.
Strengthen security afterward: separate hot and cold storage, use a multisig vault for large holdings, keep approvals minimal and reviewed regularly, enable whitelists, run small tests, and verify details on trusted device screens.
Multiple Choice
Q62: You receive a DM from an "admin" on Discord/Telegram asking you to click a link to "verify your wallet" or "sync assets." What is the correct action? ( )
A. Click the link and connect your wallet immediately
B. Ask for the admin's ID badge before proceeding
C. Ignore and block the sender, then return to the project's pinned official announcement to verify the link, and report if necessary
D. Try signing with a small amount first
Correct Answer: C
Analysis:
Key takeaway: Official teams do not ask for wallet operations in private messages. Verification or synchronization requests are often phishing.
Best practice: Trust only official websites and public announcements. Block and report suspicious private-message links.
Q63: A stranger claims they can remotely help solve your wallet problem and asks you to install remote-control software. What should you do? ( ) [Multiple Choice]
A. Accept the remote support
B. Stop communication immediately and report to the platform
C. Try to negotiate first
D. Download the software but only allow view access
E. Seek help only through verifiable official customer support channels or ticket systems
Correct Answer: B / E
Analysis:
Key takeaway: Remote control is extremely high risk and is commonly used to steal credentials or induce malicious approvals.
Best practice: Cut off contact, report the account, and use only verifiable official support channels.
Q64: How should you handle a project claiming "guaranteed high returns" and "zero risk"? ( ) [Multiple Choice]
A. It is highly likely to be a Ponzi or scam, so stay cautious
B. Test it with a small amount first and add more after breaking even
C. Trust only the official website and public announcements, and never connect, approve, or transfer on an unfamiliar page
D. If it shows an audit report and profit screenshots, it is safe to join
Correct Answer: A / C
Analysis:
Key takeaway: Promises like guaranteed principal, high yield, or daily returns are classic Ponzi-style language.
Best practice: Use only official entry points. Never connect, approve, or transfer on unfamiliar pages.
Q65: What are the core risks of "Vanity Address" (premium address) scams? ( ) [Multiple Choice]
A. The seller may keep or record the Private Key or Recovery Phrase and take the funds at any time
B. Such addresses are often mass-generated by scripts and archived for later theft
C. If the address can be found on-chain, it proves the purchased vanity address is safe
D. After purchase, you can simply change the Private Key or reset the Recovery Phrase and keep using the address safely
Correct Answer: A / B
Analysis:
Key takeaway: If someone else generated it, someone else knows the key.
Best practice: Generate your own Recovery Phrase and addresses. Never buy pre-made addresses.
Q66: What are common scams in over-the-counter (OTC) trading? ( ) [Multiple Choice]
A. Suddenly canceling the transaction
B. Receiving the asset but refusing to pay / chargeback after payment
C. Planting malware on your device
D. Forging or tampering with payment screenshots or on-chain proof
Correct Answer: B / C / D
Analysis:
Key takeaway: Fake proof, technical compromise, and refusing payment after receiving assets are the most common patterns.
Best practice: Rely on actual on-chain confirmation or confirmed fiat settlement, and use escrow or trusted intermediaries whenever possible.
Q67: Which of the following are signs that you are facing a fake official loan scam? ( ) [Multiple Choice]
A. Claiming to be official support, promising low interest and instant approval, but asking you to pay a "security deposit" or "unfreezing fee" first
B. Asking you to download non-official software or visit unknown websites
C. Asking you to transfer funds to a "regulatory account" for verification
D. Asking for your Recovery Phrase due to a "system upgrade" or "limit freeze"
E. Only asking for your bank card and personal info
Correct Answer: A / B / C / D
Analysis:
Key takeaway: Anyone claiming to be official support while asking you to transfer funds to a so-called supervision or verification account, download software through unofficial channels, visit unfamiliar sites, or provide your Recovery Phrase or verification codes is definitely running a scam. Legitimate institutions will not ask you to transfer funds off-platform or reveal your Recovery Phrase.
Best practice:
Use only official channels: operate only through the official app or the official website of a known platform. Do not click unknown links or download unknown software.
Protect sensitive information: never reveal your wallet's Recovery Phrase or Private Key to anyone under any circumstances.
Q68: What is a hardware wallet "Supply Chain Attack"? ( ) [Multiple Choice]
A. A hardware wallet is tampered with by malicious parties before sale, such as through malicious firmware or chips
B. A dishonest seller raises the price maliciously
C. An attacker impersonates the official brand and offers free tampered devices in a giveaway
D. A scammer sells tampered and repackaged genuine devices through unauthorized channels at a low price
Correct Answer: A / C / D
Analysis:
Key takeaway: If the device is compromised at the source, later caution may not be enough to save you.
Best practice:
Buy only from official channels.
Inspect the tamper seal and serial number, and verify activation time through the official check where available.
Initialize the device yourself from scratch, generate the Recovery Phrase on the device itself, and never photograph or upload it.
If you notice anything abnormal, such as a pre-set Recovery Phrase or suspicious packaging, stop using the device and contact official support immediately.
Q69: What are the correct habits when using a browser extension wallet with DApps? ( ) [Multiple Choice]
A. Approve unlimited allowances immediately
B. Verify the domain, HTTPS, and official entry point
C. Enter your Recovery Phrase on the webpage for verification
D. Close the browser and restart the computer
E. Use only the minimum required approvals and revoke them promptly after use
Correct Answer: B / E
Analysis:
Key takeaway: Trust the entry point and minimize permissions.
Best practice: Use only the official domain, grant limited approvals, and revoke them after use.
Q70: What is a "Multi-signature Scam"? ( ) [Multiple Choice]
A. Scammers use fake wallets/phishing to get your key, then change your account to a multi-sig so you can't move funds without them
B. In a TRX wallet, a transfer error such as SIGERROR may indicate the permissions were tampered with and changed to multisig, so you can no longer transfer alone
C. This scam happens only on Bitcoin and has nothing to do with TRX
D. The scammer tricks you into continuing to deposit assets, then uses co-signature or permission control to steal them all at once later
Correct Answer: A / B / D
Analysis:
Key takeaway: A multisig scam is an advanced fraud pattern. The scammer steals your wallet control or Private Key, then changes the account permissions to multisig. After that, you can no longer transfer funds alone, and your assets are effectively under their control.
Best practice: If transfers start failing abnormally, especially with errors like SIGERROR, and you suspect your key may be exposed, stop transferring funds into that wallet immediately. Create and use a new secure wallet address as soon as possible, and move any other assets you still control on other chains.
Q71: Besides checking the address, what is a safer way to prevent "Address Poisoning"? ( )
A. Enter the address manually every time
B. Add frequently used addresses to an address book / whitelist and choose only from there
C. Transfer only to people you know
D. Use only centralized exchanges
Correct Answer: B
Analysis:
Key takeaway: An address book or whitelist significantly reduces the risk of look-alike addresses and clipboard tampering.
Best practice: Build a trusted address book and send a small test amount before large transfers.
Q72: While browsing a webpage, your wallet suddenly pops up a signature request even though you were not taking any action. What should you do? ( )
A. Sign immediately
B. Close the webpage, check and disconnect the wallet connection, then review and clear approvals
C. Refresh the page
D. Contact the webpage's support team
Correct Answer: B
Analysis:
Key takeaway: A signature request that appears when you did nothing is often caused by a malicious script, phishing front end, or deep-link trick. Close the page immediately, disconnect the site in your wallet, clear the connected-session history, and review suspicious approvals with an approval tool such as Revoke.cash.
Best practice: Disconnect, clear permissions, and investigate the source, including installed plugins.
Q73: If the recipient address shown during a transfer is different from the one you copied, what is the most likely cause? ( )
A. A system error on the trading platform
B. The device is infected with "Paste Hijacking" malware
C. An unstable network
D. The wallet has been hacked directly
Correct Answer: B
Analysis:
Key takeaway: If the pasted address differs from the one you copied, the most likely cause is clipboard-hijacking malware on your device. This type of malware monitors your clipboard and replaces wallet addresses with the scammer's address as soon as it detects one.
Best practice:
Build the habit of checking: after pasting an address, always verify the beginning and end characters and, ideally, more of the address.
Keep the device secure: scan your phone or computer regularly, install apps only from official channels, and avoid suspicious links.
Use a hardware wallet for large transfers so final address verification and signing happen on the trusted device.
Q74: Why is it not recommended to back up wallet data or Recovery Phrases to the cloud? ( )
A. It takes up space
B. It may be hacked or leaked, and it can automatically sync across multiple devices
C. It slows the device down
D. It costs money
Correct Answer: B
Analysis:
Key takeaway: Cloud storage means online exposure. Once leaked, you lose control.
Best practice: Store Recovery Phrases offline on paper or metal, and keep copies separately when needed.
Q75: You receive a text from a stranger claiming your wallet will stop service and asking you to click a link to "update." What should you do? ( ) [Multiple Choice]
A. Click the link immediately and follow the instructions to restore withdrawals
B. Contact the official customer service to verify the message
C. Ignore and delete the message, because a decentralized wallet would not know your phone number
D. Visit the official website via your browser for a self-check
Correct Answer: B / C
Analysis:
Key takeaway: This is a classic phishing text scam. Any message claiming suspended withdrawals or frozen accounts and demanding urgent action through an unknown link is a scam.
Best practice:
Recognize the scam: your assets are recorded on the blockchain, and no third party can suspend your withdrawals.
Verify through trusted channels: official teams do not proactively contact users by text or phone. If you have doubts, use the official channel you already know, not the information in the text message.
Protect your assets: delete the message, do not click any links, and do not call any numbers provided in the message.
Q76-Q100: Advanced Practices and Concept Corrections
True or False
Q76: Even if a hardware wallet is connected to a virus-infected computer, the assets remain safe. ( )
Correct Answer: True
Analysis:
Key takeaway: The core design of a hardware wallet is to fully isolate the Private Key from internet-connected devices. Even when connected to an infected computer, the Private Key never leaves the secure chip inside the hardware wallet.
Best practice: Stay alert anyway. The hardware wallet itself may remain secure, but malware on the computer may tamper with the displayed transaction details and try to trick you into confirming the wrong transaction. Always verify the address and amount on the hardware wallet screen.
Q77: A Recovery Phrase is equivalent to the wallet itself. As long as it is not leaked, the assets are safe. ( )
Correct Answer: False
Analysis:
Key takeaway: A Recovery Phrase is the master key to your wallet, but it does not protect you from malicious signature or approval scams. Even if the Recovery Phrase is not leaked, your assets can still be at risk if you are tricked into approving a malicious contract from your wallet address.
Best practice:
Protect the Recovery Phrase: keep it offline in a secure location. Do not photograph it, put it online, or store it on any electronic device.
Be cautious with approvals: every transfer and transaction needs your signature. Before approving anything, verify the details carefully and make sure you are interacting with a trusted official contract.
Review approvals regularly: use approval tools such as Revoke.cash to check your wallet address and remove unnecessary or high-risk approvals in time.
Q78: DApp links found via Search Engines/AI can be trusted as long as they look official. ( )
Correct Answer: False
Analysis:
Key takeaway: Search engine or AI results may contain ads or phishing sites disguised as official websites. Once you connect your wallet and sign or approve, you may be giving permissions to a malicious contract or confirming a high-risk transaction that drains your assets.
Best practice: Verify official links through multiple channels, check the domain carefully, and review every signature / approval request before confirming. Cancel anything you do not understand.
Q79: If I give a DApp an unlimited approval, my assets are safe as long as I do not make any transactions. ( )
Correct Answer: False
Analysis:
Key takeaway: A contract with unlimited approval can transfer that token at any time, whether or not you actively initiate a transaction.
Best practice: Use limited approvals, revoke them after use, and grant only the necessary amount to trusted contracts.
Q80: If a pop-up says Sign rather than Transfer, it is safe to confirm because signing does not create asset risk. ( )
Correct Answer: False
Analysis:
Key takeaway: Sign does not mean safe. A signature may still be used to authorize a contract, grant transfer permissions, or confirm a high-risk action that can drain assets or give long-term control over the wallet.
Best practice:
Check the source and domain first: sign only through official or trusted links.
Review the content carefully: if you do not understand the request, cancel it.
When in doubt, refuse: reject any signature request that did not come from an action you intentionally initiated, disconnect the site, and review approvals if needed.
Q81: Any decentralized wallet can fully restore all my assets as long as the Recovery Phrase is correct. ( )
Correct Answer: False
Analysis:
Key takeaway: Different wallets may use different derivation paths or default chain support. Not everything can always be restored automatically from a single Recovery Phrase alone.
Best practice:
Confirm the derivation path: most wallets follow BIP39 / BIP44, but when switching wallets, confirm that the same derivation path is used.
Add tokens manually if needed: some wallets do not display all tokens automatically, so you may need to add token contract addresses yourself.
Watch for special cases: if the wallet used a BIP39 passphrase or a multisig setup, you must also provide that additional information during recovery.
Q82: Multi-sig wallets are primarily suitable for individual daily transactions. ( )
Correct Answer: False
Analysis:
Key takeaway: Multi-sig focuses on risk control and shared custody. It is better suited to team treasuries or large-value storage than to frequent small daily spending.
Best practice: For everyday personal use, use a hot wallet or hardware wallet instead.
Q83: Writing down a Recovery Phrase on paper and locking it in a safe is an absolutely secure backup method. ( )
Correct Answer: False
Analysis:
Key takeaway: Paper is vulnerable to fire, water, and decay.
Best practice: Use a metal backup or store multiple copies in separate locations.
Q84: Official customer support will never proactively contact you through private messages, phone calls, or text messages. ( )
Correct Answer: True
Analysis:
Key takeaway: Genuine official support communicates only through the official website, in-app support channels, or ticket systems. They will not contact you first by private message or phone.
Best practice: No matter who contacts you, verify them independently on the official website first. Never provide your keys or click unfamiliar links.
Q85: In OTC trading, even if the counterparty provides proof of payment, you should still wait for on-chain confirmation before releasing assets. ( )
Correct Answer: True
Analysis:
Key takeaway:
Proof does not equal settlement: bank screenshots, receipts, and even TXID links can be forged. Fiat transfers may be frozen or reversed, and on-chain screenshots can also be faked.
Use actual confirmation as the standard: rely on the block explorer result you verify yourself, and release assets only after the funds have reached your address and the usual confirmation count is met.
Best practice: Use escrow or a trusted guarantee service, and do not release assets before confirmed settlement.
Q86: Even if I forget my wallet's local password, I can still recover my assets by re-importing the wallet as long as my Recovery Phrase backup is intact. ( )
Correct Answer: True
Analysis:
Key takeaway: The Recovery Phrase is the final recovery credential.
Best practice: Restore with the Recovery Phrase in a compatible wallet and keep the phrase stored safely offline.
Q87: A blockchain explorer such as Etherscan can be used to track transaction status and view all tokens and history under an address. ( )
Correct Answer: True
Analysis:
Key takeaway: A block explorer provides public data such as transactions, token holdings, approvals, and history.
Best practice: Learn how to use an explorer to check transaction status, approvals, and token contracts.
Q88: If a phone is infected, uninstalling and reinstalling the wallet app will remove all security risks. ( )
Correct Answer: False
Analysis:
Key takeaway: Malware often persists at the system level, so removing the wallet app is not enough. Once credentials are exposed, asset loss may already be possible.
Best practice:
Create a new wallet with a new Recovery Phrase on a brand-new clean device or hardware wallet, and move assets to the new address.
On the infected phone, perform a factory reset or reinstall official firmware, remove suspicious profiles or certificates, update the system fully, and install apps only from official stores.
Afterward, revoke high-risk approvals, change important account passwords, and enable 2FA.
Q89: When using a hardware wallet to make a transaction, the signature is completed inside the device's secure chip. ( )
Correct Answer: True
Analysis:
Key takeaway: The Private Key is generated and used for signing inside the secure chip and never leaves the device.
Best practice: Verify the information on the device screen before confirming.
Q90: As long as a wallet app is official, you can ignore other security warnings. ( )
Correct Answer: False
Analysis:
Key takeaway: Even an official app can still be used unsafely and remains exposed to phishing links, malicious approvals, and clipboard hijacking.
Best practice: Download from the official entry point, approve cautiously, revoke regularly, and keep system security updates enabled.
Multiple Choice
Q91: What is a "Derivation Path"? ( )
A. The random algorithm used by a wallet to generate a Recovery Phrase
B. A tool for tracking the path of a transaction on the blockchain
C. A path rule used to determine how addresses are derived and arranged in a wallet
D. The algorithm that turns a Recovery Phrase into a Private Key
Correct Answer: C
Analysis:
Key takeaway: A derivation path, such as m/44'/60'/0'/0/0, defines the position rule from a seed to a specific address or Private Key. Common standards include BIP32 and BIP44.
Best practice: Keep the same derivation path when restoring across wallets so the addresses remain consistent.
Q92: What should you do if the transaction info on your hardware wallet screen doesn't match the computer? ( )
A. Ignore the hardware wallet screen and trust the computer screen
B. Stop immediately and disconnect the hardware wallet
C. Refresh the computer page and see whether it syncs
D. Complete the transaction first and ask official support for help later
Correct Answer: B
Analysis:
Key takeaway: The hardware wallet screen is the final trusted source because it shows transaction data parsed by the device itself in an offline, trusted environment. The computer, browser, and DApp front end can all be tampered with by malicious scripts, phishing pages, or man-in-the-middle attacks. If the two displays do not match, treat it as a risky transaction and stop immediately.
Best practice:
Unplug the cable or disconnect Bluetooth, and cancel the signing request.
Close suspicious webpages or extensions, clear cache and review installed plugins, and re-enter only through the official website.
Compare the recipient address, amount, chain, and contract method carefully through a block explorer and the hardware wallet screen.
If necessary, switch to a clean computer or browser profile and update firmware and the official app.
If you already signed by mistake, revoke approvals as soon as possible, move assets to a new address, and monitor for abnormal activity.
Q93: What is a "Multi-signature Wallet"? ( )
A. A wallet that can manage assets across multiple chains at the same time
B. A wallet that requires multiple Private Keys to co-sign a transaction
C. A wallet that can be used simultaneously on multiple devices
D. A wallet that supports many tokens for trading
Correct Answer: B
Analysis:
Key takeaway: A multisig wallet requires multiple Private Keys to sign together before a transfer can be completed. Common setups include 2-of-3 or 3-of-5.
Best practice:
Set a reasonable threshold and separate signers across different people, devices, and locations, ideally using hardware wallets as signing devices.
Back up each key and all recovery parameters separately, including the threshold, signer addresses / public keys, contract address, and chain.
Run small drills to verify the signing flow, signer replacement, and recovery process before using it for large funds.
Q94: What is the purpose of a security-tool navigation site? ( )
A. To check approvals, monitor risk, and improve security
B. To generate tokens
C. To claim free airdrops
D. To increase internet speed
Correct Answer: A
Analysis:
Key takeaway: It provides a central entry point for approval scanning, blacklist or phishing monitoring, risk assessment, incident response guides, and other security tools.
Best practice: Review your wallet regularly with approval scans and risk alerts, revoke suspicious permissions promptly, and use these tools only through official entry points.
Q95: What should you do first after discovering that assets have been stolen from your wallet? ( )
A. Immediately transfer the remaining assets to a secure address
B. Report to the police and contact wallet support immediately
C. Delete the wallet app and disconnect from the internet
D. Stay calm and analyze the cause first
Correct Answer: A
Analysis:
Key takeaway: Once theft is detected, the Recovery Phrase or Private Key should be treated as exposed. All addresses under the same Recovery Phrase may be unsafe. Your first priority is to stop further loss by moving the remaining assets.
Best practice:
Move the assets: create a new wallet with a new Recovery Phrase on a clean device, ideally with a hardware wallet, and transfer all remaining assets to the new address.
Record evidence: save the transaction hash, suspicious links or chat records, and the related addresses.
Investigate and respond: revoke high-risk approvals, update your device and wallet, and avoid importing the old Recovery Phrase on the old device again.
Seek external help: report to law enforcement and contact any involved exchanges or platforms to request assistance with tracking or freezing.
Improve future protection: separate storage, use hardware wallets or cold-signing for important funds, and review approvals regularly.
Q96: Why is it not recommended to keep all large-value assets in a single hot wallet? ( )
A. Hot wallets are slower than cold wallets
B. Hot wallets are more exposed to online threats and network-based attacks
C. Hot wallets do not support multiple tokens
D. Hot wallets have higher transaction fees
Correct Answer: B
Analysis:
Key takeaway:
A hot wallet stays connected to the internet and often interacts with websites and contracts, so its attack surface is larger.
Its Private Key is stored locally on the phone. If the phone is compromised by malware, malicious apps, or system vulnerabilities, local data such as the Private Key, Recovery Phrase, or clipboard content may be stolen.
Putting all large funds into one hot wallet creates a single point of failure.
Best practice: Separate hot and cold storage.
Store large or long-term holdings in a hardware wallet or multisig vault.
Keep only smaller daily-use amounts in a hot wallet for payments and DApp interactions.
Install apps only from official sources, keep the system updated, and review and revoke approvals regularly.
Q97: What is the greatest risk of using an unverified browser extension wallet? ( )
A. The extension may be a phishing tool designed to steal your Recovery Phrase or Private Key
B. Your browser may become slow
C. You may be unable to interact with DApps
D. Your transaction history may not be saved
Correct Answer: A
Analysis:
Key takeaway: An untrusted or unofficial extension may contain malicious code that shows fake approval prompts, forges signature pages, or tricks you into entering your Recovery Phrase or Private Key, leading directly to asset theft.
Best practice: Use only officially released or openly audited wallets, and access them through the official website landing page.
Q98: What is an "On-chain Label/Tag"? ( )
A. A note attached to a suspicious address on the blockchain to warn users
B. A permanent label created for a token on the blockchain
C. A record of all token names in your wallet
D. A record of the timestamp when a transaction was included
Correct Answer: A
Analysis:
Key takeaway: On-chain labels are commonly added by security teams, block explorers, or the community to identify scam addresses, hacker addresses, money-laundering addresses, and other suspicious entities.
Best practice:
Check before sending: search the counterparty address in a block explorer or security tool and look for risk labels or unusual history.
Review after receiving: if you receive assets from an unknown address with a risk label, do not interact with them and report if necessary.
Cross-check multiple sources: labels may be delayed or imperfect, so compare several trusted sources before making a decision.
Maintain anti-scam habits: be careful with dusting transactions and unknown sources.
Q99: In DApp interactions, what is the main difference between a signature and an approval? ( )
A. A signature confirms intent, while an approval grants spending permission over assets
B. A signature can be revoked, but an approval cannot
C. A signature requires gas, but an approval does not
D. A signature can be used for login, while an approval can only be used for trading
Correct Answer: A
Analysis:
Key takeaway:
Signature: you use your Private Key to confirm or acknowledge a piece of content, such as logging in, agreeing to terms, or initiating a transaction. By itself, it does not grant token spending rights.
Approval: you allow a contract or address to spend a specific token from your wallet within a defined allowance. Once it takes effect, that party can transfer your tokens according to the rule until you change or revoke the approval.
Best practice:
Use minimum approvals: if a one-time or limited approval works, do not choose unlimited approval.
Review and revoke regularly: set unused or unknown approvals back to 0.
Read signatures carefully: for EIP-712 pop-ups, verify the domain, contract, method, amount, and duration. On a hardware wallet, trust the device screen.
If you do not understand it, do not sign it.
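
Added example, not part of the original quiz and not imKey code: a Python check that pulls out the fields the Q99 best practice says to verify in an EIP-712 request (domain, contract, method, amount, duration) and flags an unlimited amount or a long validity period. It uses an ERC-2612 Permit as the message type; the addresses, the trusted-contract set, and the 24-hour limit are constructed assumptions.

```python
MAX_UINT256 = 2**256 - 1
MAX_VALID_SECONDS = 24 * 3600  # assumed policy limit for this example

def to_int(v):
    """Typed-data numbers arrive as int, decimal string or 0x-hex string."""
    return v if isinstance(v, int) else int(str(v), 0)

def review_typed_data(typed, wallet_chain_id, trusted_contracts, now):
    """Return (summary, warnings) for one EIP-712 signing request."""
    domain, msg = typed.get("domain", {}), typed.get("message", {})
    contract = str(domain.get("verifyingContract", "")).lower()
    summary = {"domain": domain.get("name"), "contract": contract,
               "method": typed.get("primaryType")}
    warnings = []
    if "chainId" not in domain or to_int(domain["chainId"]) != wallet_chain_id:
        warnings.append("chainId missing or different from the wallet's network")
    if contract not in trusted_contracts:
        warnings.append("verifyingContract is not one you recognise")
    if summary["method"] == "Permit":  # ERC-2612: the message carries an allowance
        amount, deadline = to_int(msg["value"]), to_int(msg["deadline"])
        summary.update(spender=str(msg["spender"]).lower(), amount=amount,
                       valid_seconds=deadline - now)
        if amount == MAX_UINT256:
            warnings.append("amount is unlimited")
        if deadline - now > MAX_VALID_SECONDS:
            warnings.append("deadline is further away than the allowed duration")
    return summary, warnings

# Constructed sample request: placeholder addresses, not real contracts.
TOKEN = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20
NOW = 1_700_000_000  # fixed timestamp so the result is reproducible
SAMPLE = {
    "domain": {"name": "ExampleToken", "version": "1", "chainId": "0x1",
               "verifyingContract": TOKEN},
    "primaryType": "Permit",
    "message": {"owner": "0x" + "33" * 20, "spender": SPENDER,
                "value": str(MAX_UINT256), "nonce": 0,
                "deadline": NOW + 365 * 24 * 3600},
}

if __name__ == "__main__":
    summary, warnings = review_typed_data(SAMPLE, 1, {TOKEN}, NOW)
    print(summary)
    for w in warnings:
        print("WARNING:", w)
```
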
Q100: Which of the following is NOT an advantage of a Cold Wallet? ( )
A. Assets are stored offline for the long term, providing a high level of security
B. It is less vulnerable to hackers
C. The transaction process is relatively complex and not suitable for high-frequency use
D. It is suitable for long-term storage of large-value assets
Correct Answer: C
Analysis:
Key takeaway:
A Cold Wallet is advantageous because it stays offline, is harder to attack, and is suitable for storing large-value assets for the long term.
A more complex transaction process and lower convenience for frequent use are disadvantages, not advantages. That is why C is not an advantage.
Best practice:
Separate hot and cold storage: keep large, long-term assets in a Cold Wallet and use a hot wallet for small, frequent interactions.
When transferring, verify the address and amount on the device screen, back up your Recovery Phrase and any passphrase properly, and update firmware and apps only through official channels.
Important Notice: imKey sells physical security hardware products only and does not provide any virtual asset trading, custody, or funds-related services. References to third-party wallets, exchanges, or decentralized applications are for compatibility purposes only; related functions and services are provided independently by third parties.