Preface
“Not Your Keys, Not Your Coins” is the most important principle for protecting crypto assets.
Crypto assets are becoming part of everyday life. Your blockchain wallet is not just an app for managing tokens. It is your gateway to Web3, tied to your identity, assets, and on-chain activity. Yet one reality is hard to ignore: most people are still not prepared to use it safely.
We keep seeing the same types of losses:
· saving a Recovery Phrase in cloud storage,
· downloading a fake wallet,
· tapping a suspicious airdrop link,
· signing approvals carelessly.
Most of these losses are not caused by technology failing. They are caused by misunderstanding, complacency, or neglect.
This manual does not pile on jargon or try to create fear. It explains the security points that truly matter in plain language. It is an entry-level wallet security handbook that you can use both as a quick reference and as a practical guide to building risk awareness and avoiding common traps.
Why did we write this manual?
Many users do not start with a safe foundation when they first use a wallet. For example:
· They only partly understand the difference between a Recovery Phrase and a Private Key.
· They do not understand the basic logic of on-chain transactions and account behavior.
· They underestimate the risks of approvals, signatures, and other critical actions.
· When something goes wrong, they do not know whether recovery is still possible or what to do next.
We hope this *Wallet Security Manual* can accompany you from the very beginning and help you gradually build both confidence and control in the way you use wallets.
Who is this manual for?
· If you just downloaded a wallet and do not know how to take the first step;
· If you have already made on-chain transactions but are still confused about approvals, signatures, and contracts;
· If you worry about how to recover your assets after losing a wallet or damaging a device;
· If you have run into problems but never found a clear explanation;
then this manual is for you.
You do not need to become a blockchain expert, but you should build the basic security skills needed to protect your on-chain assets.
What will you gain from this manual?
· Learn how to create and back up a wallet correctly and securely.
· Learn how to identify fake links, fake wallets, and phishing approval requests.
· Learn how to avoid common traps in transfers, approvals, and DApp interactions.
· Build security habits that fit your own needs.
· Develop basic judgment and response skills when problems arise.
We hope this manual is practical, clear, and easy to revisit—something you can keep as a long-term reference throughout your digital journey.
Final note
As the *Blockchain Dark Forest Self-Help Manual* puts it:
Always maintain zero trust, and keep verifying everything you suspect.
Even if you do not finish reading the entire manual, remembering those two points alone will greatly improve your ability to protect your assets.
We invite you to explore this world of opportunity and risk with steadier steps. That is why this manual exists.
Part I: 100 Wallet Security Questions
Chapter 1 | Wallet Basics: Essential Security Knowledge You Need
1.1 What Is a Wallet? How It Protects Your Crypto Assets
Q1: What is a blockchain wallet? Is it the same as a bank account?
A: A blockchain wallet is different from a bank account. It is more like a keychain or an identity credential manager. It does not store your crypto assets themselves. Instead, it stores a set of Private Keys used to access and manage your assets on the blockchain. Your crypto assets always remain on-chain. The wallet simply helps you hold the keys securely and provides an interface for using them.
Q2: What is the relationship between a wallet and crypto assets?
A: Crypto assets always exist on the blockchain, not inside the wallet. A wallet generates and stores your Private Keys and helps you use those keys to sign transactions, so you can transfer assets or grant approvals. The real value lies in the assets on-chain. A wallet is the security tool you use to manage them.
Q3: Why is control more important than ownership in a wallet?
A: In the blockchain world, whoever controls the Private Key effectively controls the assets. From the chain’s perspective, the only thing that matters is whether a transaction is signed with the correct Private Key. Holding a wallet does not automatically mean your assets are safe. Once the Private Key is exposed, someone else can make a valid on-chain transfer, and the system cannot tell who the “real owner” is or recover the funds for you. Exclusive and complete control of the Private Key is the true foundation of ownership.
Q4: How does a wallet connect to the blockchain?
A: A wallet is not the blockchain itself. It is a tool that helps you “talk” to the blockchain. When you make a transfer, you use your Private Key to digitally sign the transaction. The wallet then sends the signed transaction to nodes in the blockchain network. After the nodes verify the signature, the transaction is included in a block and written to the chain. Your on-chain asset state is then updated.
Q5: What is a custodial wallet? What are its features?
A: A custodial wallet is a wallet where a platform manages the Private Keys for you, such as an exchange account. You can register with a phone number or email address, send and receive crypto, and often recover your password. The experience is similar to online banking or a payment app. The trade-off is that the Private Keys are not in your hands. If the platform is hacked, becomes insolvent, freezes your account, or misuses funds, you share that risk.
Q6: What is a non-custodial wallet? What is the biggest difference between it and a custodial wallet?
A: A non-custodial wallet is a wallet where you control your own Private Keys. The keys are generated and stored locally, are not uploaded to a server, and cannot be recovered by the platform for you. The biggest difference from a custodial wallet is that you truly hold the keys and therefore truly control your on-chain assets. At the same time, you are fully responsible for backing up and protecting your Recovery Phrase or Private Key. If it is lost or exposed, there is no customer service channel that can restore it for you.
Q7: How should I choose between a custodial wallet and a non-custodial wallet?
A: A simple comparison is:
Custodial wallet
Best for beginners, small balances, and frequent trading. It is easy to use, supports account recovery, and usually offers customer service. The risk is that you must highly trust the platform, which may be hacked, freeze accounts, or misuse assets.
Non-custodial wallet
Best for long-term holding, larger balances, and users who value privacy and sovereignty. You keep the Private Keys yourself and have more independent control over your assets. The risk is that if your Private Key or Recovery Phrase is lost or exposed, the assets cannot be recovered.
Recommendation: Consider splitting assets by purpose. Keep smaller, frequently used funds on custodial platforms, and store larger long-term holdings in a non-custodial wallet.
1.2 Private Keys, Recovery Phrases, Public Keys, and Addresses Explained
Q8: What is a Private Key?
A: A Private Key is a secret string generated by cryptographic algorithms. It is often represented as a 64-character hexadecimal string, for example: `56f759ece75f0ab1b783893cbe390288978d4d4ff24dd233245b4285fcc31cf6` (example only; do not copy). It proves your control over a blockchain address and the assets associated with it. When you initiate a transaction, the wallet uses the Private Key to sign it.
Key points:
· Only you should know your Private Key. Never expose it.
· A Private Key is not stored on the blockchain. It is generated and stored locally on your device.
· Whoever holds the Private Key controls the assets at that address. You can also restore access on a new device by importing the Private Key or Recovery Phrase.
Q9: What is a Recovery Phrase? How is it related to a Private Key, and why is it better for backup?
A: A Recovery Phrase is a set of 12, 18, or 24 English words generated according to a standard algorithm. It is a human-readable backup form of your wallet’s root seed. From it, all of your Private Keys, Public Keys, and addresses can be derived. If you back up the Recovery Phrase securely, you can fully restore the wallet on a new device even if your phone is lost or replaced. Compared with backing up a Private Key directly, a Recovery Phrase is shorter, easier to write down, and less prone to mistakes, so it has become the mainstream backup method.
Important notes:
· A Recovery Phrase is not just any random group of words. It must come from a specific word list, such as BIP39, and follow the standard.
· Whoever has the Recovery Phrase controls all assets in that wallet.
· Never save a Recovery Phrase in screenshots, cloud storage, or email. Use offline backup methods instead, such as writing it down on paper or storing it in a dedicated metal backup device.
Q10: I only backed up my Recovery Phrase. If I lose the Private Key, can I still recover my assets?
A: Yes. The Recovery Phrase is the root seed of your wallet and can regenerate the corresponding Private Keys and addresses. As long as it was backed up accurately and securely, you can import it into any wallet that supports the same standards, such as BIP39 or BIP44, and fully regain control of the original wallet and its on-chain assets.
Q11: What is a Public Key? What is it mainly used for?
A: A Public Key is derived from a Private Key using a one-way cryptographic algorithm, such as elliptic curve cryptography. A Public Key can be derived from a Private Key, but it is almost impossible to reverse the process and derive the Private Key from the Public Key. Public Keys are mainly used to verify signatures generated by the Private Key and to serve as the basis for generating wallet addresses. A Public Key can be shared safely. It cannot be used to derive your Private Key or move your assets.
Q12: What is a wallet address? How is it related to a Public Key? Can I share it publicly?
A: A wallet address is a string generated from the Public Key through hashing and other processing. It is your public identifier on the blockchain and can be understood as your receiving account. It is derived one-way from the Public Key, and it is almost impossible to reverse it back to the Public Key or Private Key. You can safely share your wallet address so others can send assets to you. By itself, it cannot be used to control or move your assets. What you must protect are your Private Key and Recovery Phrase.
Q13: What is a Keystore? How is it different from a Private Key and a Recovery Phrase?
A: A Keystore is an encrypted Private Key file, usually in JSON format. Its purpose is to protect the Private Key with a password, so even if someone gets the file, they still need the correct password to unlock it.
Features:
· It must be unlocked with a password, so its security depends on password strength.
· If you forget the password, the Private Key cannot be decrypted, and no platform can recover it for you.
· In essence, it is still another way of storing a Private Key.
Recommendations:
· Set a strong and unique password for the Keystore.
· Back up both the Keystore file and its password carefully. You need both.
Q14: Can I share my Recovery Phrase or Private Key with someone else?
A: Absolutely not. Your Recovery Phrase and Private Key are the highest-level credentials for your assets. Anyone who gets them can move all of your assets without your consent. Whether they claim to be customer support, an official representative, technical support, or an “airdrop” or “event,” anyone asking for your Recovery Phrase or Private Key is a scam—without exception.
Q15: Can I share my wallet address with others?
A: Yes. A wallet address is like your receiving account. Others can use it to send assets to you or view transaction records associated with that address, but they cannot use it to control your assets. A wallet address does not contain Private Key information, so it is safe to share publicly.
1.3 Wallet Types and Their Use Cases
Q16: What is a software wallet?
A: A software wallet is a blockchain wallet that exists in the form of an application, including mobile apps, desktop clients, and browser extensions. It is convenient to use, easy to get started with, and suitable for daily transfers and DApp interactions. The downside is that the Private Key is stored on an internet-connected device, making it more vulnerable to malware, viruses, phishing sites, and similar threats. It is generally less secure than a hardware wallet.
Q17: What is a hardware wallet?
A: A hardware wallet is a physical device specifically designed to manage crypto assets. It usually contains a secure chip for generating and protecting Private Keys, ensuring that the keys do not touch the internet during use and typically cannot be exported or accessed remotely. Unlike software wallets, a hardware wallet completes transaction signing in an offline environment. Even if it is connected to an infected computer, the Private Key will not be exposed.
Main security features:
· The Private Key is stored only inside the device and does not connect to the internet.
· The secure chip provides tamper resistance.
· Transaction signing happens inside the device, and only signed data is sent out.
· You do not need to enter the Private Key on a computer or phone.
Because of this, a hardware wallet is one of the best options for storing large balances or long-term holdings.
Q18: What is a browser wallet (extension wallet)?
A: A browser wallet, also called an extension wallet, exists as a browser extension, such as MetaMask. It can be called directly from webpages, making it convenient for interacting with DApps. It is quick to install and useful for frequent on-chain interaction. Because it depends on the browser environment, however, it is more exposed to malicious sites, fake pages, phishing pop-ups, and extension vulnerabilities. Pay extra attention to download sources and approval requests.
Q19: What are cold wallets and hot wallets?
A: A cold wallet is a wallet whose Private Keys always remain offline and do not connect to the internet, such as a hardware wallet or software wallet on an offline device. It offers stronger security and is suitable for large balances or long-term holdings. A hot wallet stores Private Keys on an internet-connected device, such as a mobile wallet, browser extension wallet, or exchange account. It is convenient to use and suitable for small balances, daily transactions, and frequent interactions. The core difference is whether the Private Key is stored and used in an online environment.
Q20: How do I choose the right wallet for myself?
A: General recommendations:
· For small balances or daily use, choose an easy-to-use and reputable mobile wallet or browser wallet, such as imToken or MetaMask, and back up your Recovery Phrase properly.
· For medium to large balances or long-term holding, use a hardware wallet such as imKey to reduce theft risk through cold storage.
· For multi-chain asset management, use a combined setup such as a multi-chain software wallet plus a hardware wallet. Keep larger balances in the hardware wallet and smaller balances in the software wallet for daily use.
The core principle is to allocate assets based on size, usage frequency, and risk tolerance. Balance security and convenience, and do not keep everything in one place.
Chapter 2 | Wallet Creation and Backup: Reduce Risk at the Source
2.1 Creating a Wallet: Details You Must Pay Attention To
Q21: Where should I download and install a wallet app to avoid fake wallets?
A: To avoid downloading a fake wallet, follow these three rules:
1. Start from the official website only. Use the download link provided on the wallet’s official site to reach the app store or download page. For example, imToken’s official website is `token.im`.
2. Verify the developer name. In the App Store or Google Play, make sure the developer information matches the official website. For imToken, for example, the developer is `IMTOKEN PTE. LTD.`
3. Do not tap unknown links. Do not install wallets through search ads, chat groups, private messages, forums, or other untrusted links. Fake wallets are common on those channels.
Remember: The safest and simplest method is to start from the official website and click through from there. Decentralized wallets do not require your personal identity information.
Q22: If I create one wallet, does that mean I can manage every cryptocurrency on every blockchain?
A: Not necessarily. What a wallet can manage depends on which chains and token standards it supports.
· Wallet support is limited. Many wallets, such as imToken, MetaMask, and TokenPocket, support multiple chains, but not all of them. MetaMask, for example, mainly supports EVM-compatible chains such as Ethereum, Polygon, and BNB Chain. It does not support BTC or TRX directly.
· Address rules differ by chain. EVM chains can often use the same address format, but chains such as Bitcoin and Tron use different address rules. Even with the same Recovery Phrase, the derived addresses may differ.
· Token lists are not complete by default. Even if a wallet supports a chain, it may not preset every token on that chain. New or smaller tokens may need to be added manually by contract address.
Before choosing a wallet, make sure it explicitly supports the chain and tokens you want to use.
Q23: What details should I pay attention to when creating a wallet for the first time?
A: Build a strong security foundation from the very beginning:
1. Use a secure device. Make sure your phone or computer is free of malware and unknown plugins. If necessary, run a full scan and install system updates first.
2. Write down the Recovery Phrase by hand and check it repeatedly. Write it down with pen and paper. Check every word at least twice to make sure the order and spelling are completely correct. Do not take screenshots, photos, or save it in albums or cloud storage.
3. Record the wallet address for future verification. Save the current wallet address so you can compare it when restoring the wallet on a new device.
4. Set a strong password or PIN. Use a sufficiently long password or PIN with numbers, letters, and symbols. Avoid easy-to-guess information such as birthdays or phone numbers.
From the moment you create a wallet, you become the final person responsible for your assets.
Q24: How can I identify a fake wallet app or website?
A: Check from three angles:
1. Verify official information
- Domain: Make sure the domain matches the one published on the official website. Watch out for extra letters, strange suffixes, or suspicious combinations such as `imtoken-app-download.com`.
- Developer: In the app store, check whether the developer name matches the official information.
2. Look at the quality of details
- Icon and interface: Fake products often use blurry icons, rough layouts, or poor machine-translated text.
- Downloads and reviews: Official apps usually have higher download numbers and more natural reviews. Fake apps often have very low downloads or repetitive, unusual reviews.
3. Ask the official team directly
- If you are unsure, go back to the official website and use the published email address or official social account to ask whether the link or app is official.
If you discover a fake link or fake app, stop immediately. Never import your Recovery Phrase or Private Key.
Q25: Why do I need to set a PIN or password when creating a wallet?
A: A PIN or password is the lock for the wallet on your local device. Even if someone gets your phone or computer, they still cannot directly open the wallet or make a transfer. But a PIN or password is not the same as a Recovery Phrase. It only protects local access to the wallet on that device. It cannot replace a secure backup of your Recovery Phrase.
2.2 Recovery Phrase Storage Strategy: The Key to Protecting Your Assets
Q26: Why is it so strongly recommended not to take photos or screenshots of a Recovery Phrase, and never store it in the cloud?
A: Because these methods can leak your Recovery Phrase without you noticing.
· Photos and screenshots: Many apps can read your photo library. Malware, cloud albums, and backup services may scan or upload those images.
· Cloud storage: Online drives, email, and chat history can all be exposed through account compromise, service vulnerabilities, or internal abuse.
Once a Recovery Phrase is exposed, the assets are usually impossible to recover. Recovery Phrases should be backed up offline, in purely physical form only.
Q27: What is the most recommended way to store a Recovery Phrase?
A: The most recommended method is offline physical backup:
· write the Recovery Phrase neatly on paper and store it in a safe place; or
· use a reliable metal backup tool to improve resistance to fire, water, and moisture.
The core principle is simple: offline, durable, and understandable to you.
Q28: What should I pay attention to when backing up a Recovery Phrase on paper?
A: Paper backup is simple and effective, but keep these points in mind:
· Use suitable paper and pens. Choose thicker paper and pens with ink that does not bleed or fade easily.
· Write clearly. Record each word carefully and make sure spelling and order are correct. Avoid messy handwriting and corrections.
· Store copies in different places. You may make two or three copies and keep them separately in safe, discreet, fire-resistant, and moisture-resistant locations.
· Avoid obvious labels. Do not write “Recovery Phrase” or “wallet backup” on the paper in a way that immediately reveals what it is.
Never photograph the paper or upload it to the cloud.
Q29: What are the advantages of a metal Recovery Phrase backup compared with paper?
A: A metal Recovery Phrase backup stores your words on fire-resistant, water-resistant, and corrosion-resistant metal. Compared with paper, it has clear advantages:
· Greater durability: It can resist fire, water damage, moisture, tearing, and similar hazards.
· Better for long-term storage: It is less likely to fade or deteriorate over the years, making it suitable as one of the main backups for core assets.
There are many mature products on the market, including imKey’s products:
· Cryptobox S1: built with 304 stainless steel and able to store two sets of 12-word Recovery Phrases (or one set of 24 words).
· Cryptobox P1: includes the features of the S1 and also supports more flexible key storage with character-block combinations, making it more suitable for advanced users.
Whichever solution you choose, combine it with a safe storage location and a sensible access strategy so it is not lost or recognized too easily.
Q30: What is secondary encryption for a Recovery Phrase?
A: Secondary encryption means adding a self-designed layer of protection on top of the original Recovery Phrase backup, so that even if someone sees the backup, they still cannot directly reconstruct the real phrase.
Common methods include writing down only part of it and memorizing the rest, replacing some words according to a custom rule, or combining the Recovery Phrase with a Passphrase.
Important reminders:
· Secondary encryption is best suited to users with backup and security experience.
· If you forget your own rule or extra secret, no one can recover the assets for you.
If you are a beginner, first make sure you have a proper plain-text offline backup of the Recovery Phrase before considering advanced methods.
Q31: How can I apply secondary encryption to a Recovery Phrase?
A: The most common methods fall into two categories:
1. Add a Passphrase
- How it works: In addition to the standard Recovery Phrase, you add an extra secret known only to you. Only the correct combination of the Recovery Phrase and the Passphrase will generate the real wallet.
- How to use it: In wallets that support this feature, enable the Passphrase or Advanced Options setting when creating or importing a wallet.
Warning: If the Passphrase is forgotten or entered incorrectly, the assets cannot be recovered even if the Recovery Phrase itself is correct.
2. Physical obfuscation or split storage
- How it works: You disrupt the order, split the phrase into separate parts, or mix in decoy words so that other people cannot understand the real rule even if they see the backup.
- Examples: Split a 12-word phrase into two parts and store them in different places; or insert a few fake words that only you can identify.
Secondary encryption is for experienced users. Any rule that “only you know” becomes a risk if you forget it. Beginners should prioritize a correct, standard offline backup first.
Q32: If I forget the wallet password or PIN, can I still recover my assets?
A: Yes, as long as you have correctly backed up your Recovery Phrase or Private Key.
· The local password or PIN only protects access to the wallet on that particular device.
· What truly determines control is the Recovery Phrase or Private Key, because the assets are on-chain, not inside the app.
If you forget the local password, you can:
· delete the wallet from the app or reinstall the app;
· re-import the wallet using the previously backed-up Recovery Phrase or Private Key;
· set a new local password or PIN.
Remember this core point: if the Recovery Phrase or Private Key is still safe, the assets are still recoverable. If they are lost, knowing the local password does not help.
Q33: What is second verification of a Recovery Phrase, and why is it so important?
A: Second verification means performing a recovery test with the Recovery Phrase you wrote down before you formally start using the wallet, so you can confirm that it is correct and usable.
A common approach, using imKey as an example, is:
1. reset the original hardware wallet or use a new one;
2. import the Recovery Phrase you just wrote down;
3. confirm that the generated wallet address matches the original one.
Why it matters:
· It confirms that there are no spelling mistakes, missing words, or ordering mistakes.
· It prevents the disaster of discovering a backup error only after the original device is lost or damaged.
Treat second verification as a required step in Recovery Phrase backup, not an optional one.
Q34: If I wrote a few words incorrectly or put them in the wrong order, can I still recover my assets?
A: In most cases, recovery is almost impossible. Every word and its order participate in generating the wallet. If even one word is wrong, missing, or out of order, the result is effectively a different wallet. That is why this manual repeatedly emphasizes careful writing and second verification before you transfer any assets in.
In very rare cases involving very large amounts and strong clues—such as knowing roughly where the mistake occurred or retaining an original draft—some professional security teams may attempt technical recovery. But the success rate is still low, the cost is usually high, and the market is full of “Recovery Phrase recovery” scams. Be extremely cautious.
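Q9 and Q10 describe the Recovery Phrase as the root seed, Q31 describes the Passphrase as an extra secret that produces a different wallet, Q33 describes the recovery test, and Q34 explains why one wrong word gives a different wallet. All four follow from a single BIP39 step, shown below as an added example written for this manual (not code from any wallet project). It uses the Python standard library only. Assumptions: the phrase is the standard all-zero-entropy BIP39 test vector (never a real wallet); word-list and checksum validation of the phrase is omitted because it needs the 2048-word list; and the recovery test compares a short fingerprint of the derived seed rather than an address, which keeps the example self-contained but is the same comparison in spirit. The function names (`bip39_seed`, `backup_fingerprint`, `recovery_test`) are this example's own.

```python
"""Added example (not from the manual): Recovery Phrase + Passphrase -> root seed
(BIP39), and a recovery test that catches a wrong word before funds are deposited.
Standard library only. The mnemonic is the public all-zero-entropy test vector."""
import hashlib
import hmac
import unicodedata

# Constructed input: the well-known BIP39 test vector, not a real wallet.
TEST_VECTOR_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes).
    The passphrase is part of the salt, so a different passphrase gives an unrelated seed (Q31)."""
    words = " ".join(mnemonic.split())                      # normalise spacing only
    m = unicodedata.normalize("NFKD", words).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes):
    """BIP32 root: HMAC-SHA512 keyed with "Bitcoin seed"; left half is the master private key, right half the chain code.
    Every Private Key the wallet later shows is derived from this, which is why the phrase restores everything (Q10)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def backup_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short identifier of the wallet a backup restores to (first 8 hex chars of SHA-256 of the seed).
    Record this (or the first address, as the manual suggests) when the wallet is created."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


def recovery_test(written_backup: str, passphrase: str, recorded_fingerprint: str) -> bool:
    """Second verification (Q33): re-derive from what was written down and compare with what was recorded."""
    return hmac.compare_digest(backup_fingerprint(written_backup, passphrase), recorded_fingerprint)


if __name__ == "__main__":
    recorded = backup_fingerprint(TEST_VECTOR_MNEMONIC, "TREZOR")
    print("correct backup passes:", recovery_test(TEST_VECTOR_MNEMONIC, "TREZOR", recorded))
    # One valid word swapped for another valid word ("about" -> "above"): a different wallet (Q34).
    print("one wrong word passes:", recovery_test(TEST_VECTOR_MNEMONIC.replace("about", "above"), "TREZOR", recorded))
    # Same phrase, forgotten passphrase: also a different wallet (Q31 warning).
    print("missing passphrase passes:", recovery_test(TEST_VECTOR_MNEMONIC, "", recorded))
```

Two things the output makes concrete. First, there is no "nearly right" seed: a single substituted word or a missing Passphrase changes every byte of the result, which is why the manual insists on second verification before any deposit. Second, the Passphrase is not stored anywhere and cannot be recovered from the phrase, so it must be backed up with the same care as the phrase itself.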
Q35: If someone saw my Recovery Phrase but no funds have been lost yet, what should I do?
A: Treat it as already exposed and change wallets immediately.
1. Use a brand-new device, or create a new wallet in the current app, to generate a completely new Recovery Phrase and back it up securely.
2. Move all assets from the old wallet to the new wallet address at once.
3. Stop using the wallet associated with the old Recovery Phrase permanently.
Once someone has seen your Recovery Phrase, they can transfer your assets at any time. Do not wait and do not take chances.
2.3 Importing a Wallet: A Guide to Avoiding High-Risk Mistakes
Q36: What should I be most cautious about when importing a wallet?
A: The biggest risk is entering your Recovery Phrase or Private Key into a fake website or fake app.
Common scams include:
· fake official websites or fake download pages that ask you to “verify your account,” “upgrade your version,” or “unlock an airdrop” by entering the Recovery Phrase;
· fake wallet apps with names and icons that look similar to the real app, but are designed to steal your credentials.
Safety tips:
· download the wallet only from the official website or official app store;
· verify the domain, app name, and developer information carefully;
· never import a Recovery Phrase or Private Key through ad links, private-message links, or unfamiliar webpages.
When importing a Recovery Phrase, always make sure the wallet app is the genuine official one.
Q37: Do I need an internet connection when importing a wallet?
A: In most practical scenarios, yes.
The import itself happens locally: the wallet is generated from your Recovery Phrase or Private Key on the device. The internet connection is mainly used to:
· sync balances and transaction history from the blockchain;
· confirm that the address and assets display correctly.
Use a trusted network, such as your home Wi-Fi or mobile data, not public Wi-Fi. Also make sure you are operating on a safe device without suspicious software installed.
Q38: If my assets do not appear after import, or the balance looks wrong, what could be causing it?
A: Common causes include:
1. The Recovery Phrase or Private Key was entered incorrectly. A spelling error or word-order mistake may generate a different wallet address.
2. The wrong network is selected. For example, if the assets are on BNB Chain but the wallet is currently set to Ethereum, the balance may appear as zero.
3. The token has not been added to the display list. Some wallets do not automatically show every token, so you may need to add it manually using the correct contract address.
4. You imported the wrong wallet. You may have more than one Recovery Phrase or address. Compare with the original wallet address you recorded earlier.
If you still cannot confirm the issue, do not blindly retry or import into a suspicious app. Seek help through a trusted channel first.
Q39: I received a text message or email from a stranger telling me to import my wallet. Is that safe?
A: No. This is extremely unsafe and is a classic phishing attack.
Scammers often pretend to be “official customer support,” a “security notification,” or an “upgrade notice” and try to get you to:
· click a link;
· enter your Recovery Phrase, Private Key, or Keystore on a fake page.
Remember these three hard rules:
1. Official teams will never ask for your Recovery Phrase or Private Key by text or email, and they will never ask you to “import the wallet for verification” through a link.
2. If you receive any link, go back to the official website or official app and verify it yourself. Do not operate inside message links.
3. If you suspect phishing, take a screenshot and report it to the wallet team to help block further risk.
Once you type a Recovery Phrase into a suspicious page, the chance of theft is close to 100%.
Q40: Can I use the same wallet on multiple devices?
A: Technically yes, but it increases security risk.
Advantages: You can access the same wallet on multiple devices, such as a phone and a computer, which is more convenient.
Risks: If any one of those devices is infected, lost, or unlocked by someone else, your Private Key may be exposed or the wallet may be abused.
Safety recommendations:
· limit the number of devices into which you import the wallet;
· use it only on trusted devices;
· keep large balances on a single secure device or in a hardware wallet;
· separate a small daily-use wallet from a long-term large-balance wallet.
Chapter 3 | Everyday Wallet Security: Small Details, Big Protection
3.1 Receiving and Sending Assets: Security Blind Spots Behind Simple Actions
Q41: Why must I verify the address before sending assets?
A: Because if you send to the wrong address, the funds usually cannot be recovered. Address verification is therefore essential. Common risks include clipboard hijacking, where malware silently replaces the address you copied with the attacker’s address, and manual typing mistakes, where even one wrong character can change the destination completely. After pasting, check at least the first few characters, some middle characters, and the last few characters. Better yet, save verified addresses in your wallet’s address book and use those instead of copying them repeatedly.
Q42: What is a clipboard hijacking attack, and how can I defend against it?
A: Clipboard hijacking is when malicious software tampers with your clipboard and replaces the wallet address you copied with the attacker’s address, causing you to send funds to the wrong place without noticing. To defend against it:
· manually verify the address after pasting;
· do a small test transfer before sending a large amount;
· keep your device clean and install apps only from official sources;
· enable system security protections or reputable security software;
· if you use a hardware wallet such as imKey, verify the recipient address on the device screen before confirming.
Q43: Why is a small test transfer important, and how should I do it?
A: A small test transfer is the simplest way to verify that the address, network, and token type are all correct before sending a larger amount. A practical flow is:
1. send a small amount first, such as the equivalent of USD 1–5;
2. wait for confirmation, then check the result in a block explorer or the recipient’s wallet;
3. only after that send the larger transfer using the exact same details.
For large transfers or first-time recipients, this should become a habit.
Q44: Is it enough to check only the first and last few characters of an address before sending?
A: No. Attackers can generate addresses that share the same first and last few characters as the real address. This technique is often called address poisoning or address spoofing. Check more than just the beginning and end, and whenever possible use the address book feature so you can select a verified address directly instead of copying it from history.
Q45: Why do I sometimes receive tiny tokens I never bought?
A: These are often part of a dusting attack or a phishing airdrop. The goals may include tracking your on-chain behavior or luring you to visit a malicious website or interact with a malicious contract. The correct response is:
· do not interact with the token at all;
· hide it in your wallet if the wallet supports that feature;
· if you think it may be a legitimate airdrop, verify it through the project’s official website or official community channels, not through links in direct messages (DMs).
Q46: The address I copied has the same beginning and ending as the transfer target, but the middle is different. Is that normal?
A: No. This is a typical sign of address poisoning. Attackers send a tiny transfer from a fake address that looks similar to a frequently used one so it appears in your history. If you later copy from the history list carelessly, you may send funds to the attacker by mistake. Always inspect the full address, save verified addresses in your address book, and still do a small test transfer before large transfers.
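The "same beginning and ending" check from Q44 and Q46, as an added example that is not part of the manual: it classifies a pasted address against a saved address book and flags lookalikes that share the visible head and tail but differ in the middle. EVM-style 0x addresses are assumed, and the address book and history entries are constructed samples.

```python
# Added example (not from the manual): detect address-poisoning lookalikes
# before sending. Assumes EVM-style 0x addresses; the address book and the
# recent-history entries below are constructed sample data.

# The genuine recipient, saved deliberately in the address book (constructed).
REAL_RECIPIENT = "0x1234abcd" + "00" * 12 + "5678ef9a"
ADDRESS_BOOK = {"exchange deposit": REAL_RECIPIENT}

# What a wallet's "recent" list might show after a poisoning attempt: the
# second entry shares the first 6 and last 4 hex characters with the real
# one but differs in the middle (constructed).
RECENT_HISTORY = [
    REAL_RECIPIENT,
    "0x1234abcd" + "9f" * 12 + "5678ef9a",
]


def normalize(addr: str) -> str:
    """Lower-case the hex part so comparisons ignore checksum capitalization."""
    addr = addr.strip()
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"not a 20-byte 0x address: {addr!r}")
    int(addr[2:], 16)  # raises if any character is not hex
    return addr.lower()


def looks_alike(a: str, b: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when a and b share the visible head and tail but are not equal.

    This is exactly the pattern a "first few and last few characters" check
    cannot distinguish from the real address.
    """
    a, b = normalize(a), normalize(b)
    if a == b:
        return False
    return a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def check_recipient(pasted: str, book: dict = ADDRESS_BOOK) -> dict:
    """Classify a pasted address against the saved address book.

    Returns {"status": "verified" | "lookalike" | "unknown", "matches": label or None}.
    Only a full-string match counts as verified.
    """
    pasted = normalize(pasted)
    for label, saved in book.items():
        saved = normalize(saved)
        if pasted == saved:
            return {"status": "verified", "matches": label}
        if looks_alike(pasted, saved):
            # Same head/tail as a trusted entry but a different body: poisoning sign.
            return {"status": "lookalike", "matches": label}
    return {"status": "unknown", "matches": None}
```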
Q47: Why is my transaction taking a long time to confirm?
A: Common reasons include:
· the gas fee is too low, so validators or miners prioritize higher-fee transactions;
· the network is congested;
· the wallet node did not broadcast or sync the transaction correctly.
Use a block explorer such as Etherscan to check whether the transaction is on-chain and whether it is still pending. If your wallet supports speeding up or replacing a transaction, you may raise the gas fee and resend. If the transaction does not appear on the block explorer at all, it may never have been broadcast successfully.
Never enter your Recovery Phrase or Private Key into an unknown site that claims it can “speed up” the transaction.
Q48: If I send tokens to the wrong address, can I recover them?
A: On most public blockchains, once a transaction is confirmed on-chain, it cannot be reversed or recovered. The main exception is when the destination is a custodial platform deposit address, such as an exchange address. In that case, you may contact the platform and ask for manual assistance, although success is not guaranteed. The best protection is prevention: verify the address and network carefully, use a small test transfer for large amounts or new recipients, and never rush under pressure.
Q49: My wallet shows multiple network options when I send a token. Which one should I choose, and what happens if I choose the wrong one?
A: The same token may exist on multiple networks. USDT, for example, exists on Ethereum, BNB Chain, Polygon, and others. If you choose the wrong network, the assets may be sent to the recipient’s address on a different chain, and the recipient may not see them unless they add that network and know how to recover them. Ask the recipient to clearly specify the required network, such as ERC-20, and select that exact network in your wallet. If you are unsure, stop and verify first.
Even when EVM-compatible addresses look the same across networks, balances do not automatically move across chains.
Q50: My wallet says I need to approve a token. What does that mean, and is it safe?
A: Approval means you allow a smart contract to move a certain amount of a token from your wallet. This is common in DEXs, DeFi protocols, and NFT marketplaces.
There are two main types:
· Limited approval: the contract can move only a specified amount, which is relatively safer.
· Unlimited approval: the contract can move any amount of that token, which creates major risk if the contract is malicious or later compromised.
Best practices:
· approve only trusted official contracts;
· when possible, choose a limited amount instead of unlimited approval;
· review and revoke approvals you no longer need using an approval management tool such as Revoke.cash;
· be especially cautious when a strange website actively prompts you to approve something.
Approval is not the same as an immediate transfer, but approving the wrong contract can be just as dangerous.
3.2 DApp Interactions and Approvals: Blind Actions Can Cost You
Q51: What are approval and signature in a DApp, and what is the difference?
A: In DApps, you commonly see two kinds of actions:
· Approval: You allow a smart contract to move a certain amount of one of your tokens. Once the approval is active, the contract can transfer the token within the approved amount without prompting you every single time.
· Signature: You use your Private Key to sign a message. This is often used for logging in, confirming an order, or voting. Most signatures do not directly move assets on their own.
The core difference is this: approval gives a contract permission to spend your tokens later, while a signature confirms that you agree to a certain message or action. But malicious contracts or complex signing content can still be used to gain indirect control over your assets. If you do not understand what you are signing, do not sign it.
Q52: Why should I be cautious about DApp approvals? What is the risk of unlimited approval?
A: Every approval gives a smart contract the ability to spend your tokens. If the contract is malicious or later exploited, it may directly drain tokens up to the approved amount.
Unlimited approval is the most dangerous because it allows the contract to move any amount of a specific token from your wallet. If the contract is compromised, all tokens of that type in your wallet may be stolen without another confirmation.
How to reduce the risk:
· read the approval details carefully, including the token, purpose, and amount;
· choose limited approvals whenever possible;
· stay alert to unfamiliar DApps and promises of unusually high returns.
Q53: How can I tell whether a DApp website or approval request is safe?
A: Check the following:
1. URL: Make sure the domain exactly matches the official website. Phishing sites often use very similar domains.
2. Contract address: In the approval window, verify that the smart contract address matches the project’s official contract.
3. Approval or signing content: Read what the popup actually says. If the content is vague, unreasonable, or does not match what you expected to do, stop immediately.
4. Project reputation: Look up security history and community feedback through trusted crypto communities or reputable media.
If you do not understand it or cannot verify it, do not continue.
Q54: What should I do if I accidentally approved a high-risk DApp or granted unlimited approval?
A: Revoke the approval immediately. That is the key step for reducing risk.
Typical steps:
1. use an approval management tool such as Revoke.cash, or your wallet’s built-in approval manager;
2. connect your wallet and review the current approval list for your address;
3. find the suspicious or unnecessary approval and click Revoke.
Revoke is an on-chain transaction, so it requires a small network fee.
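What an approval request and a revoke actually contain, as an added example covering Q50, Q52 and Q54 (not code from the manual or from Revoke.cash): it decodes the calldata of an ERC-20 approve() request, flags an unlimited amount or an unknown spender, and builds the approve(spender, 0) call that a revoke sends. Standard ERC-20 ABI encoding is assumed; the contract addresses are constructed.

```python
# Added example (not from the manual): inspect an ERC-20 approve() request
# before confirming it, and build the calldata a "Revoke" button sends.
# Standard ERC-20 ABI encoding is assumed; all addresses are constructed.
from typing import Optional

# keccak256("approve(address,uint256)")[:4], the standard ERC-20 selector.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1  # the value wallets display as "unlimited"


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) as 0x-prefixed calldata."""
    spender = spender.lower().removeprefix("0x")
    if len(spender) != 40 or not (0 <= amount <= UINT256_MAX):
        raise ValueError("bad spender or amount")
    # address is right-aligned in a 32-byte word, amount is a 32-byte big-endian uint
    return "0x" + APPROVE_SELECTOR + spender.rjust(64, "0") + f"{amount:064x}"


def decode_approve(calldata: str) -> dict:
    """Parse approve() calldata back into its spender and amount."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    spender = "0x" + data[8:72][-40:]
    amount = int(data[72:136], 16)
    return {"spender": spender, "amount": amount}


def assess_approval(calldata: str, trusted_spenders: set, decimals: int = 6,
                    expected_amount: Optional[int] = None) -> dict:
    """Return the findings a careful user would want before clicking Confirm."""
    req = decode_approve(calldata)
    findings = []
    if req["spender"] not in {s.lower() for s in trusted_spenders}:
        findings.append("spender is not a known official contract")
    if req["amount"] == UINT256_MAX:
        findings.append("unlimited approval: contract may move any amount of this token")
    elif expected_amount is not None and req["amount"] > expected_amount:
        findings.append(f"amount exceeds what this action needs "
                        f"({req['amount'] / 10**decimals:g} tokens)")
    return {**req, "unlimited": req["amount"] == UINT256_MAX, "findings": findings}


def revoke_calldata(spender: str) -> str:
    """Revoking is just approve(spender, 0): an ordinary on-chain transaction."""
    return encode_approve(spender, 0)


# Constructed sample: an official DEX router and a request that asks for
# unlimited USDT (6 decimals) in favour of an unknown contract.
OFFICIAL_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "22" * 20
UNLIMITED_REQUEST = encode_approve(UNKNOWN_SPENDER, UINT256_MAX)
LIMITED_REQUEST = encode_approve(OFFICIAL_ROUTER, 100 * 10**6)  # exactly 100 USDT
```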
Q55: Why does my wallet keep asking me to sign messages during DApp use? How should I handle that?
A: Many DApps use signatures for login verification, order confirmation, or message proof. Frequent signature requests are not necessarily abnormal. The right way to handle them is:
· read each request carefully;
· check whether it matches what you are actually doing;
· treat any request you do not understand, did not trigger, or that contains suspicious addresses or links as dangerous.
Principle: it is better to reject a few extra times than to casually sign an unfamiliar request.
3.3 Security Settings for Devices and Wallet Apps
Q56: Do my phone or computer system settings affect wallet security?
A: Yes—very significantly. Your operating system is the base environment in which the wallet runs. If the system has vulnerabilities, or if malware or trojans are installed, attackers may steal your Recovery Phrase or Private Key or remotely control your wallet. Device security is one of the first and most important layers of wallet security.
Q57: How should I configure my phone or computer to better protect my wallet?
A: Enable these baseline protections:
· set a strong device password or PIN;
· enable fingerprint or facial recognition when appropriate;
· turn on the system firewall on computers;
· disable automatic connection to Wi‑Fi and Bluetooth networks;
· keep the operating system and apps updated with official security patches;
· do not jailbreak or root the device casually, because doing so weakens the system’s security model.
Q58: I am already careful. Do I still need antivirus or security software?
A: It is recommended, especially on computers. Security software can help detect and block:
· trojans and backdoors;
· clipboard hijacking malware;
· keyloggers that record passwords or Recovery Phrases;
· malicious files or links from suspicious websites or downloads.
It is not a perfect shield, but for ordinary users it is a cost-effective layer of added protection, especially when using browser extension wallets or desktop wallets.
Q59: If I lose my phone, can the wallet app password protect my assets?
A: The wallet app password can stop someone from opening the app directly, but it does not solve all risks. Problems may still arise if:
· the device was jailbroken or rooted and system protections were weakened;
· you stored digital backups of the Recovery Phrase or Private Key on the phone, such as screenshots, photos, notes, or synced cloud files;
· an attacker uses advanced methods or physical access to extract app data.
If your phone is lost, the safest response is:
1. import the wallet on another trusted device using the backed-up Recovery Phrase or Private Key;
2. move all assets to a newly created wallet;
3. treat the old wallet and its Recovery Phrase as potentially exposed and stop using them.
This only works if you already have a secure backup.
Q60: Is it safe to operate a wallet app on public Wi‑Fi?
A: No. Public Wi‑Fi carries high risk. Free networks in malls, airports, cafés, and hotels often lack strong protection and can expose you to:
· data eavesdropping,
· man-in-the-middle attacks,
· malicious code distribution.
For any sensitive action—creating a wallet, importing a Recovery Phrase, making a large transfer, or approving a DApp—use a secure and trusted network, such as your home Wi‑Fi or mobile data. If you must work while traveling, consider using your own hotspot and reduce the sensitivity of the actions you perform.
Chapter 4 | Anti-Scam Practice: Not Getting Tricked Is the Best Security
4.1 20 Common Wallet Scams Explained
Q61: What is a vanity wallet address scam?
A: In this scam, someone sells a wallet address with “lucky” or personalized patterns, such as repeated 8s or 6s. The danger is that the scammer usually generated the address and kept the corresponding Private Key. Once you send assets to that address, they can steal them. Never buy wallet addresses from unknown sources. Always generate wallet addresses yourself through a legitimate wallet so the keys remain fully under your control.
Q62: How does a fake wallet app scam work?
A: Scammers imitate well-known wallet apps or websites and trick users into downloading the fake app or importing a Recovery Phrase into it. Common signs include similar names, icons, domains, fake official download pages, and fake ads. To avoid this, download the wallet only from its official website or official app store listing, verify the developer information carefully, and remember that official teams will not contact you by private message, text, or phone asking you to download software or provide sensitive information.
Q63: Why are “Recovery Phrase collision tools” a scam?
A: These tools claim they can brute-force someone else’s Recovery Phrase and steal their assets. In reality, mainstream wallets follow standards such as BIP39, and the phrase space is so large that brute-force guessing is not practical. The usual trick is that the software shows fake “successful” results, tries to sell you a paid version, or even contains malware designed to steal your own credentials. Never believe claims about “cracking” Recovery Phrases.
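The size of the phrase space, worked through as an added calculation that is not part of the original manual; the guess rate is an assumption chosen to be generous.

A 12-word BIP39 phrase encodes 128 bits of entropy plus a 4-bit checksum, so the raw word space is
$$2048^{12} = 2^{132},$$
of which only $2^{128}$ phrases pass the checksum. A search that tests $10^{12}$ phrases per second (assumed) and can also check each candidate's balance needs on average
$$\frac{2^{127}}{10^{12}\ \mathrm{s}^{-1}} \approx 1.7 \times 10^{26}\ \mathrm{s} \approx 5.4 \times 10^{18}\ \text{years},$$
and a 24-word phrase (256 bits of entropy) is a further $2^{128}$ times harder. Any tool that claims to "collide" with a specific wallet's phrase is therefore lying about what it does.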
Q64: How do phishing links trick you into revealing your Recovery Phrase?
A: Phishing pages often pretend to be an airdrop claim, a red packet giveaway, a system upgrade, or an account-security verification page. They imitate official branding and ask you to enter your Recovery Phrase or Private Key “for security” or “to unlock a feature.” Once you do, the information is sent directly to the scammer and the wallet may be emptied quickly. Official pages will never ask for your Recovery Phrase or Private Key just to claim an airdrop or verify an account.
Q65: How do crypto scams succeed on second-hand trading platforms?
A: Some second-hand marketplaces do not have real protections for crypto transactions. Scammers exploit that gap with fake trades and refund abuse. A typical pattern is that the scammer builds trust, places an order, pays, and gets the seller to send the crypto. Then the scammer claims they “did not receive the item” and requests a refund from the platform. Because the platform often does not understand on-chain settlement, the refund may be granted, and the seller loses both the crypto and the payment. Use professional, compliant trading platforms instead of informal peer-to-peer channels.
Q66: What is a fake official loan scam?
A: In this scam, criminals create a fake investment platform and claim to offer “officially authorized loans” or high returns. The victim is then told to pay a fee first—such as 2% of the loan amount—in order to unlock the loan, raise the limit, or release the funds. Real institutions do not casually recruit borrowers through Telegram or private messages, and any process that asks you to pay money first to receive a loan is a scam.
Q67: What is a romance investment scam?
A: This is a “pig butchering” scam in which the criminal builds trust through an online romantic relationship and then introduces the victim to a fake high-return investment platform. The victim sees fake profits and is encouraged to invest more. Eventually the platform locks the funds, blocks withdrawals, or disappears. Stay highly cautious about investment advice from people you met online, verify both the person and the project independently, and never let emotion override judgment.
Q68: What is a multisig scam, and why might I see a SIGERROR when sending from a TRX wallet?
A: This scam uses blockchain multisig permissions to take control of the victim’s wallet. If your TRX wallet shows a signature error (SIGERROR) during transfer and you never intentionally set account permissions yourself, your wallet permissions may have been modified. The scammer first steals your Recovery Phrase or Private Key, then changes the account into a multisig account that requires the scammer’s signature for transfers. You can still deposit funds, but you cannot move them out independently. Download wallets only from official sources, do not click suspicious links, and regularly check TRX account permissions.
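The "regularly check TRX account permissions" advice, as an added example that is not part of the manual: it audits an account's owner and active permissions for keys that are not yours and for a threshold your own key weight can no longer satisfy, which is the state behind the SIGERROR described above. The account dictionaries are constructed samples shaped like a Tron full node's getaccount response; the field names are an assumption to verify against your node's documentation.

```python
# Added example (not from the manual): audit a Tron account's permissions for
# the multisig takeover described in Q68. The account dicts are constructed
# samples shaped like a full node's getaccount response (field names assumed).

MY_ADDRESS = "41" + "aa" * 20   # constructed hex-format Tron address (0x41 + 20 bytes)
ATTACKER = "41" + "bb" * 20     # constructed


def audit_permissions(account: dict, my_address: str) -> list:
    """Return human-readable findings; an empty list means the account looks untouched."""
    findings = []
    my_address = my_address.lower()
    perms = [account.get("owner_permission", {})] + list(account.get("active_permission", []))
    for perm in perms:
        name = perm.get("permission_name", "?")
        threshold = perm.get("threshold", 1)
        keys = {k["address"].lower(): k.get("weight", 1) for k in perm.get("keys", [])}
        foreign = sorted(addr for addr in keys if addr != my_address)
        if foreign:
            findings.append(f"{name}: unknown key(s) present: {', '.join(foreign)}")
        if keys.get(my_address, 0) < threshold:
            # This is the SIGERROR situation: your signature alone no longer
            # reaches the threshold, so you can deposit but cannot send.
            findings.append(f"{name}: your key weight {keys.get(my_address, 0)} "
                            f"is below threshold {threshold}")
    return findings


def make_account(owner_keys: list, threshold: int = 1) -> dict:
    """Build a minimal account dict with the given keys (constructed shape)."""
    return {
        "address": MY_ADDRESS,
        "owner_permission": {"permission_name": "owner",
                             "threshold": threshold, "keys": owner_keys},
        "active_permission": [
            {"permission_name": "active", "threshold": threshold, "keys": owner_keys}
        ],
    }


# A normal single-key account: one key, weight 1, threshold 1.
HEALTHY = make_account([{"address": MY_ADDRESS, "weight": 1}])

# After a takeover: the attacker's key was added and the threshold raised so
# the original owner's signature can never satisfy it on its own.
TAKEN_OVER = make_account(
    [{"address": MY_ADDRESS, "weight": 1}, {"address": ATTACKER, "weight": 2}],
    threshold=2,
)
```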
Q69: What is the transfer trap in energy-rental services?
A: On Tron, transfers consume energy and bandwidth. Some people offer to “rent energy” or “pay gas for you” at a low price. After building trust through several successful small transactions, they wait for you to become careless and then lure or trick you into sending valuable tokens such as USDT to the wrong address. If you need such services, use wallet-integrated features or trusted official platforms, not unknown individuals.
Q70: What is a second-round scam targeting victims of previous investment schemes?
A: Scammers buy or obtain information about users who were previously cheated by Ponzi-like investment schemes. They then pretend to be official customer support and claim they can help recover the stolen assets. The real goal is to trick the victim into sending more money or downloading a fake app. Official institutions will never proactively contact you by email, text, or phone to ask you to pay first in order to recover or unlock assets.
Q71: What is an address phishing scam, also called the “same ending” scam?
A: This scam exploits the habit of checking only the first and last few characters of an address. The attacker creates an address that looks similar to one you use often, sends you a zero-value or tiny transfer so it appears in your history, and waits for you to copy it by mistake later. Use the wallet’s address book, verify the full address character by character, and be wary of unexplained tiny transfers.
Q72: What are common OTC USDT scam patterns?
A: Large OTC USDT trades carry serious risk both online and offline.
Online scams may begin with low-price offers and small successful trades to build trust. When the amount gets larger, the scammer may claim they need your Private Key or Recovery Phrase to “verify wallet security” or “check multisig status,” then take over the wallet.
Offline scams may involve hidden cameras, direct access to your phone, fake settlement, contract breaches, or even physical intimidation and robbery. The safest approach is to avoid informal OTC channels and use regulated exchanges instead. Never share your Recovery Phrase, Private Key, or wallet password under any pretext.
Q73: What is the EIP-7702 authorization trap?
A: EIP-7702 is meant to simplify DApp interaction by allowing delegated wallet operations, such as batch transfers or gas sponsorship. But that convenience can also be abused. If a user signs a malicious authorization, they may effectively hand over control to malicious code or another address. Attackers may then deploy a sweeper bot that monitors the compromised wallet and immediately transfers out any newly received funds. Treat any unfamiliar authorization or delegation request with extreme caution, regularly review and revoke permissions, and avoid blindly signing hashes or prompts you do not understand.
Q74: What is a social engineering attack against a hardware wallet?
A: This refers to scams that manipulate people rather than directly breaking the device. Examples include fake giveaway campaigns, tampered devices sold through unofficial channels, preconfigured wallets with preset Recovery Phrases or PINs, or altered instructions that tell you to restore a wallet from a phrase supplied by the seller. Always buy hardware wallets only through official authorized channels, verify that the device is unactivated, generate the Recovery Phrase yourself during setup, and never use a device that comes with a preset phrase or PIN.
Q75: Why can even a cold wallet still be stolen?
A: A cold wallet is only truly “cold” if the Private Key or Recovery Phrase never touches an internet-connected environment. Once you type the Recovery Phrase into a phone, computer, email, cloud storage service, or any other online environment, that safety premise is broken. The wallet is no longer effectively cold, and malware can steal the phrase. Download software only from official channels, never click ad links, and if you suspect a device was infected after you entered a Recovery Phrase on it, treat the phrase as exposed and move your assets to a new wallet immediately.
4.2 What Can You Still Do After Being Scammed or Losing Funds?
Q76: Besides network attacks, what other risks can affect a wallet?
A: Physical theft is also a real risk. Someone might access your unlocked device when you step away, secretly photograph your Recovery Phrase, or handle your device or backup during cleaning, repairs, or hotel stays. Protect your devices physically, lock them even when stepping away briefly, spread assets across multiple wallets, use hardware wallets for important funds, and never reveal your Recovery Phrase or Private Key to anyone—not even friends, family members, or partners.
Q77: What is a fake staking or mining investment scheme?
A: In this scam, criminals impersonate wallet support or official teams and guide users to a fake staking or mining website that promises very high returns. The real goal is to get the user to approve a large or unlimited token allowance. Once the approval is signed, the scammer can transfer out the corresponding tokens. Be highly suspicious of “guaranteed returns” and any site that asks for unusually large approvals.
Q78: What new information traps and security threats have become more common with the rise of AI?
A: AI tools can make bad information look authoritative. AI search may surface phishing websites, outdated information, or incorrect official links because the model depends on its source data and cannot always verify what is current or real. Social media is also heavily polluted with fake “official” accounts, recycled announcements, and false tutorials. Any important information—such as an official website, a contract address, or a claimed airdrop—should be verified through known official channels, not through AI answers or social posts alone.
Q79: What is AI voice-cloning fraud?
A: Criminals can synthesize a familiar person’s voice and use messaging apps or calls to pretend that a friend or colleague urgently needs funds. Because the cloned voice sounds convincing, victims may transfer money before verifying the request. Any transfer request involving urgency should be verified through another channel, such as a direct phone call, video call, or in-person confirmation.
Q80: Why can malicious browser extensions lead to asset theft?
A: Browser extensions often request powerful permissions, such as reading website data, modifying cookies, accessing the clipboard, or reading sensitive browser information. A malicious extension can steal session cookies, track your activity, tamper with transactions, or help attackers log in as you. Install extensions only from official sources, keep your trading browser clean, log out when you are done, and keep large balances in a self-custodial wallet or hardware wallet rather than in exchange accounts.
Q81: What should I do first if I discover that wallet assets have been stolen?
A: Stay calm and act in order:
1. Protect remaining assets. If the Recovery Phrase may have been exposed, all addresses derived from it may be at risk. Move any remaining funds immediately.
2. Create a brand-new secure wallet. Preferably use a hardware wallet and back up its Recovery Phrase properly.
3. Preserve evidence and think through the cause. Save transaction hashes, wallet addresses, chats, phishing links, and any related evidence. Review whether you recently clicked suspicious links, approved risky DApps, entered a Recovery Phrase on an unfamiliar site, or used public Wi‑Fi.
Q82: How can I query on-chain records to track where stolen assets went?
A: Use the correct block explorer for the relevant chain, such as Etherscan for Ethereum, Tronscan for Tron, or mempool.space for Bitcoin. Search using your wallet address or the suspicious transaction hash. Then review the sender, recipient, amount, time, and most importantly the movement path of the funds—whether they were moved through multiple addresses, swapped, bridged, or sent to a known platform.
Q83: Besides self-help and on-chain tracking, what outside help can I seek after funds are stolen?
A: You can try several external paths:
· File a police report and provide full evidence, including transaction hashes, scammer addresses, screenshots, and phishing links.
· Contact centralized exchanges if you can see that the stolen funds reached one of them. Most exchanges will require a formal law-enforcement process before taking action.
· Flag addresses through block explorers or security communities that support scam reporting.
· Seek help from professional blockchain security firms for tracing services, while remaining cautious about second-round scams and high fees.
Be extremely skeptical of anyone who promises a 100% recovery rate.
Q84: Why are stolen assets so difficult to recover in most cases?
A: Recovery is hard for several reasons:
· if the Recovery Phrase or Private Key was exposed directly, the theft is immediate and on-chain transactions are irreversible;
· stolen assets may be swapped on a DEX, mixed, fragmented, or bridged across chains;
· the funds may end up in private wallets without KYC;
· even if they reach a centralized exchange, the exchange may not assist without law-enforcement involvement.
Q85: Besides emergency loss control and reporting to the police, what other checks should I perform after a theft?
A: Complete a full post-incident security review:
1. scan all wallet-related devices for malware, keyloggers, and trojans;
2. change all important passwords, including email, social media, cloud services, exchanges, and any related accounts;
3. switch to stronger two-factor authentication, preferably app-based methods such as Google Authenticator or Authy rather than SMS;
4. inspect and remove suspicious or unused browser extensions;
5. warn friends and family in case scammers impersonate you;
6. after securely backing up any needed information, consider resetting affected devices and rebuilding a clean environment.
Chapter 5 | Advanced Protection: Build Your Security Fortress
5.1 Advanced Hardware Wallet Guide
Q86: How does a hardware wallet protect the security of a Private Key?
A: The biggest advantage of a hardware wallet is that the Private Key stays offline throughout its lifecycle. The key is generated and stored inside a secure chip, and all signing happens inside the chip as well, so it never touches the network environment. This fundamentally reduces the risk of trojans, viruses, and remote attacks. Compared with hot wallets, which store keys on internet-connected phones or computers, hardware wallets significantly improve key security through a secure chip and offline signing. For high-value assets, a hardware wallet is strongly recommended. Protect both the PIN and the Recovery Phrase carefully—they are essential to the safety of the assets.
Q87: After receiving a hardware wallet, how can I tell whether it is safe and untampered?
A: Focus on three checks:
· Check the packaging: Make sure the outer packaging and seals are intact and all accessories are present.
· Check authenticity: Verify the SN on the official website and confirm that the device shows as unactivated.
· Check the setup flow: On first use, you should set the PIN yourself and generate the Recovery Phrase yourself. There should never be a preset PIN or preset Recovery Phrase.
Buy only from the official website or authorized channels. If you discover any suspicious preset information, stop using the device immediately and contact official support.
Q88: If I lose the device, can I still restore the wallet?
A: Yes—if you kept the Recovery Phrase completely and correctly. You can restore the assets in any wallet that supports the same standard, such as BIP39. But the recovery process must be done carefully:
· restore only in a trusted wallet or trusted app;
· never enter the Recovery Phrase on an unknown website, app, extension, or mini-program;
· note that different wallets may use different derivation paths, so the first address you see may not match.
Prefer restoring with the original wallet or a compatible wallet, verify that the restored address matches the old one, and if possible enter the Recovery Phrase on an offline device rather than in an online environment.
Q89: What is a derivation path, and why can the same Recovery Phrase generate different addresses in different wallets?
A: A derivation path is the rule set used to derive addresses for different chains, accounts, and indexes from the same Recovery Phrase. Standards such as BIP44, BIP49, and BIP84 define common path formats, but different wallets may use different defaults. That is why the same Recovery Phrase may display different addresses in different wallets. When restoring, use the original wallet first or a wallet that lets you customize the derivation path. If the address does not match, check whether the wallet supports switching paths.
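What a derivation path encodes, as an added example that is not part of the manual: it parses a BIP32 path such as m/44'/60'/0'/0/0 into the numeric child indexes a wallet actually derives with, names the BIP44/49/84 purpose and coin type, and shows that two wallets restoring the same phrase only agree on the first address when they derive the same path. Only the path syntax is handled; the key derivation itself needs a BIP32 library.

```python
# Added example (not from the manual): parse a BIP32 derivation path and
# explain why two wallets restoring the same phrase can show different first
# addresses. Only the path syntax is handled; key derivation is not reproduced.

HARDENED = 0x80000000  # hardened indexes are offset by 2^31 in BIP32
PURPOSES = {
    44: "BIP44 (legacy / account-based)",
    49: "BIP49 (P2SH-wrapped SegWit)",
    84: "BIP84 (native SegWit)",
}
COIN_TYPES = {0: "Bitcoin", 60: "Ethereum", 195: "Tron"}  # SLIP-44 registered values


def parse_path(path: str) -> list:
    """Turn "m/44'/60'/0'/0/0" into the numeric child indexes BIP32 uses."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    indexes = []
    for part in parts[1:]:
        hardened = part.endswith("'") or part.endswith("h")  # both spellings are common
        number = int(part.rstrip("'h"))
        if not 0 <= number < HARDENED:
            raise ValueError(f"index out of range: {part}")
        indexes.append(number + HARDENED if hardened else number)
    return indexes


def describe_path(path: str) -> dict:
    """Name the standard, coin, account and index encoded in a BIP44-style path."""
    idx = parse_path(path)
    if (len(idx) != 5 or any(i < HARDENED for i in idx[:3])
            or any(i >= HARDENED for i in idx[3:])):
        raise ValueError("expected m/purpose'/coin'/account'/change/index")
    purpose, coin, account = (i - HARDENED for i in idx[:3])
    return {
        "standard": PURPOSES.get(purpose, f"unknown purpose {purpose}"),
        "coin": COIN_TYPES.get(coin, f"coin type {coin}"),
        "account": account,
        "change": idx[3],
        "index": idx[4],
    }


def same_first_address(path_a: str, path_b: str) -> bool:
    """Same phrase + same path = same key; any differing level gives a different address."""
    return parse_path(path_a) == parse_path(path_b)
```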
5.2 Coordinated Management with Multisig Wallets and Cold Wallets
Q90: What is a multisig wallet?
A: A multisig wallet requires multiple Private Keys to sign a transaction before it can take effect. It improves both security and fault tolerance by spreading authority across multiple signers.
Common setups include:
· 2 of 3: three keys exist, and any two are required to complete a transfer;
· 3 of 5: five keys exist, and any three are required.
This design means the loss or compromise of a single key does not immediately endanger the funds, making multisig suitable for family asset management, team treasury management, and similar scenarios. Good multisig practice includes setting sensible rules, distributing keys across different devices, and using mainstream compatible products such as Gnosis Safe, Keystone, and imKey.
For more information, see the tutorial “imKey Hardware Wallet × Gnosis Safe: Guide to Creating and Using Multi-signature Wallets”: https://support.imkey.im/hc/en-us/articles/47827714802457
Q91: What are common misconceptions about multisig wallets?
A: Common misunderstandings include:
· Thinking multisig is the same as a cold wallet. It is not. Multisig is about requiring multiple signatures; a cold wallet is about keeping keys offline.
· Keeping all signer keys on one device. This defeats the entire purpose of multisig because a single compromise can expose all keys.
· Ignoring backup and role handover. If signers lose devices or keys and there is no fallback plan, the assets can become permanently inaccessible.
Spread keys across devices, keep backup signers or mechanisms for adjusting permissions, and periodically review the health of signer devices and settings.
Q92: What problems do multisig and cold wallets solve respectively?
A: They address different dimensions of security:
· Multisig reduces the risk of single-person control by requiring multiple parties to approve a transfer.
· Cold wallets reduce technical exposure by keeping Private Keys offline and away from malware, phishing, and remote attacks.
Combining them creates governance security plus technical security.
Q93: In what situations is it appropriate to operate through a cold wallet?
A: Cold wallets are particularly suitable for:
· long-term storage of large balances;
· enterprise treasury management;
· NFT custody;
· multisig setups requiring high-assurance signers.
Although signing with a cold wallet is less convenient than using a hot wallet, modern hardware wallets support smoother flows such as QR signing and Bluetooth signing. Keep small daily-use funds in a hot wallet, but place larger balances in a cold wallet and verify transaction details carefully on the device screen every time.
Q94: How can I combine a cold wallet with multisig to build a stronger security system?
A: You can set one or more signers in the multisig scheme to be cold wallets. For example, in a 2-of-3 setup:
· one signer could be an offline software wallet,
· one signer could be a hardware wallet such as imKey,
· and the final signer could be a backup signer for emergencies.
Keep each signing device physically separated and avoid sharing the same network or computer. Verify each transaction multiple times before signing, and back up the multisig rules and permission documents securely.
Q95: If I use multisig, do I still need a hardware wallet?
A: Yes. A hardware wallet remains a core device in a multisig security model. It isolates the Private Key inside an offline chip and requires physical confirmation at signing time, greatly reducing the chance of key theft. In a multisig setup, it serves as a highly reliable signer and helps resist external attacks and single points of failure. Choose a hardware wallet that supports secure communication methods such as Bluetooth or QR codes, use it with a trusted app, and keep the firmware updated.
5.3 Recommended Tools and Trusted Resources
Q96: Why should I manage contract approvals, and what tools can I use to revoke them?
A: When you use DeFi protocols, NFT platforms, or wallet extensions, you may have approved contracts to spend your assets. If those approvals remain open indefinitely, a compromised or malicious contract may move your assets without you noticing. Regular approval cleanup is therefore an important security habit.
Recommended tool:
· Revoke.cash: lets you view and revoke contract approvals on Ethereum, BNB Smart Chain, Polygon, and other major networks.
Check your approvals at least once a month, revoke permissions for unfamiliar or unused DApps promptly, and choose limited approvals rather than unlimited ones whenever possible.
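The approval pop-up a wallet shows is a thin rendering of the raw call the DApp asks you to sign. The following Python is an added example (not the manual's or any wallet's own code) that decodes the two most common approval calls, ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)`, and flags exactly the two risks discussed above: an unlimited amount and an unfamiliar spender. The 4-byte selectors are the standard ones for those signatures; the spender addresses and the allowlist are constructed sample values, not real contracts.

```python
"""Decode token-approval calldata and flag unlimited or unfamiliar approvals before signing."""
from dataclasses import dataclass
from typing import Optional

# Well-known 4-byte selectors: the first 4 bytes of keccak256 of the function signature.
SELECTOR_APPROVE = "095ea7b3"               # approve(address spender, uint256 amount)   (ERC-20)
SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool)  (ERC-721/1155)
MAX_UINT256 = 2**256 - 1                    # the value DApps pass to mean "unlimited"


@dataclass
class ApprovalReview:
    kind: str               # "approve" or "setApprovalForAll"
    spender: str            # contract that would gain spending rights (0x + 40 hex chars)
    amount: Optional[int]   # raw token units for approve; None for setApprovalForAll
    unlimited: bool         # True when the approval covers every token of that type
    known_spender: bool     # True when the spender is in the caller's allowlist
    verdict: str            # one-line recommendation


def _word(data: bytes, i: int) -> bytes:
    """Return ABI argument i: each argument is a 32-byte word after the 4-byte selector."""
    chunk = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {i}")
    return chunk


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount). Used here only to build constructed sample calldata."""
    addr_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")   # addresses are left-padded to 32 bytes
    return "0x" + SELECTOR_APPROVE + addr_word.hex() + amount.to_bytes(32, "big").hex()


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved). Constructed sample data only."""
    addr_word = bytes.fromhex(operator[2:]).rjust(32, b"\x00")
    return "0x" + SELECTOR_SET_APPROVAL_FOR_ALL + addr_word.hex() + int(approved).to_bytes(32, "big").hex()


def review_approval(calldata_hex: str, trusted_spenders: set) -> ApprovalReview:
    """Decode approve/setApprovalForAll calldata and rate the risk of confirming it."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector = data[:4].hex()
    if selector not in (SELECTOR_APPROVE, SELECTOR_SET_APPROVAL_FOR_ALL):
        raise ValueError(f"selector 0x{selector} is not approve/setApprovalForAll")
    spender_word = _word(data, 0)
    if spender_word[:12] != bytes(12):          # a well-formed address has 12 leading zero bytes
        raise ValueError("malformed address argument")
    spender = "0x" + spender_word[12:].hex()
    known = spender in {s.lower() for s in trusted_spenders}

    if selector == SELECTOR_APPROVE:
        kind = "approve"
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount == MAX_UINT256
    else:
        kind = "setApprovalForAll"
        amount = None
        approved = int.from_bytes(_word(data, 1), "big") != 0
        if not approved:                          # approved=false is a revocation, not a grant
            return ApprovalReview(kind, spender, None, False, known, "OK: this call revokes operator rights")
        unlimited = True                          # operator rights cover every token in the collection

    if unlimited and not known:
        verdict = "REJECT: unlimited approval to an unfamiliar contract"
    elif unlimited:
        verdict = "CAUTION: unlimited approval; prefer a limited amount and revoke afterwards"
    elif not known:
        verdict = "CHECK: verify the spender contract in a block explorer before confirming"
    else:
        verdict = "OK: limited approval to a known contract"
    return ApprovalReview(kind, spender, amount, unlimited, known, verdict)


if __name__ == "__main__":
    # Constructed sample: a hypothetical DEX router the user has vetted, and an unknown contract.
    VETTED_ROUTER = "0x" + "11" * 20
    UNKNOWN = "0x" + "22" * 20
    for calldata in (
        encode_approve(VETTED_ROUTER, 50 * 10**18),     # limited: 50 tokens with 18 decimals
        encode_approve(UNKNOWN, MAX_UINT256),           # unlimited to an unfamiliar spender
        encode_set_approval_for_all(UNKNOWN, True),     # whole-collection operator rights
    ):
        print(review_approval(calldata, {VETTED_ROUTER}).verdict)
```

The same decoding is what approval-management tools do when they list your open allowances; reading the raw `amount` word is also how you can tell a "limited" approval from `2**256 - 1` when a pop-up only shows a token name.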
Q97: How can I identify phishing websites or malicious projects? Are there practical tools that can help?
A: Many scammers imitate airdrops or whitelist campaigns with websites that look almost identical to official ones. Visual appearance alone is often not enough for users to judge authenticity. Useful tools include:
· ScamSniffer: an anti-phishing extension that detects risky code and suspicious addresses and provides real-time warnings while you browse;
· Tenderly, Blocksec, MetaSuites, and similar security plugins that provide risk prompts for smart contract interactions.
Use security plugins as a first browser firewall, get links only through official project channels, and avoid finding wallet or airdrop websites through search engines whenever possible because SEO phishing is common.
Q98: How can I know whether the wallet app I downloaded is the official version? Is there a reliable way to verify it?
A: Downloading a fake wallet app is one of the most common causes of asset theft. To reduce this risk:
· always start from the wallet’s official website;
· in the App Store or Google Play, verify that the developer name matches the official developer, such as `IMTOKEN PTE. LTD.` for imToken;
· when available, verify the APK hash, such as a SHA256 checksum, against the value published by the official team.
Do not download wallets through strange links or third-party ad pages. On first use, watch for suspicious behavior such as forced web redirects or requests for unnecessary permissions like contacts or location.
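Checking a published SHA256 value by eye is error-prone, so here is an added Python example (not code from the manual or from any wallet vendor) that verifies a downloaded file against a checksum list in the common `sha256sum` output format (`<64 hex digits>  <filename>`, optionally with a `*` binary marker). The file contents and the checksum line in the demo are constructed; a real check uses the APK you downloaded and the value the official team publishes.

```python
"""Verify a downloaded installer against a published SHA-256 checksum list."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse sha256sum-style lines: '<hash>  <filename>' or '<hash> *<filename>'.

    Blank lines and '#' comments are skipped; anything else malformed is an error,
    because a checksum list you cannot parse is not one you should trust.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<hash>  <filename>'")
        digest, name = parts
        digest = digest.lower()
        name = name.lstrip("*")                   # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        entries[name] = digest
    return entries


def verify_download(path, checksum_text: str) -> bool:
    """True only if the file's SHA-256 matches the entry for its filename in the published list."""
    expected = parse_checksum_list(checksum_text).get(Path(path).name)
    if expected is None:
        return False                              # not listed at all: treat as failure, never as success
    return hmac.compare_digest(sha256_file(path), expected)


def demo_roundtrip() -> tuple:
    """Constructed demo: a stand-in 'wallet.apk', a matching checksum line, and a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        genuine = Path(d) / "wallet.apk"
        genuine.write_bytes(b"constructed sample bytes standing in for an APK\n" * 1000)
        published = f"{sha256_file(genuine)} *wallet.apk\n"   # what an official team would publish
        tampered_dir = Path(d) / "tampered"
        tampered_dir.mkdir()
        tampered = tampered_dir / "wallet.apk"
        tampered.write_bytes(genuine.read_bytes() + b"\x00")  # one extra byte is enough to fail
        return verify_download(genuine, published), verify_download(tampered, published)


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo_roundtrip()
    print("genuine file verifies:", genuine_ok)     # True
    print("tampered file verifies:", tampered_ok)   # False
```

Two details matter in practice: the published checksum must come from a channel you already trust (the official website, not the same page that served the download), and a filename missing from the list is a failure, not a pass.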
Q99: If I need official customer support or technical support, what are the correct channels?
A: Fake support scams are common. Criminals often impersonate project support on Telegram, X, TikTok, or in private messages and try to guide users into “verification” steps that end with stolen Recovery Phrases or stolen funds. The correct method is to use support entry points only through the official website or the app’s Help Center. Official teams will not proactively message you to request information or tell you how to operate your wallet. Any request involving a Recovery Phrase or Private Key is a scam.
Q100: What other security tools or navigation sites are worth bookmarking for advanced users?
A: Useful security tools and resources include:
Security tools
· Revoke.cash: approval management and revocation;
· ScamSniffer: phishing detection and suspicious-link monitoring;
· Pocket Universe: transaction simulation and anti-phishing prompts;
· Chainlist.org: verified chain information for major EVM networks.
On-chain data and analytics
· Arkham: address labels and entity analysis;
· DeBank: multi-chain asset aggregation;
· Zerion: portfolio and transaction tracking;
· Dune: on-chain data analysis and dashboards;
· DefiLlama: TVL rankings and multi-chain statistics;
· CryptoFees: protocol fee rankings;
· Blocknative: Ethereum gas monitoring;
· Token Terminal: project financial metrics.
Security reminder:
· do not blindly trust third-party airdrop or navigation sites, especially pages that ask for approval at first contact;
· for any page that asks you to connect a wallet, sign, or approve, verify its legitimacy through multiple trusted channels such as the official website, official X account, or GitHub;
· bookmark the official websites of the tools you use often instead of finding them again through search engines.
Part II: 100 Security Self-Test Questions
Chapter 6 | Security Self-Test
Q01–Q25: Creation and Backup
True or False
Q01: A digital wallet is essentially a vault used to store cryptocurrency. ( )
Q02: Whoever holds a wallet’s Private Key has full control over the on-chain assets. ( )
Q03: A Recovery Phrase is a seed that can derive all Private Keys, so backing up the Recovery Phrase alone is enough. ( )
Q04: If you forget the wallet PIN or password, you can still recover the assets as long as the Recovery Phrase is intact. ( )
Q05: After creating a new wallet, you should first test with a small amount before making a large transfer. ( )
Q06: A wallet address is generated directly from a Private Key. ( )
Q07: If you photograph the Recovery Phrase and save it in your phone album, a phone password makes it absolutely safe. ( )
Q08: You can use the same Recovery Phrase to restore assets in different wallet apps. ( )
Q09: A Recovery Phrase and a Private Key are the same concept and can be used interchangeably. ( )
Q10: Writing a Recovery Phrase on paper is a common backup method, but it still needs extra protection against fire, water, and loss. ( )
Q11: If a hardware wallet is connected to a virus-infected computer, the Private Key is at risk of being stolen. ( )
Q12: If you switch from one wallet app to another, importing the Recovery Phrase directly into the new app is the correct way to restore the wallet. ( )
Multiple Choice
Q13: What is the most recommended way to back up a Recovery Phrase? ( )
A. Save a screenshot or photo in the phone album
B. Write it down on paper and store it in a safe place
C. Upload it to cloud storage
D. Send it to your own email or chat app
Q14: Which of the following counts as a proper second verification of a Recovery Phrase? ( )
A. Import the newly created phrase into another device right away and confirm that it restores correctly
B. Ask a friend to help verify that you copied it correctly
C. Rewrite the phrase three times
D. Upload a photo of it to the cloud for future checking
Q15: If a stranger accidentally sees your Recovery Phrase before you make a transaction, what should you do? ( )
A. Do not worry—as long as the Private Key is not exposed, it is fine
B. Immediately transfer all assets from that wallet to a brand-new secure wallet
C. Immediately change the wallet password
D. Uninstall and reinstall the wallet
Q16: When downloading a wallet app from an app store, what should you check to avoid fake wallets? ( )
A. Download count and reviews
B. Whether the icon looks clear
C. The developer name
D. All of the above
Q17: What is the safest environment for generating a Recovery Phrase? ( )
A. A computer connected to public Wi-Fi
B. A trusted offline device in a private environment without cameras
C. A friend’s phone
D. An open network in a café
Q18: Why should you never photograph, screenshot, or upload a Recovery Phrase to the cloud? (Multiple choice)
A. The phone or computer may be infected and the image can be stolen
B. Cloud storage may be hacked or leak
C. Screenshots or photos may remain in cache or albums even after deletion
D. Digital backup is always safer than paper backup
Q19: When importing a wallet, where does the biggest security risk come from? ( )
A. Entering the words in the wrong order
B. Importing on an unfamiliar device
C. Using a fake wallet app or phishing website
D. Network instability during import
Q20: If someone offers to help you import a wallet, what are the biggest risks? (Multiple choice)
A. They steal your Recovery Phrase or Private Key and then all of your assets
B. They install malware on your device for long-term monitoring and theft
C. They move your assets to an address they control without you noticing
D. They may leak personal information such as your phone number or home address
Q21: Before importing a Recovery Phrase, why should you ask yourself whether the device is safe? (Multiple choice)
A. The device may contain malware or trojans that steal the phrase
B. A jailbroken or rooted system is more exposed to malicious programs
C. As long as the device has enough storage, import is safe
D. A stable network connection guarantees import security
Q22: Besides paper backup, which method can store a Recovery Phrase more safely for the long term? ( )
A. Save it on a USB drive
B. Use a professional stainless-steel Recovery Phrase backup device and store it safely
C. Save it in an email draft
D. Save it in a phone notes app
Q23: What is the main purpose of setting a strong PIN? (Multiple choice)
A. To make the wallet run faster
B. To prevent direct access when someone physically touches the device
C. To increase the difficulty of cracking the device if it is lost
D. To reduce online attack risk
Q24: Why is it not recommended to import a Recovery Phrase on a public or unfamiliar device? (Multiple choice)
A. The device may have malware preinstalled that records the phrase
B. Browser extensions or cache may be abused to steal wallet data
C. Public devices may contain keyloggers
D. Changing the PIN right after import eliminates the risk
Q25: Why is a professional stainless-steel backup box recommended for Recovery Phrase backup? (Multiple choice)
A. It resists fire and water better than paper
B. It is better for long-term preservation and less likely to blur or break
C. It will not easily fade or grow mold over time
D. It is physically isolated from electronic leakage risks
Q26–Q50: Transfers and Approvals
True or False
Q26: It is safe to verify only the first and last few characters of a wallet address before a transfer. ( )
Q27: Disconnecting a wallet from a DApp inside the wallet is the same as revoking all on-chain approvals. ( )
Q28: If you use a DApp frequently, it is fine to keep it connected all the time for convenience. ( )
Q29: Using a browser extension wallet for DApp interaction is more secure than using a mobile wallet. ( )
Q30: If you use a smaller approval amount, your assets are completely safe. ( )
Q31: When you receive a tiny airdrop, it is best not to interact with it at all—not even to transfer it away. ( )
Q32: To reduce transfer mistakes, the safest method is to use the wallet’s address book. ( )
Multiple Choice
Q33: Before connecting to a DApp, what should you check carefully? (Multiple choice)
A. Whether the DApp is official and trustworthy
B. Whether the website link is correct and secure, including HTTPS and no spoofed domain
C. Whether the wallet requests unnecessary high permissions after connection
D. Whether the entry point came from an official channel
E. No need to check—just connect directly
Q34: What is a phishing website? ( )
A. A fake website that imitates an official site and tricks you into entering a Recovery Phrase or Private Key
B. A website used only for trading niche tokens
C. A website that only provides information and does not support transactions
D. A website that offers free airdrops
Q35: During approval, the wallet shows a token name that does not match the token displayed in your wallet. What should you do? (Multiple choice)
A. Ignore the warning and approve directly
B. Cancel the approval immediately and disconnect from the site
C. Try to edit the token name manually
D. Reconnect the wallet
E. Verify the contract address in a block explorer and confirm whether it is the official token contract
Q36: What is a token approval lookup tool? ( )
A. A tool for checking historical token prices
B. A tool for checking all token approvals in a wallet
C. A tool for checking token issuer information
D. A tool for checking transaction status on-chain
Q37: Why is the transaction confirmation step the core security protection of a hardware wallet? ( )
A. Because confirmation happens online
B. Because the hardware wallet screen displays complete transaction details so you can physically confirm while the Private Key stays offline
C. Because a hardware wallet can block every transaction
D. Because the confirmation button is harder to press
Q38: What is a clipboard hijacking attack? ( )
A. Malware modifies the destination address in your clipboard
B. An attacker tricks you into clicking a fake approval link
C. A phishing email tricks you into entering the Recovery Phrase
D. A stranger sends tiny tokens to your wallet to track your activity
Q39: If the wallet prompts you to approve a contract during transfer, what does that mean? ( )
A. You are directly sending assets to that contract
B. You are allowing that contract to transfer a specified amount of tokens from your wallet in the future
C. You are confirming an off-chain instruction
D. You are sharing your Private Key with the contract
Q40: When you grant unlimited approval to a DApp, what risk are you taking? ( )
A. Your wallet may be remotely controlled by a hacker
B. The contract can move all tokens of that type in your wallet without another confirmation
C. The contract can steal your Private Key
D. There is no risk because you can revoke it at any time
Q41: When you receive an unknown token in a very small amount, what is the correct response? ( )
A. Transfer it away immediately to avoid being tracked
B. Sell it for another token
C. Ignore it and do not interact with it
D. Contact the sender and ask what it is
Q42: If your last approval or transfer has been pending for a long time, how should you handle it safely? ( )
A. Use the speed-up function in the same wallet to raise the gas fee for that transaction
B. Repeatedly resubmit the same transaction until one succeeds
C. Switch to another wallet or unknown DApp and resubmit there
D. Import the Recovery Phrase into a third-party site that claims instant confirmation
Q43: Before making a large transfer, what is the safest practice? ( )
A. Ask the recipient for their Private Key to verify identity
B. First make a small test transfer and confirm receipt before sending the large amount
C. Turn off all network connections during the transaction
D. Take a screenshot of the transfer record
Q44: If a stranger sends you an airdropped token and asks you to approve it to claim rewards, what should you do? ( )
A. Approve it immediately so you do not miss out
B. Ignore the airdrop and do not approve or trade it
C. Move the token to another wallet first
D. Contact the project to verify it first
Q45: In a Web3 wallet, what is the main purpose of the signature function? ( )
A. To confirm the uniqueness of a transaction
B. To verify identity and prove that you control the wallet
C. To directly move assets
D. To encrypt the Recovery Phrase
Q46: Why must you be especially cautious about unlimited approvals during DApp interaction? ( )
A. Because unlimited approvals consume more gas
B. Because unlimited approvals may lead to remote wallet control
C. Because a malicious contract that gets unlimited approval can move your assets at any time
D. Because unlimited approvals expose your Private Key
Q47: If a DApp website looks suspicious even though the page runs smoothly, what should you do? (Multiple choice)
A. Connect the wallet immediately and try it
B. Close the webpage at once and check or disconnect wallet connections
C. Contact the site’s customer service
D. Verify authenticity through the project’s official channels or community
Q48: What is the essence of approval risk? ( )
A. Giving away your Private Key
B. Allowing a malicious contract or wallet address to move your assets
C. Giving away your personal information
D. Giving away your transaction history
Q49: If the wallet prompts you to pay a very high gas fee, what should you do? (Multiple choice)
A. Cancel the transaction immediately
B. Check network congestion or wait for gas to come down
C. Contact customer support to ask why
D. Pay it immediately to ensure fast confirmation
Q50: Which practice is most effective for reducing approval risk? ( )
A. Always give unlimited approval to frequently used DApps to reduce repeated prompts
B. Regularly review and revoke unnecessary approvals with approval-management tools
C. Save the Recovery Phrase in a password manager to make approvals easier
D. Ignore the contract address and only check whether the token name looks right
Q51–Q75: Anti-Scam and Risk Response
True or False
Q51: If you forget the wallet’s local password or fingerprint, the assets are permanently lost. ( )
Q52: Anyone who asks for your Recovery Phrase by any means is a scammer. ( )
Q53: If someone has seen your Recovery Phrase but no assets have been stolen yet, the wallet is still safe. ( )
Q54: If you clicked a phishing site but did not enter any information, there is definitely no risk. ( )
Q55: A wallet address can be made public because it cannot transfer assets by itself. ( )
Q56: It is unnecessary to make a small test transfer before a large one. ( )
Q57: Only computers can be infected; phones do not affect wallet security. ( )
Q58: If you choose the wrong network for a token transfer, the recipient will still receive it as long as the address is correct. ( )
Q59: Clipboard hijacking only affects text messages and does not affect wallet addresses in the clipboard. ( )
Q60: Keeping your phone or computer system and apps updated helps defend against known vulnerabilities. ( )
Q61: Because blockchain transactions are irreversible, there is no need to take any action after a wallet is stolen. ( )
Multiple Choice
Q62: After joining a project’s Discord or Telegram, you receive a private message from an “admin” asking you to click a link to verify your wallet or sync assets. What should you do? ( )
A. Click the link and connect the wallet immediately
B. Ask them to show ID before proceeding
C. Ignore and block them, then check the project’s official pinned announcements and report them if needed
D. Try a small signature or approval first
Q63: A stranger claims they can remotely solve your wallet problem and asks you to download remote-control software. What is the correct response? (Multiple choice)
A. Accept the remote assistance
B. Stop the conversation immediately and report it to the platform
C. Negotiate with them
D. Download it but allow view-only access
E. Seek help only through official support or a verifiable ticket system
Q64: When you see a project that claims capital protection, high yield, and zero risk, how should you judge and handle it? (Multiple choice)
A. It is highly likely to be a Ponzi-style scam, so stay alert
B. Test with a small amount and add more after recovering your principal
C. Trust only official channels and do not connect, approve, or transfer on unfamiliar pages
D. Audit reports and profit screenshots are enough to join
Q65: What are the core risks of vanity address scams? (Multiple choice)
A. The seller may retain or record the Private Key or Recovery Phrase and move the funds at any time
B. The addresses may be generated in bulk by scripts and archived for later theft
C. If the address can be found on-chain, it must be safe
D. Changing the Private Key and resetting the Recovery Phrase after purchase makes it safe
Q66: What are common OTC scam patterns? (Multiple choice)
A. Sudden cancellation of the trade
B. Receiving the crypto but refusing or reversing payment
C. Installing malware on your device
D. Forging or altering payment receipts or on-chain proof screenshots
Q67: Which situations suggest that you are facing a fake official loan scam? (Multiple choice)
A. Someone claiming to be official support promises low interest and instant approval but asks for a deposit or unfreeze fee first
B. You are told to download unofficial software or visit an unfamiliar site to apply
C. You are told to transfer funds into a “supervisory account” with a promise of immediate return
D. You are told to enter a Recovery Phrase because of a system upgrade or frozen limit
E. They only ask for bank-card and personal information
Q68: What is a hardware-wallet supply-chain attack? (Multiple choice)
A. Malicious firmware or chips are implanted before the wallet is sold
B. The price of the hardware wallet is raised by a dishonest seller
C. Attackers pretend to be the official team and offer free tampered devices
D. Genuine devices are repackaged after being tampered with and sold cheaply through unauthorized channels
Q69: What are good habits when using a browser extension wallet to interact with DApps? (Multiple choice)
A. Grant unlimited approvals immediately
B. Verify the domain, HTTPS, and official entry point
C. Enter the Recovery Phrase on the webpage for verification
D. Close the browser and restart the computer
E. Use only the minimum necessary approval and revoke it afterward
Q70: What is a multisig scam? (Multiple choice)
A. Scammers steal your Recovery Phrase or Private Key through a fake wallet or phishing site and then change the account into a multisig wallet that requires their signature
B. A SIGERROR in a TRX wallet often indicates that permissions were modified and the account was set to multisig, so you can no longer transfer out alone
C. This scam only happens on Bitcoin and has nothing to do with TRX
D. The scammer lures you to keep depositing assets and then steals them later using the permission control
Q71: Besides checking the address carefully, what is a safer way to defend against address poisoning? ( )
A. Type the address manually every time
B. Add frequently used verified addresses to an address book or whitelist and select only from there
C. Send only to acquaintances
D. Use only centralized exchanges
Q72: While browsing a webpage, the wallet suddenly asks you to sign something even though you were not performing an operation. What should you do? ( )
A. Sign it immediately
B. Close the page, disconnect the wallet, and check or clear approvals
C. Refresh the page
D. Contact the website’s customer service
Q73: If the recipient address shown during a transfer does not match the address you copied, what is the most likely reason? ( )
A. The trading platform has a system error
B. The device clipboard has been hijacked or infected with malware
C. The network is unstable
D. The wallet itself has been hacked
Q74: Why is it not recommended to back up wallet data or a Recovery Phrase in the cloud? ( )
A. It takes up space
B. It may be hacked or leaked and may sync automatically across multiple devices
C. It slows the device down
D. It costs money
Q75: If you receive a text message from an unknown number claiming that your wallet service will stop and telling you to click a link to update the account, what should you do? (Multiple choice)
A. Click the link immediately and follow the instructions
B. Immediately call the official support number to verify the message
C. Ignore and delete the message, because a decentralized wallet team would not know your phone number
D. Use your usual browser to visit the official website directly and check the account yourself
Q76–Q100: Advanced Usage and Correcting Misconceptions
True or False
Q76: Even if a hardware wallet is connected to a virus-infected computer, the assets remain safe. ( )
Q77: A Recovery Phrase is the same thing as the wallet. As long as it is not leaked, the assets are safe. ( )
Q78: If a DApp website found through a search engine or AI search looks official, you can connect your wallet and sign or approve directly. ( )
Q79: If I gave a DApp unlimited approval, my assets are safe as long as I do not trade. ( )
Q80: If the popup says “Sign” rather than “Transfer,” it is always safe because signing does not create asset risk. ( )
Q81: Any decentralized wallet can fully restore all of my assets as long as the Recovery Phrase is correct. ( )
Q82: A multisig wallet is mainly intended for personal daily spending. ( )
Q83: Writing the Recovery Phrase on paper and locking it in a safe is an absolutely secure backup method. ( )
Q84: Official customer support will never proactively contact you by private message, phone call, or SMS. ( )
Q85: In an OTC trade, even if the counterparty provides proof of payment, you should wait for on-chain confirmation before releasing the assets. ( )
Q86: Even if I forget the wallet’s local password, I can still restore the assets by re-importing the wallet as long as my Recovery Phrase backup is intact. ( )
Q87: A block explorer such as Etherscan can be used to track transaction status and review the tokens and historical transactions under an address. ( )
Q88: If a phone is infected, uninstalling and reinstalling the wallet app can remove all security risk. ( )
Q89: When using a hardware wallet, the transaction signature is completed inside the device’s secure chip. ( )
Q90: As long as a downloaded wallet app is official, you can ignore all other security reminders. ( )
Multiple Choice
Q91: What is a derivation path? ( )
A. The random algorithm used by a wallet to generate the Recovery Phrase
B. A tool for tracking the path of a transaction on-chain
C. A path rule that determines how addresses are derived and arranged in a wallet
D. The algorithm that turns a Recovery Phrase into a Private Key
Q92: When confirming a transaction on a hardware wallet, the transaction details on the device screen do not match the computer screen. What should you do? ( )
A. Ignore the hardware wallet screen and trust the computer screen
B. Stop immediately and disconnect the hardware wallet
C. Refresh the computer page and see whether it syncs
D. Continue the transaction and ask official support afterward
Q93: What is a multisig wallet? ( )
A. A wallet that manages assets on multiple blockchains at once
B. A wallet that requires multiple Private Keys to sign before a transaction can be executed
C. A wallet that can be used simultaneously on multiple devices
D. A wallet that supports trading multiple currencies at the same time
Q94: What is the role of a security-tool navigation site? ( )
A. To check approvals, monitor risk, and improve security
B. To generate tokens
C. To claim free airdrops
D. To increase internet speed
Q95: What should you do first after discovering that wallet assets have been stolen? ( )
A. Immediately move the remaining assets to a safe address
B. Call the police and contact wallet support right away
C. Delete the wallet app and disconnect from the internet
D. Stay calm and analyze the reason for the theft
Q96: Why is it not recommended to keep all large balances in one hot wallet? ( )
A. Because hot wallets are slower than cold wallets
B. Because hot wallets are more exposed to online threats such as network attacks
C. Because hot wallets do not support multiple tokens
D. Because hot wallets always have higher transaction fees
Q97: If you use a browser extension wallet that has not been officially verified, what is the biggest risk? ( )
A. It may be a phishing tool designed to steal your Recovery Phrase or Private Key
B. Your browser will run more slowly
C. You will not be able to interact with DApps
D. It cannot save your transaction records
Q98: What is an on-chain label or on-chain flag? ( )
A. Marking a suspicious address on-chain or in an explorer to warn other users
B. Creating a permanent token label on-chain
C. Recording the names of all tokens in your wallet
D. Recording the timestamp of a transaction being packed into a block
Q99: In DApp interaction, what is the main difference between signature and approval? ( )
A. Signature confirms intent, while approval grants asset-spending permission
B. Signature can be revoked but approval cannot
C. Signature requires gas but approval does not
D. Signature is only for login and approval is only for trades
Q100: Which of the following is not an advantage of a cold wallet? ( )
A. Assets remain stored offline for long periods, giving a higher security level
B. It is less likely to be hacked
C. The transaction process is relatively complicated and not suitable for high-frequency use
D. It is suitable for long-term storage of large balances
Part III: Appendix
Common Terms
Consensus
The mechanism by which blockchain nodes agree on the validity and order of transactions. Common models include Proof of Work (PoW) and Proof of Stake (PoS).
Node
A device or server connected to a blockchain network that stores, verifies, and relays data. Light nodes sync only block headers and verify transactions in a simplified way.
Mainnet / Testnet
Mainnet is the live production blockchain where real assets circulate. Testnet is a testing environment used for development and experimentation.
On-chain / Off-chain
On-chain refers to data or actions recorded directly on the blockchain. Off-chain refers to data or actions handled outside the blockchain.
Smart Contract
A self-executing program deployed on a blockchain. When predefined conditions are met, it executes automatically according to code.
Trustless
Not “trust-free,” but a model that shifts trust from people or institutions to publicly verifiable code and consensus rules.
Private Key
A high-entropy secret used to generate signatures and prove control over assets. Whoever holds it controls the assets at the corresponding address.
Public Key
Derived one-way from the Private Key. It is used to verify signatures and as the basis for generating addresses.
Address
A public identifier on the blockchain used to receive assets. It is derived from the Public Key and does not itself grant spending rights.
Recovery Phrase / Mnemonic
A sequence of 12, 18, or 24 words generated according to standards such as BIP39. It can derive the full set of wallet keys and addresses.
Keystore
An encrypted JSON file that stores a Private Key protected by a password.
Signature
A cryptographic proof created with a Private Key to prove authenticity and integrity without revealing the key.
Derivation Path
The rule set used by an HD wallet to derive Private Keys, Public Keys, and addresses from the same Recovery Phrase.
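To make the definition concrete, here is an added Python example (not from the manual) that parses a BIP32 derivation path such as `m/44'/60'/0'/0/0` into its child indexes and names the five BIP44 levels. The hardened offset `2^31`, the BIP44 layout (`purpose'/coin_type'/account'/change/address_index`), and the SLIP-44 coin types 0 (Bitcoin), 60 (Ethereum) and 195 (TRON) are standard values; everything else is illustrative. It also shows why the same Recovery Phrase yields different addresses under different paths: the wallet derives with the 32-bit `child_index`, so changing any level changes every key below it.

```python
"""Parse a BIP32 derivation path and explain its BIP44 levels."""
from dataclasses import dataclass

HARDENED_OFFSET = 0x80000000   # child indexes >= 2^31 are hardened (derivable only with the parent private key)
BIP44_LEVELS = ("purpose", "coin_type", "account", "change", "address_index")
COIN_TYPES = {0: "Bitcoin", 60: "Ethereum", 195: "TRON"}   # SLIP-44 registered coin types


@dataclass
class PathLevel:
    name: str         # BIP44 role of this level, or "levelN" for depths beyond BIP44
    value: int        # the number as written, without the hardened marker
    hardened: bool    # True for components written as 44', 60', ... (or 44h)
    child_index: int  # the 32-bit index the wallet actually feeds into child key derivation


def parse_derivation_path(path: str) -> list:
    """Split 'm/a'/b'/c'/d/e' into PathLevel entries, validating every component."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("derivation path must start with 'm'")
    levels = []
    for depth, comp in enumerate(parts[1:]):
        hardened = comp.endswith(("'", "h", "H"))   # BIP32 writes ', some tools write h
        digits = comp[:-1] if hardened else comp
        if not digits.isdigit():
            raise ValueError(f"invalid path component {comp!r}")
        value = int(digits)
        if value >= HARDENED_OFFSET:
            raise ValueError(f"index {value} exceeds 2^31 - 1")
        name = BIP44_LEVELS[depth] if depth < len(BIP44_LEVELS) else f"level{depth}"
        levels.append(PathLevel(name, value, hardened, value + HARDENED_OFFSET if hardened else value))
    return levels


def is_bip44(levels: list) -> bool:
    """BIP44: exactly five levels, purpose 44, first three hardened, last two not."""
    return (len(levels) == 5 and levels[0].value == 44
            and all(lv.hardened for lv in levels[:3])
            and not any(lv.hardened for lv in levels[3:]))


def describe_bip44(path: str) -> str:
    """Human-readable summary of what a path selects, for checking a wallet's 'advanced' import screen."""
    levels = parse_derivation_path(path)
    if not is_bip44(levels):
        return f"{path}: not a standard BIP44 path (expected m/44'/coin_type'/account'/change/index)"
    coin = COIN_TYPES.get(levels[1].value, f"coin type {levels[1].value}")
    chain = "external (receiving)" if levels[3].value == 0 else "internal (change)"
    return f"{path}: {coin}, account {levels[2].value}, {chain} chain, address #{levels[4].value}"


if __name__ == "__main__":
    for p in ("m/44'/60'/0'/0/0", "m/44'/60'/0'/0/1", "m/44h/0h/0h/0/0", "m/0/1"):
        print(describe_bip44(p))
        print("   child indexes:", [hex(lv.child_index) for lv in parse_derivation_path(p)])
```

When restoring a wallet in a different app (Q08 and Q81 in the self-test), a missing balance is often a path mismatch rather than a lost key: the phrase is right, but the app is deriving under a different account or coin-type level.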
Cold Wallet
A wallet whose Private Key remains offline throughout use.
Hot Wallet
A wallet whose Private Key is stored on an internet-connected device.
Hardware Wallet
A typical form of cold wallet that uses a secure element to generate, store, and sign with the Private Key inside the device.
Multisig
A mechanism that requires multiple Private Keys to sign a transaction before it can be executed.
Binding Code
A unique identifier generated during first-time pairing of a hardware wallet to confirm the device identity and establish a secure connection.
PIN Code
A local password set on a hardware wallet or device to unlock it and confirm operations.
Transaction (TX)
Any on-chain action that changes blockchain state, including transfers, contract calls, approvals, and contract deployment.
Gas Fee
The network fee paid to execute a transaction or smart contract operation.
Nonce
A sequential counter attached to each transaction from an address to enforce order and prevent replay.
Confirmations
The number of blocks built on top of the block that contains a transaction. More confirmations usually mean stronger finality.
Slippage
The difference between the expected trading price and the actual executed price.
Ethereum
A decentralized blockchain platform that supports smart contracts and DApps. Its native token is ETH.
EVM
The Ethereum Virtual Machine, the execution environment for Ethereum smart contracts and many EVM-compatible chains.
Layer 1 (L1)
The base blockchain layer with its own consensus and security model.
Layer 2 (L2)
A scaling layer built on top of an L1 to improve throughput, speed, and cost while inheriting part of the L1’s security.
RPC
Remote Procedure Call. In blockchain usage, an RPC endpoint lets clients communicate with a node to query data and send transactions.
Bridge
A mechanism used to transfer assets or messages between different blockchains or layers.
Token
A blockchain-based digital asset created through smart contracts. It may represent value, rights, tickets, or real-world assets.
Native Token
The original coin of a blockchain network, such as ETH on Ethereum.
ERC-20
The standard for fungible tokens on Ethereum.
ERC-721
The standard for non-fungible tokens (NFTs) on Ethereum.
ERC-1155
A multi-asset token standard that can represent both fungible and non-fungible assets.
Approval / Allowance
A permission that allows a contract to transfer a specified amount of your tokens.
DEX
A decentralized exchange that lets users trade without depositing funds into a centralized platform.
AMM
Automated Market Maker. A trading mechanism based on liquidity pools rather than traditional order books.
Liquidity
The availability of assets in a market or pool that allows trades to be executed efficiently.
NFT
A non-fungible token representing a unique digital asset or ownership record.
MEV
Maximal Extractable Value, the value that can be captured by controlling the order, inclusion, or exclusion of transactions.
WYSIWYS
“What You See Is What You Sign.” A core hardware-wallet principle: the details shown on the device screen are exactly what you are authorizing.
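The Approval / Allowance and WYSIWYS entries above describe the check a user should make before signing an ERC-20 approval: who the spender is and how much it may move. The following added example (not code from the manual or from any wallet project) decodes raw approve(address,uint256) calldata the way a wallet's confirmation screen would, flags unlimited allowances (2^256 - 1, the value many DApps request by default) and spenders the user has not marked as trusted. The function selector 0x095ea7b3 is the real ERC-20 approve selector; the spender addresses and the trusted-spender set are constructed placeholders.

```python
"""Decode an ERC-20 approve(address,uint256) call and flag risky allowances.

Added example (not from the manual). Spender addresses and calldata below are
constructed for illustration; the selector and MAX_UINT256 are real constants.
"""

# First 4 bytes of keccak256("approve(address,uint256)"): the ERC-20 approve selector
APPROVE_SELECTOR = "095ea7b3"
# 2**256 - 1: the "unlimited" allowance many DApps request by default
MAX_UINT256 = 2**256 - 1


def encode_approve(spender: str, amount: int) -> str:
    """Build the calldata a wallet would be asked to sign for approve(spender, amount)."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    # ABI encoding: 4-byte selector, then each argument left-padded to 32 bytes
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> dict:
    """Parse approve() calldata into spender and amount; reject anything else."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("calldata length does not match approve(address,uint256)")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("function selector is not approve(address,uint256)")
    spender_word, amount_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender word has non-zero padding")
    amount = int(amount_word, 16)
    return {
        "spender": "0x" + spender_word[24:],
        "amount": amount,
        "unlimited": amount == MAX_UINT256,
    }


def assess_approval(calldata: str, trusted_spenders: set, decimals: int = 18) -> dict:
    """Return the decoded approval plus the warnings a user should read before signing."""
    info = decode_approve(calldata)
    warnings = []
    if info["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not a contract you recognise")
    if info["unlimited"]:
        warnings.append("unlimited allowance: the spender can move your entire balance, now or later")
    # Show the amount in token units so it can be compared with what the DApp displayed
    info["display_amount"] = "unlimited" if info["unlimited"] else f"{info['amount'] / 10**decimals:g}"
    info["warnings"] = warnings
    return info


if __name__ == "__main__":
    # Constructed addresses: a spender the user knows and one they do not
    ROUTER = "0x1111111111111111111111111111111111111111"
    UNKNOWN = "0x2222222222222222222222222222222222222222"
    for cd in (encode_approve(ROUTER, 100 * 10**18), encode_approve(UNKNOWN, MAX_UINT256)):
        print(assess_approval(cd, {ROUTER}))
```

The same two checks (unknown spender, unlimited amount) are what tools such as Revoke.cash surface after the fact; running them before signing is the point of WYSIWYS, and a hardware wallet that shows the decoded spender and amount on its own screen lets you compare them against what the DApp claims.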
Official Links
Wallets
· imToken — https://token.im
· imKey — https://imkey.im
· MetaMask — https://metamask.io
· Rabby — https://rabby.io
· OneKey — https://onekey.so
Security / Operations
· SlowMist — https://www.slowmist.com
· Revoke.cash — https://revoke.cash
· Gnosis Safe — https://safe.global
· ScamSniffer — https://scamsniffer.io
· ChainList — https://chainlist.org
Data / Analytics
· DeBank — https://debank.com
· Zerion — https://zerion.io
· CoinMarketCap — https://coinmarketcap.com
· CoinGecko — https://www.coingecko.com
· Dune — https://dune.com
· DeFiLlama — https://defillama.com
· Arkham — https://arkm.com
· CryptoFees — https://cryptofees.info
· Token Terminal — https://tokenterminal.com
· Blocknative Gas Estimator — https://www.blocknative.com/gas-estimator
Exchanges and DeFi / NFT Platforms
· Binance — https://www.binance.com
· OKX — https://www.okx.com
· Coinbase — https://www.coinbase.com
· Bybit — https://www.bybit.com
· Kraken — https://www.kraken.com
· Gate.io — https://www.gate.io
· Uniswap — https://app.uniswap.org
· SushiSwap — https://www.sushi.com
· PancakeSwap — https://pancakeswap.finance
· Curve — https://www.curve.finance
· Aave — https://aave.com
· Lido — https://lido.fi
· Tokenlon — https://tokenlon.im
· OpenSea — https://opensea.io
Common Blockchain Explorers
Mainstream Layer 1 explorers
Bitcoin (BTC):
- mempool.space — https://mempool.space
- Blockchair — https://blockchair.com/bitcoin
Ethereum (ETH):
- Etherscan — https://etherscan.io
Tron (TRX):
- Tronscan — https://tronscan.org/#
- OKLink — https://www.oklink.com/zh-hans/tron
Solana (SOL):
Litecoin (LTC):
- Litecoin Space — https://litecoinspace.org
- Blockchair — https://blockchair.com/litecoin
Dogecoin (DOGE):
- Dogechain Info — https://dogechain.info
Bitcoin Cash (BCH):
- Blockchair — https://blockchair.com/bitcoin-cash
Toncoin (TON):
- Tonscan — https://tonscan.org
Polkadot (DOT):
Kusama (KSM):
- Subscan — https://assethub-kusama.subscan.io
Cosmos (ATOM):
- Mintscan — https://www.mintscan.io
Filecoin (FIL):
- Filfox — https://filfox.info/zh
- Filscan — https://filscan.io
Nervos (CKB):
- Explorer — https://explorer.nervos.org
Tezos (XTZ):
- Tezblock — https://tezblock.io
Vaulta (formerly EOS):
- EOS Explorer — https://eosflare.io
- EOS Authority — https://eosauthority.com
- Vaulta Explorer — https://unicove.com/zh/vaulta
Osmosis (OSMO):
- Mintscan — https://www.mintscan.io/osmosis
Layer 2 and EVM-compatible network explorers
- BNB Chain: https://bscscan.com
- Polygon (PoS): https://polygonscan.com
- Base: https://basescan.org
- Arbitrum One: https://arbiscan.io
- Optimism: https://optimistic.etherscan.io
- Scroll: https://scrollscan.com
- Linea: https://lineascan.build
- zkSync Era: https://explorer.zksync.io
- Taiko: https://taikoscan.io
- Blast: https://blastscan.io
- opBNB: https://opbnb.bscscan.com
- Avalanche (AVAX C-Chain): https://snowtrace.io
- Mantle: https://mantlescan.xyz
- Conflux eSpace: https://evm.confluxscan.net
- Metis Andromeda: https://andromeda-explorer.metis.io
- Fantom: https://explorer.fantom.network
- X Layer: https://www.oklink.com/x-layer
- Merlin Mainnet: https://scan.merlinchain.io
- Gnosis Chain: https://gnosisscan.io
- Celo: https://celoscan.io
- Harmony: https://explorer.harmony.one
- Kaia: https://kaiascan.io
- Arbitrum Nova: https://nova.arbiscan.io
- Manta Pacific: https://manta.socialscan.io
- HyperEVM: https://www.hyperscan.com
- Sonic: https://sonicscan.org
- Plasma: https://plasmascan.to
- Monad: https://monadscan.com
Security Starts with Action
Wallet security does not depend on a single tool, but on your daily decisions. Stay skeptical, verify critical information from official channels, and build habits that make attacks harder to succeed.