Crypto 102
Beyond the testnet demo. Habits that matter before you hold anything real on mainnet.
Separate wallets for separate purposes
Use one wallet for experimenting with dApps and one for any balance you care about. If an experiment goes wrong — you sign something malicious, connect to a phishing site, approve a drainer — only the experiment wallet is exposed. That experiment wallet holds only what you can afford to lose entirely.
Hardware wallets for real holdings
A hardware wallet (Ledger, Trezor, GridPlus Lattice1) keeps your private key on a dedicated device that never exposes it to the internet. Signing happens on the device — your computer only ever sees the signed result. For any balance you care about, a hardware wallet is the right answer. Until you have one, Rabby's built-in transaction simulation is the single best upgrade over vanilla MetaMask.
Simulate before you sign
Wallets like Rabby simulate the outcome of a transaction before you sign it, showing you exactly what will enter and leave your wallet. This catches most drainer attacks where a malicious contract claims to be one thing but transfers out all your tokens. If your wallet doesn't show simulation output, the Pocket Universe browser extension adds it on top of MetaMask.
Revoke unused approvals
When you interact with DeFi protocols you often grant token approvals — permissions for those contracts to move your tokens. Old or unlimited approvals are an attack surface: if the protocol is later exploited, the approval can still be used against you. Revoke.cash lets you audit and remove approvals across any wallet address.
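Both the pre-sign check above and an approval audit come down to reading ERC-20 approve() calldata and Approval logs. The following is an added example, not code from the original page: it decodes an approve() call to flag an unlimited allowance, reduces Approval logs to the allowances still in force, and builds the approve(spender, 0) calldata that revokes one. The selector and event topic are the standard ERC-20 values; every address and log in it is a constructed sample.

```python
# Added example, not code from the original page: the checks behind "simulate before
# you sign" and "revoke unused approvals" for ERC-20 allowances. Selector and event
# topic are the standard ERC-20 values; all addresses and logs are constructed samples.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1       # the "unlimited" allowance most dApps ask for

def _addr(word: str) -> str:
    """Extract a 20-byte address from a 32-byte ABI word (64 hex chars)."""
    word = word.lower().removeprefix("0x")
    if len(word) != 64 or word[:24] != "0" * 24:
        raise ValueError("not an ABI-encoded address")
    return "0x" + word[24:]

def _word(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte ABI word."""
    return "0x" + addr.lower().removeprefix("0x").rjust(64, "0")

def decode_approve(calldata: str):
    """Parse approve(spender, amount) calldata the way a pre-sign review would; None for other calls."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 136 or data[:8] != APPROVE_SELECTOR:
        return None
    amount = int(data[72:], 16)
    return {"spender": _addr(data[8:72]), "amount": amount, "unlimited": amount == MAX_UINT256}

def encode_revoke(spender: str) -> str:
    """Calldata for approve(spender, 0), which sets the allowance back to zero."""
    return "0x" + APPROVE_SELECTOR + _word(spender)[2:] + "0" * 64

def live_allowances(logs):
    """Nonzero allowance per (token, spender) from Approval logs in chain order; each
    approve() overwrites the last, so only the latest event per pair counts. An upper
    bound only: transferFrom may spend allowance without emitting Approval, so confirm with allowance()."""
    current = {}
    for log in logs:
        if log["topics"][0].lower() == APPROVAL_TOPIC:
            current[(log["address"].lower(), _addr(log["topics"][2]))] = int(log["data"], 16)
    return {k: v for k, v in current.items() if v > 0}

# Constructed sample: a pending tx requesting an unlimited approval, plus a log history in
# which an older approval to SPENDER_OLD has already been revoked.
OWNER, TOKEN = "0x" + "11" * 20, "0x" + "ef" * 20
SPENDER_ROUTER, SPENDER_OLD = "0x" + "ab" * 20, "0x" + "cd" * 20
PENDING_TX_DATA = "0x" + APPROVE_SELECTOR + _word(SPENDER_ROUTER)[2:] + "f" * 64
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _word(OWNER), _word(SPENDER_OLD)], "data": "0x" + "f" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _word(OWNER), _word(SPENDER_OLD)], "data": "0x" + "0" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _word(OWNER), _word(SPENDER_ROUTER)], "data": "0x" + "f" * 64},
]
```

Run against real data, the log list comes from a block explorer or eth_getLogs filtered on the Approval topic with your address as the owner; the revoke calldata is sent as a transaction to the token contract itself.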
Verify contract addresses
Scammers deploy contracts with the same name as legitimate ones and promote them in search results and social posts. Always verify the contract address against a project's official documentation or a trusted block explorer before signing. Bookmark the official site — searching every time is a phishing vector.
ENS names are convenience, not security
An ENS name resolves to a wallet address. The name is readable but the underlying address is what matters — MetaMask shows you the resolved address before you confirm, and that's what to verify. An ENS name can point to any address; ownership of the name is not the same as vouching for the destination.
The short rules
| rule | why |
|---|---|
| Never share your recovery phrase | Anyone with it controls the wallet instantly and permanently. |
| Read transactions before confirming | Attackers rely on approval fatigue — the confirm button is the last line of defense. |
| Keep experiments in a throwaway wallet | Contains the blast radius if you make a mistake. |
| Never trust DMs or "support" accounts | Legitimate projects don't DM you first asking you to take action. |
| Revoke old approvals regularly | Unused approvals are dormant risk with no upside. |