Security in Web3

Web3 is a once-in-a-generation opportunity to shift how citizens of the world interact, transact, and entertain themselves. Like with any new journey, participating in this movement is not without risks.

There will be people who try and trick you, similar to bad actors who prey on gullible tourists. Theft and scams are not new, they’ve been around for ages and just permeate industries in different ways. What’s comforting despite that fact is how in web3, you are in control and with awareness, you can learn how to safely navigate this new world with best practices. In this lesson, we’ll discuss some of the key principles you should internalize before embarking on your web3 odyssey.

Attack vectors and how to avoid them

Remember our lesson on self-custody? Well, there’s a reason we covered it early on. One of the most common ways users are exploited in web3 is while navigating the transition from a web2 mental model—you have a username and password, and entrust their safekeeping to a platform—to a web3, self-custody model. Self-custody, empowering as it is, is not without risk.

If you lost your password to your online banking app, your bank, as the custodian of your account and money, could reset it on your behalf, as long as you could prove your identity. With self-custody, however, you hold the only means of proving your identity: your Secret Recovery Phrase (seed phrase). No one else can reset your account for you.

Your Secret Recovery Phrase (SRP) should only ever be in your hands, and yours alone.

Never share it. We cannot stress this enough.

Tricking web3 denizens into handing over or exposing their SRP is one of the most lucrative ways scammers operate. Always be extremely wary of anyone who asks you for it. MetaMask certainly won’t.

By no accident, the other main attack vector also involves capitalizing on the risks of self-custody. It revolves around how you use your MetaMask wallet to give permissions to decentralized applications (dapps) you interact with.

As we explored in the What is a Crypto Wallet lesson, your wallet is fundamentally a tool for managing your identity and permissions. Once you’ve used your wallet to sign permissions over to a third party, they have your immutable consent to do whatever it is they requested. This is why you should be very, very careful when handing out permissions.

One of the most common permissions you’ll sign in MetaMask is a token approval. These transactions come in many forms, but generally give the requesting dapp permission to access a given number of tokens or NFTs. Infamously, long hexadecimal numbers and code are not particularly human-readable, which gives scammers a foot in the door: it’s easier to compel you to approve a malicious transaction if you don’t understand what it entails. Another common tactic is to ask for unlimited access to a token, so once approved, the dapp can remove as much as it pleases from your account since technically, it was granted permission to do so. If the dapp is malicious, your account is drained.

Approvals and permissions are a complex, developing topic. However, if there’s one thing you should remember, it’s this: never approve a transaction proposed by a suspicious dapp, and if you’re unsure, don’t give them unlimited access to a token.
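To make the "long hexadecimal number" behind an approval request concrete, here is an added example (not MetaMask's code) that decodes the calldata of the two standard approval functions, ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)`, and flags the unlimited-allowance case the text warns about. The spender addresses and amounts are constructed for illustration.

```javascript
// Added example, not MetaMask's own code: decode the calldata behind a token
// approval request so the hex becomes readable, and flag unlimited access.
// Only the two standard approval functions are recognised; addresses and
// amounts used below are constructed.
const SELECTORS = {
  "095ea7b3": "erc20-approve",      // approve(address,uint256)
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool), ERC-721/1155
};
const MAX_UINT256 = (1n << 256n) - 1n;  // the value wallets show as "unlimited"

// Return the i-th 32-byte ABI word (as hex) following the 4-byte selector.
function word(hex, i) {
  const w = hex.slice(8 + i * 64, 8 + (i + 1) * 64);
  if (w.length !== 64) throw new Error("truncated calldata");
  return w;
}

function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const kind = SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "unknown", selector: "0x" + hex.slice(0, 8) };
  const spender = "0x" + word(hex, 0).slice(24);  // address is right-aligned in its word
  if (kind === "erc20-approve") {
    const amount = BigInt("0x" + word(hex, 1));
    return { kind, spender, amount, unlimited: amount === MAX_UINT256 };
  }
  const approved = BigInt("0x" + word(hex, 1)) !== 0n;
  // Approving an operator for every NFT in a collection is unlimited by definition.
  return { kind, spender, approved, unlimited: approved };
}

// Build approve(spender, amount) calldata; used here to produce sample requests.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + amount.toString(16).padStart(64, "0");
}

// One-line verdict a wallet-side checker could show next to the request.
function describe(calldata) {
  const d = decodeApproval(calldata);
  if (d.kind === "unknown") return `unrecognised call ${d.selector}: do not approve blindly`;
  if (d.unlimited) return `UNLIMITED access to ${d.kind === "erc20-approve" ? "tokens" : "all NFTs"} for ${d.spender}`;
  if (d.kind === "erc20-approve") return `allowance of ${d.amount} base units for ${d.spender}`;
  return `revokes operator approval for ${d.spender}`;
}

const SPENDER = "0x1111111111111111111111111111111111111111";  // constructed address
console.log(describe(encodeApprove(SPENDER, MAX_UINT256)));       // flagged as unlimited
console.log(describe(encodeApprove(SPENDER, 1000n * 10n ** 18n))); // bounded allowance
```

Real wallets show the same distinction in their approval screen; the point of the decoder is that "unlimited" is a specific value (2^256 - 1) you can recognise, not just a vague warning.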

To read up more on token approvals, see the resources under Dive deeper.

Don’t take the bait

You can significantly boost your web3 safety if you learn the telltale signs of malicious activity. There are many ways scammers stand out — both deliberately and inadvertently. Here are just a few:

  • Urgent demands: Using time pressure to create urgency with deadlines or cut-off dates

  • FOMO: Promising unrealistic returns, airdrops, or allowlisting

  • Impersonation: Mimicking well-known protocols, projects, and people

  • Rough around the edges: Poor grammar, web design, or unprofessional branding generally

  • Unexpected messaging: Requests for money, excessive enthusiasm, and desperation for your involvement.

Always remember: if something seems too good to be true, it probably is.

Hardware wallets: An additional layer of security

Self-custody means you need to implement your own security. No one else can do that for you. No one can back up your account if you lose access to it or retrieve your funds for you if your tokens are stolen. Just you and whoever else has access to your Secret Recovery Phrase (SRP). It’s a big responsibility, but one you have the honor of learning about and experiencing as web3 takes root worldwide.

MetaMask prioritizes user security above all else. You can see this in the wallet itself, which warns you when you’re about to do something dangerous; in the development of tools like LavaMoat, which help secure the wallet’s own code; and in educational efforts like this one. There are additional options available, as well, that add another layer of security between you and the bad guys.

Enter hardware wallets—physical devices outside of your computer that secure your accounts’ private keys. They are disconnected from other online things you typically do on your phone and laptop like check your email, download apps, and browse the internet for funny cat videos.

You can connect these hardware wallets with MetaMask for flexibility while you conduct web3 activities. Browse dapps with MetaMask, and sign transactions on your hardware wallet.

Combining a hardware wallet with MetaMask (a software wallet) allows you to enhance security as you wield more responsibility in your self-custody journey.

Strengthen your practical security knowledge and gauge your understanding of hardware wallets in this informative Ledger Quest.

Interactive examples (simulated scam screens shown on the page): a countdown reading “remaining to claim this limited-time offer”; a pop-up reading “You win a free MetaMask Learn NFT. Paste your private key here to claim the free NFT.”; and a mock staking prompt, “Let’s try staking your ETH, choose your preferred staking provider”, listing Mega Staked ETH at 23.68% rewards alongside Lido Staked ETH at 6.68% and Rocket Pool Staked ETH at 5.83%.

Takeaways

  • Self-custody, while empowering, has risks and requires proper security measures on my end.

  • The two most common web3 attacks I could face are bad actors trying to get my Secret Recovery Phrase and obtaining unwanted token approvals from me.

  • A hardware wallet is a good first step toward enhancing my web3 security.
