What a wallet actually is
A wallet is a key manager, not a bank account. Your seed phrase (12 or 24 words) deterministically generates every private key and address you will ever use from that wallet. The wallet app signs transactions locally; funds live on the blockchain at your address.
- Private key → public key → address. Never share the private key or seed.
- One seed can control many accounts (derivation paths like m/44'/60'/0'/0/0).
- Losing the seed means permanent loss of access — no password reset exists.
Hot, warm, and cold storage
Hot wallets (browser extensions, mobile apps) are convenient for daily use but exposed to malware and phishing. Hardware wallets keep the seed on a dedicated device that never exposes it to your computer. For meaningful holdings, sign with hardware and treat hot wallets as checking accounts.
- Browser extensions are convenient but vulnerable to malicious sites requesting signatures.
- Hardware wallets show transaction details on a trusted screen — verify address and amount there.
- Multisig (e.g. Gnosis Safe) spreads control across multiple keys for treasuries.
Storing your seed
Write the seed on paper or stamped metal. Store copies in separate physical locations. Never photograph it, email it, save it in iCloud, or paste it into any website — including sites that claim to be 'wallet sync' or 'airdrop verification' tools.
- Split storage: two halves in two places beats one perfect hiding spot.
- Metal backups survive fire and flood better than paper.
- Passphrases (BIP39 25th word) add a hidden wallet layer — memorize it, do not write it beside the seed.
Transaction hygiene
Every signature is a potential approval. Before confirming, check the chain, the recipient address, and what permissions you grant. Revoke stale token approvals periodically. Bookmark official sites — search-engine ads often point to phishing clones.
- Read the full simulation in your wallet — 'SetApprovalForAll' on NFTs is especially dangerous.
- Verify contract addresses against official docs, not pinned Discord messages.
- Use address checksums (EIP-55) to catch copy-paste errors.
Smart contract wallets (preview)
EOAs are simple key pairs. Smart contract wallets (account abstraction, ERC-4337) add programmability: social recovery, spending limits, and session keys. They are not magic — the contract code defines the rules — but they reduce single-seed catastrophic failure for mainstream users.
- Recovery guardians can rotate keys without a seed phrase on a new phone.
- Spending limits cap daily outflows even if one session key leaks.
- You will meet AA in depth later — it does not replace seed hygiene for EOAs today.
Incident response
If you suspect compromise, move remaining assets immediately to a fresh wallet generated offline with a new seed. Do not reuse the old seed. Revoke approvals from the compromised address using a tool like revoke.cash. Document addresses for law enforcement if amounts are large — recovery is rare but not impossible.
- Speed matters: attackers often drain within minutes of seed exposure.
- A new seed means new addresses — update bookmarks and whitelists.
- Never 'verify' a compromised wallet on a scam site — that is how the drain started.
