Crypto's self-custody model means there's no fraud department to call and no chargebacks. When funds are gone, they're gone. Understanding how attacks work is the most effective defense.
Phishing: The Most Common Attack
Phishing in crypto usually targets your seed phrase or gets you to sign a malicious transaction.
Fake websites — Scammers buy domains like "soverignswap.xyz" or "phantomwallet.app" that look identical to real sites. When you connect your wallet, they either ask for your seed phrase (never enter this anywhere) or present a malicious transaction disguised as a normal one.
How to avoid: Bookmark the real URLs. Never click links from Discord, Telegram, or Twitter DMs. Check the URL carefully before connecting your wallet.
Fake support — In Discord or Telegram, scammers impersonate official support. They ask you to "verify" your wallet or share your screen. Real support never asks for your seed phrase or private key.
How to avoid: Official support is in official channels only. Never share your screen with a support contact. Never enter your seed phrase in any website or app.
Malicious Transaction Approvals
This is the most technically sophisticated attack and increasingly common.
When you interact with a DeFi protocol, you often sign an "approval" — giving the contract permission to move your tokens. A malicious contract can request unlimited approval over all your tokens, then drain your wallet in a follow-up transaction.
Signs of a malicious approval:
- The approval amount is very large or "unlimited" for a protocol you've never used
- The contract address is unverified on Basescan/Solscan
- You're being asked to approve tokens for a protocol unrelated to what you're doing
How to avoid:
- Use Revoke.cash to regularly audit and revoke token approvals
- Check contract addresses on explorers before signing
- Use a hardware wallet — Ledger shows decoded transaction data so you see exactly what you're signing
Rug Pulls
A rug pull is when developers launch a token or protocol, attract liquidity, then drain the funds and disappear.
Signs:
- Anonymous team with no track record
- No audit or audit by unknown firm
- Locked liquidity "only for 30 days"
- Contracts not verified on-chain
- No gradual token unlock — team holds large % unlocked immediately
- Massive yields with no clear revenue source
How to avoid: Research before depositing. Check if the contract is verified and audited. Look up the team's history. If the yield seems impossibly high and the project is a week old, it's probably a rug.
Fake Bridges and Cross-Chain Scams
Bridges are a high-value target — they hold large amounts of locked funds and involve complex cross-chain state.
Fake bridge sites mirror real bridge UIs but route your funds to an attacker's address. Scammers promote them heavily during new chain launches when users are searching for bridge options.
How to avoid: Only use bridges listed on the official documentation of the chain you're bridging to. For Base, use bridge.base.org or Across (linked from base.org). For Solana→Base, use resources from official docs.
Official Solana to Base bridge guide →
Honey Pots
A honey pot token lets anyone buy but blocks sells. The price pumps as buyers come in; no one can exit. Scammers dump their pre-mined allocation at the peak.
How to spot: Before buying any unknown token, check it on honeypot.is or rug.io. Try a small test buy + sell before committing. Check the contract for hidden transfer restrictions.
Social Engineering ("Pig Butchering")
Long-con romance or friendship scams that build trust over weeks before introducing a "investment opportunity." They show you fake gains on a fake platform, encourage larger deposits, then disappear.
Signs: Unsolicited contact on social media or dating apps. Too-good-to-be-true returns. Urgency to deposit more. Requests to use a specific platform you've never heard of.
How to avoid: Never invest based on advice from someone you haven't met in person. Never use a platform that wasn't recommended by people you already trust.
Security Checklist for DeFi
- Seed phrase: Written on paper only, stored offline, never digitally typed or photographed
- Hardware wallet: Use Ledger for holdings over $500
- Bookmark real URLs: Phantom.app, Jupiter.ag, SovereignSwap, your exchange
- Token approvals: Revoke.cash audit quarterly
- Verify contracts: Always check on Solscan/Basescan before signing
- Test first: Send a small amount before large transfers to new addresses
- Two wallets: One "hot" wallet for DeFi interactions, one "cold" wallet for storage
What to Do If You're Compromised
If you believe your wallet is compromised:
- Immediately create a new wallet with a fresh seed phrase
- Transfer all assets to the new wallet from a clean device
- Revoke all token approvals on the compromised wallet
- Report the scam on the protocol's official Discord
The faster you move, the more you save. Time is the only variable you control.