Crypto Wallet Safety
The Frog Team recommends that you follow these for your safety.
Last updated
MetaMask is code installed into the browser. It stores an encrypted copy of your private key on disk (this is why you have to enter a password to unlock it). MetaMask also tells websites how to interact with it. When you go to a website and "connect" to it, that is just the website saying "hey MetaMask, ask the user if it's ok if I know their public address". If you connect, it knows your public address. Nothing is compromised and nothing moves.
A connected site cannot steal your stuff unless you sign something.
It is possible for a scam site to compromise your wallet in other ways though, even if you didn't sign a transaction. See Different Kinds of Attacks for more.
Get a hardware wallet. It's more expensive and not as quick and easy to use, but it is the safest thing you can possibly do to protect your assets.
Write down your hardware wallet seed phrase with pen and paper (not in your notes app, not in an email, don't take a picture of it, not in your LastPass). Store the note in a firesafe box (or several copies in several boxes) in a secure location, like you would with your will or other precious documents. NEVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER enter your seed phrase into a computer anywhere.
Don't click links. Always go to the site directly. (e.g. if Coinbase emails you asking you to log in, type their site into your browser's URL bar yourself - don't use the email link.)
Keeping a HOT and COLD wallet can help. The hot wallet can be MetaMask and be on your phone for a degen on the go. The cold wallet should be a hardware wallet (like a Ledger or Trezor). You can treat the cold wallet like a vault: one way in, no way out. (Check out the image below.)
Always check what you are signing. This can be challenging sometimes, especially on a hardware wallet. One strategy is to nickname common contracts & addresses in MetaMask. For instance, if you nickname the FROGS contract FROGS and then you go to another site and it asks you to sign a transaction going to the FROGS contract, you know something is up.
Token revocation can help, but this can also be a source for scams. Revoke.cash is a well known and great site, but those sites go down fast under heavy load. Vaulting is a better approach, but requires planning.
Disconnecting from sites you are no longer using is good practice, but it's not that useful. The attack here is that you are connected to a site with more than one account, and the site proposes a transaction for Account 2 to sign instead of Account 1. If you have nicknamed your accounts and are checking what you are signing, this is avoidable.
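The nickname strategy and the Account 1 / Account 2 switch described above, as an added example that is not Frog Team code: a small "what am I about to sign?" checker run over a transaction request in the shape MetaMask passes to eth_sendTransaction ({from, to, value, data}). The address book, site names and every address in it are constructed placeholders, not real contracts; the ERC-20 approve selector (0x095ea7b3) is the real one, so the checker can also spell out unlimited token approvals, which is what token revocation sites exist to clean up.

```javascript
// Added example, not the Frog Team's code. Checks a pending request against the
// nicknames the user gave their accounts and known contracts.
const ERC20_APPROVE_SELECTOR = '0x095ea7b3'; // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed address book (placeholder addresses): nickname plus the sites that
// are expected to send transactions to that address.
const addressBook = {
  '0x1111111111111111111111111111111111111111': { name: 'FROGS contract', sites: ['frogs.example'] },
  '0x2222222222222222222222222222222222222222': { name: 'Account 1 (hot)', sites: [] },
  '0x3333333333333333333333333333333333333333': { name: 'Account 2 (vault)', sites: [] },
};

function nickname(addr) {
  const entry = addressBook[addr.toLowerCase()];
  return entry ? entry.name : `UNKNOWN ${addr}`;
}

// Returns human-readable warnings for a request that site `origin` is asking
// the wallet to sign; `expectedFrom` is the account the user meant to use.
function reviewRequest(tx, origin, expectedFrom) {
  const warnings = [];
  const known = addressBook[(tx.to || '').toLowerCase()];
  if (!known) warnings.push(`recipient ${tx.to} has no nickname: verify it before signing`);
  else if (known.sites.length && !known.sites.includes(origin))
    warnings.push(`${origin} is asking for a transaction to ${known.name}: something is up`);
  if (expectedFrom && tx.from.toLowerCase() !== expectedFrom.toLowerCase())
    warnings.push(`request is for ${nickname(tx.from)}, not ${nickname(expectedFrom)}`);
  // Decode approve(spender, amount): 4-byte selector, then two 32-byte words.
  const data = (tx.data || '0x').toLowerCase();
  if (data.startsWith(ERC20_APPROVE_SELECTOR) && data.length >= 138) {
    const spender = '0x' + data.slice(34, 74);        // low 20 bytes of word 1
    const amount = BigInt('0x' + data.slice(74, 138)); // word 2
    const shown = amount === MAX_UINT256 ? 'UNLIMITED' : amount.toString();
    warnings.push(`token approval of ${shown} to ${nickname(spender)}`);
  }
  return warnings;
}

// Constructed request: a strange site asks the vault account to give an unknown
// spender an unlimited approval on the FROGS contract.
const sampleRequest = {
  from: '0x3333333333333333333333333333333333333333',
  to: '0x1111111111111111111111111111111111111111',
  value: '0x0',
  data: ERC20_APPROVE_SELECTOR + '0'.repeat(24)
    + '4444444444444444444444444444444444444444' + 'f'.repeat(64),
};
console.log(reviewRequest(sampleRequest, 'mint-free-frogs.example', '0x2222222222222222222222222222222222222222'));
```

Run with `node`; each warning is the kind of line the nickname strategy lets you spot by eye in the MetaMask confirmation dialog.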
This is a good article on all the ins and outs of how to keep your MetaMask safe https://coinguides.org/metamask-security/