
Security Checklist Before You Sign: What to Check Before You Sign a Crypto Transaction

September 28, 2025

Clicking «Sign» or «Confirm» should never be automatic. One bad signature can empty your wallet, grant unlimited access to your tokens, or bind you to an off-chain agreement you never intended. This quick checklist helps you sanity-check every on-chain (and many off-chain) signature, whether you’re trading on a DEX, minting an NFT, depositing into a yield vault, or just connecting a new app.


1) Environment and Identity

  • URL hygiene: Type the site by hand or use bookmarks you trust. Look out for typos, extra letters, and subdomains like «app-project.io.login.xyz.»
  • TLS and impersonation: The lock icon is there, the certificate looks normal, and the social links go to official channels.
  • Extension sanity: Turn off any wallet extensions you don’t use. Make sure you’re using the right wallet (no duplicate or shadow icons).
  • Device posture: The OS and browser are up to date, there are no unknown extensions, password-manager autofill looks normal, and the VPN is off when you’re not on public Wi-Fi. Did you get here through an ad, an unsolicited DM, or a QR code in a tweet? If so, discard that link and navigate from the project’s verified website or GitHub instead.

2) Session for Wallet

  • Right account: Make sure the From address is correct, especially if you have more than one account or hardware path.
  • Correct network/chain ID: The app’s chain (like Ethereum, Arbitrum, BSC, Polygon, or Solana) should match your wallet selector. Be careful of silent chain switches.
  • Hardware wallet display: Confirm on the screen of a hardware wallet for actions that move value. If the details look cut off or generic, stop.
  • WalletConnect safety: Make sure the session domain that the wallet shows you is the same as the one you are on; don’t accept old sessions.

3) Transaction Metadata (the basics)

  • To / Contract address: Check the official documents, the explorer, or the pinned announcements to see if they match. Choose explorers with «verified contracts.»
  • Function being called: Swap, approve, deposit, mint, bridge, claim, or setApprovalForAll? Know what the call does before you sign.
  • Amount & asset: Check the ticker and the token contract address (beware of look-alike tokens).
  • Slippage and deadline: Keep slippage small (e.g., under 1% for majors) and the deadline short (minutes, not days).
  • Gas and priority fees: Fees should look normal for current network congestion; gas that is far too high or too low can be a sign of trouble.
  • Nonce and replacement: If you manage nonces, make sure you don’t accidentally replace another transaction.

4) Approvals (the number one drain vector)

  • Unlimited approvals? Try to avoid giving out blanket «infinite» approvals. Set a «spend limit» (allowance) that is the amount you want to spend plus a little extra.
  • Address of the spender: The «spender» should be the intended router or vault, not an unknown EOA. Check again on the block explorer.
  • setApprovalForAll (NFTs): This grants full control over the entire collection. Approve only trustworthy marketplaces or escrow contracts, and revoke the approval afterwards.
  • Permit signatures (EIP-2612 / Permit2): These off-chain approvals take effect once someone submits them on-chain, and from then on they let tokens move. Check that the typed data has the right domain, «spender,» token, value, and expiration (deadline).

After the task, revoke. Use a permission manager (like «Token Approvals» on major explorers) to revoke stale allowances every once in a while.
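Sections 3 and 4 boil down to decoding the approval call before you confirm it. As an added example (not code from the original post), this inspector decodes `approve` and `setApprovalForAll` calldata, compares the spender with a list you verified yourself, and flags infinite or oversized allowances; the selectors are the real 4-byte function IDs, while the allowlist address and the sample calldata are constructed.

```javascript
// Added example, not code from the original post: a pre-sign inspector for the
// two approval calls the checklist warns about. Selectors are the real 4-byte IDs;
// the spender allowlist and all sample calldata are constructed for illustration.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
// Hypothetical allowlist: routers/vaults you verified on a block explorer.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// i-th 32-byte ABI word after the 4-byte selector (hex without the 0x prefix).
function word(hex, i) {
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// Returns null for non-approval calls, otherwise { fn, spender, value, warnings }.
// intendedAmount (BigInt, optional) is the amount you actually plan to spend.
function inspectApproval(calldata, intendedAmount) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn || hex.length < 8 + 2 * 64) return null;
  const spender = "0x" + word(hex, 0).slice(24);   // address = low 20 bytes of word 0
  const value = BigInt("0x" + word(hex, 1));        // uint256 amount, or bool for ForAll
  const warnings = [];
  if (!KNOWN_SPENDERS.has(spender)) warnings.push("spender is not on your verified list");
  if (fn.startsWith("setApprovalForAll") && value === 1n)
    warnings.push("grants operator control over the whole collection");
  if (fn.startsWith("approve")) {
    if (value === MAX_UINT256) warnings.push("unlimited allowance");
    else if (intendedAmount !== undefined && value > intendedAmount * 2n)
      warnings.push("allowance far exceeds the amount you intend to spend");
  }
  return { fn, spender, value, warnings };
}

// Builds approve() calldata the way a dApp would, to construct sample requests.
function encodeApprove(spender, value) {
  return "0x095ea7b3" + spender.slice(2).toLowerCase().padStart(64, "0")
    + value.toString(16).padStart(64, "0");
}

// Constructed request: an infinite approval to an unverified spender (two warnings).
const SAMPLE_BAD = encodeApprove("0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead", MAX_UINT256);
```

Wallet simulators and explorer decoders do the same decoding for you; the point is to read the spender and the value, not just the function name.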


5) Checking and simulating contracts

  • Verified source: The contract on the explorer shows verified code whose bytecode matches; note whether it uses a proxy pattern (EIP-1967 or similar).
  • Implementation contract: If it’s a proxy, open the implementation address; that’s where the logic lives.
  • Deployer & admin keys: Who can upgrade or pause? Is there a timelock? Single EOA or multisig? Centralized power means higher risk.
  • Audits and bounties: Look for audits that are well-known (multiple, recent) and bug bounties that are still going on. Audits don’t guarantee anything, but they do help.
  • Dry-run simulation: Use your wallet’s simulator or a third-party tool (if you have one) to see what will happen to your balances, allowances, and transfers before you do it.

6) Bridges, vaults, and basic DeFi concepts

  • Bridges: Prefer canonical or light-client/ZK designs over opaque multisigs. Make sure you receive the «native» asset (e.g., «USDC (native)») rather than an unfamiliar wrapped version.
  • Lending/Leverage: Check the collateral factor (LTV), the oracle source, the liquidation penalty, and the rate mode (stable or variable).
  • Yield vaults: Know the strategy (at least at a high level), the fee stack (for performance and management), and the rules for withdrawing (cooldowns and queues).
  • Restaking/LSTs: Approvals often go from one protocol to another (LST → lending → leverage). Start small, keep an eye on the health factor, and set alerts.

7) NFTs and Mints

  • Collection contract: Make sure you’re minting from the real collection contract, not a fake one that looks like it.
  • Mint function: Read the calldata fields, including quantity and price per mint. Do the caps and total supply look right?
  • Royalties/Operator filter: Be careful with universal operator approvals and understand what they mean for resale in the marketplace.

8) Off-Chain Signatures (SIWE, Orders, Listings)

  • Sign In With Ethereum (SIWE): Your typed message should have your address, domain, statement, nonce, chain ID, and short expiry. Are there any token approvals in SIWE? (There shouldn’t be.)
  • Order/listing signatures: You might have to sign orders at marketplaces that can be sent later. Check the collection, token ID, price, currency, and expiration.
  • Opaque messages: Never sign raw hex or messages you don’t understand. Stop if your wallet can’t render the typed data clearly.
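The Permit check from section 4 and the SIWE check above are both mechanical once the fields are in front of you. As an added example (not code from the original post), these two functions run the checks on an EIP-2612 Permit (EIP-712 typed data) and on a Sign-In With Ethereum message (EIP-4361); the field names come from those standards, while the sample addresses, the site origin, the timestamps and the 30-minute permit policy are constructed.

```javascript
// Added example, not code from the original post: checks a wallet (or you) would
// run on two off-chain requests, an EIP-2612 Permit and an EIP-4361 SIWE message.
// Field names follow the standards; sample data, origin and policy are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_PERMIT_SECONDS = 30 * 60;   // hypothetical policy: a permit should expire within 30 min

// typedData = { domain: { chainId, ... }, primaryType, message }; ctx = { chainId,
// expectedSpender, now } with now in unix seconds. Returns a list of warnings.
function checkPermit(typedData, ctx) {
  const { domain, primaryType, message } = typedData;
  const w = [];
  if (primaryType !== "Permit") w.push("not a Permit; read the primaryType");
  if (Number(domain.chainId) !== ctx.chainId) w.push("domain chainId differs from wallet chain");
  if (String(message.spender).toLowerCase() !== ctx.expectedSpender.toLowerCase())
    w.push("spender is not the contract you intend to use");
  if (BigInt(message.value) === MAX_UINT256) w.push("unlimited permit value");
  const ttl = Number(message.deadline) - ctx.now;
  if (ttl > MAX_PERMIT_SECONDS) w.push(`deadline is ${Math.round(ttl / 3600)}h away`);
  return w;
}

// ctx = { origin, address, chainId, now }; returns warnings for an EIP-4361 message.
function checkSiwe(text, ctx) {
  const lines = text.split("\n");
  const field = (k) => (text.match(new RegExp(`^${k}: (.*)$`, "m")) || [])[1];
  const w = [];
  const domain = lines[0].split(" wants you to sign in")[0];   // line 1 names the domain
  if (domain !== ctx.origin) w.push(`message domain ${domain} is not the site you are on`);
  if ((lines[1] || "").toLowerCase() !== ctx.address.toLowerCase()) w.push("address is not your account");
  if (Number(field("Chain ID")) !== ctx.chainId) w.push("chain ID mismatch");
  if (!field("Nonce") || field("Nonce").length < 8) w.push("missing or weak nonce");
  const exp = field("Expiration Time");
  if (!exp || Date.parse(exp) - ctx.now * 1000 > 24 * 3600 * 1000) w.push("no short expiry");
  return w;
}

// Constructed samples: a well-formed SIWE request and a permit carrying two red flags.
const SAMPLE_ADDR = "0x" + "ab".repeat(20);
const NOW = Date.parse("2025-09-28T10:00:00Z") / 1000;
const SAMPLE_SIWE = [
  "app.example.org wants you to sign in with your Ethereum account:", SAMPLE_ADDR, "",
  "Sign in to Example App", "", "URI: https://app.example.org", "Version: 1",
  "Chain ID: 1", "Nonce: 8fK2pQxZ9a", "Issued At: 2025-09-28T10:00:00Z",
  "Expiration Time: 2025-09-28T10:10:00Z",
].join("\n");
const SAMPLE_PERMIT = {
  domain: { name: "Example Token", chainId: 1, verifyingContract: "0x" + "22".repeat(20) },
  primaryType: "Permit",
  message: { owner: SAMPLE_ADDR, spender: "0x" + "33".repeat(20), value: MAX_UINT256.toString(),
             nonce: 0, deadline: NOW + 365 * 86400 },   // unlimited value, one-year deadline
};
```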

9) Numbers That Should Make You Stop

  • «Too-good-to-be-true» yields or «urgent claim» pop-ups.
  • «Max slippage ≥10%» without a reason.
  • Unlimited approvals for contracts that aren’t known.
  • Bridge routes with more than one hop or hard-to-find wrapped tickers.
  • Gas fee = 0 or far above normal.
  • Unverified contracts, or new contracts with no history.

10) Last 30 seconds before takeoff

  • ✅ URL and domain checked (using a bookmark).
  • ✅ The «from» address and «network» are both correct.
  • ✅ To contract checked; proxy implementation looked over.
  • ✅ Function & params match what you want (amount, token, slippage, deadline).
  • ✅ Spender for approvals is right; limit set (not infinite).
  • ✅ The fees seem fair; you can afford gas and the value.
  • ✅ Simulation shows the expected balance and allowance changes.
  • ✅ Hardware wallet screen shows what you expect to see.
  • ✅ Screenshots/tx hash saved in case you need them for support.

After You Sign

  • Keep an eye on the tx on an explorer (status, logs, token transfers).
  • Revoke temporary approvals when you’re done.
  • Keep records: Track tx hashes, contract addresses, and notes (this helps with audits, taxes, and support).
  • Set up alerts: For big transfers or approvals that involve your address, use wallet or explorer notifications.

Emergency Plan

  • Wrong approval or suspicious tx: Immediately revoke the allowance (use a different wallet if the one you have now is compromised).
  • Phished seed or signed malicious permit: Move any remaining assets to a fresh wallet (new seed) right away and only approve from the new wallet.
  • Drained hot wallet: Treat the device as compromised; restore from seed to a hardware wallet and rotate all allowances.
  • Support evidence: Save hashes, signed messages, domains, and timestamps. If necessary, report to marketplaces or bridges.

Bottom line: going slow makes you fast. A 60-second pass through URL → Network → Contract → Function → Amounts → Approvals → Fees stops most exploits. Make this checklist a habit and most «gotchas» won’t get past your Sign button.