
Safety and security for DeFi and web3

How to stay safe when you connect your wallet to dApps and web3 apps. Best security practices to follow in web3.

Essential information to help you stay safe when using dApps and web3 apps.

Need a crypto wallet that gives you full control of your assets? You can download Exodus here.

  • Never enter your 12-word secret key or private keys into a web3 app. If a web3 app requests them, it is trying to steal your crypto.

  • In Exodus Mobile, connecting to web3 apps with the web3 browser or WalletConnect is only available if you created your wallet before April 22, 2026.



What happens when I approve web3 permissions?

When you connect your wallet to a web3 app, you’ll often be asked to approve certain requests or permissions. This is because you're interacting with the app through smart contracts, not directly sending funds to the app yourself.

These smart contract permissions may allow the web3 app to make changes or take actions on your behalf, initiate transactions, or even spend your funds, depending on the conditions you approve.

The exact actions and conditions are typically outlined in the web3 app's documentation, which is available for public review. The design and behavior of these smart contracts are critical to how a web3 app functions.

It's important to note that approving these web3 permissions can introduce risks. When granting a web3 app access to your wallet and its funds, you trust its smart contracts to work as intended and not act maliciously. Always review and approve permissions only from web3 apps you trust.

In this article, we'll go over some of the risks of using web3 apps and DeFi platforms and what you can do to help yourself stay safe.

Exodus is a self-custody software wallet that provides the interface for connecting to the world of DeFi and web3. Web3 apps are platforms that are external to Exodus, so make sure you do your own research before connecting!


Why do I see an unsafe connection or transaction warning?

With the web3 browser and WalletConnect in Exodus Mobile or with Exodus Web3 Wallet, you might see a warning if you try to connect to a suspicious web3 app or approve a risky web3 request.

Exodus can also simulate certain web3 requests to estimate what might happen if you approve them. If Exodus detects it's unsafe, you may see a warning.

When using the web3 browser in Exodus Mobile, you might also see a warning when visiting websites that Exodus has detected as unsafe.

These warnings appear because approving unsafe web3 requests puts your crypto at risk. For instance, they could change the permissions or ownership of your account, or grant the web3 app full access to your funds.

To protect the funds in your wallet, only visit, connect to, and approve transactions from web3 apps you fully trust.

If Exodus detects an unsafe connection or transaction, you'll see a warning like the ones shown in the examples below:

Mobile
If Exodus Mobile detects an unsafe connection, or if you visit an unsafe website with the web3 browser, you'll see a warning and won't be able to connect to the web3 app or visit the website.


If an unsafe transaction is detected, tap Reject to cancel the request.

Web3 Wallet
If Exodus Web3 Wallet detects an unsafe connection, you can click Cancel to avoid connecting to the web3 app.


If an unsafe transaction is detected, click Reject to cancel the request.


What are the risks of using DeFi?

Hacks

Determined hackers may try to exploit vulnerabilities in a web3 app or DeFi platform. These weaknesses can include bugs in the code or the way the web3 app uses oracles. If a web3 app is hacked, attackers may be able to interfere with its normal operation.

Even though web3 or DeFi platforms don't hold your funds directly, using them typically requires you to interact with smart contracts. When you approve these smart contracts, you often give the web3 apps permission to take certain actions or use funds under certain conditions. A hacker might try to exploit this by artificially meeting the conditions in an attempt to steal your funds.


Scams

In some cases, malicious actors or scammers might create web3 apps or DeFi platforms to deceive users or steal funds. These malicious platforms might look legitimate, but they can contain hidden vulnerabilities or backdoor functions that could put your funds at risk if you connect your wallet and approve their permissions.

To stay safe, always do your own research before using a web3 app or DeFi platform, and never connect to any platform you don't fully trust. To learn more, see the section below: Do your own research.


Bugs

As with any platform or software, a web3 app may contain bugs, vulnerabilities, or potential exploits if it has flaws in its design or development.

If such issues exist, they could compromise the security of the users, put their funds at risk, or cause the platform to behave unexpectedly.

Only use web3 apps and DeFi platforms you fully trust to stay safe.


Impermanent loss

Impermanent loss refers to the loss you can experience when you provide assets to a liquidity pool (for example, through yield farming) and the price of one or both assets changes after you deposit them. Let's look at an example.

Liquidity pools often require you to provide an equal value of two assets. Let's say 1 SOL is $100, and you supply 1 SOL and 100 USDC.

Imagine the SOL price increases to $400. Traders will buy the cheaper SOL from your pool by depositing USDC. As they continue to buy, the ratio of the tokens in the pool changes, and the price of SOL will gradually increase within the pool until it matches the new SOL market price.

The pool rebalances from 1 SOL and 100 USDC (worth $200 at the time of deposit) to 0.5 SOL and 200 USDC ($400 total), reflecting the new price of SOL at $400. While it might seem like a $200 gain, if you had held your original 1 SOL and 100 USDC, they would now be worth $500.

This $100 difference is what’s known as impermanent loss, and it can occur when you provide assets to a liquidity pool and the price of the assets increases or decreases.

The loss will only occur if you withdraw your assets from the liquidity pool. For example, should the SOL price drop back to $100, you could withdraw 1 SOL and 100 USDC again.

Users who provide liquidity are often rewarded with a share of the exchange fees collected by the decentralized exchange (DEX). Some users feel the potential rewards are worth it, even with the risk of impermanent loss.

Providing stablecoin pairs (like USDC/USDT) is also common. Since stablecoins aim to maintain a stable price, the possibility of impermanent loss may be lower compared to more volatile assets.
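To check the numbers in the scenario above, here is a small added example (not from the article) that models the pool as a constant-product AMM (x * y = k), the design implied by traders rebalancing the pool until its price matches the market; it also covers a price decrease, which the text mentions but does not work through.

```python
import math

def pool_after_price_change(sol_in, usdc_in, new_price):
    """Constant-product pool (x * y = k): arbitrage trades move the pool's
    internal price to the new market price, so the holdings become
    sol = sqrt(k / p) and usdc = sqrt(k * p)."""
    k = sol_in * usdc_in
    return math.sqrt(k / new_price), math.sqrt(k * new_price)

def impermanent_loss(sol_in, usdc_in, new_price):
    """Compare the liquidity position with simply holding the deposited assets."""
    sol_out, usdc_out = pool_after_price_change(sol_in, usdc_in, new_price)
    pool_value = sol_out * new_price + usdc_out
    hold_value = sol_in * new_price + usdc_in
    loss = hold_value - pool_value
    return {
        "pool_sol": sol_out,
        "pool_usdc": usdc_out,
        "pool_value": pool_value,
        "hold_value": hold_value,
        "impermanent_loss": loss,
        "loss_pct": 100 * loss / hold_value,
    }

if __name__ == "__main__":
    # The article's scenario: deposit 1 SOL + 100 USDC at $100, then SOL moves.
    for price in (400, 100, 25):
        r = impermanent_loss(1, 100, price)
        print(f"SOL at ${price}: pool ${r['pool_value']:.0f}, hold ${r['hold_value']:.0f}, "
              f"impermanent loss ${r['impermanent_loss']:.0f} ({r['loss_pct']:.1f}%)")
```

Note that a 4x rise and a 4x fall produce the same 20% loss relative to holding: impermanent loss depends only on how far the price ratio moves, not its direction.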


Intrinsic protocol risk

Intrinsic protocol risk means that even when a platform works exactly as intended, its design and underlying mechanics can still expose users to risk. This could lead to unfavorable outcomes, such as loss of funds, because of how the platform is structured, even without any bugs or malicious activity.

When you engage with a DeFi smart contract, you're giving it permission to transact your assets when certain conditions are met. You can learn more about how this works here: How is DeFi non-custodial?

For example, say you take out an overcollateralized loan through a lending protocol. You deposit 1 ETH valued at $2,000. Since you can borrow up to 50% of your collateral's value, you borrow $1,000 worth of Dai.

Now, say the price of ETH falls by just one dollar and you cannot provide more ETH as collateral. The protocol could liquidate your ETH because your collateral is no longer sufficient for the amount you borrowed.

Your collateral could also be liquidated if you fail to pay back what you borrowed at the specified time.

This is an inherent protocol risk. While these DeFi protocols function as expected and can be great financial tools, they also carry risks if used without proper caution or understanding.

Always do your own research to understand the protocols you use and what conditions may result in an unfavorable outcome.


How do I stay safe using DeFi?

Do your own research

Before using any web3 app or DeFi platform, always do your own research.

Taking some extra time to research and familiarize yourself with how a platform works, including its features and potential risks, can go a long way toward helping you stay safe.

Only connect to web3 apps and DeFi platforms you fully trust, and always double-check that you have accessed them with the correct URL to avoid scams or fake platforms.

Never connect to any web3 app that you don't fully trust.

For more information on researching a web3 app you're interested in, see the sections below.


Read the web3 app's documentation

A web3 app's code and documentation should be transparent and open to the public.

A good place to start researching a web3 app is its documentation. Reading the documents will help you understand how it works and what features it offers. As a web3 app requires your trust, it's crucial that it has good documentation.

After reading a web3 app's documentation, you should be able to answer these questions for yourself:

  • What does this web3 app do?

  • What are the potential risks involved?

  • Under what conditions can it access funds in my wallet?

  • Does this web3 app have a community I can engage with?

If you cannot answer these questions after reading a web3 app's documentation, you should do more research before choosing to use that web3 app.


Check if the web3 app has been audited

Several tools and websites audit different web3 apps to check for security flaws, assess whether the developers are trustworthy, or flag other issues a web3 app may have.

Here is a list of different auditing tools you may find helpful when researching a web3 app:

  • DeFi Safety: A website that posts reports and safety scores on DeFi projects.

  • SourceHat: A platform that performs and publishes DeFi project audits.

  • Coinsniper: A resource with more information on how to protect against common DeFi scams.


Research the developers of the web3 app

When conducting your own research, it’s a good idea to check whether the team’s identity is publicly known and whether the members are real people.

It is often a good sign if the developers are publicly known, as it means they can be held responsible if something intentionally malicious occurs with the web3 app.


Look into the web3 app's community

Another place to check when researching a web3 app is its community pages.

Check if a web3 app has an X (formerly Twitter) account or Discord page where you can ask community members about their experience.

However, if a web3 app's social media pages are full of spam posts or activity unrelated to crypto, it could be a sign that the community is inactive or unmoderated, both of which could indicate that the web3 app may not be trustworthy.


Exercise caution and be prepared

Once you've researched a web3 app to which you want to connect your wallet, you should still exercise caution.

It's a good idea to invest only funds you are willing and prepared to lose. While a web3 app could appear solid and trustworthy, an update to the code or a newly discovered exploit could compromise your funds.

It also helps to be skeptical of DeFi protocols that promise larger-than-normal returns. If a high APY sounds too good to be true, it probably is. Big numbers alone don't guarantee a good investment, especially if you can't tell where the money comes from.


Disconnect your wallet after each session

Disconnecting your wallet after using a dApp or web3 app is a good security practice. You can always reconnect if you want to use the web3 app again.

Disconnecting ensures the web3 app can't view your wallet's details, such as token balances and public addresses.

For help with disconnecting your Exodus wallet from web3 apps, you can check out our guides below:

However, remember that disconnecting from a web3 app will not revoke any smart contract permissions or token allowances.


Never make a connection with your 12-word secret key

When connecting your Exodus wallet with a dApp or web3 app, you shouldn't be asked to enter your 12-word secret key or any of your private keys to connect to the web3 app.

If you are asked to share this information, it is a scam trying to steal your funds.

Never enter your 12-word secret key or private keys into a web3 app!


Revoke web3 app permissions you no longer use or trust

Smart contracts and token allowances allow web3 apps to perform actions on your behalf, such as moving tokens or NFTs.

Always remove permissions you don't trust. It's also a good security practice to remove permissions you no longer use.

If a web3 app is compromised or exploited, and you haven't revoked its smart contract and token permissions, your funds might be at risk.

There are several ways you can revoke permissions. In most cases, the easiest way is through a specialized website built for viewing and revoking web3 app permissions.
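As an added example (not Exodus code, and not what any revoke website runs), the following decodes an EVM approval request the way a wallet's simulation step might before deciding to show a warning, flagging unlimited ERC-20 allowances and NFT setApprovalForAll grants, and builds the approve(spender, 0) call that a revoke is on-chain, which is why it costs a network fee. The spender address is a constructed placeholder; the function selectors are the standard ERC-20/ERC-721 ones.

```python
# Standard 4-byte selectors: first 4 bytes of keccak256 of the signature.
APPROVE_SELECTOR = "095ea7b3"                 # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"    # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1                      # the "unlimited" allowance many dApps request

def _words(args_hex):
    """Split ABI-encoded arguments into 32-byte (64 hex char) words."""
    if len(args_hex) % 64:
        raise ValueError("malformed ABI-encoded arguments")
    return [args_hex[i:i + 64] for i in range(0, len(args_hex), 64)]

def _address(word):
    """An address word is 12 zero bytes followed by the 20-byte address."""
    if word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return "0x" + word[24:]

def decode_approval(calldata_hex):
    """Return what an approval-type transaction would grant, or kind='other'."""
    data = calldata_hex.lower().removeprefix("0x")
    selector, words = data[:8], _words(data[8:])
    if selector == APPROVE_SELECTOR and len(words) == 2:
        amount = int(words[1], 16)
        return {"kind": "erc20_approve", "spender": _address(words[0]),
                "amount": amount, "unlimited": amount == MAX_UINT256}
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR and len(words) == 2:
        approved = int(words[1], 16) == 1
        return {"kind": "nft_set_approval_for_all", "operator": _address(words[0]),
                "approved": approved, "unlimited": approved}
    return {"kind": "other", "selector": selector, "unlimited": False}

def revoke_calldata(spender):
    """approve(spender, 0): the transaction a revoke tool asks you to sign."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

# Constructed sample: a dApp asking for an unlimited allowance for a
# placeholder spender address (not a real contract).
SPENDER = "0x" + "ab" * 20
UNLIMITED_REQUEST = "0x" + APPROVE_SELECTOR + ("ab" * 20).rjust(64, "0") + "f" * 64

if __name__ == "__main__":
    print(decode_approval(UNLIMITED_REQUEST))            # unlimited: True -> reject
    print(decode_approval(revoke_calldata(SPENDER)))     # amount 0 -> allowance removed
```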

Here are some tools (by network) that you can connect to to view and revoke web3 app permissions:


Example of revoking web3 permissions on Ethereum

In the example below, we'll go over how to revoke web3 permissions by connecting to Revoke.cash with Exodus Mobile and Web3 Wallet.


Revoke.cash supports Ethereum and multiple EVM networks. In this example, we’ll show how to revoke permissions on Ethereum, but the steps are similar for other EVM networks.

Revoke.cash is a third-party platform that is not affiliated with Exodus. As such, Exodus cannot guarantee the performance of its products/services or that the steps shown and the information provided will always be accurate.


Mobile

In Exodus Mobile, connecting to web3 apps with WalletConnect, such as Revoke.cash, is only available if you created your wallet before April 22, 2026.

If you created your wallet after this date, you can revoke permissions by syncing your wallet to Exodus Web3 Wallet and following the Web3 Wallet guide.

  1. Go to Revoke.cash and tap on the menu in the top-right corner.

  2. Tap Connect Wallet.

  3. Select WalletConnect.

  4. a) Search for Exodus and b) tap on Exodus.

  5. You'll be asked if you want to open Exodus. Tap Open.

  6. Exodus Mobile will ask for permission to connect. To continue, Slide to Approve.

  7. When Exodus is connected, return to Revoke.cash.

  8. In Revoke.cash, select the network you want to revoke permissions on. In this example, we'll select Ethereum.

  9. Below, you’ll see your approved web3 permissions on the selected network. To revoke any of them, a) swipe left and b) tap Revoke.

    Please note that Exodus does not support batch revokes.

  10. Tap Open.

  11. Confirm all the details are correct, then slide the arrow to approve.

    Revoking permissions will incur a network transaction fee.


Web3 Wallet

  1. Go to Revoke.cash and in the top-right corner, click Connect Wallet.

  2. Click on Exodus.

  3. Exodus Mobile will ask for permission to connect. To continue, click Connect.

  4. In Revoke.cash, select the network you want to revoke permissions on. In this example, we'll select Ethereum.

  5. Below, you’ll see your approved web3 permissions on the selected network. To revoke any of them, click Revoke.

    Please note that Exodus does not support batch revokes.

  6. Confirm all the details are correct, then click Approve.

    Revoking permissions will incur a network transaction fee.
