Is My Wallet Actually Safe? How to Run a Thorough Self-Audit on Your Own
Most people only examine their wallet after something has gone wrong. Before that, “am I safe?” is answered with a vague feeling. Feelings are not assessments; they are bets on luck.
To actually answer the question, you need a real self-audit: an hour or two where you sit down and check the boxes one by one. This article is that checklist: seven steps you can run alone.

Step one: where is your seed phrase, really?
Answer one plain question: if your phone and computer disappeared right now, could you recover this wallet?
Do not answer “I think so.” Go to where the seed phrase lives and physically look at it. Faded ink, an “in the safe” that turns out to be a sticky note, a copy sitting in a cloud drive: each of these can be fatal.
For backup specifics, see seed phrase backup methods. The bar is short — three requirements, each non-negotiable:
- Offline. Paper or metal. No cloud drives, no photo rolls, no email drafts.
- Readable. Ink clear, not faded, not at risk of moisture damage.
- Retrievable. Someone you trust can find it if you cannot.
If you set a BIP39 passphrase, it needs its own backup, stored separately from the words. The twelve words without the passphrase recover a different, empty wallet, not yours; on their own they are no backup at all.
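As an added illustration (not from the original article), the BIP39 seed derivation, written here with only Python's standard library, shows why the passphrase is part of the backup: the same twelve words with a different passphrase, or none, produce a different seed and therefore a different wallet. The mnemonic is the published BIP39 reference test vector, not a real wallet, and the expected seed for passphrase "TREZOR" is taken from that vector; the short "check value" helper is a convenience used in this example, not a standard.

```python
import hashlib
import unicodedata

# BIP39 reference test vector (entropy of all zero bytes). Not a real wallet:
# anything sent to addresses derived from it is public money.
VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
VECTOR_SEED_TREZOR = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed.

    Spec: PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase). The passphrase only enters the
    salt, so the mnemonic checksum cannot catch a passphrase typo: you get
    a valid-looking but different (empty) wallet instead of an error.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def backup_check_value(mnemonic: str, passphrase: str = "") -> str:
    """Short value to note at backup time and recompute during a rehearsal.

    Assumption: this is a convenience of this example, not a standard. It is
    the first 4 bytes of SHA-256 over the seed: enough to tell "same wallet"
    from "wrong passphrase" without writing down anything that recovers it.
    """
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


if __name__ == "__main__":
    plain = bip39_seed(VECTOR_MNEMONIC)
    with_pass = bip39_seed(VECTOR_MNEMONIC, "TREZOR")
    print("seed without passphrase:", plain.hex()[:16], "...")
    print("seed with passphrase   :", with_pass.hex()[:16], "...")
    print("same wallet?", plain == with_pass)   # False: a different wallet
    print("check value:", backup_check_value(VECTOR_MNEMONIC, "TREZOR"))
```

Run it once with your real words on an offline machine during the step-seven rehearsal, compare the check value with the one you noted at backup time, and wipe the machine afterwards; never paste a live seed into anything connected to the internet.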
Step two: count how many wallets you actually have
Many people cannot honestly answer “how many wallets do I have?” The places you cannot account for are the attack surface nobody is watching.
List every wallet client you have installed. For each, walk through:
- Does it still hold assets, and how much?
- Hot wallet only, or paired with hardware?
- Which networks (ETH, BTC, Solana, etc.)?
- When was the last conscious login?
Two patterns surface: small forgotten balances scattered across clients you stopped using, and a client where your last login was months ago. Consolidate the former, retire or re-secure the latter.
Step three: look at your on-chain approvals
This is the step almost nobody runs.
Every “approve” you tap before a DEX swap or a deposit grants a contract an allowance (often unlimited) over one of your tokens. Standard ERC-20 approvals never expire. A project you abandoned a year ago may still hold unlimited spending power over your USDT, and if that contract is exploited, the tokens leave your wallet without any action from you.
For more on how this is weaponized, see approval phishing. For the audit, two actions are enough:
- Open Revoke.cash or Etherscan’s Token Approvals tool (type the address yourself rather than following a link; lookalike “revoke” sites exist), paste in each wallet address, and scan which approvals are unlimited.
- For any project you no longer use or any approval you do not recognize, revoke it.
The gas cost is trivial compared with the alternative.
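For anyone who wants to see what those tools compute, here is an added example (not code from the article or from either tool) that replays ERC-20 Approval logs for one owner, keeps the latest allowance per token and spender, flags the unlimited ones, and builds the calldata for the revoking `approve(spender, 0)` call. The event topic and the `approve` selector are the real Ethereum values; the "effectively unlimited" threshold and the sample logs are constructed for the example. The authoritative number is always the token's `allowance(owner, spender)` view call: a log replay is a screen, not the source of truth.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first 4 bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1
# Heuristic (assumption): anything above this is "unlimited" for every real
# balance, even when the site did not use exactly 2**256-1.
EFFECTIVELY_UNLIMITED = 10**30


@dataclass
class Allowance:
    token: str
    owner: str
    spender: str
    value: int
    block: int


def _topic_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def parse_approval_log(log: dict) -> Optional[Allowance]:
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Allowance(token=log["address"].lower(),
                     owner=_topic_address(topics[1]),
                     spender=_topic_address(topics[2]),
                     value=int(log["data"], 16),
                     block=int(log["blockNumber"]))


def live_allowances(logs: List[dict], owner: str) -> Dict[Tuple[str, str], Allowance]:
    """Replay logs in chain order: the last Approval per (token, spender) wins,
    and zero allowances (revocations) drop out."""
    latest: Dict[Tuple[str, str], Allowance] = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"]), int(l["logIndex"]))):
        a = parse_approval_log(log)
        if a is None or a.owner != owner.lower():
            continue
        latest[(a.token, a.spender)] = a
    return {k: v for k, v in latest.items() if v.value > 0}


def classify(value: int) -> str:
    if value == MAX_UINT256:
        return "UNLIMITED"
    if value >= EFFECTIVELY_UNLIMITED:
        return "effectively unlimited"
    return "bounded"


def revoke_calldata(spender: str) -> str:
    """ABI encoding of approve(spender, 0): selector, address padded to 32 bytes, zero.
    Setting the allowance straight to 0 also satisfies USDT's 'zero first' rule."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def audit(logs: List[dict], owner: str) -> List[Tuple[Allowance, str, str]]:
    """(allowance, classification, revoke calldata) for every live allowance
    that is unlimited or effectively unlimited, sorted by token and spender."""
    out = []
    for a in live_allowances(logs, owner).values():
        kind = classify(a.value)
        if kind != "bounded":
            out.append((a, kind, revoke_calldata(a.spender)))
    return sorted(out, key=lambda t: (t[0].token, t[0].spender))


# Constructed sample logs (not real chain data) in eth_getLogs shape.
OWNER = "0x" + "11" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "cc" * 20
ROUTER, OLD_FARM, PHISH = ("0x" + x * 20 for x in ("bb", "dd", "ee"))


def _log(token, owner, spender, value, block, idx):
    return {"address": token,
            "topics": [APPROVAL_TOPIC, "0x" + owner[2:].rjust(64, "0"),
                       "0x" + spender[2:].rjust(64, "0")],
            "data": "0x" + format(value, "064x"), "blockNumber": block, "logIndex": idx}


SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, ROUTER, MAX_UINT256, 100, 0),     # unlimited approval to a DEX router
    _log(TOKEN_B, OWNER, OLD_FARM, 1000 * 10**18, 120, 3),  # bounded approval to a farm...
    _log(TOKEN_B, OWNER, OLD_FARM, 0, 130, 1),              # ...revoked later
    _log(TOKEN_A, OWNER, PHISH, 10**36, 140, 2),            # "approve" tapped on a phishing site
]

if __name__ == "__main__":
    for a, kind, calldata in audit(SAMPLE_LOGS, OWNER):
        print(f"{a.token[:10]}... spender {a.spender[:10]}... {kind}")
        print(f"  revoke by sending to the token contract: {calldata}")
```

The revoke transaction goes to the token contract, not to the spender, and should be signed from the owning wallet; allowances granted through Permit2 or held in a separate allowance contract will not appear in this log stream and need their own check.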
Step four: review your recent signing habits
Signatures are the least visible entry point. An off-chain signature never shows up as a transaction from your wallet, yet a single “sign”, especially on a wall of hex you cannot read, may have authorized a token Permit, a marketplace listing, or a transfer that someone else submits on-chain later.
Look at the last 30 days of signatures. Ask:
- Any signatures whose purpose I cannot reconstruct now?
- Any that produced no visible result (a classic phishing tell)?
- Any with odd domains or contracts from networks I do not use?
Set a new rule: refuse every signature you cannot read in plain English, even from familiar sites; that includes raw hex in a personal_sign prompt and typed data whose spender, amount or deadline you do not understand. The cost is at most missing one event; the benefit is shutting down a whole class of otherwise-undefendable attacks.
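To make the “can I read it?” rule concrete, here is an added example (not from the article, and not a wallet's own code) that triages the two signing requests a site can send a browser wallet: `personal_sign`, where the danger sign is opaque bytes, and `eth_signTypedData_v4`, where it is a Permit-style message with an unknown spender, an unlimited value or a far-off deadline. The allow-list, the fixed clock, the 30-day window and the sample requests are all constructed for the example.

```python
import json
from typing import List, Set

MAX_UINT256 = 2**256 - 1
THIRTY_DAYS = 30 * 24 * 3600
# EIP-712 primary types that move assets on the strength of the signature alone.
# A third party submits them on-chain later, which is why the victim sees
# "no visible result" at signing time.
ASSET_MOVING_TYPES = {"Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom",
                      "PermitBatchTransferFrom", "OrderComponents", "BulkOrder"}


def _as_int(v) -> int:
    """EIP-712 JSON carries uint256 as decimal strings, hex strings or ints."""
    if isinstance(v, int):
        return v
    s = str(v)
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def _personal_sign_findings(hex_msg: str) -> List[str]:
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is None or not all(c.isprintable() or c in "\n\r\t" for c in text):
        findings = ["personal_sign over opaque bytes: nothing here is readable, refuse"]
        if len(raw) == 32:
            findings.append("payload is exactly 32 bytes: looks like a raw hash (blind signing)")
        return findings
    return []  # readable text, e.g. a sign-in message you can check word by word


def _typed_data_findings(typed: dict, expected_chain_id: int,
                         trusted_spenders: Set[str], now: int) -> List[str]:
    findings = []
    domain, msg = typed.get("domain", {}), typed.get("message", {})
    chain = domain.get("chainId")
    if chain is not None and _as_int(chain) != expected_chain_id:
        findings.append(f"domain chainId {chain} is not the network you are using ({expected_chain_id})")
    ptype = typed.get("primaryType", "")
    if ptype in ASSET_MOVING_TYPES:
        findings.append(f"primaryType {ptype}: this signature alone can move assets")
    spender = str(msg.get("spender", "")).lower()
    if spender and spender not in trusted_spenders:
        findings.append(f"spender {spender} is not on your allow-list")
    if "value" in msg and _as_int(msg["value"]) == MAX_UINT256:
        findings.append("value is 2**256-1: unlimited allowance")
    if "deadline" in msg:
        deadline = _as_int(msg["deadline"])
        if deadline == MAX_UINT256 or deadline > now + THIRTY_DAYS:
            findings.append("deadline more than 30 days out (or never): valid long after you forget it")
    return findings


def triage(request: dict, expected_chain_id: int, trusted_spenders: Set[str], now: int) -> List[str]:
    """Return what the wallet prompt hides. An empty list means nothing was
    flagged, which is not the same as safe."""
    method, params = request["method"], request["params"]
    if method == "personal_sign":
        return _personal_sign_findings(params[0])
    if method in ("eth_signTypedData_v3", "eth_signTypedData_v4"):  # params: [address, typed data]
        typed = params[1] if isinstance(params[1], dict) else json.loads(params[1])
        return _typed_data_findings(typed, expected_chain_id, {s.lower() for s in trusted_spenders}, now)
    return [f"unrecognised signing method {method}: refuse"]


# Constructed sample requests (not captured from any real site).
OWNER = "0x" + "11" * 20
TRUSTED = {"0x" + "bb" * 20}   # a router you use on purpose (assumption)
NOW = 1_700_000_000            # fixed clock so the example is deterministic

BENIGN_SIGN_IN = {"method": "personal_sign",
                  "params": ["0x" + "app.example.org wants you to sign in\nNonce: 8f2c1d".encode().hex(), OWNER]}
OPAQUE_HEX = {"method": "personal_sign", "params": ["0x" + "a3" * 32, OWNER]}
PHISHING_PERMIT = {"method": "eth_signTypedData_v4", "params": [OWNER, json.dumps({
    "types": {"EIP712Domain": [{"name": "name", "type": "string"}, {"name": "chainId", "type": "uint256"},
                               {"name": "verifyingContract", "type": "address"}],
              "Permit": [{"name": "owner", "type": "address"}, {"name": "spender", "type": "address"},
                         {"name": "value", "type": "uint256"}, {"name": "nonce", "type": "uint256"},
                         {"name": "deadline", "type": "uint256"}]},
    "primaryType": "Permit",
    "domain": {"name": "USD Coin", "chainId": 1, "verifyingContract": "0x" + "aa" * 20},
    "message": {"owner": OWNER, "spender": "0x" + "ee" * 20, "value": str(MAX_UINT256),
                "nonce": "4", "deadline": str(MAX_UINT256)}})]}

if __name__ == "__main__":
    for name, req in [("sign-in", BENIGN_SIGN_IN), ("opaque hex", OPAQUE_HEX), ("permit", PHISHING_PERMIT)]:
        print(name, "->", triage(req, 1, TRUSTED, NOW) or ["nothing flagged"])
```

The checks are deliberately conservative: a legitimate DEX may ask for a Permit with a short deadline and a spender you recognise, which this still flags as asset-moving, and that is the point of the rule above. You read it, you understand it, then you sign it.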
Step five: device and environment isolation
Audit items: how many browser extensions are on the device you use for the wallet, and have you forgotten what most of them do? Any with “read data on all websites”? Have you screen-shared the device or installed unfamiliar remote-access tools?
The model is “reduce surface”: uninstall unnecessary extensions, disable unused remote access, do not log a real-value wallet into devices that no longer matter to you. Ideally one device is reserved for assets and nothing else. If full isolation is too much, at least do a deep cleanup.
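An added example (not from the article) for the extension item on that list: a small scanner that reads every Chromium-family extension manifest on disk and reports the ones that can read and change data on all sites, plus a few API permissions worth a second look on a machine that signs transactions. The profile locations are the default Chrome paths (an assumption; adjust for Brave, Edge or Chromium), and the built-in fixture of three sample extensions is constructed so the scan runs offline.

```python
import json
import os
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Tuple

# Host patterns that mean "read and change your data on all websites".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
# API permissions worth a second look on a device used for signing.
RISKY_APIS = {"debugger", "webRequest", "webRequestBlocking", "clipboardRead",
              "nativeMessaging", "proxy"}


@dataclass
class Finding:
    name: str
    version: str
    path: str
    broad_hosts: List[str] = field(default_factory=list)
    risky_apis: List[str] = field(default_factory=list)


def _is_broad(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS or pattern.endswith("://*/*")


def inspect_manifest(manifest: dict) -> Tuple[List[str], List[str]]:
    """(broad host patterns, risky API permissions) for one manifest.
    Manifest v2 mixes host patterns into "permissions"; v3 moves them to
    "host_permissions"; content scripts carry their own "matches" lists."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = [p for p in manifest.get("host_permissions", []) if isinstance(p, str)]
    for cs in manifest.get("content_scripts", []):
        hosts += [m for m in cs.get("matches", []) if isinstance(m, str)]
    broad = sorted({p for p in perms + hosts if _is_broad(p)})
    risky = sorted(set(perms) & RISKY_APIS)
    return broad, risky


def scan(root: Path) -> List[Finding]:
    """Walk every manifest.json under root and keep the ones worth a look."""
    findings = []
    for mpath in root.rglob("manifest.json"):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue
        broad, risky = inspect_manifest(manifest)
        if broad or risky:
            findings.append(Finding(str(manifest.get("name", "?")), str(manifest.get("version", "?")),
                                    str(mpath.parent), broad, risky))
    return sorted(findings, key=lambda f: f.name)


def default_roots() -> List[Path]:
    """Default Google Chrome user-data directories per OS (assumption)."""
    home = Path.home()
    if sys.platform == "darwin":
        return [home / "Library/Application Support/Google/Chrome"]
    if sys.platform.startswith("win"):
        return [Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data"]
    return [home / ".config/google-chrome", home / ".config/chromium"]


def demo_fixture() -> Path:
    """Constructed extension tree (not real extensions) so the scan runs offline."""
    root = Path(tempfile.mkdtemp()) / "Default" / "Extensions"
    samples = {
        "aaaa/2.1.0": {"manifest_version": 3, "name": "Price Ticker Pro", "version": "2.1.0",
                       "permissions": ["storage", "clipboardRead"], "host_permissions": ["<all_urls>"]},
        "bbbb/1.4.2": {"manifest_version": 3, "name": "Site Notes", "version": "1.4.2",
                       "permissions": ["storage"], "host_permissions": ["https://docs.example.com/*"]},
        "cccc/0.9.0": {"manifest_version": 2, "name": "Old Toolbar", "version": "0.9.0",
                       "permissions": ["tabs", "http://*/*", "https://*/*"]},
    }
    for rel, manifest in samples.items():
        d = root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    roots = ([Path(a) for a in sys.argv[1:]]
             or [r for r in default_roots() if r.exists()]
             or [demo_fixture()])
    for root in roots:
        for f in scan(root):
            print(f"{f.name} {f.version}  broad={f.broad_hosts}  apis={f.risky_apis}\n  {f.path}")
```

Names that print as `__MSG_something__` are localized; the directory name in the path is the extension ID you can look up in the store. Anything flagged that you cannot explain goes on the uninstall list.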
Step six: is your asset layering still sensible?
A reasonable layering looks roughly like:
| Purpose | Where it lives | Suggested share of total value |
|---|---|---|
| Long-term holdings | Hardware wallet / cold | Bulk (60-80%) |
| Medium-term liquid | Hot wallet | Limited (10-20%) |
| Active DApp use | Separate small hot wallet | Minimal (<5%) |
| Frequent off-ramp | Exchange | Working balance only |
Over time many pile everything into one wallet because it is convenient. The hidden cost: any single mistake becomes a total loss. For hardware picks, see the hardware wallet selection guide.
Step seven: rehearse the worst case
Almost everyone skips this: rehearse “I have lost every device”.
Find a spare device, recover one of your wallets from the seed phrase. The distance between having done this and “I think I could” is enormous. You will discover whether the ink is truly legible, whether the passphrase you remember matches, whether some network requires a custom RPC, whether your hardware wallet PIN is still in your fingertips. These details only reveal themselves on recovery day — usually a bad day.
A self-audit cadence worth pinning up
The full audit takes about two hours. A reasonable cadence is every six months, or any time exposure changes materially. Date each run.
The seven steps reduce to one sentence: can I recover everything if it all disappears, and can I trust that nothing will disappear on its own. The first half is about backups and rehearsal; the second is about approvals, signatures, and environment. Telling yourself “I have not actually done this row” is worth more than “should be fine.”
Informational only, not investment advice. Verify tool versions yourself and confirm any sensitive operation offline.
This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.