Asset Security

Is My Wallet Actually Safe? How to Run a Thorough Self-Audit on Your Own

2026-05-30 · 链上迷雾

Most people only examine their wallet after something has gone wrong. Before that, “am I safe?” is answered with a vague feeling. Feelings are not assessments; they are bets on luck.

To actually answer the question, you need a real self-audit: an hour or two where you sit down and check the boxes one by one. This article is that checklist, in seven sections, that you can run alone.

An overhead flat-lay photo of a wooden desk with an open notebook showing a handwritten checklist, an older silver smartphone displaying a wallet balance screen, and a key beside a pair of reading glasses, lit by warm afternoon light

Step one: where is your seed phrase, really?

Answer one plain question: if your phone and computer disappeared right now, could you recover this wallet?

Do not answer “I think so.” Go to where the seed phrase lives and physically look at it. If the ink has faded, if “in the safe” turns out to be on a sticky note, if it is in some cloud drive — those are problems that can be fatal.

For backup specifics, see seed phrase backup methods. The bar is short — three requirements, each non-negotiable:

  • Offline. Paper or metal. No cloud drives, no photo rolls, no email drafts.
  • Readable. Ink clear, not faded, not at risk of moisture damage.
  • Retrievable. Someone you trust can find it if you cannot.

If you set a BIP39 passphrase, it must have its own independent backup. Twelve words without the passphrase equals no backup.

Step two: count how many wallets you actually have

Many people cannot honestly answer “how many wallets do I have?” The places you cannot account for are the attack surface in the dark.

List every wallet client you have installed. For each, walk through:

  • Does it still hold assets, and how much?
  • Hot wallet only, or paired with hardware?
  • Which networks (ETH, BTC, Solana, etc.)?
  • When was the last conscious login?

Two patterns surface: small forgotten balances scattered across clients you stopped using, and a client where your last login was months ago. Consolidate the former, retire or re-secure the latter.

Step three: look at your on-chain approvals

This is the step almost nobody runs.

Every swap on a DEX or tap of “approve” grants a contract some allowance (often unlimited) over one of your tokens. These approvals do not expire. A project you abandoned a year ago may still hold unlimited spending power over your USDT — and if that contract is exploited, your assets walk out without you noticing.

For more on how this is weaponized, see approval phishing. For the audit, two actions are enough:

  1. Open Revoke.cash or Etherscan’s Token Approvals tool, paste in each wallet address, scan which approvals are unlimited.
  2. For any project you no longer use or any approval you do not recognize, revoke it.

The gas cost is trivial compared with the alternative.

Step four: review your recent signing habits

Signatures are the most hidden entry point. Every “sign” — especially the walls of hex — may have authorized something specific.

Look at the last 30 days of signatures. Ask:

  • Any signatures whose purpose I cannot reconstruct now?
  • Any that produced no visible result (a classic phishing tell)?
  • Any with odd domains or contracts from networks I do not use?

Set a new rule: refuse every signature you cannot read in plain English, even from familiar sites. The cost is at most missing one event; the benefit is shutting down a whole class of otherwise-undefendable attacks.

Step five: device and environment isolation

Audit items: how many browser extensions are on the device you use for the wallet, and have you forgotten what most of them do? Any with “read data on all websites”? Have you screen-shared the device or installed unfamiliar remote-access tools?

The model is “reduce surface”: uninstall unnecessary extensions, disable unused remote access, do not log a real-value wallet into devices that no longer matter to you. Ideally one device is reserved for assets and nothing else. If full isolation is too much, at least do a deep cleanup.

Step six: is your asset layering still sensible?

A reasonable layering looks roughly like:

Purpose Where it lives Suggested share
Long-term holdings Hardware wallet / cold Bulk (60-80%)
Medium-term liquid Hot wallet Limited (10-20%)
Active DApp use Separate small hot wallet Minimal (<5%)
Frequent off-ramp Exchange Working balance only

Over time many pile everything into one wallet because it is convenient. The hidden cost: any single mistake becomes a total loss. For hardware picks, see the hardware wallet selection guide.

Step seven: rehearse the worst case

Almost everyone skips this: rehearse “I have lost every device”.

Find a spare device, recover one of your wallets from the seed phrase. The distance between having done this and “I think I could” is enormous. You will discover whether the ink is truly legible, whether the passphrase you remember matches, whether some network requires a custom RPC, whether your hardware wallet PIN is still in your fingertips. These details only reveal themselves on recovery day — usually a bad day.

A self-audit cadence worth pinning up

The full audit takes about two hours. A reasonable cadence is every six months, or any time exposure changes materially. Date each run.

The seven steps reduce to one sentence: can I recover everything if it all disappears, and can I trust that nothing will disappear on its own. The first half is about backups and rehearsal; the second is about approvals, signatures, and environment. Telling yourself “I have not actually done this row” is worth more than “should be fine.”

Informational only, not investment advice. Verify tool versions yourself and confirm any sensitive operation offline.

This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.

Latest

Industry Events

BTC ETFs Bled for 10 Straight Days, $2.97B Out — What It Means for Ordinary Users

Through June 4, US spot Bitcoin ETFs posted ten consecutive sessions of net outflows totaling about $2.97B — one of the longest negative streaks since launch. This piece breaks down what the number says and, just as important, what it does not.

Mindset & FOMO

AI Is Siphoning Crypto Money — Should You Chase the Rotation?

Early June showed a clear flow: money rotating from crypto into AI. Nvidia at a new high, BTC and ETH softer. "Is crypto past its prime" surfaced again. This piece does not pick a winner. It answers how mindset should behave during sector siphon.

Mindset & FOMO

ETH Slipped Below 2,000 — How Should the Believers Recalibrate?

ETH crossed below the 2,000 psychological line in early June while on-chain activity softened. For self-described "ETH believers," this is a subtler mindset test than the 2022 bear: not one obvious red candle but a slow grind lower.

Mindset & FOMO

BTC Broke Below 67k — Should You Buy the Dip? A June Mindset Check

BTC sliced through 67k in early June and briefly tested 61k intraday. The dip-buying itch is back. This piece does not call the next candle. It asks one question: at this level, what rules should your mindset follow before you click buy.

Mindset & FOMO

US–Iran Tension Escalating — How Should a Crypto Portfolio React?

Early June saw a fresh US–Iran flare-up — oil spiked, risk assets weakened, BTC and ETH dropped together. Headlines change every half day; positions cannot. Here is how a crypto portfolio should behave under geopolitical shocks.

Asset Security

After a Drainer Empties Your Wallet, Is There Any Path to Recovery?

Once you discover a drainer has emptied your wallet, what you can do in the next hour is limited, but the order matters. This post lays out the recovery paths along a timeline: on-chain tracing, platform freeze requests, formal reporting, mixer realities, and longer-term recovery.