Web3 wallet safety in a nutshell

Web3 wallets enable access to exciting and data-rich new environments. In these new worlds, keeping your Web3 wallet secure is thus of the utmost importance.

The wallet stands at the center of the Web3 experience. The wallet's private keys enable the management and transfer of digital assets, and also give access to the user's digital identity information. These keys are essential to access the wallet or restore it on another device, and the digital identity data is what allows the user to be identified in the metaverse, educational institutions, government agencies, and a myriad of other places. Web3 wallets also allow users to connect and interact with decentralized applications (DApps) on the blockchain.

Because wallets play such a pivotal role in navigating the Web3 ecosystem, it is essential to keep them secure. A compromised wallet can lead to severe consequences for its owner.

This article provides an overview of Web3 wallets, covering their key components, various management options, and essential security practices to ensure a safe Web3 wallet experience.

Web3 wallet: components

A wallet is software that manages keys, tracks blockchain activity belonging to the addresses derived from those keys, and knows how to construct transactions.

The wallet software manages the seed phrase, the root private key, and the root public key.

The recovery phrase, also referred to as a mnemonic, backup phrase, or seed phrase, is a sequence of usually 12, 15, or 24 words generated by the wallet or, in some cases, by the user. The seed phrase (recovery phrase in Lace terminology) is used to generate a root private key, which is the foundation for spending funds and proving ownership.

The root private key is a cryptographically-secure artifact used to generate child key pairs, which in turn are used to derive addresses based on the wallet’s feature set.

The root public key is safe to expose from a security perspective. There is, however, a privacy consideration: anyone who holds it can link all the blockchain activity of the accounts derived from it to a single owner.
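The hierarchy described above (recovery phrase, root private key, child keys per account) can be walked through in code. This is an added illustration, not Lace's own implementation: it uses the widely documented BIP39 seed stretching and BIP32 hardened derivation over secp256k1, whereas Cardano wallets such as Lace use a different, Ed25519-based scheme. The phrase used is the public BIP39 test phrase, constructed here only for demonstration.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP32 child private keys are reduced modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the recovery phrase into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple[int, bytes]:
    """BIP32: the root private key and chain code are the two halves of HMAC-SHA512 over the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def derive_hardened_child(parent_key: int, chain_code: bytes, index: int) -> tuple[int, bytes]:
    """BIP32 CKDpriv for a hardened index. Note the input: the PARENT PRIVATE KEY.

    Whoever holds the root private key (or the seed phrase it came from) can derive
    every account key below it, which is why those secrets must never be shared.
    """
    hardened_index = index + 0x80000000
    data = b"\x00" + parent_key.to_bytes(32, "big") + hardened_index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child_key = (left + parent_key) % SECP256K1_N
    if left >= SECP256K1_N or child_key == 0:  # astronomically rare; BIP32 says skip this index
        raise ValueError(f"index {index} yields an invalid key; use the next index")
    return child_key, digest[32:]


def derive_path(seed: bytes, hardened_path: list[int]) -> int:
    """Walk a fully hardened path such as m/44'/0'/0' and return the leaf private key."""
    key, chain_code = master_key_from_seed(seed)
    for index in hardened_path:
        key, chain_code = derive_hardened_child(key, chain_code, index)
    return key


if __name__ == "__main__":
    # Constructed input: the BIP39 test phrase. Never fund a wallet derived from a public phrase.
    seed = mnemonic_to_seed("abandon " * 11 + "about")
    for account in (0, 1):  # two accounts, both reachable from the one root key
        print(f"m/44'/0'/{account}' private key: {derive_path(seed, [44, 0, account]):064x}")
```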

Wallet management

There exist many different wallets, each with its own features, token compatibility, capabilities, etc. Choosing one wallet over another is a question of personal preferences and requirements.

However, when it comes to Web3 wallet management, there are only three choices:

  • Custodial wallets
  • Non-custodial wallets
  • Smart contract wallets

Custodial wallets

Third-party wallet management is usually referred to as 'custodial', which essentially means someone else controls the wallet's private keys on the user's behalf.

Custodial wallet management, while convenient and relatively straightforward, requires trust in the custodian's systems and integrity to keep digital assets secure and accessible. Exchanges regularly provide custodial wallet services.

Bottom line: users relinquish control of their wallet for the sake of convenience.

Non-custodial wallets

Sometimes referred to as self-custody wallets, a non-custodial wallet relies on a key pair (private and public key; see https://www.essentialcardano.io/glossary/key-pair) to enable the user to access and manage their wallet. The public key is used for sending and receiving digital assets, and it's akin to an email address. The private key enables wallet access. Losing the private key means losing access to the wallet and the digital assets it owns.

Non-custodial wallets generate a recovery phrase, which the user is solely responsible for safekeeping, as it is necessary to recover the wallet.

Bottom line: total control and full ownership of one's digital assets.

Smart contract wallets

A relatively new wallet management method, smart contract wallets allow the customization of token management. Under this methodology, the smart contract's logic controls the wallet.

Smart contract wallets provide additional security layers:

  • signature redundancy: the smart contract may require multiple signatures to access a wallet
  • recoverability: wallet recovery methods can be programmed into the logic
  • transaction batching: combining multiple transactions into a single batch

Bottom line: smart contract wallets are suited for organizations that require multiple wallet signatures and offer recovery methods.

Web3 wallet security recommendations

While technology exists to help secure Web3 wallets, the weakest link is always the human factor. Social engineering and phishing, for example, are popular techniques used by adversaries intent on gaining control of a wallet's private keys. There isn't any specific defense against social engineering or phishing attacks, other than awareness and common sense.
There are, however, several best practices that will help to keep a Web3 wallet secure:

  • Keep the recovery phrase and private key safe: the recovery phrase is the only way to recover a wallet on another device. Losing the recovery phrase means that access to the wallet (and all its contents) will be impossible. The recovery phrase and the private key should be kept in a secure location and never shared with anyone. A lost private key cannot be retrieved, nor can it be regenerated.
  • Use strong and unique passwords: adversarial actors can guess a weak password in minutes. Best practice is to use a password containing special characters, upper and lowercase letters, and avoid using names, dates, and common phrases. Use a different password for every platform for best protection of digital assets.
  • Enable two-factor authentication (2FA): 2FA requires users to provide two separate forms of identification to access an account. These can be one-time codes generated by authenticator apps or sent via SMS, biometric authentication, or other methods. Using 2FA adds a vital extra layer of security.
  • Update wallet software: wallet providers regularly issue updates for their products, so upgrade as soon as the update is available. These updates, much like updates to browsers, smartphones, or operating systems, may include security updates among other improvements. It is also critical to ensure that you download the update from a reputable source.
  • Use a hardware wallet: some users may want to use hardware wallets for extra security, as these are physical devices that store private keys in a secure enclave, with access restricted to only the required operations. Hardware wallets are generally considered the most secure approach to managing keys for digital assets. Only purchase hardware wallets from reputable vendors.
  • Wallet connection: leave your wallet connected to a third-party site or DApp only for as long as you are using it, and disconnect the wallet immediately afterwards.
  • Remain aware of social engineering and phishing scams: bad actors can devise complex, multi-pronged schemes in an attempt to gain control of a wallet’s private keys. Unsolicited calls, emails, text messages, or any other form of communication may be the first step of a plot that may result in financial loss.

Users active on online communities should be mindful of the information they share, and take steps to protect their real identity and sensitive information that may be used for social engineering or phishing attempts.

Key takeaways

  • A wallet is software that manages keys, tracks blockchain activity belonging to the addresses derived from those keys, and helps to construct transactions
  • Wallets enable management and transfer of digital assets
  • The wallet's software manages the seed phrase, root private key, and root public key
  • The seed phrase is used to generate a root private key, which is the foundation for spending funds and proving ownership
  • Wallets play a pivotal role in the Web3 ecosystem. Keeping them secure is a crucial consideration
  • Recovery phrases and private keys should be kept in a secure location and never shared with anyone
  • A compromised wallet can lead to severe consequences for its owner, such as the inability to access the wallet or digital assets, or theft or loss of digital assets
  • There are three ways to manage Web3 wallets: custodial wallets, non-custodial wallets, and smart contract wallets
  • Follow and encourage best security practices to keep wallets secure

Get Lace now and join a growing community

  • Add Lace to your Chromium-based browser (Opera, Vivaldi, Edge, Brave, or Chrome).
  • Join Lace’s Discord channel to engage with the team and community.
  • Register to our email list to receive news and updates on all things Lace.

Fernando Sanchez