Why should I care?

Your wallet is your responsibility. Unlike banks or credit cards, crypto wallets don’t offer recovery methods for your funds or NFTs. This is the reality of decentralized finance. Your wallet is your digital identity. If compromised, you'll lose your money and the ability to securely use that wallet in the future. This will also fragment onchain ties between you and any Catalog records you pressed using that wallet.

Best practices

Your secret recovery phrase (or seed phrase) is the permanent password to all the addresses in your wallet. It's crucial you take careful measures to ensure it doesn't end up in the wrong hands.

1) Safely store your secret recovery phrase

✅ Do

• Write it down on paper
• Make multiple copies
• Store it in a secure place

🛑 Don't

• Store it where others could find it
• Send it via text or another chat app
• Save it in plaintext or as a screenshot

2) Never share your recovery phrase or private keys

Even with managers, labels, or friends

Scammers often trick people into sharing their recovery phrase or private keys in Discord messages, Telegram chats, or Twitter DMs, commonly posing as staff or support for a project built on Ethereum. Catalog (or any trustworthy web3 application) will never ask you for this.

We strongly encourage all artists to have full control of their wallets. They represent your onchain identity, and empower you to control the creation and distribution of your art. If you insist on letting a trusted person manage your wallet for you, it’s important you know the risks.

Here’s what someone can do with wallet access:

• Mint, burn, sell and steal your NFTs
• Buy, sell, and steal your cryptocurrency
• Create or alter your profile on any Ethereum app
• Accidentally lose your tokens in a phishing attack or by transacting with a malicious site
• Continue to use your wallet, even if you stop working together (you can’t remove them)

<aside> <img src="/icons/warning_gray.svg" alt="/icons/warning_gray.svg" width="40px" /> If you must pass off wallet admin duties, enter your private key into your the device of your wallet caretaker. If not, temporarily share your private key with them via an encrypted messaging app like Signal, then delete the message. Ask them to confirm in writing that they will never make a copy of your private key and remove their access if you stop working together. This is not legal advice. Your wallet is your responsibility.

</aside>

3) Verify URLs and email addresses

Phishing attacks will often send emails from an official-looking email address, Discord or Twitter account, encouraging you to visit a fake site that looks identical to the real thing. Double check that emails are coming from the right sender, and that you're visiting the correct URL. If it seems suspicious, ask someone you trust