Why should I care?

Unlike banks or credit cards which have recovery methods for your funds, there is no way to recover lost cryptocurrency. Your wallet is your digital identity. If compromised, you'll lose your money and the ability to use that wallet in the future.

Best practices

Your secret recovery phrase (or seed phrase) is the permanent password to all the addresses in your wallet. It's extremely important you take careful measures to make sure it doesn't end up in the wrong hands.

1) Safely store your secret recovery phrase

✅ Do

• Write it down on paper
• Make multiple copies
• Store it in a secure place where you won't lose it

🛑 Don't

• Store it where others could find it
• Send it via text or another chat app
• Save it in plaintext or as a screenshot on your computer / in the cloud

2) Never share your recovery phrase or private keys (even with managers, labels, or best friends)

Scammers often trick people into sharing their recovery phrase or private keys in Discord messages and Twitter DMs, commonly posing as staff or support for a web3 project. Catalog (or any trustworthy web3 application) will never ask you for this.

We strongly encourage all artists to have full control of their wallets. They represent your on-chain identity, and empower you to control the creation and distribution of your art in web3. If you insist on letting a trusted person manage your wallet for you, it’s important you know the risks.

Here’s what someone can do with wallet access:

• Mint, burn, sell or steal your NFTs
• Make financial transactions (buy ETH)
• Create or alter your profile on any web3 platform
• Lose your funds/NFTs via a scam attack or by transacting with a malicious site
• Continue to access your wallet, even if you stop working together; once they’re in, you can’t remove them later

<aside> ⚠️ Still looking to pass off admin duties? If possible, directly enter your private key into your wallet manager’s phone, tablet, or computer. If not, temporarily share your private key with them via an encrypted messaging app like Signal, then delete the message. Ask them to confirm in writing that they will (1) not make a copy of your private key (2) remove their access to your wallet if you stop working together later on. This is not legal advice. Your wallet is your own responsibility.

</aside>

3) Verify URLs and email addresses

Phishing attacks will often send emails from an official-looking email address, Discord or Twitter account, etc., often telling you to visit a fake website that looks identical to the real thing. Double check that emails are coming from the right sender, and that you're visiting the correct URL. If it seems suspicious, ask someone.

4) Use a unique password

User data gets compromised all the time. If you use the same password for MetaMask as other websites, your wallet is at risk. We recommend using password managers like 1password.