
Security Best Practices

🔐 Overview

Security is paramount in Web3. This guide covers essential security practices for protecting your wallet, assets, and privacy when using Ethereal Offering.

🔑 Wallet Security

Seed Phrase Protection

Your seed phrase (12-24 words) is the master key to your wallet.

✅ DO:

  • Write it down on paper (never digitally)
  • Store in a secure location (safe, safety deposit box)
  • Make multiple copies (different locations)
  • Use a metal backup (fireproof, waterproof)
  • Memorize it (if possible)
  • Test recovery (on a separate device)

❌ DON'T:

  • Take a photo of it
  • Store in cloud (Google Drive, iCloud, etc.)
  • Email or text it
  • Share with anyone (even "support")
  • Store in password manager
  • Write it down on your computer

If someone gets your seed phrase, they own your wallet. Forever.

Hardware Wallets

Recommended for large amounts:

Ledger Nano X/S:

  • Stores keys offline
  • Requires physical confirmation
  • Supports Ethereum, Bitcoin, etc.
  • ~$79-$149

Trezor Model T/One:

  • Open-source firmware
  • Touchscreen (Model T)
  • Multi-currency support
  • ~$69-$219

How to use:

  1. Buy from official website only
  2. Set up with new seed phrase
  3. Connect to MetaMask
  4. Confirm transactions on device
  5. Keys never leave device

Software Wallet Security

If using MetaMask, Rainbow, etc.:

✅ Best Practices:

  • Use a strong password (20+ characters)
  • Enable biometric lock (Face ID, Touch ID)
  • Lock wallet when not in use
  • Use separate wallet for large amounts
  • Keep browser updated
  • Use antivirus software
  • Don't install sketchy extensions

❌ Avoid:

  • Weak passwords ("password123")
  • Leaving wallet unlocked
  • Using same wallet for everything
  • Outdated browser
  • Pirated software
  • Too many browser extensions

🎣 Scam Prevention

Common Scams

1. Phishing Websites

How it works:

  • Fake website looks like real one
  • You connect wallet
  • Malicious contract drains your funds

How to avoid:

  • Bookmark official site
  • Check URL carefully (etherealoffering.org)
  • Look for HTTPS and lock icon
  • Verify contract addresses
  • Use hardware wallet for large transactions
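The "check URL carefully" step above, as an added example that is not Ethereal Offering's own code: a small Python check that compares a URL against etherealoffering.org (the domain named on this page) and reports the usual lookalike patterns, namely a missing HTTPS scheme, non-ASCII or punycode letters in the hostname, the official name buried as a subdomain of some other domain, and one- or two-character typos. HTTPS is required but not treated as proof of legitimacy, since phishing sites use it too. The sample URLs are constructed, and the "registrable domain" logic assumes a plain two-label domain (an assumption that does not hold for suffixes such as .co.uk).

```python
import unicodedata
from urllib.parse import urlsplit

# Domain named on this page; every other host is compared against it.
OFFICIAL_DOMAIN = "etherealoffering.org"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, official: str = OFFICIAL_DOMAIN) -> dict:
    """Return {"ok": bool, "reasons": [...]} for a URL you are about to connect a wallet to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    # Only the official domain and its own subdomains pass; HTTPS alone proves nothing.
    if host == official or host.endswith("." + official):
        return {"ok": not reasons, "reasons": reasons}
    reasons.append(f"host {host!r} is not {official}")
    # Punycode or non-ASCII letters: a lookalike built from another script.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII or punycode characters in hostname")
    # NFKC folds e.g. fullwidth letters back to ASCII before the distance check.
    folded = unicodedata.normalize("NFKC", host)
    # Assumption: registrable domain = last two labels (wrong for suffixes like .co.uk).
    registrable = ".".join(folded.split(".")[-2:])
    if official in folded and registrable != official:
        reasons.append("official name used as a subdomain of another domain")
    dist = edit_distance(registrable, official)
    if 0 < dist <= 2:
        reasons.append(f"domain is within {dist} edit(s) of {official}")
    return {"ok": False, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, three lookalikes.
    for sample in ("https://etherealoffering.org/app",
                   "https://ethereal-offering.org",
                   "https://etherealoffering.org.evil-site.invalid/connect",
                   "https://\u0435therealoffering.org"):   # leading Cyrillic "е"
        print(sample, check_url(sample))
```

A bookmark is still the simplest defence; this check is for the moment a link arrives by chat or email and you want a second opinion before clicking "Connect".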

2. Fake Support

How it works:

  • Scammer DMs you pretending to be support
  • Asks for seed phrase or private key
  • Steals your funds

How to avoid:

  • We will NEVER DM you first
  • We will NEVER ask for seed phrase
  • We will NEVER ask for private keys
  • Block and report suspicious DMs
  • Only ask for help in public channels

3. Airdrop Scams

How it works:

  • "Free tokens" sent to your wallet
  • You try to sell them
  • Malicious contract drains your wallet

How to avoid:

  • Don't interact with unknown tokens
  • Don't approve unknown contracts
  • Use a token allowance checker
  • Revoke suspicious approvals

4. Impersonation

How it works:

  • Scammer creates fake Twitter/Discord
  • Announces fake giveaway
  • Asks you to "verify" wallet
  • Drains your funds

How to avoid:

  • Verify official accounts (checkmark)
  • Check follower count
  • Look for typos in username
  • Never "verify" your wallet
  • No legitimate giveaway asks for seed phrase

Red Flags

🚩 Warning signs:

  • Unsolicited DMs
  • Urgency ("Act now!")
  • Too good to be true
  • Asking for seed phrase
  • Asking for private key
  • Asking to "verify" wallet
  • Misspelled URLs
  • No HTTPS
  • Unverified contracts

If it feels wrong, it probably is. Trust your gut.

🔍 Transaction Verification

Before Signing

Always review:

  1. Contract Address - Is it the official contract?
  2. Function - What is the transaction doing?
  3. Value - How much ETH are you sending?
  4. Gas Fee - Is it reasonable?
  5. Token Approvals - What are you approving?

Example MetaMask Review:

Contract: 0x1234...abcd (Sacred Altar)
Function: makeOffering
Value: 0.01 ETH (donation)
Gas: 0.002 ETH (~$4)
Approving: 100 ETHO

Questions to ask:

  • Is this the right contract? ✅
  • Do I want to make an offering? ✅
  • Is 0.01 ETH donation correct? ✅
  • Is gas fee reasonable? ✅
  • Am I okay approving 100 ETHO? ✅

If anything looks wrong, REJECT the transaction.
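The five pre-sign questions above, turned into a mechanical check. This is an added example, not Ethereal Offering's or MetaMask's code: it takes the fields a wallet shows in its transaction prompt (destination, calldata, value, worst-case fee) and returns a list of findings, where an empty list means "nothing looked wrong". The contract and token addresses are constructed placeholders standing in for the project's published ones; the two function selectors are the real first four bytes of keccak256 of the ERC-20 `approve` and `transfer` signatures. Amounts are handled in wei as integers so that 0.01 ETH never suffers float rounding.

```python
from dataclasses import dataclass, field
from decimal import Decimal

WEI = 10**18
UNLIMITED = 2**256 - 1  # the "infinite" approval many dApps request by default

# Constructed placeholder allowlist; replace with the project's published addresses.
SACRED_ALTAR = "0x" + "11" * 20
ETHO_TOKEN = "0x" + "22" * 20
OFFICIAL_CONTRACTS = {SACRED_ALTAR: "Sacred Altar", ETHO_TOKEN: "ETHO token"}

# Real selectors: first 4 bytes of keccak256 of the ERC-20 function signatures.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}


def eth(amount: str) -> int:
    """Convert a human ETH/token amount given as a string to wei, with no float rounding."""
    return int(Decimal(amount) * WEI)


@dataclass
class TxRequest:
    to: str
    data: str        # 0x-prefixed calldata, as shown in the wallet's "hex" tab
    value_wei: int
    gas_wei: int     # worst-case fee: gas limit * max fee per gas


@dataclass
class Review:
    findings: list = field(default_factory=list)

    @property
    def safe_to_sign(self) -> bool:
        return not self.findings


def _word(data: str, i: int) -> int:
    """i-th 32-byte ABI argument after the 4-byte selector (data without 0x)."""
    start = 8 + 64 * i
    return int(data[start:start + 64], 16)


def review_tx(tx: TxRequest, expected_value_wei: int, max_gas_wei: int,
              max_approval_wei: int) -> Review:
    """Apply the five pre-sign questions; an empty findings list means sign."""
    r = Review()
    to = tx.to.lower()
    data = tx.data[2:] if tx.data.lower().startswith("0x") else tx.data
    # 1. Contract address: only addresses verified out of band are acceptable.
    if to not in OFFICIAL_CONTRACTS:
        r.findings.append(f"unknown contract {tx.to}")
    # 2. Function: an unrecognised selector means we cannot say what the call does.
    selector = data[:8].lower()
    func = SELECTORS.get(selector)
    if data and func is None:
        r.findings.append(f"unrecognised function selector 0x{selector}")
    # 3. Value: must equal the donation you intended, to the wei.
    if tx.value_wei != expected_value_wei:
        r.findings.append(f"value {tx.value_wei} wei != expected {expected_value_wei} wei")
    # 4. Gas fee: cap the worst case the wallet displays.
    if tx.gas_wei > max_gas_wei:
        r.findings.append(f"gas fee {tx.gas_wei} wei exceeds cap {max_gas_wei} wei")
    # 5. Token approvals: who may spend, and how much.
    if func == "approve(address,uint256)":
        spender = "0x" + f"{_word(data, 0):064x}"[24:]   # address is the low 20 bytes
        amount = _word(data, 1)
        if spender not in OFFICIAL_CONTRACTS:
            r.findings.append(f"approval to unknown spender {spender}")
        if amount == UNLIMITED:
            r.findings.append("unlimited token approval requested")
        elif amount > max_approval_wei:
            r.findings.append(f"approval {amount} wei exceeds cap {max_approval_wei} wei")
    return r


if __name__ == "__main__":
    # Constructed prompt: approve 100 ETHO to the Sacred Altar, no ETH value, 0.002 ETH fee.
    calldata = "0x095ea7b3" + SACRED_ALTAR[2:].rjust(64, "0") + f"{eth('100'):064x}"
    tx = TxRequest(to=ETHO_TOKEN, data=calldata, value_wei=0, gas_wei=eth("0.002"))
    print(review_tx(tx, expected_value_wei=0, max_gas_wei=eth("0.01"),
                    max_approval_wei=eth("100")))
```

The approval check is the one that matters most in practice: `approve` is sent to the token contract, so the destination looks legitimate, and the thing to read is the spender and the amount inside the calldata.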

After Signing

Verify on Etherscan:

  1. Go to etherscan.io
  2. Paste transaction hash
  3. Check status (Success ✅ or Failed ❌)
  4. Review events (OfferingMade, Transfer, etc.)
  5. Verify amounts

Example:

Status: Success ✅
From: 0xYourAddress
To: 0xSacredAltar
Value: 0.01 ETH
Tokens Transferred:
- 100 ETHO (burned)
- 1 POB NFT (minted)
- 50 MDAO (received)
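The Etherscan check above, done programmatically on the receipt data. This is an added example and not the project's code: it decodes every `Transfer` event in a receipt, tells ERC-20 transfers (amount in the data field) apart from ERC-721 transfers (token id as a fourth indexed topic), classifies each one as burned, minted, received or sent relative to your address, and compares the whole picture with what you expected when you signed. The addresses, token contracts and the transaction/receipt are constructed to mirror the example above; the topic hash is the real keccak256 of `Transfer(address,address,uint256)`, which both token standards share.

```python
# Real event signature hash, shared by ERC-20 and ERC-721 Transfer events.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed addresses for the worked example.
WALLET = "0x" + "aa" * 20
SACRED_ALTAR = "0x" + "11" * 20
TOKENS = {"0x" + "22" * 20: "ETHO", "0x" + "33" * 20: "POB", "0x" + "44" * 20: "MDAO"}


def _addr(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def _topic(addr: str) -> str:
    """Inverse of _addr, used only to build the constructed sample logs."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def decode_transfers(logs: list, wallet: str) -> list:
    """Return (kind, token, direction, amount_or_id) for each Transfer event."""
    wallet = wallet.lower()
    out = []
    for log in logs:
        topics = log["topics"]
        if topics[0].lower() != TRANSFER_TOPIC:
            continue
        frm, to = _addr(topics[1]), _addr(topics[2])
        if len(topics) == 4:
            # ERC-721: tokenId is the third indexed argument, data is empty.
            kind, amount = "nft", int(topics[3], 16)
        else:
            # ERC-20: value is not indexed, so it sits in the data field.
            kind, amount = "erc20", int(log["data"], 16)
        if frm == wallet and to == ZERO_ADDRESS:
            direction = "burned"
        elif frm == ZERO_ADDRESS and to == wallet:
            direction = "minted"
        elif to == wallet:
            direction = "received"
        elif frm == wallet:
            direction = "sent"
        else:
            direction = "third-party"
        token = TOKENS.get(log["address"].lower(), log["address"])
        out.append((kind, token, direction, amount))
    return out


def verify_receipt(tx: dict, wallet: str, expected: dict) -> list:
    """Compare status, destination, value and token movements with what you expected."""
    problems = []
    if tx["status"] != 1:
        problems.append("status: failed")
    if tx["to"].lower() != expected["to"].lower():
        problems.append(f"sent to {tx['to']}, expected {expected['to']}")
    if tx["value_wei"] != expected["value_wei"]:
        problems.append(f"value {tx['value_wei']} wei, expected {expected['value_wei']}")
    got = decode_transfers(tx["logs"], wallet)
    for item in expected["transfers"]:
        if item not in got:
            problems.append(f"missing transfer {item}")
    for item in got:
        if item not in expected["transfers"]:
            problems.append(f"unexpected transfer {item}")
    return problems


# Constructed transaction + receipt fields mirroring the Etherscan example above.
SAMPLE_TX = {
    "status": 1, "to": SACRED_ALTAR, "value_wei": 10**16,   # 0.01 ETH
    "logs": [
        {"address": "0x" + "22" * 20,   # 100 ETHO burned (to the zero address)
         "topics": [TRANSFER_TOPIC, _topic(WALLET), _topic(ZERO_ADDRESS)],
         "data": f"0x{100 * 10**18:064x}"},
        {"address": "0x" + "33" * 20,   # 1 POB NFT minted (from the zero address), id 7
         "topics": [TRANSFER_TOPIC, _topic(ZERO_ADDRESS), _topic(WALLET), f"0x{7:064x}"],
         "data": "0x"},
        {"address": "0x" + "44" * 20,   # 50 MDAO received from the altar
         "topics": [TRANSFER_TOPIC, _topic(SACRED_ALTAR), _topic(WALLET)],
         "data": f"0x{50 * 10**18:064x}"},
    ],
}
EXPECTED = {
    "to": SACRED_ALTAR, "value_wei": 10**16,
    "transfers": [("erc20", "ETHO", "burned", 100 * 10**18),
                  ("nft", "POB", "minted", 7),
                  ("erc20", "MDAO", "received", 50 * 10**18)],
}

if __name__ == "__main__":
    print(decode_transfers(SAMPLE_TX["logs"], WALLET))
    print("problems:", verify_receipt(SAMPLE_TX, WALLET, EXPECTED))
```

An "unexpected transfer" entry is the signal to take seriously: a token leaving your wallet that you did not plan for means an approval or a contract did more than the prompt suggested.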

🛡️ Privacy Protection

Wallet Privacy

Pseudonymity vs Anonymity:

Pseudonymous (default):

  • Wallet address is public
  • Transactions are visible
  • But not linked to real identity

Anonymous (advanced):

  • Use Aleo privacy layer (future)
  • Zero-knowledge proofs
  • Transactions hidden

Tips for privacy:

  • Use separate wallet for recovery activities
  • Don't doxx yourself (don't link your wallet to your real name)
  • Be careful what you share publicly
  • Use VPN when connecting
  • Consider Tor for extra privacy

Data Privacy

What we collect:

  • Wallet address (public)
  • Transaction history (on-chain)
  • IP address (server logs)

What we DON'T collect:

  • Real name
  • Email (unless you provide it)
  • Location (unless you share it)
  • Seed phrase (never!)
  • Private keys (never!)

Your data rights:

  • Request data deletion
  • Opt out of analytics
  • Use privacy tools
  • Control what you share

🔒 Smart Contract Security

Audits

Our contracts are audited by:

  • [Audit Firm 1] - Report: [Link]
  • [Audit Firm 2] - Report: [Link]

What audits check:

  • Code vulnerabilities
  • Logic errors
  • Gas optimization
  • Best practices
  • Known attack vectors

Audits are not guarantees - bugs can still exist.

Bug Bounty Program

Report bugs, earn rewards:

Severity   Reward    Example
Critical   $10,000   Drain treasury
High       $5,000    Steal user funds
Medium     $1,000    Bypass access control
Low        $100      Gas optimization

How to report:

  1. Email: security@psanctuary.org
  2. Include: Description, steps to reproduce, impact
  3. Wait for response (24-48 hours)
  4. Receive reward (if valid)

Rules:

  • Don't exploit the bug
  • Don't share publicly before fix
  • Give us time to patch
  • Be professional

Contract Upgrades

Our upgrade policy:

Immutable Contracts:

  • Token contracts (PSILO, MDAO, ETHO, etc.)
  • Cannot be changed
  • Permanent code

Upgradeable Contracts:

  • Governance
  • Treasury
  • AMM Router
  • Can be upgraded via DAO vote

Upgrade process:

  1. Proposal submitted
  2. Community review (7 days)
  3. DAO vote (3 days)
  4. If approved, upgrade executed
  5. Announcement to community

🚨 Emergency Procedures

If Your Wallet Is Compromised

Immediate actions:

  1. Transfer assets to new wallet (if possible)
  2. Revoke approvals on compromised wallet
  3. Change passwords on all accounts
  4. Scan your device for malware
  5. Report to community (warn others)

Prevention:

  • Keep seed phrase secure
  • Use hardware wallet
  • Don't click suspicious links
  • Keep software updated

If You Lose Your Seed Phrase

Unfortunately:

  • Your funds are permanently lost
  • No one can recover them
  • Not even us
  • This is the nature of decentralization

Prevention:

  • Multiple backups
  • Different locations
  • Metal backup
  • Test recovery

If You Suspect a Bug

Report immediately:

  1. Don't exploit it
  2. Email security@psanctuary.org
  3. Include details (description, steps, impact)
  4. Wait for response
  5. Receive bug bounty (if valid)

We appreciate responsible disclosure.

✅ Security Checklist

Daily

  • Lock wallet when not in use
  • Check for suspicious transactions
  • Review token approvals
  • Update software if needed

Weekly

  • Review wallet activity
  • Check for phishing emails
  • Scan for malware
  • Backup important data

Monthly

  • Review all token approvals
  • Check seed phrase backup
  • Update passwords
  • Review security settings

Quarterly

  • Full security audit
  • Test seed phrase recovery
  • Review all accounts
  • Update emergency contacts

🔗 Security Tools

Approval Checkers

Revoke token approvals:

How to use:

  1. Connect wallet
  2. View all approvals
  3. Revoke suspicious ones
  4. Confirm transaction
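The approval-checker steps above, the "revoke suspicious approvals" advice in the airdrop section and the "revoke approvals on compromised wallet" step in the emergency procedures all come down to the same two operations: find out which spenders still hold an allowance on your tokens, and send `approve(spender, 0)` to the token contract for each one you do not trust. This is an added example, not the code of any allowance-checker tool: it reconstructs live allowances from a wallet's ERC-20 `Approval` event logs, flags unlimited approvals and unknown spenders, and builds the revoke calldata. The addresses and logs are constructed; the topic hash is the real keccak256 of `Approval(address,address,uint256)` and `0x095ea7b3` the real `approve(address,uint256)` selector. One assumption is stated in the code: a spender's own `transferFrom` usage is not modelled, so the figures can over-state, never under-state, what is still spendable.

```python
# Real event signature hash and function selector from the ERC-20 standard.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
UNLIMITED = 2**256 - 1

# Constructed addresses for the worked example.
WALLET = "0x" + "aa" * 20
SACRED_ALTAR = "0x" + "11" * 20
ETHO_TOKEN = "0x" + "22" * 20
UNKNOWN_DAPP = "0x" + "ee" * 20
TRUSTED_SPENDERS = {SACRED_ALTAR}


def _addr(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def _topic(addr: str) -> str:
    """Inverse of _addr, used only to build the constructed sample logs."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def current_allowances(logs: list, owner: str) -> dict:
    """Latest Approval value per (token, spender) for owner, logs in chain order.

    Assumption: only Approval events are read. Spending through transferFrom that a
    token does not report with a fresh Approval event is not reflected, so the
    result can over-state (never under-state) what a spender may still move.
    """
    owner = owner.lower()
    latest = {}
    for log in logs:
        topics = log["topics"]
        if topics[0].lower() != APPROVAL_TOPIC or _addr(topics[1]) != owner:
            continue
        latest[(log["address"].lower(), _addr(topics[2]))] = int(log["data"], 16)
    return {key: amt for key, amt in latest.items() if amt > 0}


def suspicious_allowances(allowances: dict, trusted: set) -> list:
    """Flag unlimited approvals and any spender not on the trusted list."""
    trusted = {t.lower() for t in trusted}
    flagged = []
    for (token, spender), amt in allowances.items():
        why = []
        if amt == UNLIMITED:
            why.append("unlimited")
        if spender not in trusted:
            why.append("untrusted spender")
        if why:
            flagged.append((token, spender, amt, why))
    return flagged


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0); send it to the token contract, with zero value."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# Constructed history: approve the altar for 100 ETHO, then an unknown dApp for
# an unlimited amount (the airdrop-scam pattern), then revoke the altar.
SAMPLE_LOGS = [
    {"address": ETHO_TOKEN, "topics": [APPROVAL_TOPIC, _topic(WALLET), _topic(SACRED_ALTAR)],
     "data": f"0x{100 * 10**18:064x}"},
    {"address": ETHO_TOKEN, "topics": [APPROVAL_TOPIC, _topic(WALLET), _topic(UNKNOWN_DAPP)],
     "data": f"0x{UNLIMITED:064x}"},
    {"address": ETHO_TOKEN, "topics": [APPROVAL_TOPIC, _topic(WALLET), _topic(SACRED_ALTAR)],
     "data": f"0x{0:064x}"},
]

if __name__ == "__main__":
    live = current_allowances(SAMPLE_LOGS, WALLET)
    for token, spender, amt, why in suspicious_allowances(live, TRUSTED_SPENDERS):
        print(f"{token} -> {spender}: {amt} ({', '.join(why)})")
        print("  revoke with:", revoke_calldata(spender), "sent to", token)
```

Revoking is itself a transaction that costs gas and needs signing, so the same pre-sign review applies: the destination must be the token contract, the selector `0x095ea7b3`, and the amount word all zeros.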

Transaction Simulators

Preview transactions before signing:

How to use:

  1. Paste transaction data
  2. Run simulation
  3. Review results
  4. Decide to sign or reject

Wallet Trackers

Monitor your wallet:

Features:

  • View all assets
  • Track transactions
  • Monitor approvals
  • Get alerts

📚 Additional Resources

Education

Support

🙏 Final Thoughts

Security is a practice, not a product.

  • Stay vigilant
  • Trust but verify
  • Question everything
  • Protect your keys
  • Help others stay safe

We're all in this together. Let's keep our community safe. 🍄✨

"Not your keys, not your coins. Not your seed phrase, not your wallet. Security is sovereignty."