Feb 20 • 11 mins
Blockchain

WalletConnect v2 Security Checklist: Is WalletConnect Safe?

If you’re asking whether WalletConnect is safe, the short answer is: yes, WalletConnect is generally safe as a connection and session protocol, but most losses happen because of phishing, malicious approvals, and fake sessions, not because WalletConnect itself was “hacked.”

WalletConnect v2 is simply a communication layer between wallets and decentralized applications (dApps). It does not custody funds, store private keys, or execute transactions on its own. The real risk emerges when users approve malicious requests or when wallets fail to validate session proposals properly.

This guide provides a practical, opinionated WalletConnect v2 security checklist for:

  • Wallet builders (CTOs, engineers, product teams)
  • dApp developers
  • Power users concerned about wallet safety

Just real-world risk models and actionable mitigation steps.

Is WalletConnect safe? Quick Answer

If you only read one section, read this.

WalletConnect is generally safe because:

  • It does not hold private keys.
  • It’s designed for secure session communication.
  • It requires explicit user approval for sessions and signatures.
  • Data between the wallet and the dApp is protected with end-to-end encryption (E2EE).

WalletConnect becomes risky when:

  • Users connect to phishing websites.
  • Wallets approve overly broad permissions.
  • Session management is weak.
  • Message signing is unclear or blind.

What users should do today:

  • Verify domains before connecting
  • Reject unknown session proposals
  • Avoid blind message signing
  • Disconnect unused sessions
  • Revoke token approvals periodically

How WalletConnect v2 Works (30-Second Explanation)

Understanding risk starts with understanding flow.

1. Secure Pairing (The Handshake) The dApp generates a unique URI, shared via QR Code or Deep Link. This initiates a secure connection between the wallet and the dApp, typically routed via a Relay Server. Data between the wallet and the dApp is protected with end-to-end encryption (E2EE), so the relay does not see the message content (it only forwards encrypted payloads).

Session Proposal (Setting the Rules) The dApp sends a “manifest” of what it needs:

  • Chains: Which networks (e.g., Ethereum, Polygon)
  • Methods: What it can request (e.g., personal_sign)
  • Metadata: Who is asking (app name, URL, icons)

2. Permission Approval (You’re in Control) Your wallet displays a clear summary of these requests. You grant access only to the specific chains and permissions you trust. No private keys are ever shared.

3. Active Session (Secure Interaction) Once approved, the dApp sends requests to your wallet within this encrypted session. Every transaction still requires manual signing by you before it can be submitted to the blockchain.

Real-World WalletConnect Risks (What Actually Goes Wrong)

WalletConnect security issues are almost never protocol failures. They are:

1. Fake dApps & Phishing Websites

A cloned site prompts users to connect. The session is legitimate — the website is not.

2. Malicious Token Approvals

Users sign transactions approving unlimited token allowances. Funds get drained later.

3. Dangerous Message Signing

Improperly understood personal_sign or eth_signTypedData requests can authorize harmful actions.

4. Session Persistence

Users stay connected for weeks. The dApp later pushes a malicious request.

5. Misleading Metadata

Session proposals show generic or misleading names/icons.

Risk → What It Looks Like → Mitigation

| Risk | What It Looks Like | Mitigation |
|---|---|---|
| Phishing site | Looks like real dApp, different domain | Verify domain before session approval |
| Unlimited token approval | “Approve spending” without limit | Warn clearly about unlimited allowances |
| Blind signature | Raw hex data signing | Display decoded signing data |
| Long-lived session | Always connected | Auto-expire sessions + visible disconnect UI |
| Fake QR code | QR from Discord/Telegram | Validate WalletConnect URI structure |

WalletConnect Phishing & Scam Patterns (User-Facing)

Common WalletConnect phishing patterns include:

  • QR codes from unofficial Telegram groups
  • Fake “support” agents sending connection links
  • Lookalike domains (e.g., swapping letters)
  • “Connect wallet to claim” airdrop scams
  • Malicious popups embedded inside compromised websites

Users should:

Do this

  • Type website URLs manually
  • Bookmark trusted dApps
  • Verify domain + SSL
  • Disconnect unused sessions

Avoid this

  • Connecting from unsolicited DMs
  • Signing unclear messages
  • Approving unlimited allowances casually

Remember: a WalletConnect scam works because the user approves something harmful, not because WalletConnect was breached.

Wallet-Side Security Checklist (For Wallet Builders)

If you’re building a wallet, WalletConnect integration must be treated as a security-critical surface.

Developer note: CAIP-25 (what v2 is built around)

WalletConnect v2 session permissions are aligned with CAIP-25, a chain-agnostic standard that helps structure how wallets and apps describe accounts, chains, and requested capabilities across ecosystems. In practice, this is why v2 can support richer multi-chain sessions and more granular permissions and why your validation logic must be strict at the “session proposal” boundary.

1. Domain Verification UX (WalletConnect Verify API)

Integrate the WalletConnect Verify API.

Treat status as:

  • VALID → Display verified badge
  • INVALID → Show high-risk warning + require extra confirmation
  • UNKNOWN → Neutral but cautious UI

Never silently approve unknown origins.

2. Strict Parsing of WalletConnect URIs

For WalletConnect deep link security:

  • Validate URI structure strictly
  • Reject malformed inputs
  • Prevent intent hijacking on Android
  • Prevent custom scheme injection

Never trust raw QR input.

3. Session Proposal Validation

Validate:

  • Metadata URL matches domain
  • Icons load from expected origin
  • App name not blank or generic
  • No unexpected chains requested

This reduces spoofing.

4. Method & Chain Allowlist

Do not auto-approve all methods.

Use:

  • Method allowlists
  • Chain allowlists
  • Principle of least privilege

If a dApp only needs eth_sign, don’t approve eth_sendTransaction.

5. Event Subscription Minimization

Only approve required event subscriptions. Overexposure increases attack surface.
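
The checks from items 1 and 3 to 5 above combined into one review step, as an added example (not from the original article or from WalletConnect's own code). The POLICY allowlists, the result labels and the function names are assumptions for a hypothetical EVM-only wallet; the field names follow the v2 proposal and Verify shapes.

```javascript
// Added example: review a v2 session proposal before the approval screen.
// POLICY is an assumption for a hypothetical EVM-only wallet; field names follow
// the v2 proposal shape (proposer.metadata, requiredNamespaces, optionalNamespaces).
const POLICY = {
  chains: new Set(["eip155:1", "eip155:137"]),
  methods: new Set(["personal_sign", "eth_signTypedData_v4", "eth_sendTransaction"]),
  events: new Set(["accountsChanged", "chainChanged"]),
};
const GENERIC_NAMES = new Set(["", "app", "dapp", "walletconnect"]);

function httpsHost(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.hostname : null;
  } catch (e) { return null; }
}

function reviewProposal(proposal, verified) {
  const blockers = [], warnings = [];
  const meta = (proposal.proposer || {}).metadata || {};
  const metaHost = httpsHost(meta.url), originHost = httpsHost(verified.origin);
  if (!metaHost) blockers.push("metadata url missing or not https");
  else if (originHost && originHost !== metaHost) blockers.push("metadata url does not match verified origin");
  if (GENERIC_NAMES.has(String(meta.name || "").trim().toLowerCase())) warnings.push("blank or generic app name");
  if ((meta.icons || []).some((icon) => httpsHost(icon) !== metaHost)) warnings.push("icon from unexpected origin");

  const grant = new Map(); // namespace -> { chains, methods, events } actually granted
  for (const [group, required] of [[proposal.requiredNamespaces, true], [proposal.optionalNamespaces, false]]) {
    for (const [ns, raw] of Object.entries(group || {})) {
      const asked = raw || {};
      if (!grant.has(ns)) grant.set(ns, { chains: [], methods: [], events: [] });
      // CAIP-25 allows a chain-scoped key such as "eip155:1" with no chains array.
      const wanted = { ...asked, chains: ns.includes(":") ? [ns] : asked.chains || [] };
      for (const kind of ["chains", "methods", "events"]) {
        for (const item of wanted[kind] || []) {
          if (POLICY[kind].has(item)) {
            if (!grant.get(ns)[kind].includes(item)) grant.get(ns)[kind].push(item);
          } else if (required) blockers.push(`required ${kind} entry not allowed: ${item}`);
          // A disallowed optional entry is simply not granted (least privilege).
        }
      }
    }
  }
  for (const [ns, g] of grant) if (g.chains.length === 0) grant.delete(ns); // no chain, no grant
  const ui = verified.validation === "VALID" ? "verified-badge"
    : verified.validation === "INVALID" ? "high-risk-confirm" : "cautious-unverified";
  return { approvable: blockers.length === 0, ui, blockers, warnings, grant };
}
```

The returned grant is what the wallet would put into its approved namespaces; a proposal with any blocker is never shown as approvable, whatever the Verify status says.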

6. Session Expiry Defaults

Implement:

  • Default expiry times
  • Manual disconnect UI
  • Auto-expire idle sessions

Clear session management is critical for WalletConnect security.

7. Risk-Based UX Warnings

Trigger enhanced warnings for:

  • Unlimited ERC-20 approvals
  • Permit-style signatures
  • Blind signing
  • Unknown contract interactions

Explain clearly in human-readable language.

8. Logging & Monitoring

Wallet teams should log:

  • Repeated invalid sessions
  • Malformed URIs
  • Excessive proposal spam
  • Suspicious metadata reuse

Rate limit abuse patterns.

If You’re Building a Wallet…

If you’re implementing WalletConnect inside a consumer wallet, your architecture matters.

In our wallet development solutions, we treat WalletConnect not just as a feature, but as a critical security boundary with clear transaction signing prompts.

dApp-Side Security Checklist (For dApp Builders)

Security is shared responsibility.

Do This:

  • Set up WalletConnect domain verification
  • Request minimal methods
  • Use clear signing prompts
  • Provide disconnect option
  • Limit session duration

Avoid This:

  • Requesting all chains by default
  • Ambiguous signing messages
  • Hiding disconnect options

Poor dApp UX increases wallet risk.

Deep Link & QR Security Checklist (Mobile)

For WalletConnect QR code phishing and deep links:

  • Validate scanned URIs strictly
  • Confirm app identity before approval
  • Prevent Android intent hijacking
  • Do not auto-open sessions silently

Users must see and approve everything.
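
A strict parser for the URI checks listed here and under “Strict Parsing of WalletConnect URIs”, as an added example (not from the original article or from WalletConnect's SDK). It assumes the v2 pairing URI shape wc:<topic>@2?relay-protocol=irn&symKey=<key>; the parameter allowlist, the length cap and the function name are assumptions.

```javascript
// Added example: strict parser for WalletConnect v2 pairing URIs.
// Assumed shape: wc:<topic>@2?relay-protocol=irn&symKey=<key>
const HEX32 = /^[0-9a-f]{64}$/; // 32 bytes as lowercase hex
const ALLOWED_PARAMS = new Set( // assumption: anything else is rejected
  ["relay-protocol", "relay-data", "symKey", "expiryTimestamp", "methods"]);
const MAX_URI_LENGTH = 512; // assumption: generous upper bound

function parsePairingUri(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  if (typeof input !== "string" || input.length > MAX_URI_LENGTH) return fail("length");
  // Printable ASCII only: no whitespace, control characters or Unicode lookalikes.
  if (!/^[\x21-\x7e]+$/.test(input)) return fail("charset");
  // Exact scheme, no fragment; "wc://" and "WC:" are rejected, not normalized.
  const m = /^wc:([^@?#]+)@([^?#]+)\?([^#]+)$/.exec(input);
  if (!m) return fail("structure");
  const [, topic, version, query] = m;
  if (version !== "2") return fail("version");
  if (!HEX32.test(topic)) return fail("topic");

  const params = new Map();
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    if (eq <= 0) return fail("param-syntax");
    const key = pair.slice(0, eq);
    if (!ALLOWED_PARAMS.has(key)) return fail("unknown-param:" + key);
    if (params.has(key)) return fail("duplicate-param:" + key); // no parameter pollution
    params.set(key, pair.slice(eq + 1));
  }
  if (params.get("relay-protocol") !== "irn") return fail("relay-protocol");
  if (!HEX32.test(params.get("symKey") || "")) return fail("symKey");
  if (params.has("expiryTimestamp")) {
    const expiry = params.get("expiryTimestamp");
    if (!/^\d{1,12}$/.test(expiry)) return fail("expiry-syntax");
    if (Number(expiry) <= nowSeconds) return fail("expired");
  }
  return { ok: true, topic, symKey: params.get("symKey") };
}

// Constructed sample values, not real session material.
const SAMPLE_URI = "wc:" + "ab".repeat(32) + "@2?relay-protocol=irn&symKey=" + "cd".repeat(32);
console.log(parsePairingUri(SAMPLE_URI).ok);
console.log(parsePairingUri(SAMPLE_URI.replace("@2", "@1")).reason);
console.log(parsePairingUri(SAMPLE_URI + "&symKey=" + "ef".repeat(32)).reason);
```

The reason string is meant for the wallet's logs and rate limiting; the symKey itself should never be written to them.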

Signing Safety: Message vs Transaction Signing

Two major request types:

Transaction Signing

  • Moves funds
  • Approves token allowances
  • Executes smart contracts

Message Signing

  • personal_sign
  • eth_signTypedData

eth_signTypedData security risks arise when users sign structured data without understanding consequences (e.g., off-chain permit signatures).

personal_sign security issues arise when wallets show raw hex blobs without decoding.

Wallets must:

  • Decode and display structured data
  • Highlight risks clearly
  • Avoid blind signing whenever possible

Users should:

  • Never sign messages they don’t understand
  • Reject unexpected popups
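
How a wallet can turn the request types above, and the triggers listed under “Risk-Based UX Warnings”, into findings it can explain to the user, as an added example (not from the original article or any wallet's code). The { method, params } request shape, the risk labels and the function names are assumptions; the two selectors are the standard ones for approve(address,uint256) and setApprovalForAll(address,bool).

```javascript
// Added example: classify a signing request so the wallet can warn in plain language.
// The { method, params } shape and the risk labels are assumptions.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE = "095ea7b3"; // ERC-20 approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)

function assessTransaction(tx) {
  const data = String((tx || {}).data || "").replace(/^0x/, "").toLowerCase();
  if (!/^([0-9a-f]{2})*$/.test(data)) return { risk: "malformed-calldata" };
  if (data === "") return { risk: "plain-transfer" };
  const selector = data.slice(0, 8), args = data.slice(8);
  if (args.length === 128 && (selector === APPROVE || selector === SET_APPROVAL_FOR_ALL)) {
    const spender = "0x" + args.slice(24, 64); // address is right-aligned in word 1
    const word2 = BigInt("0x" + args.slice(64));
    if (selector === SET_APPROVAL_FOR_ALL) return { risk: word2 ? "approval-for-all" : "revoke-for-all", spender };
    // Assumption: only the exact maximum counts as "unlimited".
    return { risk: word2 === MAX_UINT256 ? "unlimited-approval" : "limited-approval", spender, amount: word2 };
  }
  return { risk: "unknown-contract-call", selector: "0x" + selector };
}

function assessPersonalSign(hexMessage) {
  const hex = String(hexMessage).replace(/^0x/, "");
  if (!/^([0-9a-fA-F]{2})+$/.test(hex)) return { risk: "blind-sign" };
  const bytes = Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16));
  try {
    const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    // Control characters can hide content in the prompt, so treat them as opaque.
    if (!/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(text)) return { risk: "readable-message", text };
  } catch (e) { /* not valid UTF-8 */ }
  return { risk: "blind-sign" };
}

function assessTypedData(json) {
  try {
    const typed = typeof json === "string" ? JSON.parse(json) : json;
    const risk = /^Permit/.test(String(typed.primaryType)) ? "permit-signature" : "typed-data";
    return { risk, primaryType: typed.primaryType, message: typed.message };
  } catch (e) { return { risk: "blind-sign" }; }
}

function assessRequest({ method, params }) {
  if (method === "eth_sendTransaction") return assessTransaction(params[0]);
  if (method === "personal_sign") return assessPersonalSign(params[0]);
  if (/^eth_signTypedData(_v[34])?$/.test(method)) return assessTypedData(params[1]);
  return { risk: "unsupported-method" };
}
```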

What To Do If You Suspect Compromise

If you think something went wrong:

  1. Disconnect all WalletConnect sessions
  2. Revoke token approvals (via blockchain explorers)
  3. Move funds to a new wallet
  4. Generate a new seed phrase
  5. Check for unknown connected sessions

Time matters. Act quickly.

FAQ

Is WalletConnect safe?

Yes, when implemented correctly. Most losses occur due to phishing and malicious approvals.

Can WalletConnect drain my wallet?

No. It cannot move funds without your explicit signature approval.

What is WalletConnect Verify API?

A verification system that checks dApp domain authenticity before session approval.

How do I disconnect WalletConnect sessions?

Use your wallet’s session management section and manually disconnect active sessions.

Is signing a message safe?

It depends on what you are signing. Typed data and blind messages can authorize dangerous actions.

How to avoid WalletConnect phishing?

Verify domains, reject unknown sessions, avoid signing unclear messages, and disconnect unused sessions.

Final Thoughts

So, is WalletConnect safe?

Yes, WalletConnect v2 is designed as a secure connection layer, including end-to-end encryption (E2EE) between wallet and dApp. The Relay Server routes messages but does not see the message content.

WalletConnect v2 provides powerful tools. Security depends on how responsibly they are used.

Dmitry Khanevich

CEO NDLabs

About the author

Dmitry K.

CEO and Co-founder of ND Labs
I’m a top professional with many years of experience in software development and IT. Founder and CEO of ND Labs, specializing in the FinTech industry, blockchain and smart contract development for DeFi and NFT.
