For Frontend and Wallet Engineers

Protect users where transactions are composed, displayed, simulated, approved, and submitted. Browser-shipped code is part of the trust boundary.

30 / 60 / 90-day path

| Window | What to do | Evidence to keep |
|---|---|---|
| 30 days | Inventory scripts, wallet connectors, RPC keys, signing flows, public env vars, and privileged routes. | Runtime script list, key inventory, signing-flow diagram. |
| 60 days | Create signing-path, frontend, supply-chain, and account-abstraction evidence gates. | Route baseline, transaction previews, dependency approvals. |
| 90 days | Add recurring drift monitoring and rehearse wallet-drainer response. | Drift alerts, rollback drill, takedown packet, user comms draft. |

First 10 resources

  1. ERC-4337 resources
  2. ERC-4337 simulation requirements
  3. OpenZeppelin EIP-4337 audit
  4. Tenderly docs
  5. BlockSec Phalcon simulator
  6. MetaMask eth-phishing-detect
  7. Safe Help Center
  8. GoPlus Security
  9. Blockaid
  10. VANTAGE by DigiBastion

Common failure

Teams review source code but not the browser-observed runtime. Wallet-facing pages need evidence for domains, scripts, modals, RPCs, transaction previews, dependencies, and rollback paths.

Educational resource only. Links and listings are not endorsements by Raiders0786, DigiBastion, maintainers, contributors, or this project. Verify third-party resources before relying on them. Not legal, financial, investment, compliance, or professional security advice. Read the full disclaimer.