Academy topicintermediate

Risk and Security

Risk and Security is where Academy protects user judgment. It separates heuristics from guarantees, explains failure modes, and teaches how to avoid irreversible operational mistakes.

What this topic helps you spot

approvals

token risk

phishing

How to use this topic

Use this page as a concept map across glossary terms, tracks, and product surfaces.

If the concept feels abstract, start with the practical lessons before you go deeper.

Use the highlights below as fast anchors for what should jump out at you in product UI.

Topic framing

What this topic should make easier to catch

Risk is not a mood. It is the ability to spot where a normal-looking flow is quietly asking for more trust than the current action deserves.

Signals change behavior

Warnings matter when they change approval scope, pace, size, or willingness to continue.

Ambiguity is the warning

If the signer, spender, or route trust is not clear, that uncertainty is already part of the risk decision.

Procedure beats panic

The safest users are not the ones who feel no fear. They are the ones who know exactly what to verify next.

Topic decision

How to turn a warning into a better action

The goal is not total certainty. It is reducing how much damage one unclear step can still create.

Reduce blast radius

Best when the route is still usable but trust is incomplete, so you want less permission and more verification.

Use narrower approvals when trust is not earned yet.

Pause on unclear signer prompts instead of narrating them as routine.

Split verification across chain, contract, spender, and recipient.

Do not improvise

Best when stress is rising and the temptation is to stack new actions on top of unclear state or unclear authority.

Do not panic-click because a route feels delayed.

Do not let familiar branding override fuzzy payload details.

Do not treat repeated success as proof the same shortcut is safe forever.

Start with these signals

Use these as first-pass anchors. If these signals become easier to spot on live screens, the topic is doing real work.

Signal 1

approvals

Signal 2

token risk

Signal 3

phishing

Signal 4

bridge risk

Quick risk discipline check

I know what contract and chain this action depends on.

The permission scope matches the job in front of me.

If something looks strange, I will pause before adding more actions.

Spot first

approvals

Watch for

Warnings that tempt you to panic-click instead of inspect.

Use live

Translate every risk signal into a concrete behavior change.

Core lesson

Start with the practical lessons

Work through the main concept first, then move into applied judgment and next actions.

How to read a risk signal without overreacting

Good risk interpretation sits between two bad habits: blind trust and blind panic. A signal is a reason to change behavior, not a substitute for judgment.

A warning can justify more caution without proving the route is malicious.

No warning does not mean the route is automatically safe.

Risk signals are strongest when they change what you are willing to approve, size, or trust.

Users usually get hurt when they turn signals into emotion instead of procedure.

Treat risk signals as behavior modifiers, not as absolute truth.

Where safety habits actually pay off

The highest-value risk habits are boring on purpose. They reduce blast radius before the stressful moment, not after.

Verify contract, chain, and recipient separately before signing.

Keep permissions smaller when trust is limited or reuse is low.

Slow down when routes stall, warnings appear, or prompts look unfamiliar.

Cleanup habits like reviewing stale approvals matter because old permissions are stored risk.

The goal is not perfect certainty. It is smaller downside when uncertainty is unavoidable.

Why clear signing matters more when the wallet looks sophisticated

A strong setup can still fail if the human signer cannot see what is actually being approved. Advanced tooling does not remove the need for readable authority.

Multi-sig and treasury workflows still depend on a human correctly interpreting what is in front of them.

A polished confirmation flow can create false confidence when payload details stay opaque.

Risk grows fast when operators assume another layer already verified the dangerous part.

If a signer cannot explain the approval in plain English, the workflow is not ready for production pressure.

Sophisticated wallet setup is not the same thing as clear signing discipline.

Real cases

What actually happened

These are public cases and repeated real-world patterns turned into teachable stories. Use them to see how small shortcuts become expensive outcomes in real product flows.

Public source-backed

Read the story first, then notice the exact decision that made the damage possible.

Case study

The attacker did not need a second chance because the first approval was enough

Loss: ~$1.0B total (2021-2023)

Situation

Chainalysis estimated suspected approval-phishing losses at roughly $1.0 billion from May 2021 through November 2023. The pattern keeps working because victims do not experience the prompt as theft when they sign it.

Why this case matters

One real-world failure usually teaches faster than ten abstract warnings.

What they assumed

A normal-looking approval prompt is lower risk than an obvious transfer, so it does not deserve the same suspicion.

Red flag you would have seen in the UI

A wallet approval or signature request whose scope, spender, or purpose is not completely clean in context. In product terms, ambiguity at the prompt is the warning.

You would have seen this on

These are the exact product moments where this kind of mistake usually first looks harmless.

Wallet promptApprovals

What went wrong

The approval looked normal enough to pass as routine wallet activity.

Nothing obvious left the wallet at the moment of signing, which lowered alarm.

The granted authority was later used to drain funds.

The loss was created by misreading the prompt as harmless rather than by one visible immediate transfer.

Core lesson

Risk interpretation has to happen before the wallet signs, not after the funds are already gone.

What they should have done instead

Treat normal-looking approval prompts as future-authority decisions. If the context is unclear, stop before the signature instead of waiting for visible damage.

Source

Chainalysis approval phishing analysis

Case study

A sophisticated treasury stack still lost almost $1.5B

Loss: Almost $1.5B

Situation

In February 2025, the Bybit incident showed that even a sophisticated Safe-based signing environment can fail catastrophically when the signer experience does not make the real payload obvious enough. Public reporting put the loss at almost $1.5 billion.

Why this case matters

One real-world failure usually teaches faster than ten abstract warnings.

What they assumed

If the wallet setup is advanced, institutional, or multi-sig, the final signing surface is probably safe enough by default.

Red flag you would have seen in the UI

A signing flow where operators are approving a complex transaction without clear, human-readable certainty about the destination and authority being granted. In product terms, sophistication without clarity is not safety.

You would have seen this on

These are the exact product moments where this kind of mistake usually first looks harmless.

Wallet promptStatus

What went wrong

Trust shifted from direct understanding of the transaction to the surrounding workflow and setup.

The human step remained critical even though the environment looked mature and well-controlled.

Once the malicious action was signed, the technical sophistication around the wallet did not undo the approval.

The result was an unprecedented loss of nearly $1.5 billion.

Core lesson

Risk discipline does not stop at better tooling. It stops at clearer human verification.

What they should have done instead

Treat every signing surface as a real authority checkpoint, even in advanced treasury setups. If the payload is not legible to the signer, the process is weaker than it looks.

Source

Safe Ecosystem Foundation statement on the Bybit incident

How this topic breaks down

Roadmap

Section 1

Risk signals versus certainty

Users need a better model than green equals safe and red equals scam. Academy should teach what a signal can justify and what it cannot prove.

heuristicstoken warningsapproval blast radiusbridge trust assumptionswhy confidence can be dangerous

Section 2

Operational habits that reduce losses

The strongest safety layer is procedural discipline before, during, and after execution.

address verificationwallet prompt reviewpost-trade hygienerevoking stale approvals

Use after the lesson

Before you sign or confirm

This section should help in the moment of risk. Keep one question in mind: what should I check right now before giving authority or sending the route forward?

Check now

Do not think in abstract principles here. Think in checks you can do on this screen before moving forward.

Do now

Translate every risk signal into a concrete behavior change.

Reduce scope when trust is unclear instead of hoping the route is fine.

Use warnings as a cue to slow down, not to improvise faster.

Do not continue if

Do not treat warnings as proof of disaster.

Do not treat a clean UI as proof of safety.

Do not keep stacking actions while route state is unclear.

Red flag if this feels routine

If this step feels like harmless friction, that is already the red flag.