What an extension wallet actually is
A browser extension wallet (MetaMask, Phantom, GaurdWallet and others) keeps your keys in an encrypted vault inside the browser profile and signs transactions locally. Sites never see your keys; they send requests ("connect", "sign this"), and the extension shows you a confirmation window. Modern extensions run on Manifest V3, where the extension's own pages are isolated from websites by the browser's process model.
So the architecture is sound. Nearly every real-world loss happens through one of five doors — none of which is "the extension got hacked".
The five ways people actually lose funds
1. Seed-phrase phishing (the big one)
A site, ad, DM or "support agent" convinces you to type your 12 words — into a fake wallet "validation" page, a fake airdrop claim, a fake support form. That's game over: the phrase is the wallet, and no software can protect a phrase you give away.
Defense: a seed phrase is typed exactly twice in its life — once onto paper when created, once into wallet software you installed deliberately when restoring. Anyone else asking for it is a thief, with zero exceptions. No wallet team, GaurdWallet included, will ever ask.
2. Malicious approvals and wallet drainers
You connect to a site that looks legitimate and sign what it puts in front of you. The signature turns out to be an ERC-20 approve for an attacker's contract, a marketplace listing that sells your NFTs for zero, or a permit message doing the same gaslessly. "Drainer kits" industrialized this — they are rented out like SaaS.
Defense: read the confirmation window, every time. A good wallet decodes what you sign into human-readable form — origin, method, spender, amount — instead of a bare hex blob (this is exactly why GaurdWallet's approval windows show the decoded transaction and full message). Treat unlimited approvals as loans to a stranger; sign them only on contracts you'd trust with the whole balance, and revoke old approvals periodically.
3. Fake extensions and fake download sites
Cloned extensions in the store, typosquatted domains, sponsored search results above the real project, "updated versions" from Telegram. They look identical and steal either the seed you type in or the transactions you sign.
Defense: install from the link on the project's real domain (bookmark it), check the publisher and review count in the store, and never install a wallet from an ad. This cuts both ways for us: GaurdWallet's only official domain is gaurdwallet.com — anything else claiming the name is not us.
4. Malware on the device
Clipboard hijackers that swap the address you copied for the attacker's; infostealers that grab browser profiles and try to crack vault passwords offline; keyloggers. An extension cannot protect keys on a machine the attacker controls.
Defense: keep the OS and browser updated, don't run cracked software on the money machine, use a strong vault password (it is what stands between a stolen profile file and your keys — scrypt makes guessing expensive, but "123456" defeats any KDF), and verify the first and last characters of every pasted address before sending.
5. Physical / social access
An unlocked laptop, a phrase photographed "just in case", a partner or colleague who watched you type the password. Boring, common, effective.
Defense: auto-lock with a short timeout (GaurdWallet locks itself after inactivity and wipes decrypted keys from memory), phrase on paper in a place you control, never in photos or cloud notes.
Extension vs web wallet vs hardware: honest trade-offs
| Form factor | Strengths | Weak points |
|---|---|---|
| Browser extension | dApp connectivity, always at hand, keys isolated from sites | Shares the device with your browsing; phishing-exposed |
| Web wallet (in-browser app) | Nothing to install, works anywhere incl. phones | Same device exposure; must bookmark the real URL |
| Hardware wallet | Keys never touch the computer; physical confirmation | Costs money; can still sign a malicious approval if you don't read the screen |
Note the pattern: even hardware doesn't save you from threats #1 and #2 — those attack the human, not the key storage. That's the core insight of this whole article.
A checklist that covers 95% of it
- Seed phrase on paper only; typed only into deliberately installed wallet software; given to no one, ever.
- Wallet installed from the official domain or verified store listing — not from ads or DMs.
- Read every confirmation window; be slow around
approve,permit,setApprovalForAll. - Strong unique vault password + short auto-lock.
- Verify pasted addresses (first/last 4 characters) before sending; test new routes with small amounts.
- Keep serious savings on keys that never touch a browser (hardware or an offline-generated seed), and everyday amounts in the extension. Size each to what you can afford to lose to a bad click.
- Keep the OS updated; no pirated software on the machine that holds money.
How GaurdWallet approaches this, concretely
- Seed generated and encrypted locally: scrypt (N=2¹⁷) password stretching + AES-256-GCM authenticated encryption; keys exist decrypted only in memory and are wiped on lock.
- The seed phrase is never rendered until you explicitly press "Reveal" — it doesn't even enter the page markup hidden, so a screenshot or shoulder-surf during setup shows dots, not words.
- Approval windows show the origin, the decoded transaction and the full message for every dApp request (EIP-1193/EIP-6963), never a raw blob.
- No accounts, no analytics SDKs, no third-party scripts inside the wallet — fewer moving parts to compromise.
- And the honest part: our application code has not yet had an external audit (the underlying noble/scure crypto libraries have). We say this everywhere, because a security page that omits it is marketing, not a threat model.