What is WalletConnect?
WalletConnect is an open-source protocol that connects cryptocurrency wallets to decentralized applications (dApps) through a secure encrypted channel. Instead of entering a private key or seed phrase into a website, WalletConnect creates a temporary link between your wallet app and the dApp by scanning a QR code or clicking a deep link.
Over 500 wallets and thousands of dApps support WalletConnect, making it the most widely used connection standard in Web3 alongside browser-extension wallets like MetaMask.
How WalletConnect Works
- The dApp generates a pairing URI (displayed as a QR code or clickable link)
- You scan or click the URI in your wallet app
- WalletConnect establishes an encrypted relay session between wallet and dApp
- The dApp sends transaction requests through the relay
- You approve or reject each transaction in your wallet — your private keys never leave your wallet
The relay server only passes encrypted messages. It cannot read your transactions or keys.
How Scammers Exploit WalletConnect
WalletConnect is secure by design, but scammers abuse the trust users place in the connection flow:
Fake dApp Phishing
A scammer creates a fake website (e.g., a fake Uniswap or Aave) → generates a WalletConnect URI → you connect → they send a malicious transaction → you sign it → funds drained
The key vulnerability is not WalletConnect itself — it is the signing step. Once connected, the dApp can request unlimited transactions until you disconnect.
Persistent Sessions
WalletConnect sessions can persist for hours or days. Many users connect and forget, leaving an open channel for a scammer to send transactions later.
Signature Phishing
The most dangerous attack: the dApp asks you to sign a message (not a transaction) that looks harmless but is actually a permit or setApprovalForAll signature, granting the scammer spending control over your tokens.
How to Stay Safe
| Rule | Why |
|---|---|
| Only connect to verified dApps | Scammer sites look identical to real ones — verify the URL |
| Disconnect after use | Kills persistent sessions that scammers exploit |
| Read every transaction before signing | If you don’t understand it, don’t sign it |
| Never share your pairing URI | Anyone with the URI can send you transaction requests |
| Use a hardware wallet for large amounts | Hardware confirmation prevents blind signing |
WalletConnect v2 vs v1
WalletConnect v2 (launched 2023) added multi-chain support, persistent pairings, and improved session management. v1 was officially deprecated in 2024.
Frequently Asked Questions
Q: Can WalletConnect steal my funds? A: No. WalletConnect is a messaging protocol — it cannot access your keys. But a scammer using WalletConnect can send you malicious transactions to sign. The danger is what you approve, not the connection itself.
Q: Is it safe to stay connected to a dApp? A: It depends on the dApp. For trusted protocols like Uniswap, staying connected is fine. For unknown dApps, disconnect immediately after use.