Almost every crypto session starts the same way. You land on a site, click "Connect Wallet," pick your wallet from a list, and a moment later your address shows up in the corner of the screen. It is such a familiar ritual that most people stop thinking about what it actually does.
That is worth pausing on, because "connecting" is a real technical step with real boundaries, and knowing where those boundaries sit is one of the simplest ways to stay safe in self custody.
What a connection request actually is
When a site wants to talk to your wallet, it sends a request, most commonly one called eth_requestAccounts, either directly through a browser extension or through a bridge like WalletConnect. Your wallet receives that request and shows you a prompt: this site wants to see your address and network, do you approve?
If you approve, the site can now see which address you are using and which network you are on. That is the entire grant. The site gets read access to your public address, the same information anyone could see if you shared it yourself, plus the ability to ask you for further actions later, like signing a message or sending a transaction.
Connecting does not move funds, does not approve any token spending, and does not let the site act on your behalf. Every further step, a swap, a signature, a token approval, still has to be proposed to your wallet and approved by you individually. A connection is closer to introducing yourself than handing over a key.
Why the distinction matters
The reason this is worth understanding is that scam sites lean on the opposite assumption. If people believe that connecting itself is risky and every other step is routine, they get anxious about the wrong moment and click through the ones that actually matter. Fake airdrop pages and cloned exchange fronts are built around exactly this confusion, encouraging you to connect and then rushing you through a signature request that quietly grants token approval or transfers assets. For more on how those follow up requests can be worded, see our guides on signature requests and token approvals.
The practical takeaway is that connecting a wallet to a legitimate, well known site carries very little risk on its own. What deserves your full attention is everything that happens after, especially any prompt that mentions signing, approving, or permitting.
What to check before you connect
A little friction before the first click goes a long way. A few habits:
- Confirm the URL, not the logo. Phishing pages copy branding perfectly but rely on a domain that is one character off, a different top level domain, or a link shared in a chat rather than typed directly. Check the address bar, not how familiar the page looks.
- Reach the site through your own bookmark or a search you trust, not a link from a DM, comment, or an ad. Scam links are frequently distributed exactly where people are least likely to double check a domain.
- Look at what the connection prompt itself says. Your wallet typically shows the requesting domain in the approval screen. If that domain does not match what you expect, stop there.
- Use a wallet that shows readable request details, including domain name and, where supported, a warning for known malicious sites. Wallet software increasingly screens requests against blocklists before you ever see the prompt.
- Disconnect sessions you are not using. Most wallets have a connected sites or active sessions list. A stale connection to a site you no longer use does not grant new powers on its own, but trimming it removes one more thing to keep track of, and lets you notice quickly if a site you do not recognize shows up there.
Reading the connection prompt itself
Modern wallet connections, including the WalletConnect protocol used across most Base apps, work as a session. The dapp sends a proposal describing itself, its domain, and what it is asking to be able to do, and your wallet displays that proposal for you to approve or reject before any session opens. Reading that screen once, rather than tapping through it by habit, is usually enough to catch a mismatch between the site you meant to visit and the site actually making the request.
Once a session is open, it can be reused without you scanning a new code or reconnecting every time, which is convenient, but it is also why periodically reviewing your active sessions is worth the thirty seconds it takes.
What connecting does not protect you from
Being careful about the connection step is good hygiene, but it is not a complete security model. The moments that actually move funds or grant spending power are the signature and transaction prompts that come afterward. Those deserve the same scrutiny, arguably more, because that is where a scam site does its real work. A connection you did not scrutinize but never acted on beyond viewing your address is low risk. A signature you approved without reading, on the other hand, can hand over far more than your wallet address.
The short version
Connecting a wallet tells a site your address and network, nothing more. It is a low stakes step, but it is also the first checkpoint where a fake site has to get past you, so it is worth a quick glance at the domain and the request details every time. The steps that follow, signing and approving, are where your attention should really sharpen. Treat connection as the doorbell, not the door.