Funding a wallet and swapping tokens both happen inside one app, so it is easy to forget that the most basic action in crypto, moving tokens from one place to another, is also the one with the fewest safety nets. There is no support line that can reverse a send. Once a transaction confirms on Base, it is final.
That sounds alarming, but it is manageable once you understand the one thing every transfer depends on: the address. This guide explains what a wallet address actually is, how to send and receive tokens cleanly, and the specific scam that targets people at exactly the moment they paste an address.
What a wallet address is
Your wallet address is a public string that looks like this in shape: it starts with 0x and is followed by 40 characters made of numbers and the letters a to f. The full thing is 42 characters long. Base uses the same address format as Ethereum, because Base is an Ethereum layer 2, so an address that works on one looks identical on the other.
A useful way to think about it: the address is like an account number you can share freely. Anyone who has it can send tokens to you, but nobody can take anything out with it. Pulling funds out requires your recovery phrase, which lives only on your device and which you never share. If you want the background on that split, see Self-custody, explained simply.
One address holds everything. The same string receives ETH, USDC, and any other token on Base. You do not need a separate address per token.
Receiving tokens
Receiving is the safe direction, because the risk sits with the sender, not you. To receive, you share your address. In Simple Base Swap you tap to copy it, or show the QR code for the other person to scan.
Two things are worth checking when someone sends you tokens:
- The network has to match. Your Base address is the same string as your Ethereum mainnet address, but they are different networks. If someone sends a token to your address on the wrong network, it does not arrive on Base. Always agree on the network first. For the full picture of moving assets between networks, see How to bridge assets to Base.
- A token you never expected may not be a gift. If a token you did not buy appears in your balance, treat it with suspicion rather than excitement. We cover why this happens in Why strange tokens appear in your wallet.
Sending tokens
Sending is the direction that needs care. The steps are simple:
- Choose the token and the amount.
- Paste the recipient's address.
- Confirm the network fee, called gas, which on Base is usually a fraction of a cent. If you want to understand that fee, see Understanding gas fees on Base.
- Review everything, then confirm.
The risk lives entirely in step two. Almost every serious loss in self-custody comes down to tokens going to the wrong address, and almost always because the address was not the one the user thought it was.
A few habits make this reliable:
- Verify the whole address, not just the ends. Most apps shorten addresses to the first few and last few characters. That is fine for display, but before you send, confirm more than the ends. The middle matters too.
- Send a small test amount first when the destination is new or the sum is large. A tiny transfer that arrives correctly confirms the address and the network before you commit the rest.
- Double check the network. Sending to a correct address on the wrong network can mean the tokens are not where you expect, and recovering them ranges from awkward to impossible.
The scam that targets the paste
There is one attack built specifically around how people reuse addresses, and it is worth understanding because it does not rely on stealing anything from you. It is called address poisoning.
Here is how it works. People rarely type addresses by hand. They copy a recent one from their transaction history. Scammers know this, so they generate a fake address that begins and ends with the same characters as an address you have used before. They then send a worthless or zero value transaction from that lookalike address into your history. Now your history shows an entry that, at a glance, matches someone you transact with.
The trap springs later. The next time you go to send funds, you scroll your history, recognize the familiar first and last characters, copy that address, and send. The money goes to the scammer. The exploit is not technical magic, it is pattern recognition turned against you, because the fake address was crafted to match the part of the address your eye actually checks.
These attacks are real and the losses can be large. There are documented cases of people sending hundreds of thousands, and in one widely reported case millions, after copying a poisoned address from their own history.
Protecting yourself is straightforward once you know the trick:
- Never copy an address from your transaction history to send. Get the address from the recipient directly, through a saved contact, a QR code, or a message you trust.
- Ignore tiny or zero value transactions you did not initiate. An unexpected dust transfer is often bait, not money.
- Check the full address every time, especially the middle, since the ends are the part the scam imitates.
- Use a test transaction for anything significant.
A block explorer is useful here too. If you want to confirm what an address has actually done before you trust it, see How to use a block explorer.
The mindset that keeps you safe
Sending crypto rewards a small amount of deliberate slowness. The network is fast and the fees on Base are tiny, so there is no cost to pausing for ten seconds to read an address in full, confirm the network, and send a test amount when the stakes are high.
Receiving is forgiving. Sending is final. Treat the paste as the one moment that deserves your full attention, and the rest of the process takes care of itself.
Sources used while writing this article: MetaMask on address poisoning, Ledger on zero value transfer scams.