Trust Center

Security Practices

Review the Scroll Wallet security model for self-custody, local key control, wallet connections, phishing defense, and responsible reporting.

Updated May 2, 2026. 5 min read.

Private keys stay with users

Scroll Wallet is built around non-custodial assumptions. The site should not receive seed phrases, raw private keys, or signing device secrets.

Approvals need context

Wallet prompts should be reviewed for chain, contract, spender, token, value, and permission scope before a user signs.

Reports are separated

Security issues, suspicious domains, impersonation attempts, and data handling concerns should be sent to the dedicated security inbox.

Self-custody model

Scroll Wallet treats wallets as user-controlled accounts. A connected wallet proves access through wallet software and signatures, but the user keeps control of the private keys and recovery phrase through their chosen wallet provider or hardware device.

The site may display wallet state, connection status, educational material, and supported network information. It should not store the user's recovery phrase, private key, or hardware wallet PIN.

Transaction and approval review

Before signing, users should confirm the active network, destination address, token amount, spender permission, and whether the request is a one-time transfer or an ongoing approval. High allowance approvals and unfamiliar contracts deserve extra review.

A rejected transaction is often safer than a rushed approval. When a wallet prompt is unclear, users should pause, close the request, and verify the application URL through a known source.

  • Check the domain before connecting a wallet.
  • Use hardware wallets for high-value accounts when possible.
  • Revoke stale allowances after trying unfamiliar dApps.
  • Separate daily-use wallets from long-term storage wallets.
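The review steps above can be partly automated. The following is an added example, not Scroll Wallet's own code: it decodes the two most common ERC-20 wallet requests (a one-time `transfer` versus an ongoing `approve`), shows the counterparty and amount, and flags unlimited or high allowances. The sample calldata and addresses are constructed placeholders, and the `highAllowance` threshold is an assumed default.

```javascript
// Added example (not Scroll Wallet code). Function selectors are the first
// 4 bytes of keccak256 over the function signature.
const SELECTORS = {
  "0xa9059cbb": { name: "transfer", kind: "one-time transfer" },
  "0x095ea7b3": { name: "approve", kind: "ongoing approval" },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Read the i-th 32-byte ABI word that follows the 4-byte selector.
function abiWord(hex, i) {
  return hex.slice(10 + i * 64, 10 + (i + 1) * 64);
}

// Return the facts a user should check before signing an (address,uint256)
// ERC-20 call. highAllowance is an assumed threshold in token base units.
function reviewCalldata(data, highAllowance = 10n ** 21n) {
  const hex = data.toLowerCase();
  const fn = SELECTORS[hex.slice(0, 10)];
  if (!fn) {
    return { kind: "unknown", warnings: ["unrecognised function; review the contract before signing"] };
  }
  if (hex.length !== 10 + 2 * 64) {
    return { kind: "malformed", warnings: ["unexpected calldata length"] };
  }
  const counterparty = "0x" + abiWord(hex, 0).slice(24); // address = last 20 bytes of word
  const amount = BigInt("0x" + abiWord(hex, 1));
  const warnings = [];
  if (fn.name === "approve") {
    if (amount === MAX_UINT256) warnings.push("unlimited allowance");
    else if (amount > highAllowance) warnings.push("high allowance");
    if (amount > 0n) warnings.push("spender can move tokens later; revoke when done");
  }
  return { kind: fn.kind, function: fn.name, counterparty, amount, warnings };
}

// Constructed sample requests; the addresses are placeholders, not real contracts.
function encodeAddrUint(selector, addr, amount) {
  return selector + addr.slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}
const SAMPLE_APPROVE = encodeAddrUint("0x095ea7b3", "0x" + "11".repeat(20), MAX_UINT256);
const SAMPLE_TRANSFER = encodeAddrUint("0xa9059cbb", "0x" + "22".repeat(20), 10n ** 18n);

console.log(reviewCalldata(SAMPLE_APPROVE));
console.log(reviewCalldata(SAMPLE_TRANSFER));
```

A real wallet prompt also needs the chain ID and the token contract address, which come from the request envelope rather than the calldata; this decoder covers only the spender/recipient and amount fields.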

Security reports

Send suspected vulnerabilities, impersonation domains, malicious wallet prompts, or sensitive data exposure reports to security@scroll.network. Include the affected URL, steps to reproduce, browser and wallet version, screenshots if safe, and whether user assets may be at risk.

Do not include seed phrases, raw private keys, or live signing credentials in any report. If a report involves a compromised wallet, move remaining assets to a new wallet before sharing public details.