WalletConnect ยท DApp Security ยท Mobile Wallets

WalletConnect Security: What You're Actually Approving When You Scan That QR Code

A QR code pops up on a DeFi site, asking you to connect your mobile wallet. You scan it with Trust Wallet or Rainbow. The connection goes through, everything looks normal. Then the site asks you to sign a transaction. That QR code might have come from a phishing site โ€” and the transaction might drain your wallet.

WalletConnect is the technology that lets desktop DeFi sites communicate with mobile wallets. The QR code you scan is a connection URI โ€” an encrypted handshake that establishes a channel between the site and your wallet app. The protocol itself is legitimate and open-source.

The vulnerability is not in the protocol. It's in the fact that any site can display a WalletConnect QR code, and the familiar interface creates a sense of legitimacy. When you've scanned WalletConnect codes hundreds of times on real DApps, the UI pattern itself becomes a trust signal โ€” which scammers exploit.

What WalletConnect actually does

When you scan a WalletConnect QR code, your wallet connects to a relay server specified in the URI. The DApp and your wallet can then exchange signed messages through this relay. This is how a desktop site โ€” which can't directly access your mobile wallet โ€” can request signatures and receive them.

Legitimate DApps use this to request token approvals, trade confirmations, and other on-chain actions. Your wallet shows you the request and asks for your confirmation before signing anything. The connection itself grants no permissions โ€” only your explicit signature does.

How attackers use WalletConnect as a vector

The standard attack: a phishing site displays a real-looking WalletConnect QR code. When you scan and connect, the site immediately sends a transaction request to your wallet โ€” typically a setApprovalForAll for your entire NFT collection, or a token transfer for your full balance. The request appears in your wallet just like a legitimate one.

Because the WalletConnect flow is familiar, and because the transaction request comes from within the wallet app where you feel in control, the social engineering is more effective than a standard phishing page.

A related attack uses QR code images distributed in Discord or Telegram. Someone posts a WalletConnect QR code in a server, claiming it's for a token claim or airdrop. Scanning it connects your wallet to a drainer. No fake website required โ€” just an image.

What to verify before scanning any QR code

Check the URL before you scan. The QR code comes from the page you're on. Verify that the browser URL is exactly the DApp you expect โ€” not a similar-looking domain, not a search result, not a link from Discord. Bookmark the real URLs and always navigate via bookmarks.

Never scan a WalletConnect QR from an image. Legitimate DApps generate QR codes on their sites in real time. A QR code posted as a screenshot in a chat is always suspicious. No real airdrop or token claim requires scanning a static image.

Close existing sessions before starting a new one. WalletConnect sessions can stack. If you already have an open session from a previous visit, a new connection from a phishing site can coexist with it โ€” and both can request signatures.

Revoking WalletConnect sessions you no longer need

Most wallets list active WalletConnect sessions in their settings. Trust Wallet: Settings โ†’ WalletConnect. Rainbow: Connected apps section. MetaMask Mobile: Settings โ†’ Experimental โ†’ Connected Sites. Disconnect any session you don't recognize or no longer use.

Sessions don't automatically expire. A connection you made six months ago to a DApp you no longer use may still be active. While the connection itself can't drain your wallet, it's good hygiene to keep your active sessions minimal.

For managing token approvals granted through DApp connections, see our guide on revoking token approvals. For a broader overview of DeFi phishing techniques, read our DeFi phishing attacks guide.

Frequently asked questions

Is WalletConnect safe to use?

The protocol is legitimate and used by real DApps everywhere. The risk is connecting to a fake site using it. Verify the URL before scanning any WalletConnect code.

Can a website drain my wallet just from a WalletConnect connection?

No โ€” connecting alone grants no permissions. The drain happens when you sign a transaction after connecting. Always read what you're being asked to sign before confirming.

How do I disconnect from all WalletConnect sessions?

Find the WalletConnect or Connected Apps section in your wallet app's settings and disconnect each session. Locations vary โ€” Trust Wallet: Settings โ†’ WalletConnect. Rainbow: connected apps list.

Plain English on every transaction โ€” including WalletConnect requests

GuardianAI reads every transaction request in plain English before you confirm it โ€” whether it comes through a desktop DApp or a WalletConnect session from your phone. Free Chrome extension.

Get GuardianAI โ€” It's Free