Is it always safe to connect your (metamask) wallet?

[Galahad]

There are so many websites these days that require you to connect. I've been connecting other wallets with low balances to test things out, but there doesn't seem to be much information around on what is good practice here.

My big balances are secured by Ledger so I suppose I don't need to worry about the coins simply being stolen without my approval, but what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

When should I not connect to a website?

[bonyaserg]

From my own experience, I can say that for 3 years now I have always connected my metamask wallet. And I never noticed that my data was being stolen. So I came to the conclusion that it is absolutely safe to connect your wallet to many sites. But only if these sites also do not pose a threat to my wallet. Thus, you can confidently connect your wallet for transactions.

[amishmanish]

--snip--
When should I not connect to a website?

Anything that doesn't have a public contract. The ones where you cannot see the "Read/ Write" contract part on etherscan.

Most scams happen not from the "Sign metamask" transaction with which you connect but from some links on the website itself that can install malware.

With the number of times people just blindly connect for airdrops, its a big flood of scams waiting to happen when someone will attack the whole ethereum community at the same time.

You have a ledger so no problems of exposing the private key so that is definitely a win.

[vv181]

There are so many websites these days that require you to connect. I've been connecting other wallets with low balances to test things out, but there doesn't seem to be much information around on what is good practice here.

A few things for sure is to carefully choose which dApps you are going to use and also bookmark them.

My big balances are secured by Ledger so I suppose I don't need to worry about the coins simply being stolen without my approval, but what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

Yes, it's possible and it is already being used by scammers. It's can be called as blind signing, Ledger site has some decent explanation about it (https://www.ledger.com/academy/cryptos-greatest-weakness-blind-signing-explained)

When should I not connect to a website?

Literally, you should have scepticism on everything you interact with any smart contract whether it is known or not. The thing that there is a phishing site and deceitful smart contract really made newcomers have a hard time grasping what it is all about inside their heads. The simple thing you could do is to play it safe by using and interacting with established tokens and dAaps that have been running around sometime. Don't just randomly accept help and follow unknown person guidance. And also be careful not to use the link that a random person gave you(e.g., https://app.uniswap.org/#/swap), you better find the site you really want to interact by yourself, and verify it is authentic and bookmark it.

Also, there is a collection of threads about security in general, I believe you should take a look at it:    
Beginners & Help Encyclopedia: Security

[Kyraishi]

There are so many websites these days that require you to connect. I've been connecting other wallets with low balances to test things out, but there doesn't seem to be much information around on what is good practice here.

My big balances are secured by Ledger so I suppose I don't need to worry about the coins simply being stolen without my approval, but what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

When should I not connect to a website?

Whenever you find yourself in a scammy site, you should probably reconsider.

There have been instances where people have gotten their NFTs stolen from them because of the fact that they connected to phishing sites with their metamask wallet. So this is definitely no joke here.

But so long as you don't go out of your way to connect to scammy/phishing sites, you should be okay. Stay as viligant as you would be on Web2.

[Ultegra134]

I'm not exactly sure whether someone can actually compromise your wallet that way, I also the same question. On the other hand, it's best to be on the safe side and avoid connecting your wallet on any sketchy looking website.

Moreover, never, I repeat, never trust a website claiming that automatic wallet synchronisation/connection failed, and your private key or seed phrase are required to put manually. I almost fell for that once.

[crwth]

The step you had where you have a hardware wallet is already the right one. You can never have enough safety and security when it comes to your coins. When connecting apps with your wallet, you won't have to worry about your private key being exported because that won't happen unless you do it.

I think it's pretty typical for a pretty new user to have that kind of fear of losing money with hacks. That's why I said you already made a nice move on getting a hardware wallet. Most of the people I know that were hacked didn't use it and installed different types of malware onto their phones etc.

[Beparanf]

There are so many websites these days that require you to connect. I've been connecting other wallets with low balances to test things out, but there doesn't seem to be much information around on what is good practice here.

My big balances are secured by Ledger so I suppose I don't need to worry about the coins simply being stolen without my approval, but what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

When should I not connect to a website?

Audit company is the answer to your question mate or read the open source code of the project to verify the code. There's a lot of danger on DeFi and the only way to minimize it is connect only on website that has a certificate of audit from a reputable company like Certik. For normal user without knowledge about the code, we don't have a choice than just trusting this audit company to do there job properly.

[WalkerIVIV]

There are so many websites these days that require you to connect. I've been connecting other wallets with low balances to test things out, but there doesn't seem to be much information around on what is good practice here.

This is a big mistake that was always doing by anyone. They were connecting their wallet to the many websites that they didn't know about what was the reputation of such website.

My big balances are secured by Ledger so I suppose I don't need to worry about the coins simply being stolen without my approval, but what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

Yes it is possible to happen as you are approving the scammers to access your wallet. You didn't even know whether there was a backdoor or not on such platform. That's why connecting to our wallet to the unreputable site is a very big mistake.

When should I not connect to a website?

When you're connecting your wallet to the reputable website and you can do that anytime because it has proven its reputation but you should never connect your wallet to the unreliable website.

[Daodex]

The biggest mistake you can make is leaving your wallet connected to a website when you are done with transaction on the platform, always make sure you disconnect after you are through with any transactions, leaving it connected is giving them access to your wallet.

[DapanasFruit]

I am always careful to what I let my Metamask connect with...most especially that we know hackers and scammers are always ahead in this game. I am one of the victims last year when someone was able to withdraw my BAKE tokens from my TrustWallet all because I did not provide a transaction password in my wallet at that time and it was then connected with many airdrops. Lesson learned: stop doing airdrops where you have to connect with the wallet and always be watchful not toe expose your wallet to possible hacks. These days, there are people who are already professionals on intruding others' wallet so they can take whatever you got inside.

[avikz]

There are so many websites these days that require you to connect. I've been connecting other wallets with low balances to test things out, but there doesn't seem to be much information around on what is good practice here.

My big balances are secured by Ledger so I suppose I don't need to worry about the coins simply being stolen without my approval, but what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

When should I not connect to a website?

Metamask is quite safe I would say! No coin will be transferred unless you approve and sign the transaction. It can't be possible for a website to simply transct any amount or any token without your approval and sign. So you can be assured.

I am long time user of Metamask and a frequent user. I must admit that I haven't yet seen any such issues.

[asriloni]

what if I connect the Ledger to approve some coins and it steals other coins or uses the approval for something else. Is any of this possible?

You know that answer and when you have been approving it and scammer will able to steal your money from your ledger as you have been giving permission for scammer to hijack your wallet. This is possible and there are so many hacked cases with this method that happened with so many people. I thought that when you can try to spend a few minutes and you can find that in another thread in this forum as well.

When should I not connect to a website?

The problem it not about when you should or should not connect but that's about whether you are giving the scammers or hijackers approval to access your wallet and steal your coins. I think that it's clear that if you never connect your wallet and that's fine.

[cryptoaddictchie]

When should I not connect to a website?

If you see such website without security or not safe. Actually there are lot of new projects that require connecting metamask so to say to buy off something. Sometime you need to check whether those site connected to a very fishy contract. I once admit Ive fall to a scammer scheme. I've sent my tokens to their dapp approval and noticed in etherscan that there is no contract but the dapp design to put your contributions to a wallet. Of course that's somehow scared you since it's already a wallet and filling up scammers bags.

[HashingTower]

Even websites with Https and other security are controlled by humans, my advice is always disconnect your wallet after every successful transactions just in case, humans can't be trusted when it comes to money, they can move your funds and deny they ever did. So always disconnect your wallet

[blue Snow]

The biggest mistake you can make is leaving your wallet connected to a website when you are done with transaction on the platform, always make sure you disconnect after you are through with any transactions, leaving it connected is giving them access to your wallet.

Metamask always asks for the password before you open the website even connected or not. this is for securing from any phishing or scam site. but, with too many websites they use Metamask to connect wallets, So what's wrong with users being more careful. I ever come to the website with I can't find where the unconnected button, I don't know what the purpose, maybe they want to explore your wallet while you sleep.

[Ceyflix-Rez]

Make sure that the website you want to connect your wallet to is listed on coinmarketcap or coingecko

After a transaction is done on any Dex or platform always disconnect your wallet from there

If you are a airdrop lover like many on this forum be expecting phishing links sent to your email address do not connect your wallet to any links in your email address

[dansus021]

for your own safety its better to not connect since there is dozen of phising website, i mean Correct Me if i am wrong if only connect they can only ready your data but cannot send coin inside unless you approve their contract.

almost all chain currently attack by scam token when you approved their contract all your money send to scammer address

[chakhigh]

Connect to your Metamask wallet only when you know "for sure" the website is legit.

Make sure there is a Disconnect from your wallet button to log out.

Don't ever download suspicious files from your email box, because they may contain tracking/hacking viruses.

Last but not least, don't ever connect to your Metamask wallet 24 hours, 7 days a week.

[Galahad]

So basically just connect to known popular sites like Uniswap (but don't because it's fee robbery lol). Of course this might not work if the project is new and you're investing in a low-cap token, and any project could have a crooked developer or two.

Useful video, "3 Tips to Improve Your MetaMask Security": https://www.youtube.com/watch?v=2OSCIeHHV5Q