Web3 Safety & Security

Protecting your organization in the Web3 space

Web3 Safety and Security for Nonprofits

In Web3, security isn't optional — it's foundational.

The biggest risks in Web3 aren't usually technical — they are social.

Why Web3 Security is Different

In Web3, there's no 'undo' button — but that doesn't mean it's unsafe. It just means security needs to be intentional.

Transactions are irreversible once confirmed.
Wallets are public-facing by default.
You are responsible for access — not a bank.

The good news: most risks are well-understood, and simple best practices dramatically reduce exposure.

Wallets, Custody, and Access Control

Who controls the wallet controls the funds — so governance starts with access.

Custodial wallets — third-party platforms, easier setup, less control.
Self-custodial wallets — full control, higher responsibility, requires internal policies.
Multi-signature wallets (multisig) — require multiple approvals to move funds, protect against single points of failure.

If more than one person is involved, a multisig is a baseline, not an advanced feature.

Policies, Scams, and Ongoing Risk Management

Most Web3 losses don't come from sophisticated hackers — they come from rushed decisions and unclear rules.

Essential policies: asset custody and conversion, approval thresholds, incident response plan.
Common scams: phishing links and fake airdrops, impersonation on social platforms, malicious smart contract approvals.
Vetting: research teams and track records, avoid pressure tactics, use test transactions.

Security isn't a one-time setup — it's a habit that requires consistent attention and updates to policies and procedures.