NFT Custody, Simple, Safe, Sane

Farmer Harvey

Security is mostly about not doing something regrettable on a random Tuesday afternoon. You don’t need a bunker, a Faraday cage, and three multisigs to buy a JPEG. You need roles, routines, and a system that fails gently when you inevitably click the shiny thing.

Threat model first

  • Most losses are approvals, phishing, and sloppy signing, not cinematic hacks.
  • Your goal is blast-radius management: isolate risk, label wallets, and practice before size.
  • The internet will always hand you a button that says Sign; your system decides whether that matters.

What actually hurts you is not clever cryptography attacks. It is granting a marketplace approval for everything forever because the UI said please. It is signing a message that says you agree to something, without knowing what something is. Start by assuming future-you will be rushed, undercaffeinated, and on mobile. Build for that person.

The three-wallet stack that actually holds up

  • Cold: a vault for long-term NFTs. Rarely connects. Use hardware. Treat connections as planned events, not vibes.
  • Warm: your working wallet. Bidding, minting, interacting. Holds small balances. Rotate regularly.
  • Hot: daily browsing and experiments. No assets. If compromised, you lose time, not treasures.

Think of this like checking, savings, and a burner cash wallet. Cold is savings. Warm is checking. Hot is the $20 in your pocket that mysteriously becomes $0 after tacos. The trick is moving assets through the stack with intention, not convenience.

Labels and limits

  • Name wallets by role, not by hope: cold_vault, warm_ops_Q3, hot_browser.
  • Keep balances where they belong. Cold holds assets. Warm holds gas plus a little inventory. Hot holds dust.
  • Calendar your rotations. If a warm wallet survives a quarter, retire it ceremonially and start fresh.

Approvals: the quiet, powerful lever

Approvals are the power of attorney of NFTs. There are two flavors: collection-wide approvals that say this marketplace can move anything from this collection, and token-specific approvals that say this marketplace can move this one token. The first is convenient. The second is safer. Your job is to prefer the second when possible and to end both when you are done.

  • Prefer marketplace-specific approvals. Avoid blanket set-it-and-forget-it.
  • Use per-collection or per-token approvals when the platform allows it.
  • Keep a simple approvals log. A notes app is fine. The best security tool is the one you actually use.
  • Monthly, revoke broad approvals you are not actively using. Consider this flossing but with less moral judgment.

If you cannot remember why an approval exists, that is a revocation invitation. Most people discover approvals the way they discover auto-renewing subscriptions: during a bad day. Choose a different day.

Signing discipline: read the thing

Not all signatures are created equal. Some simply prove you control a wallet. Others authorize movement of assets or set permissions. The interface will rarely tell you which is which with the urgency you deserve.

  • Read domain, chain, and action. If unreadable, don’t sign.
  • Verify the site is the site. Small differences in domains create large differences in outcomes.
  • Treat blind messages as radioactive. If you cannot explain what it does, do not sign it.
  • Slow is safe. The button will still be there after you breathe.

The right default is that every signature matters until proven otherwise. If a workflow needs an urgent signature you cannot parse, move the workflow to a wallet where the worst-case outcome is a nuisance.
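One way to apply "read domain, chain, and action" to the requests a wallet actually receives, as an added example that is not from the original article. The method names are the standard wallet JSON-RPC signing calls; the function name `triage`, the expected domain values and the sample payloads are constructed for illustration.

```python
import json

# Constructed expectation for the one site you meant to use; all values are placeholders.
EXPECTED = {"name": "ExampleMarket", "chainId": 1, "verifyingContract": "0x" + "22" * 20}
# Constructed typed-data request (EIP-712 shape) and a lookalike with a different contract.
SAMPLE = {"domain": dict(EXPECTED), "primaryType": "Order", "message": {"tokenId": "42"}}
LOOKALIKE = {**SAMPLE, "domain": {**EXPECTED, "verifyingContract": "0x" + "33" * 20}}


def _norm(key, value):
    """Normalise so 1, "1" and "0x1" compare equal and addresses ignore case."""
    if key == "chainId":
        return int(str(value), 0)
    return str(value).lower() if key == "verifyingContract" else value


def triage(method, params, expected=EXPECTED):
    """Return (verdict, notes) for a signing request; verdict is 'refuse' or 'read'."""
    if method == "eth_sign":
        # params = [address, 32-byte hash]: domain, chain and action are all invisible.
        return "refuse", ["blind hash: nothing to read"]
    if method == "personal_sign":
        # params = [0x-prefixed hex of the message, address]
        try:
            text = bytes.fromhex(params[0][2:]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return "refuse", ["message is not readable text"]
        if not all(c.isprintable() or c in "\n\t" for c in text):
            return "refuse", ["message is not readable text"]
        return "read", [text]
    if method == "eth_signTypedData_v4":
        # params = [address, typed data as a JSON string or an already-parsed object]
        try:
            typed = json.loads(params[1]) if isinstance(params[1], str) else params[1]
        except ValueError:
            return "refuse", ["typed data is not valid JSON"]
        domain, notes = typed.get("domain", {}), []
        for key, want in expected.items():
            try:
                got = _norm(key, domain.get(key))
            except ValueError:
                got = None  # missing or unparseable field counts as a mismatch
            if got != _norm(key, want):
                notes.append(f"domain.{key} is {domain.get(key)!r}, expected {want!r}")
        if notes:
            return "refuse", notes
        return "read", [f"action: {typed.get('primaryType')}", json.dumps(typed.get("message"))]
    return "refuse", [f"unknown signing method {method}"]
```

A "read" verdict only means the request is legible and addressed to the expected domain; the notes are what you then read before deciding.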

Backup plan: practice, then trust

Backups are more than a fireproof box and good intentions. They are a rehearsal.

  • Store seed phrases offline. Never in cloud notes. Never as a screenshot.
  • Test recovery before you need it. Restore to a new device, confirm balances, then retire that device from daily use.
  • Keep a small emergency wallet funded. If approvals go sideways, you can extract assets without waiting for a friend to wake up in a different time zone.

If you have not practiced a recovery, you have an idea, not a plan. Make the first restore calm and boring so the second one can be too.

Example: a sane approval flow

  • You want to list an NFT. Move it from cold → warm.
  • Grant the marketplace approval for that collection only, or for the specific token if supported.
  • List the item. After sale or cancelation, revoke the approval.
  • Move proceeds back to cold. Rotate warm quarterly so approvals cannot quietly accumulate into 2026.

This is slower than living entirely in hot. It is also cheaper than learning what that signature did by reading a block explorer after the fact.
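The two approval flavors from the Approvals section and the grant-then-revoke steps of the flow above, as an added example that is not part of the original article. It decodes approval calldata by its standard ERC-721 function selector and replays an approvals log to show what is still in force. The log format, function names and all addresses are constructed for illustration.

```python
# Function selectors (first 4 bytes of calldata) from the ERC-721 / ERC-1155 ABI.
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool approved)
APPROVE = "095ea7b3"  # approve(address to, uint256 tokenId); ERC-20 approve shares it
ZERO = "0x" + "00" * 20

# Constructed sample data: a marketplace operator, a collection, and three calls.
MARKET, COLLECTION = "0x" + "11" * 20, "0x" + "aa" * 20
_OPERATOR_WORD = "0" * 24 + MARKET[2:]
GRANT_ALL = "0x" + SET_APPROVAL_FOR_ALL + _OPERATOR_WORD + format(1, "064x")
REVOKE_ALL = "0x" + SET_APPROVAL_FOR_ALL + _OPERATOR_WORD + format(0, "064x")
GRANT_ONE = "0x" + APPROVE + _OPERATOR_WORD + format(42, "064x")


def classify_approval(calldata):
    """Decode one call into scope ('collection' or 'token'), operator and grant/revoke."""
    raw = calldata.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    selector, args = raw[:8], raw[8:]
    if selector not in (SET_APPROVAL_FOR_ALL, APPROVE) or len(args) != 128:
        return None  # not an approval call this example understands
    operator = "0x" + args[24:64]  # an address is the low 20 bytes of its 32-byte word
    second = int(args[64:], 16)
    if selector == SET_APPROVAL_FOR_ALL:
        return {"scope": "collection", "operator": operator, "grant": second != 0}
    # ERC-721 clears a token approval by approving the zero address.
    return {"scope": "token", "operator": operator, "token_id": second,
            "grant": operator != ZERO}


def open_approvals(log):
    """Replay (collection, calldata) entries in order; return approvals still in force."""
    live = {}
    for collection, calldata in log:
        call = classify_approval(calldata)
        if call is None:
            continue
        # One slot per collection-wide operator, one slot per individual token.
        slot = call["operator"] if call["scope"] == "collection" else call["token_id"]
        key = (collection, call["scope"], slot)
        if call["grant"]:
            live[key] = call["operator"]
        else:
            live.pop(key, None)
    return live
```

The replay only models explicit grants and revokes; it assumes the target contract is an NFT collection, since the `approve` selector alone cannot tell an NFT approval from an ERC-20 allowance.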

Phishing drill: make the mistake on purpose, safely

Once a quarter, simulate a phishing prompt with a friend. Have them send you a fake-but-convincing message. If you feel rushed, stop. If it is unreadable, stop. The muscle memory you build here is the same muscle that saves you on the real day.

Add a tiny debrief: what made it convincing, what would have reduced the temptation, and what mitigation you want in place before next time. Then put one of those mitigations in place immediately, not in theory.

Error budgets and blast radius

Assume error. Design containment. The hot wallet exists so you can click the wrong thing and lose nothing important. The warm wallet exists so you can do real work with small, bounded consequences. The cold wallet exists so you can sleep.

Quick checklists

Daily

  • Browse with hot. Keep balances near zero.
  • If asked to sign and it is unreadable, do nothing. The world keeps spinning.

Weekly

  • Review approvals in your log. Revoke anything you do not plan to use.
  • Move proceeds from warm back to cold. Top up warm for next week’s tasks.

Quarterly

  • Rotate the warm wallet. Migrate only the approvals you can explain.
  • Run the phishing drill. Update one habit based on what you learned.

The point

Simple beats clever. Clear roles, small balances in hot paths, and a routine bias for revoking approvals will prevent more grief than any gadget. You are not trying to be unhackable. You are trying to be unsurprising: the same safe behavior on Tuesday afternoon as on launch day.