Security

Rabby Security Principles

Rabby is designed with the main principle in mind: your keys — your money. The wallet does not hold your funds and has no access to your private keys.

Non-Custodial

Rabby is a fully non-custodial (self-custodial) wallet:

• Private keys are generated and stored locally on your device
• Keys are never sent to servers
• Only you control your funds
• No possibility of freezing or blocking your account

Transaction Simulation

Before confirming any transaction, you see its exact result:

• Balance change of all tokens
• All outgoing and incoming transfers
• Given approvals
• Contract interactions

This protects against phishing transactions and errors — you always know what you're signing.

Risk Scanner

Rabby analyzes contracts and dApps in real time:

• Checking for malicious contracts
• Detecting honeypot contracts
• Finding known drainer addresses
• Warning about new contracts (high risk)
• Risk score — operation danger rating

If a transaction is risky — you'll see a red warning.

Approval Manager

Track and control all issued approve:

• Full list of active approvals
• Amount of allowed tokens
• One click to revoke
• Batch-revoke for mass revocation

This is critically important for security: most exploits happen through forgotten approvals with unlimited amounts.

Hardware Wallets

For maximum security, connect a hardware wallet:

• Ledger
• Trezor
• Keystone
• BitBox02
• OneKey
• GridPlus

Private keys stay on the device while Rabby provides a convenient interface. Transaction confirmation happens on the physical device.

Whitelist

Limit sending funds only to trusted addresses:

• Add addresses to whitelist
• Transactions to other addresses will be blocked
• Protection against phishing and errors

Local Key Storage

Your private keys are encrypted and stored locally:

• Strong encryption is used
• Keys are not exported
• Access only through your password/PIN

Open Source and Audit

Rabby has open source code:

• Project on GitHub: github.com/RabbyHub
• Audit by SlowMist
• Audit by Least Authority
• Community can verify the code

Security Recommendations

• Never share your seed phrase — the real Rabby team will never ask for it
• Store seed phrase offline — on paper or in a hardware wallet
• Check URLs — phishing sites disguise themselves as legitimate dApps
• Regularly check approvals — revoke unnecessary ones
• Use hardware wallet — for large amounts