Hodler's Handbook · BN16188

The 30-Point Holder Self-Audit · What's your custody score?

Check off 30 questions and see where your crypto custody actually stands. About 5 minutes, six dimensions, instant score.


Keys and seed phrase

5 items
I clearly understand the difference between a "private key" and a "seed phrase": the seed phrase (BIP39 words, plus any optional passphrase) is the single root from which every private key in the wallet is deterministically derived, so whoever holds the phrase holds every key. (If unsure, read Private keys and seed phrases.)
My seed phrase has never been typed into any "online generator" page on a connected device. (This includes the iancoleman BIP39 tool: if you use it at all, run a downloaded copy on a machine that is offline.)
My seed phrase has not been photographed, stored on cloud drives, or synced to iCloud / Google Photos. (A phone's automatic camera-roll backup counts.)
I have at least one non-paper backup of my seed phrase (steel plate, metal capsule, or SLIP-39 Shamir shares). (Paper is the absolute floor: it burns and it dissolves.)
My seed-phrase backups are stored in ≥ 2 different physical locations — fire and flood resistant.
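To make the private-key / seed-phrase distinction concrete, here is an added example (not code from the original page) that runs the two standard derivation steps offline with only the Python standard library: BIP39 turns the words plus optional passphrase into a 64-byte seed, and BIP32 turns that seed into the master private key and chain code from which every address key is derived. The sample mnemonic is the publicly known all-"abandon" test vector, which is constructed input for illustration and must never hold funds.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# Constructed sample input: the public BIP39 test vector for all-zero entropy.
# It is known to the whole world, so it must never hold funds.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step: words + optional passphrase -> 64-byte binary seed.

    Both strings are NFKD-normalised, then stretched with
    PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
    A different passphrase yields a completely different seed (the
    "hidden wallet" feature), so a lost passphrase is a lost wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 step: seed -> (master private key, master chain code).

    HMAC-SHA512 keyed with the literal string "Bitcoin seed"; the left 32
    bytes are the master private key, the right 32 bytes the chain code.
    Every account and address key in the wallet is a child of this pair,
    which is why the seed phrase IS the wallet.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_root(mnemonic: str, passphrase: str = "") -> Dict[str, str]:
    """Run both steps and return hex strings for display and comparison."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain = seed_to_master(seed)
    return {"seed": seed.hex(),
            "master_private_key": key.hex(),
            "chain_code": chain.hex()}


if __name__ == "__main__":
    plain = derive_root(SAMPLE_MNEMONIC)
    hidden = derive_root(SAMPLE_MNEMONIC, passphrase="TREZOR")
    print("seed, no passphrase:     ", plain["seed"][:32], "...")
    print("seed, passphrase TREZOR: ", hidden["seed"][:32], "...")
    print("master key changes with passphrase:",
          plain["master_private_key"] != hidden["master_private_key"])
```

Run it on an offline machine only if you ever substitute a real mnemonic; the point of the example is that the twelve words, not any individual key, are what an attacker needs.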

Wallet architecture

5 items
I separate cold and hot storage: day-to-day trading on a hot wallet, long-term holdings in cold storage.
I use a hardware wallet and own at least one from an established vendor (Ledger / Trezor / OneKey / Keystone / Coldcard).
My hardware wallet was purchased from the vendor's official store, not from Amazon Marketplace, eBay, or other resellers.
On arrival I did a full factory reset and generated a fresh seed phrase on the device itself. A genuine device never ships with a seed: a pre-filled recovery card in the box means the device was tampered with and the seller already holds the keys.
I have done a recovery rehearsal: imported my backup seed phrase into a fresh (or wiped) device at least once and confirmed that the derived addresses match my real ones, since a successful import with a wrong passphrase or derivation path silently produces a different, empty wallet.

Exchanges and fiat

5 items
I know whether my main exchange publishes Proof of Reserves (PoR) on a regular cadence, and I understand that reserves without a matching attestation of liabilities prove little.
I keep less than 30% of my total position on centralized exchanges over the long term.
My exchange accounts use a passkey or a hardware security key (FIDO2), not SMS-only 2FA.
My exchange accounts have a withdrawal allowlist enabled, with a mandatory waiting period for new addresses.
Before any large withdrawal I send a small test amount and wait for confirmation before sending the full sum.

Phishing and scam defense

5 items
I never click "support" or "airdrop" links sent by strangers via Telegram / X / Discord DMs.
For every approve / setApprovalForAll signature, I verify the spender address against an explorer, confirm it is the protocol's verified contract, and cap the amount rather than granting an unlimited allowance.
I review my token approvals (for example with revoke.cash) at least once per quarter and revoke the ones I no longer need.
I am highly cautious with off-chain signatures (EIP-712 / Permit / Permit2): I read every field before signing, especially spender, value and deadline, because a signed permit lets tokens move without any on-chain approve transaction appearing first.
I understand that SMS 2FA is a tier below passkeys or hardware keys, because a SIM swap lets an attacker receive the codes.
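Checking the spender, the amount and the deadline is mechanical once you see how the data is laid out. The following is an added example (not from the original page) that decodes the two on-chain approval calls by their function selectors and the two common EIP-712 permit shapes, and flags the three things worth refusing: a spender not on your personal allowlist, an unlimited amount, and a deadline far in the future. The allowlist addresses, the "30 days" threshold and the sample transactions are constructed placeholders for illustration, not real contracts.

```python
import time
from typing import Dict, List, Optional

SEL_APPROVE = "095ea7b3"                # keccak("approve(address,uint256)")[:4]
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"   # keccak("setApprovalForAll(address,bool)")[:4]
MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1                # Permit2 amounts are uint160
THIRTY_DAYS = 30 * 24 * 3600            # assumed policy threshold for deadlines

# Constructed allowlist of spenders you verified on an explorer and intend to
# keep. These addresses are placeholders, not real contracts.
TRUSTED_SPENDERS = {
    "0x1111111111111111111111111111111111111111": "example DEX router (placeholder)",
}


def _split_calldata(data: str):
    """4-byte selector, then 32-byte ABI words as 64-char hex strings."""
    data = data[2:] if data.lower().startswith("0x") else data
    selector, body = data[:8].lower(), data[8:]
    if len(body) % 64:
        raise ValueError("calldata body is not 32-byte aligned")
    return selector, [body[i:i + 64] for i in range(0, len(body), 64)]


def _word_to_address(word: str) -> str:
    return "0x" + word[-40:].lower()      # address is right-aligned in its word


def _verdict(kind: str, spender: str, amount: Optional[int], unlimited: bool,
             deadline: Optional[int], now: int) -> Dict:
    warnings: List[str] = []
    if spender.lower() not in TRUSTED_SPENDERS:
        warnings.append("spender not in your allowlist: verify on an explorer before signing")
    if unlimited:
        warnings.append("unlimited allowance: the spender can drain the whole balance")
    if deadline is not None and deadline - now > THIRTY_DAYS:
        warnings.append("deadline/expiration more than 30 days out (or effectively never)")
    return {"kind": kind, "spender": spender.lower(), "amount": amount,
            "unlimited": unlimited, "deadline": deadline,
            "warnings": warnings, "safe": not warnings}


def inspect_calldata(data: str, now: Optional[int] = None) -> Dict:
    """On-chain approvals: decode approve / setApprovalForAll calldata."""
    now = int(time.time()) if now is None else now
    selector, words = _split_calldata(data)
    if selector == SEL_APPROVE:
        amount = int(words[1], 16)
        return _verdict("ERC-20 approve", _word_to_address(words[0]), amount,
                        amount == MAX_UINT256, None, now)
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        approved = int(words[1], 16) != 0   # true = operator controls every token
        return _verdict("setApprovalForAll", _word_to_address(words[0]), None,
                        approved, None, now)
    return {"kind": "not an approval", "selector": selector, "warnings": [], "safe": True}


def inspect_typed_data(typed: Dict, now: Optional[int] = None) -> Dict:
    """Off-chain approvals: EIP-2612 Permit or Permit2 PermitSingle, as the
    EIP-712 JSON a wallet displays before an eth_signTypedData_v4 signature."""
    now = int(time.time()) if now is None else now
    primary, msg = typed["primaryType"], typed["message"]
    if primary == "Permit":        # owner, spender, value, nonce, deadline
        amount = int(msg["value"])
        return _verdict("EIP-712 Permit", msg["spender"], amount,
                        amount == MAX_UINT256, int(msg["deadline"]), now)
    if primary == "PermitSingle":  # details{token,amount,expiration,nonce}, spender, sigDeadline
        amount = int(msg["details"]["amount"])
        return _verdict("Permit2 PermitSingle", msg["spender"], amount,
                        amount == MAX_UINT160, int(msg["details"]["expiration"]), now)
    return {"kind": f"{primary} (not a permit)", "warnings": [], "safe": True}


# Constructed sample inputs (placeholder addresses, fixed clock).
NOW = 1_700_000_000
UNLIMITED_APPROVE = ("0x" + SEL_APPROVE
                     + "2222222222222222222222222222222222222222".rjust(64, "0") + "f" * 64)
CAPPED_APPROVE = ("0x" + SEL_APPROVE
                  + "1111111111111111111111111111111111111111".rjust(64, "0")
                  + format(1_000 * 10**6, "064x"))          # 1,000 units of a 6-decimal token
NFT_OPERATOR = ("0x" + SEL_SET_APPROVAL_FOR_ALL
                + "3333333333333333333333333333333333333333".rjust(64, "0") + "1".rjust(64, "0"))
PERMIT_FOREVER = {"primaryType": "Permit",
                  "message": {"owner": "0x0", "spender": "0x1111111111111111111111111111111111111111",
                              "value": str(MAX_UINT256), "nonce": "0", "deadline": str(MAX_UINT256)}}

if __name__ == "__main__":
    for sample in (UNLIMITED_APPROVE, CAPPED_APPROVE, NFT_OPERATOR):
        print(inspect_calldata(sample, NOW))
    print(inspect_typed_data(PERMIT_FOREVER, NOW))
```

The decoder deliberately refuses to guess: anything that is not one of the four known shapes is reported as "not an approval" rather than waved through, and an allowance only counts as safe when every check passes.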

Incident response

5 items
I have a written "key-leak emergency SOP" and know the first action to take when something looks wrong: move what can still be moved to a clean wallet first, investigate afterwards.
I have a clean, never-used seed phrase + hardware wallet ready as a migration target, so the emergency does not start with generating keys on a possibly compromised machine.
I know the priority order for asset recovery after a key compromise (liquid assets first, then staked or locked positions, then NFTs).
I know about private mempool tools like Flashbots Protect and can use them under MEV-attack conditions, so that a rescue transaction is not broadcast to the public mempool where sweeper bots watch the compromised address.
I never contact "fund recovery" services that approach me online after an incident; I treat them as secondary scams that target victims.

Legacy and long-term

5 items
At least one trusted family member or close friend knows I hold crypto and has instructions for "how to access if something happens to me."
I have considered Shamir Backup (SLIP-39) or multisig so that the seed does not depend on a single person or a single location.
I review a full asset inventory at least once per year — I know exactly what I hold and where.
I understand the legal status of crypto inheritance in my jurisdiction (US federal estate tax / state probate / IRS reporting).
My wallet architecture is simple enough that I will still remember how it works five years from now, with no unnecessary complexity.
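The property that makes a Shamir split suitable for the "no single person, no single location" item is that any threshold-sized set of shares recovers the secret while a smaller set is consistent with every possible secret. The following added example (not code from the original page, and not SLIP-39 compatible) shows that property with a plain Shamir scheme over a large prime field: it splits a constructed 128-bit entropy value 2-of-3, recovers it from every pair, and shows a single share does not. Real backups should use a device's SLIP-39 implementation, which adds the wordlist encoding and integrity checks this illustration leaves out.

```python
import secrets
from itertools import combinations
from typing import Callable, List, Tuple

# Field: the Mersenne prime 2**521 - 1, large enough to hold a 256-bit seed or
# entropy value as a single field element.
P = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of f(x) = c0 + c1*x + ... mod P; c0 is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, shares: int,
                 rand: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Hide `secret` as the constant term of a random degree-(threshold-1)
    polynomial; each share is one point on it. Fewer than `threshold` points
    are consistent with every possible constant term, so they reveal nothing.
    `rand` is injectable only so the behaviour can be checked deterministically."""
    if not 1 < threshold <= shares or not 0 <= secret < P:
        raise ValueError("bad parameters")
    coeffs = [secret] + [rand(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. Correct only when given at least
    `threshold` distinct, unmodified shares; with fewer it returns garbage
    with no error, which is why real schemes add a checksum to each share."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo(secret: int, threshold: int = 2, total: int = 3,
         rand: Callable[[int], int] = secrets.randbelow) -> dict:
    """Split, then check every threshold-sized subset recovers the secret and a
    single share does not."""
    shares = split_secret(secret, threshold, total, rand)
    every_subset = all(recover_secret(list(s)) == secret
                       for s in combinations(shares, threshold))
    single_leaks = any(recover_secret([s]) == secret for s in shares)
    return {"shares": shares,
            "every_k_subset_recovers": every_subset,
            "single_share_recovers": single_leaks}


if __name__ == "__main__":
    # Constructed sample: 128 bits of fresh entropy standing in for a seed's entropy.
    entropy = int.from_bytes(secrets.token_bytes(16), "big")
    result = demo(entropy)
    print("any 2 of 3 recover:", result["every_k_subset_recovers"])
    print("1 of 3 recovers:   ", result["single_share_recovers"])
```

Each share must be kept on its own durable medium in its own location; two shares in the same drawer collapse the scheme back to a single point of failure.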

Further reading