Short answer
If you connected your wallet to a phishing site but did not sign any transactions or messages, your funds are likely safe — connection alone does not grant the dApp the ability to move your funds. The risk is signing: any approval, any transaction, any "permit," any off-chain signature that names a spender. As long as you closed the tab without confirming anything, you're probably fine. But best practice is to revoke any approvals just in case, monitor the wallet for unexpected activity for 30 days, and consider moving funds to a fresh wallet if you're paranoid.
What "connecting" actually does
Clicking "Connect Wallet" gives the dApp two pieces of information: your wallet address, and the chain you're on. That's it. The dApp can read your address's public balance and history (already publicly available) and can ask you to sign transactions. Connecting does not authorize transactions.
For the dApp to move your funds, you have to explicitly approve a transaction (which costs gas and is visible in your wallet UI as a transaction popup) or sign an off-chain message (which is silent — just a signature request popup, no gas).
The signature risk
Modern phishing attacks rely on the signature step. The fake "claim airdrop" page connects, then prompts a signature request that looks innocuous in the wallet UI but is actually a Permit2 or setApprovalForAll authorization for an attacker address. Sign once, and the attacker has an indefinite ability to drain that token from your wallet.
If you saw a signature prompt and clicked it, you're at risk. If you saw the prompt and clicked "Reject" or closed the popup, you're not at risk from that signature.
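To make the difference between connecting, approving and signing concrete, here is an added example (not part of the original page) that classifies a wallet JSON-RPC request by what it could authorize. The function name, risk labels and sample addresses are assumptions made for illustration; the two selectors are the standard ERC-20/ERC-721 ones.

```javascript
// Added example (not from the original page). Addresses below are constructed placeholders.
// Selector = first 4 bytes of keccak256 of the function signature.
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};

function classifyRequest({ method, params = [] }) {
  if (method === "eth_requestAccounts") {
    return { risk: "none", reason: "connection only: shares address and chain" };
  }
  if (method === "eth_sendTransaction") {
    const data = String(params[0]?.data ?? "0x").toLowerCase();
    const fn = APPROVAL_SELECTORS[data.slice(0, 10)];
    if (!fn) return { risk: "review", reason: "no known approval selector" };
    if (data.length < 138) return { risk: "review", reason: `${fn} with truncated arguments` };
    // Two 32-byte ABI words follow the selector: the spender, then amount or bool.
    const spender = "0x" + data.slice(34, 74);
    const second = BigInt("0x" + data.slice(74, 138));
    // approve(spender, 0) and setApprovalForAll(operator, false) revoke access.
    if (second === 0n) return { risk: "none", reason: `${fn} revokes ${spender}` };
    return { risk: "high", reason: `${fn} grants rights to ${spender}` };
  }
  if (method === "eth_signTypedData_v4") {
    // params = [signerAddress, typedData as JSON string or object]
    const typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    const spender = typed?.message?.spender ?? typed?.message?.operator;
    if (/^Permit/.test(typed?.primaryType ?? "") || spender) {
      return { risk: "high", reason: `gasless ${typed.primaryType} for ${spender}` };
    }
    return { risk: "review", reason: `typed data ${typed?.primaryType}` };
  }
  return { risk: "review", reason: `unclassified method ${method}` };
}

// Constructed sample requests, shaped like what a dApp sends to the wallet provider.
const OPERATOR = "0x" + "11".repeat(20);
const pad = (hex) => hex.padStart(64, "0");
const samples = {
  connect: { method: "eth_requestAccounts" },
  approveAll: { method: "eth_sendTransaction",
    params: [{ data: "0xa22cb465" + pad(OPERATOR.slice(2)) + pad("1") }] },
  revokeAll: { method: "eth_sendTransaction",
    params: [{ data: "0xa22cb465" + pad(OPERATOR.slice(2)) + pad("0") }] },
  permit: { method: "eth_signTypedData_v4", params: ["0x" + "22".repeat(20), JSON.stringify({
    domain: { name: "Permit2" }, primaryType: "PermitSingle",
    message: { spender: OPERATOR, sigDeadline: "1893456000" } })] },
};
for (const [name, req] of Object.entries(samples)) console.log(name, classifyRequest(req));
```

The `revokeAll` sample is the same call with `false` as the second argument, which is the kind of transaction a revocation tool sends, so it is not flagged.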
The "connect only" residual risk
Three theoretical attack paths from connection alone:
- Address grabbing for follow-up phishing. The scammer now knows your wallet address; they can send dust to it, target you for future phishing, or sell the address to other scammers. Low immediate risk.
- Browser-extension exploitation. If the phishing site exploited a zero-day in your wallet extension (rare), it could potentially extract private keys. As of 2026, no widely-exploited zero-day exists in MetaMask or Rabby.
- Frontend re-prompt later. A sophisticated phishing site might delay the signature request. You connect, leave the tab open, come back 30 minutes later and see a prompt. Less common but possible.
Recommended cleanup
Even if you didn't sign anything, do this:
- Close the suspicious tab immediately.
- Visit revoke.cash with the affected wallet. Review approvals; revoke any you don't recognize.
- Monitor the wallet for 30 days for unexpected activity. Etherscan email alerts can help.
- If the wallet holds significant value and you're worried, generate a fresh seed phrase, set up a new wallet, and migrate funds. Cost: gas. Benefit: peace of mind.
Further reading: revoke.cash, setApprovalForAll.