The Golden Rule
Never Share Your Seed Phrase
Your seed phrase — also called a recovery phrase or mnemonic — is the master key to your entire wallet. Sharing it with anyone, for any reason, gives them complete, irreversible control over every asset you hold. There is no recovery, no reversal, and no recourse. No legitimate person, protocol, or support service will ever ask for your seed phrase. If they ask, they are a scammer.
Seed Phrase Security
Protecting your seed phrase is the single most important security action you can take. These practices keep it safe:
Write It Down on Paper
Write your seed phrase by hand on paper. Never type it into a notes app, email, cloud document, password manager, or any digital storage. Paper cannot be hacked remotely.
Multiple Physical Copies
Store multiple handwritten copies in separate secure physical locations. Consider a fireproof safe, a safety deposit box, or a trusted family member’s home. A single copy can be lost, damaged, or stolen.
Never Photograph It
Never take a photo of your seed phrase. Photos sync to cloud storage (iCloud, Google Photos) automatically on most phones. Any cloud breach exposes your phrase.
Only Use It for Wallet Recovery
The only legitimate use for your seed phrase is importing your wallet into an official wallet app (Phantom, Solflare, Backpack) during setup or recovery. If any other context is asking for it, it is a scam.
Hardware Wallet Recommendation
For any significant holdings — anything you would be devastated to lose — a hardware wallet is the strongest protection available to retail users. Hardware wallets (such as Ledger or Trezor, both compatible with Solana) store your private keys in a physically isolated chip. When you sign a transaction, the signing happens inside the device — your private key never leaves the hardware wallet, ever. Even if your computer is completely compromised by malware, an attacker cannot extract your keys.
When to use a hardware wallet:
- Your crypto holdings represent a meaningful amount of money to you
- You interact regularly with DeFi protocols (higher smart contract risk exposure)
- You use a shared or work computer for any crypto activity
- You have staked SURCHI for governance participation (long-term holdings)
Recognizing Phishing
Phishing — fake websites and fake communications designed to steal your credentials or seed phrase — is one of the most common attack vectors in DeFi. SURCHI users are a target.
Always Check the URL
Before connecting your wallet to any site claiming to be SURCHI, verify the URL in your browser’s address bar character by character. The official SURCHI app is at surchi.io. Bookmark it directly from the official site and use that bookmark every time — never navigate to it via a link in a tweet, DM, or email.
Know What SURCHI Will Never Ask
SURCHI will never ask you to:
- “Verify” your wallet
- “Sync” your wallet
- “Re-authenticate” by entering your seed phrase
- Connect your wallet to claim an airdrop you didn’t register for
- Approve a transaction you didn’t initiate
Fake Domain Patterns
Scammers register domains designed to fool a casual glance. Watch for:
- surchi-app.io — not official
- surchi.finance — not official
- surchi-protocol.io — not official
- app-surchi.io — not official
- surchi.network — not official
docs.surchi.io and app.surchi.io are official. Any other domain is unauthorized.
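A strict host check for the rule above, as an added example that is not SURCHI's own code: it accepts only the three hosts this page names as official and parses the URL the way a browser does, so look-alikes that survive a casual glance are rejected. The function name `checkSurchiUrl`, the `login.example` host, and the sample URLs are constructed for illustration.

```javascript
// Added example: exact-match allowlist built from the hosts this page names as official.
const OFFICIAL_HOSTS = new Set(["surchi.io", "app.surchi.io", "docs.surchi.io"]);

// Returns { official: boolean, host: string|null, reason: string }.
function checkSurchiUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser, the same rules browsers apply
  } catch {
    return { official: false, host: null, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { official: false, host: url.hostname, reason: "not https" };
  }
  // hostname is already lowercased and IDN-encoded; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  if (url.username || url.password) {
    // Text before "@" is userinfo, not the host; reject it outright (conservative).
    return { official: false, host, reason: "userinfo before host" };
  }
  if (OFFICIAL_HOSTS.has(host)) {
    return { official: true, host, reason: "exact match with official host" };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { official: false, host, reason: "internationalized look-alike label" };
  }
  if (host.includes("surchi")) {
    return { official: false, host, reason: "contains brand name but is not an official host" };
  }
  return { official: false, host, reason: "unrelated host" };
}

// Constructed sample inputs: look-alikes listed on this page plus parser edge cases.
const samples = [
  "https://app.surchi.io/stake",
  "https://surchi-app.io/",
  "https://surchi.io.login.example/",
  "https://surchi.io@login.example/",
  "http://surchi.io/",
];
for (const s of samples) console.log(s, "->", checkSurchiUrl(s));
```

The check is deliberately exact-match: a suffix or substring test would accept hosts such as `surchi.io.login.example`.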
Fake Team Members and Support Accounts
Scammers create fake X (Twitter) and Telegram accounts impersonating SURCHI team members and support staff. These accounts often have similar usernames, matching profile pictures, and convincing post history. Check the Official Channels page for verified accounts. Never send tokens or share information with anyone based on a DM.
Wallet Best Practices
Beyond seed phrase protection and phishing awareness, these practices materially reduce your risk profile:
Use a Dedicated DeFi Wallet
Maintain a separate wallet for DeFi activity and a separate wallet for long-term holdings. Your hardware wallet holds the bulk of your assets; your hot wallet for DeFi contains only what you intend to actively use. A smart contract exploit can only drain the wallet that interacted with it.
Regularly Review and Revoke Token Approvals
When you interact with DeFi protocols, you grant token approvals — permissions for contracts to move your tokens. Old or forgotten approvals from protocols you no longer use are unnecessary risk. Regularly audit your approvals using a tool like Revoke.cash and revoke any you don’t recognize or no longer need.
Keep Wallet Software Up to Date
Phantom, Solflare, Backpack, Ledger Live, and other wallet applications release security updates. Keep your wallet software current. Do not dismiss update prompts — they often include critical security patches. Only update from the official app store or manufacturer website.
Verify Transactions Before Signing
Read every transaction prompt before approving it in your wallet. Check the contract address, the action being authorized, and the assets involved. If something doesn’t match what you initiated, reject it immediately. Legitimate apps never need you to approve unexpected permissions.
SURCHI will only ever communicate through verified official channels. Visit Official Channels for the complete and authoritative list of genuine SURCHI communications. When in doubt about whether a contact is legitimate, verify in the official Telegram before taking any action.
