Dfns provides multiple layers of security to protect your organization. This guide covers best practices for:
Roles : Control who can do whatPolicies : Enforce rules on transactions and sensitive operationsAddress book : Protect against address poisoning attacksVerified assets : Filter out spam tokens and suspicious transactions
Getting started safely Before creating wallets or processing transactions, set up these foundational security controls.
Initial policies The following three policies are the minimum recommended setup for any organization. They reduce the risk of errors and make sure a compromised admin cannot lock you out or escalate privileges unnoticed.
Policy Purpose Permission Assignment Require approval before granting permissions to any user. Prevents a compromised admin from creating fake users with elevated access. Permission Modification Require approval before changing permission sets. Prevents escalation of existing roles. Policy Modification Require approval before changing policies. Ensures your security rules stay in place.
To create these policies, go to Org > Policies and click New Policy . Select the appropriate activity type and configure approval groups to require at least a 1-out-of-2 quorum.
Initial role setup Follow the principle of least privilege : give users only the roles they need for their responsibilities.
Don’t assign ManagedFullAdminAccess to everyone. Create custom roles instead.
See role templates below for recommended configurations.
Policy templates by use case Treasury management For internal teams managing company wallets with multi-signature approvals:
Policy Configuration Large transaction approval TransactionAmountLimit at $100,000 USD with 2-of-3 approver quorumRecipient whitelisting TransactionRecipientWhitelist with known treasury, exchange, and vendor addressesDaily spending cap TransactionAmountVelocity at $500,000 USD per 24 hoursTransaction frequency limit TransactionCountVelocity at 50 transactions per 24 hours
Use wallet tags to scope policies to specific wallets. Tag treasury wallets with treasury and filter policies accordingly. Exchange/trading operations For high-volume operations with exchange integrations:
Policy Configuration Withdrawal velocity TransactionAmountVelocity tuned to expected daily volumeExchange whitelisting TransactionRecipientWhitelist with your exchange deposit addressesHigh-value approval TransactionAmountLimit for withdrawals above operational threshold
B2B payments For business payments and vendor disbursements:
Policy Configuration Vendor whitelisting TransactionRecipientWhitelist with approved vendor addressesTiered approvals Multiple TransactionAmountLimit policies: 10 K ( 1 a p p r o v e r ) , 10K (1 approver), 10 K ( 1 a pp ro v er ) , AML screening ChainalysisTransactionPrescreening to screen outbound payments
Role templates Create these roles in Settings > Permissions and assign them to users based on their responsibilities.
Admin Full organizational control. Assign sparingly. You can use ManagedFullAdminAccess for this role. The list of whitelisted actions is maintained by Dfns and contains all permissions.
Approver Reviews and approves transactions. Cannot initiate them.
Permission Purpose Policies:Approvals:ApproveApprove or reject pending transactions Policies:Approvals:ReadView pending approvals Wallets:ReadView wallet details and balances Wallets:Transfers:Read, Wallets:Transactions:ReadView transaction details
Operator Day-to-day transaction operations.
Permission Purpose Wallets:ReadView wallets Wallets:Transfers:Create, Wallets:Transfers:ReadCreate and view transfers Wallets:Transactions:Create, Wallets:Transactions:ReadCreate and view transactions
Read-only auditor View-only access for compliance and audit purposes.
Permission Purpose Wallets:ReadView all wallets Wallets:Transfers:Read, Wallets:Transactions:ReadView all transactions Policies:Read, Policies:Approvals:ReadView policies and approval history Auth:Logs:ReadView audit logs
Service account (automation) For server-to-server API integrations. See service accounts guide .
Permission Purpose Wallets:ReadQuery wallet balances Wallets:Transfers:CreateInitiate automated transfers Wallets:Transactions:CreateExecute smart contract calls
Create separate service accounts for different automation tasks, each with minimal required permissions. Service accounts can be configured as policy approvers if needed, but keep automation and approval authority separate by default. Using the address book The address book helps you manage blockchain addresses with human-readable aliases. Beyond convenience, it provides critical protection against address poisoning attacks.
Address poisoning protection In transaction history, the dashboard shows warnings for addresses not in your address book. This protects against “address poisoning” attacks where scammers:
Send tiny transactions from addresses that look nearly identical to legitimate ones (e.g., 0x1234...5678 vs 0x1234...5679)
Hope you copy the wrong address when making your next transfer
Always verify addresses carefully. Scammers exploit the fact that users often copy addresses from transaction history without checking every character.
Best practice: Add all addresses you regularly interact with to the address book immediately after your first transaction.Address book management
Use clear naming conventions : Include vendor/partner name, purpose, and network (e.g., “acmecorp-payroll”)Add descriptions : Note the business relationship or account purposeReview regularly : Remove aliases for addresses no longer in useUpdate promptly : Add new addresses as soon as you establish new business relationships
Address book vs policy whitelisting These are complementary features:
Address Book : Visual convenience and warnings. Helps you recognize addresses in the UI. Does not block transactions.TransactionRecipientWhitelist policy : Enforcement. Blocks transactions to non-whitelisted addresses (or requires approval).
Use both together: Address Book for awareness and easy identification, policies for enforcement.
Handling spam and scam tokens Blockchain addresses can receive unsolicited tokens (airdrops, spam, scam tokens). Dfns provides tools to filter these out.
Verified assets and transactions On each wallet page, use the filtering toggles to focus on legitimate assets:
Assets section:
Toggle: “Only show verified assets”
The “Verified” column indicates which tokens are verified by Dfns
History section:
Toggle: “Only show verified transactions”
The “Verified” column shows transaction verification status
What “verified” means
Dfns maintains a list of verified tokens and contracts across supported networks
Verified : Token is a known legitimate assetNot verified : Token is not in Dfns’s verified list (doesn’t necessarily mean malicious, but warrants caution)
Testnet tokens are typically not verified. This is expected behavior.
Incoming transaction screening with Chainalysis For additional protection, integrate Chainalysis KYT to automatically screen transactions:
ChainalysisTransactionPrescreeningChainalysisTransactionScreening
Day-to-day security operations Reviewing pending approvals When policies trigger approval requests:
Go to Activity in the dashboard to see pending approvals
Review the transaction details, including recipient address and amount
Verify the recipient is in your address book or is otherwise expected
Approve or reject the request
The person who initiated a transaction cannot approve it themselves (unless initiatorCanApprove is enabled on the policy).
Monitoring transactions
Check the “Verified” column in transaction history
Enable webhooks for real-time notifications
Export transaction history for compliance records (Wallet > Export)
Regular security hygiene Task Frequency Review user roles Quarterly Audit address book entries Monthly Review policy configurations Quarterly Test new policies on testnets Before production deployment Review audit logs As needed
Before deploying new policies in production, test them on a testnet to ensure they work as expected. Next steps
Creating policies Step-by-step policy creation in the dashboard
Managing users and roles Invite users and assign roles
Using the address book Create and manage address aliases
Chainalysis integration Set up AML/KYT transaction screening
