Security & Phishing Protection

How PWM protects your account, and what we will never ask for.

PWM will never ask for these

  • Your wallet seed phrase or private key — under any circumstance
  • Your wallet password or unlock PIN
  • For you to send tokens to "verify" your account — signatures are free and prove ownership without payment
  • Your wallet's recovery phrase to "recover your account"
  • Remote-control access to your computer or wallet extension

If anyone claiming to be from PWM asks for any of the above — it is a scam. Report at security@platformai.org.

How signing in with your wallet works

  1. You connect your wallet (MetaMask, Coinbase Wallet, etc.) to the site.
  2. The site shows you a plain-text message to sign. It includes the site domain, your address, and a single-use nonce.
  3. Your wallet asks you to confirm. Signing is free — no gas, no transaction.
  4. The site verifies the signature against your address and gives you a 7-day session cookie.
  5. Your private key never leaves your wallet. PWM never sees or stores it.

This protocol is EIP-4361 (Sign-In with Ethereum), the industry standard for Web3 login.

Verify the URL before signing

When your wallet asks for a signature, the message starts with the domain that requested it. Always check that the domain matches the site you are actually on — phishing sites can mimic our UI but cannot mimic the signed domain in your wallet.

  testpwm.platformai.org wants you to sign in with your Ethereum account:
  0x...

  Sign in to PWM to access your account and submit certificates.

  URI: https://testpwm.platformai.org
  Version: 1
  Chain ID: 8453
  Nonce: ...
  Issued At: ...
  Expiration Time: ...

PWM only ever asks you to sign messages with domain testpwm.platformai.org or pwm.platformai.org. Anything else is a phishing attempt.
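The sign-in steps and the domain check described above, as an added example (not PWM's own code): a small EIP-4361 message parser plus the checks that matter before a signature is accepted: the domain is one PWM signs from and matches the page, the nonce is the single-use one the server issued, the chain is Base mainnet, and the message has not expired. The address, nonce and timestamps are constructed placeholders; the secp256k1 signature verification itself is assumed to happen separately.

```python
import re
from datetime import datetime, timezone

# Domains PWM signs from (from the page); any other domain is a phishing attempt.
ALLOWED_DOMAINS = {"testpwm.platformai.org", "pwm.platformai.org"}
BASE_MAINNET = "8453"

# EIP-4361 layout: header line, address on its own line, optional statement, "Key: value" fields.
HEADER_RE = re.compile(
    r"^(?P<domain>\S+) wants you to sign in with your Ethereum account:\n"
    r"(?P<address>0x[0-9a-fA-F]{40})\n")
FIELD_RE = re.compile(
    r"^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time|Not Before|Request ID): (.*)$", re.M)

def parse_siwe(message):
    """Split an EIP-4361 message into its domain, address and trailing fields."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not an EIP-4361 message")
    fields = dict(FIELD_RE.findall(message))
    fields.update(domain=m["domain"], address=m["address"])
    return fields

def check_siwe(message, page_domain, issued_nonce, now):
    """Return the problems found; empty means the message passes (signature check is separate)."""
    f = parse_siwe(message)
    problems = []
    if f["domain"] not in ALLOWED_DOMAINS:
        problems.append("domain is not one PWM signs from")
    if f["domain"] != page_domain:
        problems.append("domain does not match the site you are on")
    if f.get("Nonce") != issued_nonce:
        problems.append("nonce is not the single-use nonce the server issued")
    if f.get("Chain ID") != BASE_MAINNET:
        problems.append("chain id is not Base mainnet")
    exp = f.get("Expiration Time")
    if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        problems.append("message has expired")
    return problems

# Constructed sample values: placeholder address, nonce and clock, not real ones.
ADDRESS, NONCE = "0x" + "ab" * 20, "a1b2c3d4e5f6"
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2025, 1, 3, 12, 0, tzinfo=timezone.utc)

def make_message(domain):
    return (f"{domain} wants you to sign in with your Ethereum account:\n{ADDRESS}\n\n"
            "Sign in to PWM to access your account and submit certificates.\n\n"
            f"URI: https://{domain}\nVersion: 1\nChain ID: 8453\nNonce: {NONCE}\n"
            "Issued At: 2025-01-01T12:00:00Z\nExpiration Time: 2025-01-02T12:00:00Z")

GENUINE = make_message("testpwm.platformai.org")
LOOKALIKE = make_message("pvvm.platformai.org")  # spelling trick from the best-practices list
```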

Your funds are yours alone

PWM is non-custodial. We never hold your PWM tokens or your wallet's keys. All token balances live on Base mainnet under your wallet's control.

  • If our site goes down, your tokens are still safe in your wallet.
  • If our site is hacked, attackers cannot drain your funds — they can only access your session cookie.
  • If you lose access to your wallet (lost seed phrase), we cannot recover it for you. Back up your wallet's recovery material somewhere safe and offline.

Best practices

  • Use a hardware wallet (Ledger / Trezor) for any address holding more than $1,000 of tokens.
  • Bookmark testpwm.platformai.org and pwm.platformai.org; reach the site from the bookmark, not from search-engine ads.
  • Disconnect your wallet from the site when you are done. Most wallets show a list of connected dApps in their settings.
  • Clear cookies if you sign in on a shared computer.
  • Watch for spelling tricks in URLs (pwm vs pvvm, platformai vs platformai-org.com, etc.).
  • Sign with the smallest wallet that holds what you need; do not sign in with a vault.

Found a vulnerability? Email security@platformai.org. We follow coordinated disclosure and credit reporters in the project's SECURITY.md.