Product · 4 min read · May 1, 2026

What Is Read-Only Mode in a Crypto Wallet?

Most wallets are always ready to sign. That's a problem. Read-only mode means checking your portfolio never puts your funds at risk — here's why that matters.

Most crypto wallets behave like a loaded gun with the safety off. The moment you open them, they're ready to sign anything. Browse your portfolio, check a price, open the wrong browser tab, and a malicious site can put a signing prompt in front of you before you've had a chance to think.

Read-only mode is a different approach. The wallet opens in a state where signing is impossible — not just harder, impossible — until you explicitly unlock it with your PIN. Here's why that matters more than most people realise.

The default state problem

When you open a typical browser extension wallet and enter your password, it loads your account in a fully "hot" state and keeps it there for the rest of the session. Your private key material is decrypted and held in memory. Any site that can send the wallet a signing request (any connected dApp can) has an opportunity to present you with a transaction prompt.

This matters because of how humans actually use crypto wallets. Research and anecdote both suggest the same thing: holders check their portfolio far more often than they transact. The ratio might be 20:1 or 50:1. You open the wallet to see your balance, the current price, how you're doing. You are rarely there to send.

But in most wallets, those 49 "just checking" opens are indistinguishable from the 1 time you actually want to send. Every open is a full exposure window.

What read-only mode actually does

In read-only mode, the wallet's signing capability is locked. Specifically:

  • The private key is not available in memory — it remains encrypted in storage.
  • Any attempt to sign a transaction, approve a contract, or generate a signature is blocked at the wallet level, before any external request can reach the signing logic.
  • You can view balances, check prices, copy your receive address, and review transaction history — none of which require the private key at all.

To unlock signing, you enter your PIN. The wallet decrypts the key, signs the one transaction you unlocked it for, discards the decrypted key, and returns to read-only. It does not stay unlocked for a session. It does not remember you just authenticated. Every send requires fresh PIN entry.

This is Heldby's default behaviour

Every time you open Heldby, it opens read-only. There is no "stay logged in" toggle. There is no session that expires after 5 minutes. Read-only is the permanent default state; signing-capable is the exception that requires deliberate action each time.

How it protects you from specific attacks

Malicious dApp signing requests. A phishing site opens a signing prompt in your wallet. In a standard wallet, the prompt appears and you might accidentally approve it, or approve it under social engineering pressure. In Heldby's read-only mode, the request is blocked entirely — there's nothing to accidentally click.

Physical access. Someone picks up your laptop while the wallet is open. In a standard wallet, they can see your portfolio and potentially initiate transactions. In read-only mode, they can see your balances, addresses and history, but they cannot sign: sending requires your PIN, which they don't have.

Memory scraping and session hijacking. Some browser-based attacks target decrypted key material held in memory, or ride an already-unlocked session. If the key is not in memory, because the wallet is in read-only mode, there is nothing to take from memory and no unlocked session to ride. Clipboard address-swapping malware is a separate threat: read-only mode does not change what you paste into the recipient field, so verify the address before you unlock and sign.

Decision fatigue. You're browsing DeFi, you're excited, you're moving fast. A prompt appears. You click approve without reading carefully. Read-only mode inserts a natural circuit-breaker: you have to consciously decide to unlock signing, which breaks the momentum and creates a deliberate review moment.

The trade-off is almost nothing

The most common objection to read-only mode is friction: having to enter your PIN every time you want to send feels like extra work. It is — but it's a single PIN entry, taking perhaps three seconds, that only happens when you're actually transacting.

For the 49 times you open the wallet to check your balance, there is zero friction. You see your portfolio exactly as you would in any other wallet. The friction only appears when signing is about to happen — which is exactly the moment where a few seconds of deliberate action is most valuable.

Compare that to the alternative: a wallet that's always hot, that requires vigilance every single time it's open, where one moment of inattention can be catastrophic.

Read-only for watch wallets

Read-only mode is also the right model for addresses whose keys are not in the browser at all: hardware wallets, cold storage, or any address you want to track. You can add any Ethereum address to Heldby to monitor its balance and transactions without importing a private key. Such an address is permanently read-only because there is no key to unlock; you are only watching.

This is useful for:

  • Monitoring a hardware wallet's balance without connecting the hardware device every time
  • Tracking a DCA wallet or cold storage address alongside your active wallet
  • Watching a high-value address as part of research or portfolio analysis

The bigger principle

Read-only mode is an expression of a broader security principle: the principle of least privilege. A system should only have the minimum capabilities needed for the task at hand, and those capabilities should be granted explicitly rather than assumed by default.

Applied to a wallet: if you are checking your balance, you don't need signing capability. Don't have it available. When you need to send, request the capability specifically, use it, and relinquish it immediately.

Most consumer software does the opposite. It maximises convenience by keeping all capabilities available all the time, and treats security as the user's problem. Read-only mode is a product decision that takes the security question seriously instead of delegating it.

Protect your Ethereum holdings

Blind signing blocked. Privacy proxy built in. Free forever.

Add Heldby to Chrome