Security Best Practices

A short, practical checklist for using Ava safely — and the social-engineering scams to watch for.

Most of Ava's safety is built into the design. This page is the operator-side checklist — the handful of habits that matter.

The 5-line checklist

  1. Verify the bot. The official Ava Guardian handle is the one linked from avaprotocol.org. Don't trust a bot found via search — search results are easy to spoof. When in doubt, start from the website.
  2. Verify the policy on first setup. When you authorize a Guardian, the setup screen lists the allowlisted contracts, function selectors, and caps. Read them. They should match what Ava said in chat.
  3. Pick caps you can live with losing. Caps are a worst-case bound. Set them to a number you'd be okay losing in the most pessimistic scenario.
  4. Confirm transactions, don't autopilot the tap. Each ✅ Confirm is a decision. Read the simulated outcome and the gas estimate before tapping.
  5. Revoke if anything feels wrong. Revoking is cheap; investigation can happen afterward.

What Ava will never ask for

  • A seed phrase or private key.
  • Your wallet password.
  • A signature in your wallet that you didn't initiate from a known surface (Telegram chat or app.avaprotocol.org).
  • An "emergency" deposit to "secure" your funds.
  • Anything urgent that requires you to act in the next 60 seconds without verifying.

If someone in Telegram (DMing you, posing as "Ava support", impersonating a team member) asks for any of the above: it isn't us. Block, report, and don't act. Real support never operates via DM and never asks for keys.

How to verify a transaction Ava proposes

Before tapping confirm:

  • The to: address is a contract you've authorized (Aave Pool, an allowlisted helper). The setup screen showed you the addresses; if anything else appears in a proposal, refuse.
  • The amount is inside the cap and matches what the chat said ("supplying 300 USDC").
  • The function is a safe-direction one (supply(), repay()) — not something exotic.

If the in-chat numbers and the on-chain transaction look out of sync, refuse. Ask Ava for the transaction hash and explorer link, and verify yourself.

Multi-wallet hygiene

  • Don't use a single wallet for everything. Ava works fine with a dedicated "DeFi positions" wallet that's separate from your main holding wallet — and that's a better setup for blast radius if anything goes wrong anywhere.
  • Cold storage stays cold. Never authorize a Guardian on a hardware wallet you treat as cold storage. Authorize on a hot smart wallet funded with what you'd be okay actively managing.

Phishing patterns to watch for

  • Fake Telegram bots with similar handles. The real one is linked from this site.
  • Fake "Ava Studio" sites with one-letter-off domains. The real one is app.avaprotocol.org. Bookmark it.
  • Fake support DMs. Ava team members do not DM you first about your wallet.
  • Fake "claim your airdrop" prompts. Ava does not airdrop tokens.
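
A small check for the one-letter-off domains mentioned above, as an added example that is not Ava's code. It extracts the host from a link and reports whether it is one of the official hosts named on this page, a lookalike (a host one or two edits away from an official one, an official name buried inside a longer attacker-controlled host, or a punycode label that can render as a homoglyph), or simply unrelated. The distance threshold and the sample links are constructed.

```python
"""Lookalike-domain check for links claiming to be Ava Studio (added example, not Ava's code)."""
from urllib.parse import urlsplit

# Hosts named on the page as the real ones.
OFFICIAL_HOSTS = ("app.avaprotocol.org", "avaprotocol.org")
LOOKALIKE_DISTANCE = 2   # assumed threshold for "one or two characters off"


def extract_host(link: str) -> str:
    """Lower-cased hostname of a link; bare domains without a scheme are accepted too."""
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(link: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link."""
    host = extract_host(link)
    if host in OFFICIAL_HOSTS:
        return "official"
    # Punycode labels (xn--) can display as homoglyphs of the real name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # Official name used as a subdomain or prefix of a host the attacker controls.
    if any(official in host for official in OFFICIAL_HOSTS):
        return "lookalike"
    if min(edit_distance(host, official) for official in OFFICIAL_HOSTS) <= LOOKALIKE_DISTANCE:
        return "lookalike"
    return "unrelated"


# Constructed sample links.
SAMPLES = [
    "https://app.avaprotocol.org/positions",
    "https://app.avaprotoco1.org/",
    "https://app.avaprotocol.org.login-verify.example/",
    "https://example.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

The check never says "safe"; "official" only means the host string is exactly one of the two named on this page, which is why bookmarking the real site and starting from it remains the simpler habit.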

When in doubt

Stop. Revoke if the doubt involves an active permission. Then verify slowly. Time pressure is the #1 lever scammers use; the design of Ava — and the design of on-chain spend caps — gives you the luxury of taking your time.