Your EOS Account In Safe Mode

Published by eosnewyorkio 17 Jul 2019

Your EOS Account In Safe Mode

Clever Permissions Management That Guarantees More Protection

EOS is one of the most flexible blockchains for developers and users alike. While this is so critical for developing robust dApp user experiences, its relative complexity can also lead users to sign transactions they otherwise shouldn’t be signing. We’ve seen many people claim they were the victim of alleged phishing or malware attacks since the launch of the EOS blockchain. The result is usually the owner and active key pairs are changed on an account by the attacker and the user’s tokens are liquidated.

Permissions, Permissions, Permissions

Permissions management is one of the most robust features of the EOS blockchain. In EOS, the 12 character account name is the most important asset and is the thing to which tokens are tied to. This is unlike Bitcoin, where the public key essentially serves as one’s account. Essentially, this difference creates the ability to manipulate keypairs by creating, deleting, or modifying them without affecting token custody.

What one can end up with is a list of custom permissions with linked actions. This allows for very granular control over who can do what with any key pair. Let’s take a look at EOS New York permissions as an example:

Because we’ve organized our permissions this way we can interact with the EOS blockchain in many ways relatively risk-free.

Creating Custom Permissions is Not Good UX

Creating a custom permission is relatively easy to do and is a great way to keep your account secure. If the custom permission’s private key is compromised, the attacker can only do whatever it is that the permission itself is authorized to do. While the benefits are great for an organization, this is a pain for the normal user because they can no longer seamlessly switch between applications without switching permissions as well. Who would want to do this for every dApp they interact with? No one, because it breaks UX.

This is not to mention the fact that many dApps hardcode the Active permission as the required permission to use their dApp. So, even if one creates a custom permission, the dApp will only accept Active anyway.

With the creation of a single permission, you will make your account safer and exponentially more difficult to become a victim.

Your EOS Account in Safe Mode

WARNING: Before you begin please understand that modifying permissions on your EOS account can have irreversibly negative results if done incorrectly. Please pay attention, write down keys, double-check everything.

We now understand that creating a custom permission to whitelist every action you want to do is not a good UX. What if, instead of creating a new permission that whitelists, we create a new permission that blacklists instead?


In short, we are going to create a sibling permission to Active using theowner permission and call it safemode. Then, we will linkauthundelegatebw to this new permission. This will make it impossible for your Active key to unstake your EOS. So long as your Owner and Active keys are different, even if you were to give away your Active key to an attacker they will not be able to unstake your EOS tokens and liquidate them. You can continue to add actions to this permission that you wish to blacklist from your Active key. This permission should then be stored in the same way that your Owner permission is stored, safely offline.


  1. Ensure Active and Owner keys are different from one another

  2. Use Owner Permission to create new child permission called safemode

  3. Reset Owner Permission and store offline (consider Owner key a single-use key for security reasons)

  4. linkauth undelegatebw to safemode

  5. Stake the amount of EOS you want “kept safe”, leaving some liquid in your account to enjoy as you see fit.

  6. Enjoy your new account in Safe Mode

Step 1: Ensure Active & Owner Keys Are Different

Please see this guide we created in order to safely manage your Owner and Active Keys. If your keys are already different then you’re all set to move on.

Step 2: Create Safemode Permission

  1. Generate a key pair for the new permission. We recommend EOS Key, but most wallets will have a keypair creation tool. Please note, you should write this key down and store it offline in a safe place. This key will be able to unstake your EOS.

  2. Log into via your Owner Key and go to Wallet → Permissions Manager

  3. In permission name write: “safemode”

  4. In parent write: “owner”

  5. In keys write: [YOUR KEY]

Step 3: linkauth undelegatebw to safemode Permission

  1. Open link/unlink auth in the List of Tools sidebar in your wallet on Bloks.

  2. In permission enter: “safemode”

  3. In contract name enter: “eosio”

  4. In contract action enter: “undelegatebw”

  5. Click Link Auth button.

Step 5: Stake The Amount of EOS You Want to Lockdown

You can use your Active key with your normal wallet to complete this function. Please note that you will not be able to unstake your EOS with your Active key and must use your Safemode key to do so. Your Safemode key cannot do anything else besides unstake.

Step 6: Change Your Owner Key After Using

This is not a required step but it is a best practice. Think of your Owner Key as a one-time use item. Once you use it, you should reset it and store it securely offline. Please see this guide for managing Owner and Active Keys

Step 7: Enjoy

If you try to unstake your EOS with your Active key then it will fail. If an attacker obtains your Active key he or she will not be able to take the EOS you’ve staked, only the EOS that remains liquid. To prevent this or any other action you can continue to add actions to the safemode permission such as: specific dApp token transfers, selling REX, EOS token transfer, etc.

If you wish to remove this permission, it can be deleted by logging into Bloks with your Owner Permission and deleting safemode from the Permissions Manager tab.

Please note: this method will not work for updateauth, deleteauth, linkauth, unlinkauth, and canceldelay actions. These actions are treated specially in EOS and are linked to every permission by default.

Your account is now in Safe Mode! While you are more protected now than you were, please note that you should always be aware of what you’re signing. This does not give you a license to be careless, but it does give you extra security. For even more security, please visit and enter in your e-mail to be notified when the EOS Metro, the easiest to use Hardware Key for EOSIO, is released.


The easiest to use hardware key, period. Built exclusively for the EOS blockchain.

EOS New York is a Top 21 Block Producer on the EOS Mainnet

Website | Twitter | Medium | STEEM | Meetup | Telegram | Weibo | Bihu