How to verify a points program is real (and avoid fake sites)

· 7 min read

A safer workflow for verifying points programs: find primary sources, validate domains, and reduce the odds of getting phished while questing.


Points programs attract scammers for the same reason they attract users: lots of people connect wallets, sign messages, and move funds quickly. If you only fix one part of your process, fix how you verify links and sources.

This post gives you a repeatable workflow you can follow every time you see a new campaign. It’s written for reality: mobile browsing, time pressure, and the temptation to click fast.

If you want a sourced starting point, don’t start from social media. Start here: points directory.

Quick take

Before you connect a wallet:

  • Find the program from a primary source (docs or the official app UI).
  • Confirm the official domain matches the official sources (character-by-character).
  • Bookmark the official domain; stop searching it every time.
  • Assume any “claim” page is hostile until proven otherwise.
  • If something feels urgent (“ending soon”), slow down.

Nothing here is financial advice. This is operational safety.

Your threat model (why this keeps happening)

Most “airdrop farming losses” are not smart contract exploits. They’re operational mistakes:

  • You clicked a lookalike domain.
  • You signed an approval you didn’t understand.
  • You reused a high-value wallet for low-trust quests.
  • You trusted a community post more than primary sources.

The fix isn’t “be smarter.” The fix is a workflow that reduces mistakes.

Step 1: start from a sourced hub page

For points programs, “where you start” matters.

Good starting points:

  • A protocol page that lists official sources
  • Official docs
  • The official app UI

Bad starting points:

  • Search results (ads can be malicious)
  • Random “airdrop list” sites
  • DMs and invite links

DeFi Farmer is built to be a safer starting point: its protocol pages list the official sources. Click out only after you’ve read those sources.

Step 2: validate the domain like you’re defusing a bomb

Treat domain validation as part of “doing the quest.”

Checklist:

  • Compare the domain to official docs and official announcements.
  • Check every character (lookalikes are subtle).
  • Watch for extra words and suffixes (e.g., “-claim”, “-airdrop”, “-rewards”).
  • Be suspicious of new subdomains you’ve never seen before.

If you’re on mobile, zoom in. If you’re tired, stop and do it later.

Use a “two-source rule” for official domains

One mention is not enough. Before you trust a domain, try to confirm it from two independent primary sources, for example:

  • the official docs site references the app domain, and the app links back to the docs
  • the official docs site references the domain, and an official announcement links to the same domain

If you can’t find a second confirmation, treat the domain as unverified. That single step kills most phishing attempts.
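The two-source rule and the domain checklist above, as an added Python example that is not part of the original post: a host is marked verified only when two independent primary sources list it character-for-character, and the lookalike patterns described here (extra words, unseen subdomains, non-ASCII or punycode labels) are flagged. The source lists, domains and suspicious words are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data (not a real protocol): the exact hosts that each
# independent primary source vouches for, filled in by hand per the two-source rule.
OFFICIAL_SOURCES = {
    "docs": {"app.example-protocol.xyz", "docs.example-protocol.xyz"},
    "announcement": {"app.example-protocol.xyz"},
}
# Extra words that phishing hosts bolt onto a brand name.
SUSPICIOUS_WORDS = {"claim", "airdrop", "rewards", "eligibility"}


def host_of(url: str) -> str:
    """Lowercase host of a URL; a bare 'domain/path' is treated as https."""
    parts = urlsplit(url if "//" in url else "https://" + url)
    return (parts.hostname or "").lower()


def parent_domain(host: str) -> str:
    """Naive registrable domain (last two labels): fine for .xyz, wrong for .co.uk."""
    return ".".join(host.split(".")[-2:])


def check_domain(url: str) -> dict:
    """Sources vouching for the exact host, lookalike findings, and a verdict."""
    host = host_of(url)
    known = set().union(*OFFICIAL_SOURCES.values())
    sources = sorted(n for n, hosts in OFFICIAL_SOURCES.items() if host in hosts)
    findings = []
    if not host.isascii() or "xn--" in host:
        findings.append("non-ASCII or punycode label (homoglyph lookalike)")
    hits = set(host.replace(".", "-").split("-")) & SUSPICIOUS_WORDS
    if hits:
        findings.append("suspicious words in host: " + ", ".join(sorted(hits)))
    if host not in known and parent_domain(host) in {parent_domain(k) for k in known}:
        findings.append("unseen subdomain of an official domain")
    # Two independent sources and no findings: only then is the host "verified".
    verdict = "verified" if len(sources) >= 2 and not findings else "unverified"
    return {"host": host, "sources": sources, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for url in ("https://app.example-protocol.xyz/quests",
                "https://docs.example-protocol.xyz",
                "https://app.example-protocol-claim.xyz/claim",
                "https://claim.example-protocol.xyz",
                "https://\u0430pp.example-protocol.xyz"):  # leading Cyrillic 'а'
        r = check_domain(url)
        print(f"{r['verdict']:10} {r['host']:36} {r['sources']} {r['findings']}")
```

The docs host is listed by only one source and so stays unverified, which is the intended behaviour of the rule rather than a false positive.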

Step 3: verify the path to the app (not the domain alone)

Some scams use the real domain but a malicious path via redirects, typos, or compromised links.

When possible:

  • Navigate from the homepage or docs navigation.
  • Avoid deep links shared by strangers.
  • Use bookmarks you created yourself.

Step 3.5: confirm contract addresses when you’re about to approve or deposit

You don’t need to inspect every contract for every swap, but when you’re about to:

  • grant a large approval
  • deposit into a contract that holds funds
  • stake into a position with lockups

Try to find published contract addresses in official sources (docs or official UI). If a protocol won’t publish addresses for contracts that custody user funds, treat that as a trust negative.

Step 4: do a “what will I sign?” pre-check

Before connecting, decide what is normal for the action you plan to take.

Examples:

  • A swap usually asks for an allowance approval for the input token.
  • A bridge often asks you to approve a token, then initiate a transfer.
  • A “claim” page can ask you to sign a message; message signing can still be used to drain you depending on what you sign and where you sign it.

You don’t need to become a security researcher, but you do need to recognize the risky patterns.

If approvals are a blind spot, read: token approvals and Permit2.
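Steps 3.5 and 4 together, as an added Python example that is not part of the original post: decode an ERC-20 approve() prompt, compare the spender against the addresses the docs publish, and flag unlimited or oversized allowances before signing. The published contract addresses are constructed placeholders; the approve selector and ABI word layout are standard ERC-20.

```python
from typing import Optional

# Constructed sample data (not a real protocol): contract addresses the official
# docs publish, keyed by lowercase hex address.
PUBLISHED_CONTRACTS = {
    "0x1111111111111111111111111111111111111111": "Router",
    "0x2222222222222222222222222222222222222222": "Vault",
}
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the "unlimited approval" sentinel many dapps request


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata, used to construct sample prompts."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> Optional[dict]:
    """Decode ERC-20 approve() calldata; None if this is some other call."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    # An address occupies the low 20 bytes of its 32-byte ABI word.
    spender = "0x" + data[8 + 24:8 + 64]
    return {"spender": spender, "amount": int(data[72:], 16)}


def precheck_approval(calldata: str, intended_amount: int) -> dict:
    """Compare a wallet approval prompt against what the planned action should need."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return {"ok": False, "reasons": ["not an ERC-20 approve() call; inspect it separately"]}
    reasons = []
    name = PUBLISHED_CONTRACTS.get(decoded["spender"])
    if name is None:
        reasons.append("spender is not a published contract address")
    if decoded["amount"] == MAX_UINT256:
        reasons.append("unlimited allowance requested")
    elif decoded["amount"] > intended_amount:
        reasons.append("allowance exceeds the amount this action needs")
    return {"ok": not reasons, "spender": decoded["spender"], "spender_name": name,
            "amount": decoded["amount"], "reasons": reasons}


if __name__ == "__main__":
    router = "0x1111111111111111111111111111111111111111"
    print(precheck_approval(encode_approve(router, 10**18), 10**18))            # ok
    print(precheck_approval(encode_approve(router, MAX_UINT256), 10**18))       # unlimited
    print(precheck_approval(encode_approve("0x" + "ab" * 20, 10**18), 10**18))  # unknown spender
```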

Common claim-page red flags (especially during snapshots)

Scams cluster around claim windows because users are primed to click fast. Watch for:

  • “Connect wallet to check eligibility” on a domain you didn’t bookmark
  • pressure language (“ending soon,” “final hours,” “act now”)
  • signature prompts that don’t match the action (for example, a “claim” that asks for broad permissions)
  • the UI asking you to add a new network or change settings in an unusual way

If something feels off, step back and verify again from primary sources. Missing a claim is painful; getting drained is worse.

Step 5: segment wallets to contain blast radius

A clean wallet setup prevents one mistake from becoming a total loss.

A simple model:

  • Vault wallet: long-term storage; never used for quests; no approvals.
  • Spending wallet: small balances; used for normal DeFi.
  • Farming wallet: used for points programs and quests; treated as higher risk.

If you want a detailed setup, read: wallet hygiene for points farming.

The verification checklist (copy/paste)

Use this checklist for every new program (last updated 2025-12-30). Each item states what you’re checking, how to verify it, and the failure mode you’re avoiding.

  • Program exists. Verify: official docs or the official UI mentions it. Avoids: fake campaigns invented by aggregators.
  • Official domain. Verify: the domain matches docs and official announcements. Avoids: lookalike domains and ad traps.
  • Official links. Verify: links are consistent across sources. Avoids: malicious redirects and link swaps.
  • Contracts. Verify: contract addresses are published in official sources. Avoids: approving the wrong contract.
  • Permissions. Verify: you understand why an approval is needed. Avoids: “unlimited approval” drains.
  • Exit path. Verify: you can unwind without a mystery step. Avoids: funds stuck behind cooldowns/queues.
  • Timing claims. Verify: deadlines are sourced, not rumored. Avoids: panic clicking and rushed signing.

If you can’t verify one item, treat the program as unverified and reduce exposure.

If you already clicked something sketchy

Focus on damage control, not blame.

  • Disconnect the site from your wallet (wallet UI).
  • Review recent approvals and revoke what you don’t recognize.
  • Move remaining funds to a clean wallet if you suspect compromise.

The goal is to stop a bad approval from becoming a slow bleed.

FAQ

Can message signing drain my wallet?

Sometimes. A message signature can authorize actions off-chain that later execute on-chain, depending on the system you’re interacting with. Treat unexpected signature requests as high risk.

Are verified social accounts “enough” proof?

They’re helpful, but not enough. You want a chain of evidence: the official app and docs should match the announcements.

Internal links reduce the chance you end up on a random domain. They don’t replace verification, but they reduce mis-clicks.

What’s the single safest habit?

Bookmarks you made yourself. Stop searching for the same app every day.

What should I do if I’m not sure the program is real?

Default to “unverified,” don’t connect a wallet, and move on. You can always come back after you find primary sources with dates.
