EVM Address Security: Ethereum, Base, Polygon, and More
The Ethereum Virtual Machine has become the dominant smart contract platform, and its address format extends far beyond Ethereum itself. Polygon, Arbitrum, Optimism, Base, BNB Chain, and Avalanche all share the same address system. This universality is powerful but introduces security nuances that every user needs to understand.
This guide covers how EVM addresses work under the hood, why a single private key controls assets across every EVM chain, how checksums protect you from typos, and the most common mistakes that lead to lost funds.
EVM Addresses Are Universal¶
Every EVM-compatible blockchain uses the same address format: a 40-character hexadecimal string prefixed with 0x. The address 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 is valid on Ethereum, Polygon, Arbitrum, Optimism, Base, BNB Chain, Avalanche, and every other EVM chain that exists or will exist.
This universality is not coincidental. It is a direct consequence of how EVM addresses are derived. The process works the same way everywhere:
- Generate a random 256-bit private key.
- Compute the public key using the secp256k1 elliptic curve.
- Take the Keccak-256 hash of the 64-byte public key (the X and Y coordinates, excluding the 0x04 prefix byte of the uncompressed encoding).
- Keep the last 20 bytes (40 hex characters) of the hash.
- Prepend 0x.
Because every EVM chain follows this exact derivation, the same private key always produces the same address on every chain. There is no chain-specific element in the address itself. The address is purely a function of the private key and the secp256k1 curve. Note that "Keccak-256" here means the original Keccak submission, not the NIST-standardized SHA3-256: the two differ in their padding and produce different digests, so a library's sha3_256 function yields the wrong address.
This is fundamentally different from how Bitcoin addresses work. Bitcoin has multiple address formats (Bech32, Base58Check, etc.) that encode version bytes and chain-specific data. A Bitcoin mainnet address is visually and structurally distinct from a testnet address. EVM chains have no such distinction, which is both a convenience and a source of risk.
One Private Key, Many Chains¶
When you create an Ethereum wallet, whether through MetaMask, a hardware wallet, or SafeSeed's Ethereum Seed Phrase Generator, your seed phrase gives you access to the same address on every EVM chain simultaneously. This is a feature, but it has important security implications.
The advantage: You only need to secure one seed phrase or private key to control your assets across all EVM chains. There is no need for separate wallets for Polygon, Arbitrum, or Base. Understanding seed phrases vs private keys helps clarify this relationship.
The risk: If your private key is compromised, an attacker gains access to your funds on every EVM chain at once. A single leaked seed phrase means losing your ETH on Ethereum, your MATIC on Polygon, your ARB on Arbitrum, and any tokens on any other EVM chain where that address holds value. The blast radius of a compromise is much larger than it would be with chain-specific keys.
This shared-key model also means that derivation paths matter. The standard Ethereum derivation path defined by BIP44 is m/44'/60'/0'/0/0. Most wallets use this same path for all EVM chains, which is why your address stays consistent across networks. Some wallets offer chain-specific derivation paths (for example, m/44'/966'/0'/0/0 for Polygon, using its own SLIP-44 coin type 966 instead of Ethereum's 60; note that 137 is Polygon's chain ID, not its coin type), but this is uncommon in practice. If you used a non-standard derivation path, make sure to document it. Our deep dive into HD wallets and derivation paths covers the technical details.
Practical implication for key generation: When you generate an Ethereum wallet, you are generating a wallet for the entire EVM ecosystem. Treat the security of that wallet accordingly. Use proper entropy from a cryptographically secure source, generate offline if holding significant value, and follow cold storage best practices.
EIP-55 Mixed-Case Checksums¶
One of the subtler aspects of EVM address security is the checksum mechanism. Ethereum addresses are hexadecimal, using characters 0-9 and a-f. Since hex is case-insensitive, 0xab12cd and 0xAB12CD represent the same address. This creates a problem: there is no built-in way to detect typos.
EIP-55, authored by Vitalik Buterin, solved this by encoding a checksum in the capitalization of the address. Here is how it works:
- Take the lowercase hexadecimal address without the 0x prefix.
- Compute the Keccak-256 hash of the ASCII bytes of that lowercase string (not of the 20 raw address bytes).
- For each character in the address: if the hash nibble at the same position is 8 or higher, write the character in uppercase; otherwise keep it lowercase. Digits have no case, so only the letters a-f carry checksum information.
The result is an address like 0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed where the capitalization pattern serves as a checksum. If you change any character, the capitalization pattern will no longer match, and a properly implemented wallet will flag the address as invalid.
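The derivation steps above and the EIP-55 procedure share one primitive, Keccak-256, so the following added example (not SafeSeed's code or the page's own) implements both in pure Python with no third-party library: Keccak-256, secp256k1 scalar multiplication, private_key_to_address for the five derivation steps, to_checksum_address for EIP-55, and classify_address, which also reports the case the text does not cover, an all-lowercase or all-uppercase address that carries no checksum at all. The function and variable names are this example's own; the only external inputs are the EIP-55 test vector quoted above and, for illustration, the private key 1.

```python
# Added example (not SafeSeed's code): the whole EVM address pipeline in pure Python,
# Keccak-256, secp256k1 and EIP-55 included, so nothing has to be trusted blindly.
# Slow by design; fine for checking a handful of addresses.
_MASK64 = (1 << 64) - 1
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_P = 2**256 - 2**32 - 977                                   # secp256k1 field prime
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK64

def _keccak_f(a):
    """Keccak-f[1600]; lane i = x + 5*y. Theta, rho+pi, chi, iota per round."""
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for i in range(25):
            x, y = i % 5, i // 5
            b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[i], _ROT[i])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]
        a[0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad byte 0x01); hashlib.sha3_256 pads with 0x06 and differs."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)                     # rate = 1088 bits = 136 bytes
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            state[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])

def _ec_add(p, q):
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None                                          # P + (-P) = infinity
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P

def _ec_mul(k, pt):
    acc = None
    while k:                                                 # double-and-add
        if k & 1:
            acc = _ec_add(acc, pt)
        pt, k = _ec_add(pt, pt), k >> 1
    return acc

def private_key_to_address(priv: int) -> str:
    """Steps 2-5 of the derivation: public key, Keccak-256 of the 64-byte X||Y
    (the 0x04 prefix of the uncompressed encoding is NOT hashed), last 20 bytes, 0x."""
    if not 1 <= priv < _N:
        raise ValueError("private key must be in [1, n-1]")
    x, y = _ec_mul(priv, _G)
    pub = x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return to_checksum_address("0x" + keccak256(pub)[-20:].hex())

def to_checksum_address(addr: str) -> str:
    """EIP-55: Keccak-256 the ASCII of the lowercase hex (no 0x); uppercase each
    letter whose hash nibble at the same index is >= 8. Digits never change."""
    low = (addr[2:] if addr[:2].lower() == "0x" else addr).lower()
    if len(low) != 40 or not set(low) <= set("0123456789abcdef"):
        raise ValueError("not a 20-byte hex address")
    nib = keccak256(low.encode("ascii")).hex()
    return "0x" + "".join(c.upper() if int(nib[i], 16) >= 8 else c for i, c in enumerate(low))

def classify_address(addr: str) -> str:
    """'checksummed', 'bad-checksum', 'no-checksum' (all one case: nothing to verify,
    which most tools accept silently) or 'malformed'."""
    try:
        expected = to_checksum_address(addr)
    except ValueError:
        return "malformed"
    body = addr[2:] if addr[:2].lower() == "0x" else addr
    if body == body.lower() or body == body.upper():
        return "no-checksum"
    return "checksummed" if body == expected[2:] else "bad-checksum"
```

classify_address("0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed") returns "checksummed"; flipping the case of a single letter in that string returns "bad-checksum"; lowercasing the whole string returns "no-checksum", which is the case a wallet must not mistake for a verified address. private_key_to_address(1) reproduces the well-known address for private key 1, 0x7E5F4552091A69125d5DfCb7b8C2659029395Bdf, which is a convenient smoke test for any Keccak implementation.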
This matters for security because:
- Clipboard hijacking malware that replaces a copied address with an attacker's address is caught only if the substitution leaves the checksum inconsistent. An attacker who pastes in a complete, correctly checksummed address of their own passes this check, so the checksum guards against corruption, not against substitution.
- Manual transcription errors (entering an address by hand) are caught before funds are sent to a black hole.
- Address poisoning attacks, where an attacker sends tiny transactions from a lookalike address, are only weakly mitigated. The lookalike is a real address with its own valid checksum, so validation passes; what the checksum adds is a mixed-case pattern that will usually differ from the real address, one more visual cue if you compare the full string rather than just its ends.
You can validate that an EVM address has a correct EIP-55 checksum using SafeSeed's Ethereum Address Validator. Always verify addresses before sending significant transactions. For a broader view of address format differences across chains, see our guide on crypto address formats.
A critical note: EIP-55 checksums are enforced by wallets, not by the blockchain itself. The Ethereum protocol accepts transactions to any 20-byte address regardless of capitalization. If your wallet software does not implement EIP-55 validation, you lose this protection. Note also that an all-lowercase or all-uppercase address carries no checksum at all, and most tools accept one silently; the protection applies only to mixed-case addresses. Always use well-maintained wallet software that performs checksum verification.
Common Cross-L2 Mistakes¶
The proliferation of Layer 2 networks and EVM sidechains has introduced new categories of user errors. Understanding these can save you from costly mistakes.
Sending tokens on the wrong network¶
The most common mistake: you mean to send USDC on Arbitrum but accidentally send it on Ethereum mainnet (paying much higher gas fees), or worse, you send to an address on a network where the recipient has no access, for example an exchange deposit address that is only monitored on Ethereum mainnet. The tokens then sit at that address on the other chain, and the exchange may never credit them. Since addresses are identical across chains, wallets cannot always detect this error.
Prevention: Always confirm the network selector in your wallet before signing a transaction. Double-check the chain ID, which is the technical identifier that distinguishes EVM networks from each other.
Sending to a contract address that does not exist on the target chain¶
A smart contract deployed on Ethereum at address 0xABC... may not exist on Polygon. If you send tokens directly to a contract address on a chain where no contract is deployed, your tokens land at an address with no code and no known private key, which nobody controls. They are permanently lost unless the original deployer can reproduce the same address on that chain, which requires the same deployer account and nonce for CREATE, or the same factory, salt and bytecode for CREATE2; in practice this rarely applies, so treat the funds as gone.
Prevention: If sending to a contract, verify that the contract is deployed on the specific chain you are using. Block explorers like Etherscan, Polygonscan, and Arbiscan each cover their respective chains.
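Both checks above, the chain ID confirmation and the "is there actually a contract at this address on this chain" confirmation, can be scripted against any node's JSON-RPC interface before a transfer is signed. The following is an added example (not SafeSeed's code or the page's own) using only the Python standard library. RPC_URL and TARGET are constructed placeholders, stub_rpc is a constructed stand-in for a real node so the example runs offline, and the function names are this example's own; the two RPC methods it relies on, eth_chainId and eth_getCode, are standard Ethereum JSON-RPC.

```python
# Added example (not SafeSeed's code): pre-send checks over JSON-RPC that the node
# is on the chain you intend and that the destination holds contract code there.
# Standard library only; RPC_URL and TARGET are placeholders, stub_rpc is a constructed node.
import json
import urllib.request

RPC_URL = "https://rpc.example.invalid"                      # placeholder, substitute your own node
TARGET = "0x1111111111111111111111111111111111111111"        # constructed destination address


def http_rpc(url=RPC_URL):
    """Return a transport: (method, params) -> JSON-RPC result, raising on RPC errors."""
    def call(method, params):
        payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply["result"]
    return call


def stub_rpc(chain_id_hex, code_by_address):
    """Constructed offline stand-in for a node: fixed chain ID, code only for listed addresses."""
    codes = {k.lower(): v for k, v in code_by_address.items()}
    def call(method, params):
        if method == "eth_chainId":
            return chain_id_hex
        if method == "eth_getCode":
            return codes.get(params[0].lower(), "0x")         # "0x" is what a node returns for no code
        raise KeyError(method)
    return call


def precheck_contract_send(rpc, expected_chain_id, address):
    """Return (ok, detail). ok is False if the node is on another chain or the
    address has no code there; in both cases a token transfer would strand the funds."""
    chain_id = int(rpc("eth_chainId", []), 16)
    if chain_id != expected_chain_id:
        return False, f"node reports chain {chain_id}, expected {expected_chain_id}"
    code = rpc("eth_getCode", [address, "latest"])
    size = (len(code) - 2) // 2 if code.startswith("0x") else 0
    if size == 0:
        return False, f"{address} has no code on chain {chain_id} (EOA or never deployed)"
    return True, f"{address} has {size} bytes of code on chain {chain_id}"
```

With a real node the call is precheck_contract_send(http_rpc("https://your-node"), 137, address) before sending on Polygon; against the constructed stub, a node reporting chain 0x89 while you expected 1 is refused on the chain ID alone, and a node on the right chain that returns "0x" for eth_getCode is refused because the destination has no code there.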
Bridge-related losses¶
Moving assets between EVM chains requires bridges, and bridges have been the source of some of the largest exploits in crypto history. The shared address format makes bridging feel seamless, but the underlying mechanics are anything but simple.
Prevention: Use well-established bridges with strong security track records. Never bridge through links found in emails, DMs, or unfamiliar websites. Verify bridge contract addresses through official documentation.
Address poisoning attacks¶
An attacker monitors the blockchain for your transactions, then sends a tiny amount from an address that visually resembles yours (matching the first and last few characters). Later, when you copy an address from your transaction history, you might accidentally copy the attacker's lookalike address.
Prevention: Never copy addresses from transaction history. Always use your address book or generate a fresh copy from your wallet. Validate any address before sending with a tool like SafeSeed's Ethereum Address Validator. Be especially cautious of addresses that match only the first and last four characters. Understanding common crypto scams involving seed phrases helps you recognize broader attack patterns.
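The first-and-last-four-characters comparison that wallets and explorers encourage is exactly what poisoning exploits, and it can be turned around into a detector: any counterparty in your history that matches an address-book entry at both ends without being identical is suspicious. The following is an added example (not SafeSeed's code or the page's own) that runs that audit over a constructed transaction history; the addresses, transaction labels and function names are all constructed for illustration.

```python
# Added example (not SafeSeed's code): flag poisoning lookalikes in a transaction
# history by comparing each counterparty against an address book. All data constructed.

def _hex_body(addr):
    return (addr[2:] if addr[:2].lower() == "0x" else addr).lower()


def lookalike_score(candidate, trusted):
    """Return (leading, trailing): how many hex characters candidate shares with trusted
    at the start and at the end. Identical addresses score (40, 0)."""
    c, t = _hex_body(candidate), _hex_body(trusted)
    lead = 0
    while lead < 40 and c[lead] == t[lead]:
        lead += 1
    trail = 0
    while trail < 40 - lead and c[39 - trail] == t[39 - trail]:
        trail += 1
    return lead, trail


def classify_counterparty(addr, address_book, edge=4):
    """'known' if the address is in the book, 'lookalike' if it matches a book entry on
    at least `edge` characters at both ends without being identical, else 'unknown'.
    edge=4 mirrors the 0x1234...abcd abbreviation most wallets display."""
    for trusted in address_book:
        lead, trail = lookalike_score(addr, trusted)
        if lead == 40:
            return "known"
        if lead >= edge and trail >= edge:
            return "lookalike"
    return "unknown"


def audit_history(history, address_book, edge=4):
    """history: iterable of (label, counterparty, value_wei). Returns the rows whose
    counterparty is a lookalike of a trusted address; these are the ones never to copy."""
    return [(label, cp, value) for label, cp, value in history
            if classify_counterparty(cp, address_book, edge) == "lookalike"]


# Constructed sample data: one trusted exchange address, one attacker lookalike that
# shares its first four and last four characters, one unrelated address.
TRUSTED = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
LOOKALIKE = "0x1a2b" + "f" * 32 + "9a0b"
UNRELATED = "0x" + "0" * 40
ADDRESS_BOOK = [TRUSTED]
SAMPLE_HISTORY = [
    ("tx-1 withdrawal to exchange", TRUSTED, 10**18),
    ("tx-2 dust received", LOOKALIKE, 1),         # the poisoning transaction
    ("tx-3 payment", UNRELATED, 5 * 10**17),
]
```

Running audit_history(SAMPLE_HISTORY, ADDRESS_BOOK) returns only the dust transaction: the lookalike shares four leading and five trailing characters with the trusted address, so an abbreviated display shows them as the same, while the unrelated address shares nothing and is simply "unknown". Tightening edge to a larger value lowers sensitivity, which is why the text recommends an address book over any visual comparison at all.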
Ignoring EIP-55 warnings¶
Some users, particularly those interacting with DeFi protocols through command-line tools or raw transactions, bypass checksum validation. This removes a critical safety net.
Prevention: Always use checksummed addresses. If a tool gives you a lowercase address, convert it to checksummed format before using it.
Generating EVM Addresses Safely¶
Given that a single EVM address controls assets across multiple chains worth potentially significant sums, the generation process deserves serious attention.
Use cryptographically secure randomness¶
The security of every EVM address begins with the quality of the random number used to generate the private key. SafeSeed's Ethereum Private Key Generator uses the Web Crypto API to source randomness from your operating system's cryptographic random number generator, all running entirely in your browser with nothing sent to any server. Learn more about what entropy means in crypto and why it matters for key generation.
Generate offline for high-value wallets¶
If you are creating a wallet that will hold significant value across multiple EVM chains, generate it offline. Download SafeSeed, disconnect from the internet, generate your seed phrase, record it physically, and close the browser before reconnecting. Our step-by-step guide to generating an Ethereum wallet offline walks through the entire process.
Derive addresses correctly¶
When generating from a BIP39 seed phrase, make sure you are using the correct derivation path for Ethereum: m/44'/60'/0'/0/0. Using the wrong path will produce a valid address, but one that your regular wallet software may not find when you restore from the seed phrase. This is a particularly stressful situation because your funds are not lost, but they appear missing until you discover the correct path.
Validate before funding¶
Before sending any cryptocurrency to a newly generated address, verify it with SafeSeed's Ethereum Address Validator. Confirm the EIP-55 checksum is correct. Consider sending a small test transaction first, then verifying receipt before transferring larger amounts.
Document your setup¶
Record which wallet software, derivation path, and network you used. If you are holding assets across multiple EVM chains from the same seed phrase, document which chains hold which assets. This information is critical for heirs or for your own recovery if you need to restore access years later.
The shared address model across EVM chains is one of the ecosystem's greatest conveniences. It is also a concentrated point of failure. By understanding how it works, respecting checksum validation, avoiding common cross-chain mistakes, and generating your keys securely, you can take full advantage of the multi-chain EVM world without exposing yourself to unnecessary risk.