Best Practices
How to get the most out of private sending — from browser hygiene to transaction patterns.
Browser Security
Be mindful of your browser extensions.
RAILGUN provides gold-standard on-chain privacy, but your browser environment is part of the security picture too. Browser extensions have broad access to the pages you visit, which means they can potentially see what this app displays — balances, addresses, and transaction details.
Here's what to be aware of:
- Extensions with page-access permissions can read content on any site you visit, including this app
- An extension could theoretically read clipboard contents (e.g., a pasted recipient address), observe page interactions, or access browser storage where wallet data is kept
- Extensions occasionally change ownership, and permissions can shift with updates — it's good practice to periodically review what you have installed
None of this is unique to this app — it applies to any web-based crypto wallet or dApp. The RAILGUN protocol itself remains secure regardless. This is simply about ensuring your local environment matches the privacy standard of the protocol.
Simple steps to stay secure:
- Use a dedicated browser profile for crypto activity — Chrome, Firefox, and Brave all support multiple profiles. A clean profile with only MetaMask installed removes the most common source of browser-side exposure.
- Review your installed extensions from time to time — remove ones you no longer use, and check what permissions they request.
- MetaMask is the only extension needed to use this app — fewer extensions means a smaller surface area.
- Private browsing mode does not disable extensions by default in most browsers — a separate profile is more effective.
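When reviewing what an extension can see, the manifest is the ground truth: host match patterns (in `permissions` for Manifest V2, `host_permissions` and `content_scripts[].matches` for V3) decide which pages its scripts can read, and permissions such as `clipboardRead` grant the clipboard access mentioned above. The following is an added example, not code from the RAILGUN app, that scores a manifest against the origin of the wallet site you use; the two sample manifests and the `https://wallet.example` origin are constructed placeholders.

```javascript
// Added example: classify a browser extension manifest by the page and
// clipboard access it requests. Sample manifests below are constructed.

// Permissions that warrant a second look in a crypto profile.
const SENSITIVE_PERMISSIONS = new Set([
  'clipboardRead', 'clipboardWrite', 'webRequest', 'debugger',
  'tabs', 'cookies', 'nativeMessaging', 'scripting',
]);

// Collect every host match pattern the manifest declares, across the
// places V2 and V3 manifests put them.
function hostPatterns(manifest) {
  const fromPerms = (manifest.permissions || [])
    .filter((p) => p === '<all_urls>' || p.includes('://'));
  const hosts = manifest.host_permissions || [];
  const scripts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  return [...fromPerms, ...hosts, ...scripts];
}

// Does a Chrome-style match pattern cover the given origin?
// '*' as scheme means http or https only; '*.host' covers subdomains.
function patternMatchesOrigin(pattern, origin) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  const url = new URL(origin);
  const originScheme = url.protocol.replace(':', '');
  if (scheme === '*') {
    if (originScheme !== 'http' && originScheme !== 'https') return false;
  } else if (scheme !== originScheme) {
    return false;
  }
  if (host === '*') return true;
  if (host.startsWith('*.')) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith('.' + base);
  }
  return url.hostname === host;
}

// Summarise one manifest: does it read every page, does it read the
// wallet app specifically, and which sensitive permissions does it hold?
function assessExtension(manifest, appOrigin) {
  const patterns = hostPatterns(manifest);
  const broadPageAccess = patterns.some(
    (p) => p === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(p),
  );
  const canReadApp = patterns.some((p) => patternMatchesOrigin(p, appOrigin));
  const sensitive = (manifest.permissions || [])
    .filter((p) => SENSITIVE_PERMISSIONS.has(p));
  return { name: manifest.name, broadPageAccess, canReadApp, sensitive };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  {
    name: 'Coupon Finder (constructed)',
    manifest_version: 3,
    permissions: ['storage', 'clipboardRead'],
    host_permissions: ['<all_urls>'],
  },
  {
    name: 'Tab Counter (constructed)',
    manifest_version: 3,
    permissions: ['storage'],
    content_scripts: [{ matches: ['https://*.example.com/*'], js: ['cs.js'] }],
  },
];

// Run the check against the origin of the wallet site (placeholder).
function reviewProfile(appOrigin = 'https://wallet.example') {
  return SAMPLE_MANIFESTS.map((m) => assessExtension(m, appOrigin));
}

for (const r of reviewProfile()) console.log(r);
```

Run it once against each manifest exported from the browser's extensions page; anything that reports `canReadApp: true` or a non-empty `sensitive` list is a candidate for removal from the dedicated crypto profile.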
For extra peace of mind:
- A hardware wallet (Ledger, Trezor) connected through MetaMask means the signature that derives your RAILGUN key is signed on the device itself, adding a layer of protection.
- Bookmark this site rather than navigating via search results or links — this avoids phishing sites that may look identical.
Transaction Privacy
- Use broadcaster mode — your public address stays off the unshield transaction. This is the single most impactful privacy choice.
- Avoid distinctive amounts — don't shield and unshield 1,337.42 tokens. Round numbers blend into larger anonymity sets. The more common the amount, the harder to correlate.
- Wait before unshielding — the longer tokens sit in the shielded pool, the more other deposits and withdrawals occur around yours, growing the anonymity set.
- Don't reuse the exact shield amount — if you shield 100 and immediately unshield 100, timing and amount correlation makes deanonymization straightforward.
- Don't link sender and recipient — ensure the recipient address has no public, on-chain, or social-media association with your sender address.
- Use a fresh recipient address when possible — an address with no prior history is ideal.
- Consider multiple chains — using RAILGUN on different chains fragments your on-chain footprint further. Cross-chain correlation is significantly harder.
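The amount, timing, and recipient rules above can be turned into a self-check you run against your own shield history before unshielding. The following is an added example and not part of the RAILGUN app; the 24-hour minimum dwell time, the notion of a "round" amount, and the sample history are assumptions chosen for illustration, and the `recipientHasHistory` / `recipientLinkedToSender` flags stand in for whatever block-explorer or social lookup you do by hand.

```javascript
// Added example: pre-unshield privacy self-check implementing the
// correlation heuristics from the Transaction Privacy list.
// Thresholds and sample data are constructed assumptions.

const MIN_DWELL_MS = 24 * 60 * 60 * 1000; // assumed: let deposits sit a day
const ROUND_UNITS = [1000, 100, 10, 1];   // whole amounts divisible by these read as common

// Largest unit the amount divides evenly by, or 0 for amounts such as
// 1337.42 that are fractional or otherwise distinctive.
function roundness(amount) {
  if (!Number.isInteger(amount) || amount <= 0) return 0;
  for (const unit of ROUND_UNITS) {
    if (amount % unit === 0) return unit;
  }
  return 0;
}

// plan:    { amount, timestampMs, recipientHasHistory, recipientLinkedToSender }
// history: prior shields by this wallet, [{ amount, timestampMs }]
// Returns an array of { code, message }; empty means no heuristic fired.
function assessUnshield(plan, history) {
  const warnings = [];
  const warn = (code, message) => warnings.push({ code, message });

  if (roundness(plan.amount) === 0) {
    warn('distinctive-amount', `${plan.amount} is not a round amount and is easy to correlate`);
  }

  const latestShield = history.reduce(
    (latest, s) => Math.max(latest, s.timestampMs), -Infinity,
  );
  if (latestShield !== -Infinity && plan.timestampMs - latestShield < MIN_DWELL_MS) {
    const minutes = Math.round((plan.timestampMs - latestShield) / 60000);
    warn('short-dwell', `only ${minutes} min since your last shield; anonymity set is still small`);
  }

  if (history.some((s) => s.amount === plan.amount)) {
    warn('amount-reuse', `you previously shielded exactly ${plan.amount}; amount matching links the two`);
  }

  if (plan.recipientHasHistory) {
    warn('recipient-history', 'recipient address has prior history; a fresh address is preferable');
  }
  if (plan.recipientLinkedToSender) {
    warn('recipient-linked', 'recipient is publicly associated with the sender address');
  }
  return warnings;
}

// Constructed sample: one shield of 100 tokens at T0.
const T0 = Date.UTC(2024, 0, 1);
const SAMPLE_HISTORY = [{ amount: 100, timestampMs: T0 }];

// Two constructed plans: a hasty one and a careful one.
const HASTY_PLAN = {
  amount: 100, timestampMs: T0 + 5 * 60 * 1000,
  recipientHasHistory: true, recipientLinkedToSender: false,
};
const CAREFUL_PLAN = {
  amount: 50, timestampMs: T0 + 3 * MIN_DWELL_MS,
  recipientHasHistory: false, recipientLinkedToSender: false,
};

for (const w of assessUnshield(HASTY_PLAN, SAMPLE_HISTORY)) console.log(w.code, '-', w.message);
```

The checks are deliberately conservative: a warning does not mean the protocol has failed, only that an observer comparing public shield and unshield transactions would have an easy correlation to make. Clearing every warning is the user-side complement to the privacy the shielded pool itself provides.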
Operational Hygiene
- Keep your browser data — clearing IndexedDB means your RAILGUN wallet database is deleted. You'll need to re-derive your wallet (same signature) and do a full Merkle tree resync. Your tokens remain safe on-chain but the resync takes time.
- Don't share your screen while using this app — screen recordings or screenshots can capture balances, addresses, transaction details, and pipeline state.
- Don't discuss specific transaction details on social media or messaging apps — metadata correlation (timing, amounts, tokens mentioned) can be used to link activity.
- Use a VPN or Tor for your internet connection if you want to prevent your ISP or network operator from seeing that you're interacting with RAILGUN RPC endpoints and the Waku broadcaster network. Note that some VPNs/firewalls may block Waku's libp2p connections (see Troubleshooting).
- Be aware of timing correlation — if you publicly announce you're about to send tokens, then a shield appears on-chain moments later, the correlation is obvious regardless of the protocol's privacy guarantees.
Physical & Environmental
- Use a trusted device — a compromised operating system (malware, keyloggers, remote access tools) defeats all browser-level and protocol-level privacy.
- Keep your OS and browser updated — security patches close vulnerabilities that could be exploited to access browser storage or intercept cryptographic operations.
- Lock your computer when stepping away — anyone with physical access to an unlocked session can interact with your wallet.
- Be cautious on public or shared computers — the RAILGUN wallet key is derived from your MetaMask signature. If someone has access to your MetaMask (or the session is still unlocked), they can derive the same key.