Overview
This Policy type enables you to govern your dApp connections directly from your workspace. You can allow or block specific dApps from being connected to your workspace.
With our latest update, dApp connections are restricted to a Managed dApps list. This list can include:
- Fireblocks predefined list: a curated set of frequently used dApps, defined by Fireblocks.
- Customer-defined list: dApps that you whitelist and approve within your workspace.
▶
Fireblocks Predefined dApps List
| dApp Name | URL |
|---|---|
| 1inch | 1inch.io |
| Aave | aave.com |
| Aerodrome Finance | aerodrome.finance |
| Arbitrum | arbitrum.io |
| Arbiscan | arbiscan.io |
| August Digital | augustdigital.io |
| Balancer | balancer.fi |
| BaseScan | basescan.org |
| Beefy Finance | beefy.com |
| Bitbond | bitbond.com |
| Blockdaemon | blockdaemon.com |
| Bosonic | bosonic.digital |
| BscScan | bscscan.com |
| Camelot | camelot.exchange |
| CCTP | cctp.io |
| Chainlink | chain.link |
| Circle | circle.com |
| Compound Finance | compound.finance |
| CoW Protocol | cow.fi |
| Curve Finance | curve.fi |
| deBridge Finance | debridge.finance |
| DeFiLlama | defillama.com |
| Definitive Finance | definitive.fi |
| Derive | derive.xyz |
| DiGift | digift.sg |
| Drift | drift.trade |
| Enclave Market | enclave.market |
| Ethena | ethena.fi |
| Ether.fi | ether.fi |
| Etherscan | etherscan.io |
| Euler Finance | euler.finance |
| Falcon Finance | falcon.finance |
| Felix | usefelix.xyz |
| Figment | figment.io |
| GMX Protocol | gmx.io |
| GoBob | gobob.xyz |
| GunzChain | gunzchain.io |
| Hedgey Finance | hedgey.finance |
| Hyperliquid | hyperliquid.xyz |
| Hyperliquid Testnet | hyperliquid-testnet.xyz |
| Immutable | immutable.com |
| Jito Network | jito.network |
| Jumper Exchange | jumper.exchange |
| Jupiter | jup.ag |
| JustLend | justlend.org |
| Kamino Finance | kamino.finance |
| Kayen | kayen.org |
| Kiln | kiln.fi |
| Lido | lido.fi |
| Liquifi | liquifi.finance |
| M0 | m0.org |
| Magna | magna.so |
| Maple Finance | maple.finance |
| Meteora AG | meteora.ag |
| Metapool | metapool.app |
| Molecula | molecula.io |
| Morpho | morpho.org |
| Obligate | obligate.com |
| Ondo Finance | ondo.finance |
| OnBeam | onbeam.com |
| Open Trade | open-trade.io |
| OpenSea | opensea.io |
| PancakeSwap | pancakeswap.finance |
| Peaq | peaq.xyz |
| Pectra Staking | pectrastaking.com |
| Pendle Finance | pendle.finance |
| Polygon | polygon.technology |
| PolygonScan | polygonscan.com |
| Portal Bridge | portalbridge.com |
| Pudgy Penguins | pudgypenguins.com |
| Pyth Network | pyth.network |
| Rabby | rabby.io |
| Railway | railway.app |
| Raydium | raydium.io |
| Ready Player.me | readyplayer.me |
| Relay | relay.link |
| Render Network | rendernetwork.com |
| Reown | reown.com |
| Request Finance | request.finance |
| Sablier | sablier.com |
| Safe | safe.global |
| Securitize | securitize.io |
| Sky Money | sky.money |
| Sonic Labs | soniclabs.com |
| Sovrun | sovrun.org |
| Spark Finance | spark.fi |
| Squads | squads.so |
| Stargate | stargate.finance |
| Streamflow Finance | streamflow.finance |
| Subsquid | subsquid.io |
| Superbridge | superbridge.app |
| Testnet.fi | testnet.fi |
| Tokeny | tokeny.com |
| TokenOps | tokenops.xyz |
| Uniswap | uniswap.org |
| Usual Money | usual.money |
| Virtuals | virtuals.io |
| WalletConnect | walletconnect.com |
| Wildcat Finance | wildcat.finance |
| XinFin Network | xinfin.network |
| Zeebu Finance | zeebu.fi |
Benefits
The benefits of developing the dApp connection policy are:
- It adds an additional layer of protection to your assets by governing the dApp connection process.
- It prevents malicious attacks that connect existing, legitimate contracts to malicious dApps.
- It allows you to specify exactly who within your organization can connect to certain dApps based on their operational roles or areas of responsibility.
Creating a dApp Connection Rule
To get started, in the Console’s left navigation panel, select Policies > dApp connection to create a Policy rule.
When defining a rule, the Destination must be selected from the Managed dApps list. You can select from:
- Fireblocks predefined dApps: A curated set of ~100 commonly used dApps, defined by Fireblocks.
- Customer-defined dApps: dApps that your organization adds to its workspace by creating and whitelisting them (see Adding dApps to the workspace section below).
If a dApp is not in either list, the connection will be blocked until it is added to your workspace’s whitelist and approved.
Adding dApps to the Workspace
To extend beyond the Fireblocks predefined list, you can add your own dApps directly into your workspace:
- In the Console’s left navigation panel, go to Whitelisted Addresses.
- Select Add.
- Select Whitelisted dApp wallet.
- In the Add a whitelisted dApp wallet modal, enter the container name (e.g., DeFi dApps).
- Select Add wallet.
- Select Add dApp.
- In the Whitelisted a dApp modal, enter the dApp details (name and URL).
- Submit for quorum approval, the same way you approve external or internal wallets or contracts.
Once approved, these dApps appear in your workspace under the Whitelisted addresses.
When you next create or edit a dApp Connection Policy rule, you can select from:
- Fireblocks predefined dApps
- The dApps you have created and approved within your workspace
This workflow ensures that only allowed dApps, whether Fireblocks-defined or customer-defined, are available for connections.
Note:
dApp Connection enforcement is executed against the main URL (no subdomains and directories are included). For that reason, when a URL is saved as a Whitelisted dApp, using subdomains and directories, it is trimmed to its main URL form, e.g. subdomain.url.com/directory will be trimmed to url.com and the enforcement of all connections to this domain will be done against url.com.
Configuring an existing dApp Connection Rule
Use the Policy Editor to configure an existing rule.
Enforcement Across Platforms
Once dApp connection rules are configured, Fireblocks enforces them across all dApp connection paths to ensure consistent security coverage. Enforcement now checks against the Managed dApps list:
- If the dApp is predefined or customer-defined, the rule applies as expected (Allow/Block). If the dApp is not in the Managed dApps list, the connection is automatically blocked.
- If the dApp is not predefined or customer-defined, the connection is automatically blocked.
- When attempting to add a new dApp, workspace quorum rules apply — admins may need to approve the dApp before it can be used.
If a dApp is flagged as suspicious (e.g., by Fireblocks’ security integrations), users are warned, and an admin signature/approval may be required.
Enforcement applies consistently across the following interfaces:
Console
When you attempt to connect a vault to a dApp through the Console interface, you will be blocked or allowed based on the applicable policy. If a dApp is not on the Managed dApps list (predefined or customer-defined), the connection will be rejected with a clear message and guidance to adjust the policy or add the dApp to your workspace whitelist. As an admin, you can manage, approve, and edit rules through the policy section of the Console.
Browser extension (DeFi)
When you interact with dApps via the browser extension, policy enforcement occurs before the dApp connection is finalized. If you switch vaults mid-session, the extension checks whether the new vault is permitted to connect to the dApp under the active policy.
If the new vault is not allowed to connect based on the Policy rules, and it is currently connected, you will be disconnected. If it is not connected, no action is required. These enforcement checks follow the same policy logic defined in the Console.
Mobile
The Fireblocks mobile app also enforces the connection policy. When you attempt to connect to a dApp via mobile device, you will see the same enforcement behavior as in the Console and extension. If an unauthorized connection attempt occurs, the app will guide you through steps to either request admin approval or modify existing Policy rules.
This multi-platform enforcement ensures secure and predictable behavior regardless of how you initiate a dApp connection.
To ensure secure interactions with a dApp, Fireblocks enforces dApp connection rules upon every dApp connection attempt and every transaction with a dApp, to make sure the connection is valid.
Note:
If Block is selected upon rule creation, the admin will be notified via email.
Connection rejections and the “Connected dApps” view
Once a dApp connection rule is properly configured, you will only be able to connect to dApps that are explicitly allowed by that rule. When a connection is successfully made to an allowed dApp, it will appear in the Console’s Connected dApps section, located under the Web3 access tab, which shows all currently active or recently connected dApps.
If you try to connect to a dApp that is not included in the Managed dApps list (predefined or customer-defined, and not permitted under any rule), the system will block the connection.
In such blocking case, you will see the “This connection is not allowed by the policy” rejection message displayed:
- In the Console, when attempting a connection manually.
- In the DeFi extension, during interaction with a non-authorized dApp.
- In the mobile app, upon triggering an unauthorized dApp connection.
The message indicates that the dApp either:
- Has not been added to the Managed dApps list (predefined or customer-defined), or;
- Is not permitted by any active policy rule assigned to you or to the vault.
You will be prompted, where applicable, to take further action, such as submitting the dApp for approval or requesting a policy change from an admin.