Overview
This Policy type enables you to govern your dApp connections directly from your workspace. You can Allow or Block specific dApps from being connected. Currently, the policy consists of ready-made, common whitelisted dApps. Later on, you will be able to create your own whitelisted dApps and include them into your connection rules. Additionally, this new policy allows you to control which initiator is permitted to create a dApp connection, which wallets can connect, and which dApps are allowed.
Benefits
The benefits of defining a dApp connection policy are:
- It adds an additional layer of protection to your assets by governing the dApp connection process.
- It prevents malicious attacks that connect existing, legitimate contracts to malicious dApps.
- It allows you to specify exactly who within your organization can connect to certain dApps based on their operational roles or areas of responsibility.
Creating a dApp Connection Rule
To get started, in the Console’s left navigation panel, select Policies > dApp connection to create a Policy rule. An example dApp rule may look like the following:
Configuring an existing dApp Connection Rule
Use the Policy Editor to configure an existing rule.
Enforcement Across Platforms
Once dApp connection rules are configured, Fireblocks enforces them across all dApp connection paths to ensure consistent security coverage. Enforcement applies across the following three interfaces:
Console
When you attempt to connect a vault to a dApp through the Console interface, you will be blocked or allowed based on the applicable policy. If a dApp is not on the whitelist, the connection will be rejected with a clear message and guidance to adjust the policy or whitelist the dApp. As an admin, you can manage, approve, and edit rules through the policy section of the Console.
Browser extension (DeFi)
When you interact with dApps via the browser extension, policy enforcement occurs before the dApp connection is finalized. If you switch vaults mid-session, the extension checks whether the new vault is permitted to connect to the dApp under the active policy.
If the new vault is not allowed to connect based on the Policy rules, and it is currently connected, you will be disconnected. If it is not connected, no action is required. These enforcement checks follow the same policy logic defined in the Console.
Mobile
The Fireblocks mobile app also enforces the connection policy. When you attempt to connect to a dApp via mobile device, you will see the same enforcement behavior as in the Console and extension. If an unauthorized connection attempt occurs, the app will guide you through steps to either request admin approval or modify existing Policy rules.
This multi-platform enforcement ensures secure and predictable behavior regardless of how you initiate a dApp connection.
To ensure secure interactions with a dApp, Fireblocks enforces dApp connection rules upon every dApp connection attempt and every transaction with a dApp, to make sure the connection is valid.
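To make the enforcement behaviour above concrete, here is a small policy evaluator added as an illustration. It is not Fireblocks code and does not use the Fireblocks API; the rule shape (initiator, vault and dApp sets with an Allow or Block action), the first-match ordering, the whitelist contents and the vault and dApp names are all constructed for the example. It models the three behaviours the page describes: a dApp must be whitelisted, a matching rule decides Allow or Block with deny as the default, and the browser extension re-checks the policy when the active vault changes mid-session and disconnects only if a connection is currently open.

```python
"""Hypothetical dApp connection policy evaluator (added example, not Fireblocks code).

Assumptions for illustration: rules are evaluated top to bottom and the first
match wins; a field set to ANY matches every value; the whitelist and all
initiator/vault/dApp names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List

ANY = None  # a rule field set to ANY matches any initiator, vault or dApp

# Constructed sample whitelist of dApp origins (not a real list).
WHITELIST = frozenset({"app.example-dex.test", "lend.example.test"})

REJECTION = "This connection is not allowed by the policy"


@dataclass(frozen=True)
class Rule:
    action: str                               # "ALLOW" or "BLOCK"
    initiators: Optional[frozenset] = ANY     # users allowed to initiate
    vaults: Optional[frozenset] = ANY         # vaults that may connect
    dapps: Optional[frozenset] = ANY          # dApps the rule covers

    def matches(self, initiator: str, vault: str, dapp: str) -> bool:
        return all(
            allowed is ANY or value in allowed
            for allowed, value in (
                (self.initiators, initiator),
                (self.vaults, vault),
                (self.dapps, dapp),
            )
        )


# Constructed sample rule set: the treasury vault is never allowed to connect,
# and only alice/bob may connect the defi-ops vault to the sample DEX.
RULES: List[Rule] = [
    Rule("BLOCK", vaults=frozenset({"treasury"})),
    Rule("ALLOW", initiators=frozenset({"alice", "bob"}),
         vaults=frozenset({"defi-ops"}),
         dapps=frozenset({"app.example-dex.test"})),
]


def evaluate(rules: List[Rule], initiator: str, vault: str, dapp: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if dapp not in WHITELIST:
        return False, f"{REJECTION}: dApp is not whitelisted"
    for rule in rules:
        if rule.matches(initiator, vault, dapp):
            if rule.action == "ALLOW":
                return True, "allowed by rule"
            return False, f"{REJECTION}: blocked by rule"
    return False, f"{REJECTION}: no rule permits this connection"


class ExtensionSession:
    """Models the extension's check when the active vault changes mid-session."""

    def __init__(self, rules: List[Rule], initiator: str, dapp: str):
        self.rules, self.initiator, self.dapp = rules, initiator, dapp
        self.connected_vault: Optional[str] = None
        self.events: List[Tuple[str, bool, str]] = []  # audit trail of decisions

    def connect(self, vault: str) -> bool:
        ok, reason = evaluate(self.rules, self.initiator, vault, self.dapp)
        if ok:
            self.connected_vault = vault
        self.events.append((vault, ok, reason))
        return ok

    def switch_vault(self, new_vault: str) -> bool:
        ok, reason = evaluate(self.rules, self.initiator, new_vault, self.dapp)
        if ok:
            self.connected_vault = new_vault
        elif self.connected_vault is not None:
            # New vault is not permitted and a connection is open: disconnect.
            self.connected_vault = None
        # Not permitted and not connected: no action required.
        self.events.append((new_vault, ok, reason))
        return ok


if __name__ == "__main__":
    session = ExtensionSession(RULES, "alice", "app.example-dex.test")
    print(session.connect("defi-ops"), session.connected_vault)
    print(session.switch_vault("treasury"), session.connected_vault)
```

The default-deny branch at the end of `evaluate` is the part worth copying into any real policy engine: a dApp that is whitelisted but matched by no rule is still rejected, which is the behaviour the page describes for the 90-day default policy.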
Note:
If Block is selected upon rule creation, the admin will be notified via email.
Rollout strategy
Existing workspaces must opt into the dApp connection policy within 90 days, create a policy, and publish it. After 90 days, a default policy will be set in place, allowing only whitelisted dApps with configured rules. You are allowed to connect any dApp during the initial 90 days. We recommend that as an owner or admin, you take early action to define secure connection policies and assign them to your relevant users and groups.
Connection rejections and the “Connected dApps” view
Once a dApp connection rule is properly configured, you will only be able to connect to dApps that are explicitly allowed by that rule. When a connection is successfully made to an allowed dApp, it will appear in the Console’s Connected dApps section, located under the Web3 access tab, which shows all currently active or recently connected dApps.
If you try to connect to a dApp that is not included in the whitelist (and not permitted under any rule), the system will block the connection. In such a case, you will see the “This connection is not allowed by the policy” rejection message displayed:
- In the Console, when attempting a connection manually.
- In the DeFi extension, during interaction with a non-authorized dApp.
- In the mobile app, upon triggering an unauthorized dApp connection.
The message indicates that the dApp either:
- Has not been added to an approved whitelist, or
- Is not permitted by any active policy rule assigned to you or to the vault.
You will be prompted, where applicable, to take further action, such as submitting the dApp for approval or requesting a policy change from an admin.