Earlier parts of this series covered what a wallet actually stores, how Zelcore derives keys across 80-plus chains, how to send your first transaction, and which coins each account type supports. Now it is time to plug Zelcore into the rest of the on-chain world. WalletConnect is the protocol that lets a dApp in your desktop browser ask your phone to sign a transaction, without ever touching your keys — if you use it correctly.
Before You Start
Get three things in place before you tap Connect.
Unlock Zelcore on the device that holds the account you want to expose, and make sure both that device and the device running the dApp have live internet. WalletConnect rides on a public relay network; Bluetooth, AirDrop, and local Wi-Fi do not come into this. If either side is on airplane mode, a corporate VPN that blocks relay.walletconnect.org, or a captive portal, pairing will silently fail.
Decide which account you are actually connecting. Zelcore lets you pick a specific EVM account per session. Pair the one with the funds you need for this swap or mint — not your top-balance hot wallet and certainly not an account that holds long-term stacks. Think of every WalletConnect session as a temporary hot-wallet spin-up.
Understand the two mistakes that cause almost every WalletConnect drain. The first is approving a session that requests blind signing before you have clicked anything meaningful. The second is leaving sessions and token approvals alive for months on dApps you have forgotten. Both are easy to avoid once you know what to look for, which is most of what this article teaches.
What WalletConnect Actually Is
WalletConnect is an open protocol, now stewarded by the Reown organisation, for end-to-end encrypted messaging between a dApp and a wallet over a public relay network. Version 2 launched in 2023 and fully superseded v1 — the v1 bridge servers were shut down at 2pm UTC on June 28, 2023 — so everything Zelcore talks to today is v2 or later.
Three primitives are worth knowing by name.
Pairing is the one-time handshake. When you scan a QR code or tap a deep link, your wallet and the dApp derive a shared symmetric key. That key never leaves either device. The QR or wc: URI is just the courier.
Session is the scoped agreement layered on top of the pairing. It says which chains the dApp may request, which JSON-RPC methods it may call, and which of your accounts it can see. A session has a finite lifetime and can be revoked from either side.
Relay is the encrypted pub/sub transport between the two peers. The relay sees ciphertext only. Even if the relay operator were fully compromised, they could not read your transactions or derive your keys.
The v2 upgrade that matters most day-to-day is multi-chain namespaces. A single session can be scoped across Ethereum mainnet, Base, Polygon, Arbitrum, and more at once, using EIP-155 chain IDs like eip155:1 and eip155:8453. You no longer re-pair every time the dApp switches network, but you now have to read the chain list carefully before approving.
Pairing Zelcore With a dApp, Step by Step
The most common flow is desktop dApp plus mobile Zelcore.
- On the dApp, click Connect Wallet and choose WalletConnect from the modal. A QR code appears along with a list of wallet logos.
- Open Zelcore on your phone and go to the WalletConnect or dApp-browser section. Tap the scan icon.
- Point the camera at the QR code. The session-approval screen appears on the phone.
- Read every field on that screen (next section) and only then tap Approve.
- The dApp now shows your address as connected. From here on, every transaction or message signature the dApp requests triggers a fresh prompt in Zelcore, which you sign one at a time.
The mobile-to-mobile flow is almost identical. Instead of scanning a QR, tap Copy Link in the dApp modal (or let it hand off via the OS). Zelcore opens the same approval screen from the wc: URI.
If the QR times out — pairings typically live about five minutes — refresh the dApp to generate a new one. Never scan a stale QR from a screenshot someone sent you. That is a textbook phishing vector.
Reading the Permission Prompt Like an Auditor
Zelcore's approval screen is the last checkpoint before a dApp can ask you to sign anything. Read it the way a security auditor would.
Verify the origin first. The dApp's name, icon, and URL all appear at the top of the screen. Check that the URL exactly matches the tab you think you are on. Phishing clones swap one letter or use a homograph domain, and drainer kits copy legitimate branding pixel-perfect.
Scan the chain list. WalletConnect v2 prompts list EIP-155 chains explicitly. If a DEX you expect to be Ethereum-only requests a dozen chains — or asks for a chain the project does not actually deploy to — cancel. Over-broad namespaces are a drainer tell.
Check the JSON-RPC methods. The standard set is eth_sendTransaction, personal_sign, and eth_signTypedData_v4 (the EIP-712 method behind Permit, Permit2, and Seaport). Legacy eth_sign is effectively never safe — reject any session that asks for it. A browse-only or read-only dApp has no business requesting eth_sendTransaction at connection time.
Refuse blind signing up front. Legitimate DEXes ask you to sign one swap at a time, with the token amounts clearly shown. If the first thing a dApp pushes is a signature before you have clicked anything meaningful, assume drainer until proven otherwise. Signature phishing — tricking users into signing malicious permits that hand over entire token balances — was behind hundreds of millions of dollars in 2024 crypto losses (Scam Sniffer tracked roughly $494M stolen by wallet drainers alone), and those numbers are part of why token approvals are the real attack surface in DeFi.
Refuse unlimited approvals by reflex. If a dApp pushes an ERC-20 approve(spender, uint256.max) as the first transaction, it is asking for unbounded spending of that token forever. Reduce the amount to exactly what you are swapping. Zelcore exposes the approval-amount field; use it.
Treat Permit2 as a double-edged tool. Uniswap's Permit2 replaces the old one-approval-per-token-per-DEX pattern with two contracts — AllowanceTransfer for time-bounded recurring allowances and SignatureTransfer for one-shot permits bypassing stored allowances entirely. You approve Permit2 once and then sign time-bounded EIP-712 permits per swap, which is safer when used correctly. The problem is that drainers copy this UX pattern to steal tokens. Always verify the contract address is the real Uniswap Permit2: 0x000000000022D473030F116dDEE9F6B43aC78BA3, the same on every supported EVM chain. If the address differs, it is not Permit2.
For a broader picture of how signature phishing and wallet drainers actually work, keep that companion article open in another tab the first few times you connect to a new protocol.
Revoking Sessions and Revoking On-Chain Approvals Are Different
This is the single biggest user misunderstanding on WalletConnect. Killing a session stops the dApp from requesting new signatures. It does not revoke any approvals you have already signed on-chain. Those live in the token contracts themselves and survive until you explicitly reset them.
You need to do both.
Revoke the WalletConnect session. In Zelcore, open Settings → WalletConnect (or the Connected dApps list), tap the session, and choose Disconnect. This invalidates the session key on the relay and the dApp's connection indicator goes cold. For good measure, click Disconnect on the dApp side too, so neither peer has a half-open state that could re-emit requests.
Revoke on-chain ERC-20 and Permit2 approvals. Visit revoke.cash and connect the same address. It scans over 100 EVM networks, lists every contract you have ever granted spending rights to, and lets you revoke or reduce each one with a single transaction. Each revoke costs gas on the chain where the approval lives. Permit2 permissions show up as their own entries — revoke those separately.
Use block-explorer tools as a second opinion. Etherscan has a built-in Token Approval Checker at etherscan.io/tokenapprovalchecker. BscScan, Polygonscan, Arbiscan, and Basescan all offer the same tool for their chain. If something on revoke.cash looks off, cross-check on the explorer before you sign the reset transaction.
Build a habit: audit approvals monthly and revoke anything you have not used in thirty days. Drainers exploit approvals you forgot, not approvals you remember. This is the same discipline that shows up on your full crypto attack surface, which is worth re-reading after your first few WalletConnect sessions.
Troubleshooting
QR will not scan. Tap Copy Link on the dApp modal and paste the wc: URI directly into Zelcore's WalletConnect screen. This bypasses camera focus and lighting problems.
Stuck on "connecting…" The relay occasionally hiccups. Cancel, refresh the dApp, and generate a fresh QR. Do not reuse the old one — pairings are one-shot and the expired QR will never work.
Session drops mid-swap. Zelcore and the dApp re-pair automatically, but any transaction you have already broadcast is on-chain and will confirm regardless of session state. Check a block explorer for that transaction hash before retrying — you do not want to spend gas twice.
"Unsupported chain" error. The dApp requested a namespace Zelcore did not approve. Disconnect, re-pair, and on the approval screen make sure the chain you intend to use is included in the namespace list.
Phone and dApp cannot see each other. Both sides need internet. Airplane mode, a corporate VPN that blocks WalletConnect relays, or an overly aggressive ad-blocker on desktop will all break pairing.
When in doubt, tear it all down. Disconnect on Zelcore, clear the session on the dApp, refresh the page, and pair from scratch. This is faster than debugging a half-dead pairing and it resets any stale state on either peer.
Next in the Series
You can now plug Zelcore into DeFi front-ends, NFT marketplaces, and governance portals with your eyes open. But sessions and approvals are only part of the story — they all depend on a seed phrase that, if lost, takes every account with it. Part 7 covers backup and recovery: how to write down your seed, where to store it, how to test a restore without moving funds, and how to plan for the day your phone takes a swim.
