Open the Ownership tab on your name, click Edit Roles, and point the Owner at a cold wallet while leaving the Manager and ETH Address on your daily hot wallet. The name keeps working as usual — records edit, funds arrive, Primary Name shows up — but a drained hot wallet can't take the name away. ENS names can't be recovered after theft, so this setup is the standard defence.
Before you start — the three roles
A .eth name has three roles, and they don't have to live on the same wallet. The multi-wallet setup splits them so day-to-day risk and ownership risk live in different places.
Role | What it does | Recommended wallet |
Owner | Holds the name's NFT. Can transfer the name, change the Manager, and use Send. | Cold wallet |
Manager | Controls the name's records — can change the ETH Address, set text records, and so on. Can hand off Manager to another wallet, but can't transfer the Owner. | Hot wallet |
ETH Address | The wallet the name points at. Funds sent to | Hot wallet |
Quick check before you click: start the flow connected to the wallet that's currently the Owner (probably your hot wallet today). Make sure you have access to the cold wallet's seed phrase and have tested receiving a small transaction to it — once you move Owner to the cold wallet, that's the only wallet that can change it back.
For wrapped names, the Manager role is merged into the Owner role on the ERC-1155 token contract — there's no separate Manager field, but Edit Roles still lets you set the ETH Address independently.
How to set it up
Open the Ownership tab. Go to app.ens.domains and connect the current Owner wallet. Search for your name, then open the Ownership tab and click Edit Roles.
Set the three roles. Click Change next to Owner, enter your cold wallet's address (ENS name or
0xaddress), and save. Repeat for Manager and ETH Address, setting both to your hot wallet. Click Save to start the transactions.
Approve each transaction in your wallet. Click Open Wallet and approve the first. Most confirm in 1–2 blocks (12–24 seconds); busy networks can take longer. Click Next, approve the second, and so on. Order: ETH Address → Manager → Owner.
Set the Primary Name on the hot wallet. Switch to the hot wallet and follow How do I set my Primary Name? — that's how
yourname.ethshows up across apps when you connect.
Once the Owner transaction lands, only the cold wallet can transfer or sell the name. Your hot wallet can still edit records, receive funds, and act as the Primary Name address — but a drained hot wallet can't take the name away.
Why this setup works
The Owner role is the one with sale and transfer authority. By keeping it on a wallet that never connects to apps, you remove the surface phishing and malware use to drain wallets. The Manager and ETH Address run on the hot wallet so the name stays usable — records get edited, payments arrive, the Primary Name badge shows up — but neither role can transfer the name. If a phishing site convinces your hot wallet to sign something nasty, the worst it can do is change a record or redirect funds; the name itself stays in the cold wallet.
What this setup doesn't protect:
Funds on the hot wallet. Those are still exposed to the usual hot-wallet risks. Keep balances small and treat each approval the way you'd treat a signature on a paper contract.
The records themselves. A compromised Manager can change the ETH Address or rewrite text records. Annoying, but reversible — re-edit from the cold wallet (or from a clean Manager wallet) and you're back.
You, if you connect the cold wallet to something dodgy. The protection comes from leaving the cold wallet offline. Sign on a phishing site and you lose the same way.
Good to know
The Owner role has the sale and transfer authority — protect the Owner wallet's keys above all else.
If you lose access to the cold wallet, the name can't be recovered. Back up the seed phrase the way you would for any high-value asset.
Changing the ETH Address redirects funds — once you change it, funds sent to
yourname.ethgo to the new wallet, and the old wallet stops receiving them.Needs ETH on Ethereum Mainnet for gas — no other cost.
The ENS App only handles
.ethnames and onchain subnames. For project subnames likebase.ethoruni.eth, use the project's own site. See What are project subnames?
Wallet types you can use
"Cold" and "hot" describe how a wallet is used, not a specific product. Mix and match the types below.
Type | What it is |
Cold wallet | Kept offline. Rarely connected to apps. Best for the Owner role. |
Hot wallet | Connects to apps and signs transactions often. Best for Manager and ETH Address. Keep small amounts here. |
Hardware wallet | A physical device that holds private keys offline. The usual cold-wallet choice. |
Safe (multisig) | A smart-contract wallet that needs approvals from several wallets before a transaction confirms. Useful for shared ownership. |
A hardware wallet keeps keys on the device itself; every transaction has to be approved on the device. It protects against viruses, fake login sites, fake wallet apps, token-approval scams, and compromised seed phrases on a hot machine. It doesn't protect you from approving a malicious transaction yourself, so always check the prompt on the device screen.
A Safe (multisig) spreads transaction authority across several wallets — no single key can move the name. Common in DAOs, project treasuries, and high-value individual holdings.
Cold storage doesn't directly block scam transactions — it works by keeping the cold wallet offline so it can't be tricked into signing one. If you connect the cold wallet to a phishing site, you lose the protection.
If your hot wallet has already been compromised
Don't wait. From a clean device, use Edit Roles or Send to move the Owner to a safe wallet before the attacker does. Then walk through What to Do If your Wallet is Compromised.
What's next?