Author: INSIGHTFUL; Compiler: TechFlow
This guide cannot guarantee anything and is not written from the perspective of a "crypto or cybersecurity expert", but is based on continuous learning from multiple sources and personal experience.
For example, I myself was deceived by fear of missing out (FOMO) and greed (fake live broadcast scams and fake MEV robot scams) when I first entered this field, so I took the time to study, set up and understand security seriously.
Don't be the person who is forced to learn security because he lost everything or a lot of assets.
All types of wallet, token, or NFT "hacks" or compromises can be roughly divided into two categories:
Abuse of previously granted token approvals.
Private key or mnemonic phrase leakage (usually happens on hot wallets).
Token approvals are essentially permissions that allow a smart contract to access and move a specific type or amount of tokens in your wallet.
For example:
Giving OpenSea permission to move your NFT so that you can sell it.
Give Uniswap permission to use your tokens for swaps.
As background information, basically everything on the Ethereum network, except ETH, is an ERC-20 token.
One of the features of ERC-20 tokens is the ability to grant approval permissions to other smart contracts.
These approvals will be required at some point if you want to do core DeFi interactions (like swapping or bridging tokens).
NFTs are ERC-721 and ERC-1155 tokens respectively; their approval mechanisms are similar to ERC-20, but for NFT markets.
The initial token approval prompt of MetaMask (MM) provides several pieces of information, the most relevant of which are:
The tokens you are granting approval
The website you are interacting with
The smart contract you are interacting with
The ability to edit the number of token permissions
In the Full Details drop-down menu, we see an additional information: Approval Function.
All ERC-20 tokens must have certain features and properties outlined by the ERC-20 standard.
One of these is the ability for smart contracts to move tokens based on approved quantities.
The danger of these approvals is that if you grant token permissions to a malicious smart contract, your assets could be stolen or drained.
Many DeFi applications will prompt you for unlimited approvals for ERC-20 tokens by default.
This is done to improve the user experience because it is more convenient and does not require possible additional approvals in the future, saving time and gas fees.
Allowing approval for an unlimited number of tokens may put your funds at risk.
Manually setting token approvals to a specific amount can limit the maximum number of tokens that the dApp can move before signing a new, larger approval.
This reduces your risk when a smart contract is exploited. If you grant unrestricted approval to a dApp and that dApp has a vulnerability, you could lose all approved tokens from the wallet that holds those assets and granted the approval.
For example, Multichain WETH (WETH is an ERC-20 token wrapper for ETH) has experienced such a vulnerability.
This commonly used bridge was attacked by abusing the previously unrestricted token permissions, resulting in user funds being stolen.
Here is an example (using the Zerion wallet) showing how to change the default unrestricted approval to manual approval.
「setApprovalForAll」for NFTs
This is a commonly used but potentially dangerous approval that is typically granted to trusted NFT marketplaces when you want to sell your NFT.
This enables the marketplace's smart contract to transfer your NFT. So when you sell your NFT to a buyer, the marketplace's smart contract can automatically move the NFT to the buyer.
This approval grants access to all NFT tokens in a specific collection or contract address.
This can also be used by malicious sites or contracts to steal your NFTs.
The classic "wallet account shrinkage" in the case of FOMO free casting looks like this:
Users visit a malicious website that they believe is legitimate.
When they connect their wallet to the website, the website can only view the contents of the wallet.
However, the malicious website scans the wallet for the highest value NFT and prompts the user to "Set All Approvals" from MetaMask (MM) for the contract address for that NFT.
The user thinks they are minting NFTs, but is actually granting the malicious contract permission to move those tokens.
The scammer then steals the tokens and liquidates them into bids on OpenSea or Blur before the items are marked as stolen.
Approvals cost gas fees because they are involved in transaction processing.
Signatures are gas-free and are often used to log into dApps to prove your control over that wallet.
Signatures are generally low-risk operations, but could still potentially be used to exploit previously granted approvals on trusted sites like OpenSea.
For ERC-20 tokens, you can also modify your approvals with gas-free signatures, as the permission feature was recently introduced on Ethereum.
You can see this in action if you use a decentralized exchange (DEX) like 1inch.
Be cautious when giving any approval, make sure you know which tokens you are approving and for which smart contract (use etherscan).
Limit your approval risk:
Use multiple wallets (approvals are wallet specific) - don't sign approvals for your vault or high value wallets.
Ideally, reduce or completely avoid granting unrestricted approvals for ERC-20 tokens.
Regularly check and revoke approvals via etherscan or revoke.cash.
Hot wallets are connected to the internet through your computer or mobile phone, and keys and wallet credentials are stored online or locally in your browser.
Cold wallets are hardware devices where keys are generated and stored completely offline and physically close to you.
Considering that a Ledger costs about $120, if you have more than $1000 in crypto assets, you should probably buy and set up a Ledger. You can connect a Ledger wallet to your MetaMask (MM) to enjoy the same features as other hot wallets while maintaining a certain level of security.
Ledger and Trezor are the most popular choices. I like Ledger because it has the best compatibility with browser wallets (similar to Rabby and MM).
Always buy from the official manufacturer website, never buy on Ebay or Amazon - it may be tampered with or pre-installed with malware.
Make sure the packaging is sealed when you receive the item.
When you first set up your Ledger, it will generate a mnemonic phrase.
Only write your recovery phrase on physical paper, or in the future write it on a steel plate to ensure that your recovery phrase is fireproof and waterproof.
Never photograph or type your recovery phrase on any keyboard (including mobile phones) - this will digitize the recovery phrase and your cold wallet will become an insecure hot wallet.
Crypto assets are not stored on hardware wallets, but "in" the wallet generated by the recovery phrase.
The recovery phrase (12-24 words) is the be-all and end-all and must be protected and secure at all costs.
It provides full control and access to all wallets generated under that recovery phrase.
The recovery phrase is not device-specific and you can "import" it into another hardware wallet as a backup (if needed).
If the mnemonic phrase is lost or damaged, and the original hardware wallet is also lost, damaged or locked, you will permanently lose access to all your assets.
There are various ways to store the mnemonic phrase, such as splitting it into multiple parts, increasing the physical distance between the parts, storing it in an inconspicuous place (e.g., a soup can at the bottom of the refrigerator, somewhere under your property, etc.).
At a minimum you should have 2-3 copies, one of which should be made of steel to be resistant to water and fire.
A "private key" is similar to a mnemonic phrase, but only for one specific wallet. It is often used to import a hot wallet into a new MetaMask (MM) account or for use in automated tools such as trading bots.
In addition to the original 24 word recovery phrase, Ledger offers an optional additional security feature.
Passphrase is an advanced feature that adds a 25th word of your choice of up to 100 characters to your recovery phrase.
Using a passphrase generates a completely different set of addresses that cannot be accessed with the 24 word recovery phrase alone.
In addition to an added layer of security, a passphrase provides plausible deniability in the event that you are compromised.
If using a passphrase, be sure to store it securely or remember it exactly, character by character and case sensitive.
This is the only and final defense against a physical threat scenario such as the "$5 Wrench Attack".
Why go through all the trouble of setting up a hardware wallet?
Hot wallets store private keys in a location that is connected to the internet.
It is extremely easy to be tricked, misled, and manipulated into revealing these credentials over the internet.
Owning a cold wallet means that a scammer would need to physically find and obtain your Ledger or mnemonic phrase to access these wallets and the assets within them.
Once the mnemonic phrase is compromised, all hot wallets and the assets within them are at risk, even those that have not interacted with a malicious website or contract.
Common ways people have been “hacked” (mnemonic phrase leaks) through hot wallets in the past include:
Being tricked into downloading malware, such as through job opportunity PDFs, beta games, running macros through Google Sheets, or imitating legitimate websites and services.
Interacting with malicious contracts: FOMO minting on imitation websites, or interacting with unknown airdropped or received NFT contracts.
Inserting or sending keys and mnemonics to “customer support” or related programs/forms.
Arkham Intel Exchange celebrates a milestone as two brilliant blockchain sleuths successfully claim the first-ever bounty reward for uncovering crucial evidence related to Do Kwon’s elusive crypto wallets.
BitcoinistSEC lawyers previewed a likely appeal to overturn portions of last week’s Ripple Labs in a separate enforcement case against TerraUSD and Luna creators Do Kwon and Terraform Labs.
TheBlockHe also asserted that the person he was caught with was innocent.
cryptopotatoKwon’s attorneys will seek to reduce the 30-day detention extention period ruled by the Montenegrin authorities.
cryptopotatoTerraform Labs is headquartered and registered in Singapore and this is the first time the country has publicly taken action against Do Kwon and his firm.
CryptoSlateAfter recently entering Serbia, Terra founder Do Kwon transferred 9.64 BTCS (then worth nearly $190,000) from the LFG wallet to the Binance wallet on November 8. This is the first time that on-chain data has captured Do Kwon's exchange of bitcoins for cash, such as dollars, while he was on the run.
OthersLUNC has bounced at the $0.000275 support area. LUNA has decreased by 66% since Sept. 9.
BeincryptoWhile Tornado Cash developers are fearing for their lives, Do Kwon is "partying," according to podcaster Eric Conner.
CointelegraphA new Anonymous video surfaced and it points its finger at the infamous Do Kwon. The Terra/ UST/ LUNA collapse ...
BitcoinistDo Kwon's co-founder and CEO of TerraForm Labs recently announced the Terra revival plan and received mixed reactions; many of ...
Bitcoinist