Beanz Security: The Basics

Nightmare Scenario

It’s 2022. Everybody is talking about something called NFTs – your Twitter timeline, the news, your coworkers, your family. Projects are popping up left and right, but you’re lost. Then, amid the shuffle, you spot it – something called Azuki. You think back to your childhood, growing up watching Naruto, Bleach, One Piece – and your love of anime and curiosity about a new technology compel you to buy one.

As the months go on, you’re there to experience it all: “check your wallets,” the ever-adorable Beanz are airdropped to you for free, jacket claim, Enter the Alley in NYC. And throughout the whole journey, you’ve made lifelong friends and connections. You’re on the top of the world. Then one day, you wake up and your heart sinks. The collection you had amassed is gone. The ETH you’ve worked for is gone. Your wallet has been completely drained.

Unfortunately, this isn’t just a hypothetical. For many holders, a version of that nightmare has become reality. As Web3 continues to grow at an accelerated pace, with projects such as Azuki becoming leaders in this technological shift, holders are becoming bigger targets for scammers and phishers. Web3 is all about change and adapting. Just as not paying attention to the current meta can cost NFT collectors a lot of money, not keeping up with information and tools to safeguard your assets will leave you behind. So what can you, an individual holder, do to ensure that you do not become a victim of the next scam?

Cold Storage (aka Hardware Wallet)

Ledger Nano X

Using a cold storage/cold wallet solution to store your assets is THE number 1 thing an NFT collector or cryptocurrency trader can do. This has proven to be the best way to protect your precious Beanz, Azuki, and ETH.

Cold wallet is another term for hardware wallet: a cryptocurrency wallet whose secret keys are stored within a physical device. While we will go further in-depth into different types of wallets in future posts, we will introduce some of the basic tenets of utilizing a cold wallet here. Examples of hardware wallets include Ledger Wallet and Trezor.

The primary benefit of cold/hardware wallets is that they are designed to protect against hacks. In order to sign and approve a transaction – whether to list, bid on, transfer, or buy an NFT – the physical device must be present. It is impossible for a malicious third party to sign a transaction without your physical wallet device.

Hot wallets, on the other hand, are extremely vulnerable to a number of threats and attacks. Because hot wallets are always online, a skilled hacker who gains access to your devices can approve transfers from your hot wallet and steal your assets.

If the value of the assets you hold is greater than the price of a cold storage device (e.g., a Ledger Wallet), then the general wisdom is that you should move your funds over to cold storage. If you can pay $79 in gas fees for a mint, you can spend $79 to secure your funds!

Want to learn how to set up a Ledger Wallet and connect it to MetaMask? Check out our step-by-step guide.

Vigilance

Securing your assets with a cold storage device is the best thing any Crypto or NFT trader can do. However, a cold wallet is useless if the owner does not use common sense and best practices for security. A hacker might not be able to fool a Ledger, but they can fool a holder much more easily. Thus, it’s important to always stay vigilant.

Keep a close watch!

Much of the marketing, conversation, and communications around NFTs takes place online – on platforms like Twitter or Discord. Often, said platforms draw in phishers and hackers who seek to trick an unsuspecting holder into giving up his/her assets. Even with a cold wallet, if you click on a fake link and accidentally sign a transaction on a malicious contract, you risk giving a third party control over your assets.

As an example, think about a physical safe that you would use to store your physical valuables. A bad actor may not be able to physically break into your safe, nor would they be able to guess your code – but if that bad actor were to trick you into opening the safe for them, they wouldn’t need to break in. Similarly, even if you have your assets stored on a hardware wallet, user error could lead to a breach.

Here are tips to consider:

Be wary of links

Any time a link is shared with you, verify that the person or account sharing it has not been compromised. Check their username to ensure no one is impersonating that individual or account. Also look at the URL itself. If something feels off, do not click on it. Verify with trusted parties or official accounts before you consider clicking. To be safe, do not click on them regardless.
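To make "look at the URL itself" concrete, here is an added example (not part of the original post) that checks a link's real host against a personal allowlist and flags near-miss spellings, brand names on unrelated hosts, the "@" trick, and look-alike letters. The allowlist entries, the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: build yours from bookmarks you already trust.
TRUSTED = ("opensea.io", "metamask.io", "azuki.com")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https link with a host name"
    if parts.username is not None:
        return "suspicious", f"text before '@' is decoration; real host is {host}"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "suspicious", "internationalized host name (possible look-alike letters)"
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted", f"{host} is on the allowlist"
    base = ".".join(labels[-2:])  # rough registrable domain; ignores suffixes like co.uk
    for t in TRUSTED:
        if edit_distance(base, t) <= 2:
            return "suspicious", f"{base} is a near-miss of {t}"
        if t.split(".")[0] in host:
            return "suspicious", f"brand name from {t} used on unrelated host {host}"
    return "unknown", "not on the allowlist; verify through an official channel"


# Constructed sample links, not taken from any real campaign.
SAMPLES = [
    "https://opensea.io/collection/azuki",
    "https://opensae.io/claim",
    "https://metamask.io.support-desk.example/restore",
    "https://opensea.io@airdrop.example/mint",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", *check_link(link))
```

A "trusted" verdict only means the host is on your list; it says nothing about whether the account that sent the link is genuine.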

Be wary of fake accounts and fake emails

Fake MetaMask Twitter Accounts

Similar to scam links, fake accounts and fake emails are also often employed by scammers to fool holders into giving up their assets or private information. For instance, look at just how many accounts there are on Twitter that pretend to be MetaMask Support. As a rule of thumb, don’t interact with any account claiming to be MetaMask or OpenSea. There is no real benefit to this, and the real accounts have no reason to reach out directly to you.

Ask yourself: Is this too good to be true?

Even if you’ve verified that an account is legit, ask yourself if a link is too good to be true. If you see a link that touts a free airdrop, or receive a DM claiming that they’ll double any ETH you send to their address – ask yourself if it’s realistic. In this space, when something sounds too good to be true, it’s usually not real. Don’t ever let greed get in the way of good security. Missing out on the promise of gains pales in comparison to the risk of losing your assets.

Create a separate vault account

Whether you’re a frequent trader, NFT degen, or someone who loves trying out new dApps – every new smart contract you interact with is another contract that you’re giving access to your wallet. If you know you’ll hold your Azuki, Beanz, and other assets for a long time, consider moving them over to a fresh wallet that has not been used for anything other than storing your assets. This new wallet that stores your Azuki and Beanz will serve as your vault.

Your vault wallet should not interact with any dApp at all – not even to list an asset for sale on OpenSea. This ensures that you remove the risk of malicious smart contracts entirely. When you’re ready to sell an asset you hold in your vault account, simply transfer it from your vault back to a wallet you use for active trading before listing.
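Both the warning above about signing a transaction on a malicious contract and the point that every contract you interact with is given access to your wallet come down to what the transaction data actually says. The added example below (not part of the original post) decodes the raw data of a pending transaction and explains what it would grant, using the standard ERC-20 and ERC-721 function selectors. The function names, verdict labels and sample addresses are assumptions made for illustration.

```python
# Standard 4-byte selectors from ERC-20 and ERC-721, with argument counts.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", 2),  # (operator, approved)
    "095ea7b3": ("approve", 2),            # (spender, amount or tokenId)
    "23b872dd": ("transferFrom", 3),       # (from, to, amount or tokenId)
    "42842e0e": ("safeTransferFrom", 3),   # (from, to, tokenId)
}
MAX_UINT256 = 2**256 - 1
ZERO_ADDRESS = "0x" + "0" * 40


def address(word):
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word[-40:]


def review_calldata(data, my_wallets=()):
    """Return (verdict, explanation) for hex calldata; my_wallets are addresses you own."""
    h = data.strip().lower()
    h = h[2:] if h.startswith("0x") else h
    name, argc = SELECTORS.get(h[:8], (None, 0))
    if name is None:
        return "unknown", "unrecognized function; find out what it does before signing"
    args = [h[8 + i:72 + i] for i in range(0, len(h) - 8, 64)]
    hex_ok = all(c in "0123456789abcdef" for c in h)
    if not hex_ok or len(args) < argc or any(len(a) != 64 for a in args):
        return "unknown", f"malformed {name} call"
    if name == "setApprovalForAll":
        operator = address(args[0])
        if int(args[1], 16) == 0:
            return "ok", f"revokes {operator}'s access to this collection"
        return "danger", f"lets {operator} move every token you hold in this collection"
    if name == "approve":  # same selector on ERC-20 (amount) and ERC-721 (tokenId)
        spender, value = address(args[0]), int(args[1], 16)
        if spender == ZERO_ADDRESS:
            return "ok", "clears an existing approval"
        if value == MAX_UINT256:
            return "danger", f"gives {spender} an unlimited token allowance"
        return "caution", f"lets {spender} move amount/token {value}"
    src, dst = address(args[0]), address(args[1])
    if dst in {w.lower() for w in my_wallets}:
        return "ok", f"moves asset {int(args[2], 16)} to your own wallet {dst}"
    return "caution", f"moves asset {int(args[2], 16)} from {src} to {dst}, not your wallet"


# Constructed sample: setApprovalForAll(0x1111...1111, true); the operator is made up.
SAMPLE = "0xa22cb465" + ("11" * 20).rjust(64, "0") + "1".rjust(64, "0")

if __name__ == "__main__":
    print(*review_calldata(SAMPLE))
```

A vault wallet that never signs approvals has nothing in the "danger" category outstanding, which is the property the vault setup is meant to give you.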

Btw, the final part is extremely important so pay attention…

🚨 Secure your seed phrase!!! 🚨

Any time you set up a new wallet, whether a hot wallet or a cold wallet, you will invariably be prompted to write down something called a seed phrase. A seed phrase is a string of randomly generated words (usually 12 to 24 words) in a specific order. It serves as a recovery password for your crypto wallet, on the off chance that you lose access to your hardware wallet or the device that stored your hot wallet.

This is the single most important piece of information in securing your assets.

This is because even if you were to lose your hardware wallet, or had your computer data wiped, you can recover your crypto wallet as long as you have the seed. With the seed, you can recover your crypto wallet on most other wallets, whether it’s a new hardware wallet or a different hot wallet. You can even recover your seed on multiple devices and wallets, with each one allowing you to access your funds.

For this reason, it’s essential that you NEVER share your seed phrase with anybody. Someone who knows your seed phrase can recover your wallet and siphon your funds before you can secure them. No customer support or project will ever ask for your seed phrase for any reason. If someone claims to be from MetaMask or Ledger support, and asks you for your seed – they are lying to you. No legitimate player in the space will ever ask you for your seed.

Make sure to have a backup copy (or several) of your seed, and store it somewhere only you have access to. Do not even tell anyone where it’s located, unless it's an individual you know and trust (such as a spouse or family member).

NEVER store your seed phrase on anything digital. NO to Notes app. NO to an encrypted drive on your computer. Never type the words down anywhere. Secure your seed by writing it down manually. Get creative with how you hide your seed and where you hide it – as long as it's something you won’t forget either!

