Every day Web3 captivates the attention of more and more users, and how wouldn’t it? It promises to take power away from the oppressors who unilaterally decide what should and should not be allowed, and to recover our data from companies that only see us as a product and a target for more ads.
Web3 also enables novel ways of coordinating people, funding public goods, and empowering what was previously neglected, but as Uncle Ben says:
“With great power comes great responsibility”
Decentralization means that there is no customer support line you can call: you are mostly responsible for your own actions, and criminals will take advantage of this fact to steal your hard-earned assets.
But worry not, you are not alone: there are plenty of communities ready to help you out on this adventure. You can use this post as a base to understand basic concepts regarding blockchain and security, common attack patterns, and some tips to avoid falling victim to a hacker.
If you take only one thing from this post, let it be this: “Don’t trust, verify.” It is a well-known phrase among blockchain enthusiasts; cryptocurrencies and blockchain tech came to change a lot of paradigms, and they were largely founded by people skeptical of traditional systems. While this mindset might seem a little exaggerated for day-to-day users, the Web3 space is so full of adversaries (hackers and scammers) that you need to take the “don’t trust, verify” approach more seriously in order to protect your funds.
Before going into the most common types of attacks and some best practices for protecting yourself, I will explain some basic concepts. Feel free to skip to the next section if you already feel confident with them.
Hot Wallet: A hot wallet is one that is always connected to the internet, whether via a mobile phone application or a browser extension.
Cold Wallet: A cold wallet is never connected to the internet: the keys are generated offline and the wallet only receives funds. Perfect for storing assets for long periods. Usually, they are paper or hardware wallets and require advanced knowledge to set up.
Warm Wallet: This is the most common type of wallet after the hot wallet. It is a cold wallet that has been connected to the internet to make transactions, which removes its cold status, but the signing is still done offline on hardware, making it more secure than a hot wallet while remaining usable and user friendly.
Burner Wallet: Wallets with ephemeral private keys, usually created for a single transaction or to hold a very small amount of funds. After use there is no need to keep track of the wallet and it is discarded, also known as burning.
These types of wallets can be further subdivided depending on the technology they implement.
Mobile Wallet: As the name suggests, these are wallets that store the private key on a mobile phone. They are perfect on the go but are always connected to the internet, so avoid keeping a lot of funds on them. You can also connect one to a website by scanning a QR code using WalletConnect.
Extension Wallets: These are browser extensions like Metamask or Dapper. Like mobile wallets, they are always connected to the internet, so avoid keeping a lot of funds in them. Another important fact is that extension wallets store the private key, encrypted, on the computer, so a hacker who gets into the computer could find a way to steal the funds.
Hardware Wallet: Hardware wallets store the private keys on specialized tamper-proof devices, separating the private key from the wallet connection. For example, you can connect your hardware wallet to a mobile device or a browser extension, build the transaction in that application, but sign it on the hardware wallet, further increasing security. The only problem with these devices is that they usually have small screens and are susceptible to blind signing attacks. The most common brands of hardware wallets are Trezor, Ledger, and Lattice.
Paper Wallets: Prehistoric wallets used by the ancients, who used paper and the randomness of a coin flip to create a totally offline wallet.
Smart Contract Wallet: This wallet is built using smart contracts, meaning that it is, in reality, a contract and does not have a private key of its own. This allows it to add functionality such as extra approvals for transactions above a threshold, guardians to recover the account, and paying gas with other tokens, among others. The downside is that transactions are more expensive and some dapps do not support them.
The most used smart contract wallet is the Gnosis Safe, usually known as a multi-sig wallet. It allows you to set multiple signers, each of which can be any of the other types of wallet, which adds an extra layer of security. Gnosis Safe has been used to hold the huge treasuries of DAOs and protocols for years with no issues.
The usual flow for a transaction in Ethereum requires the user to build the transaction and append a signature produced with their private key. The transaction includes all the data needed to understand what action it will perform, the gas fees, and the signature that proves ownership of the account. Once the transaction is created, it is sent to the network so a miner (a validator in proof of stake) can include it in a block.
Signing can also be used for actions other than submitting transactions to the blockchain, for example proving ownership of an account in order to log in.
Another cool use of signatures is meta-transactions, where you sign some data related to a transaction (think of it as part of a whole transaction) and another person or company picks it up and includes it in the blockchain for you, covering the gas costs or charging a fee in another token, which improves usability for the end user (Uniswap uses this).
Ok, back to the main topic of this article, security.
Web3 criminals will do anything in their power to gain information that can be used in their favor to steal your private assets, yet the execution is always the same:
They will use a variety of tools at their disposal to do this. The most common are:
Metamask and various hot wallets store the private key encrypted on the device. Opening an infected file installs malware that sends this encrypted file to the hacker, who then only needs to guess the password or steal it from you by logging all your keystrokes. Hackers commonly target people who use Windows, as there is a way to make a file appear to be one type when in reality it is another. They can also grab your Discord session and log in with your account to scam others with the same method.
Be careful of files with hidden .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, or .wsh extensions.
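A small attachment checker, added here as an example and not code from the original post, that flags files whose real (last) extension is one of the types listed above, and separately calls out the “termsheet.pdf.scr” pattern where a harmless-looking extension is placed in front of the executable one so that Windows, with known extensions hidden, shows only the decoy. The sample filenames are constructed.

```python
import os

# The extensions the post warns about, lowercased. Extend the set (e.g. with .exe) in real use.
DANGEROUS_EXTENSIONS = {".bat", ".cmd", ".com", ".lnk", ".pif", ".scr", ".vb", ".vbe", ".vbs", ".wsh"}


def true_extension(filename):
    """The last suffix is what decides how the OS opens the file, so it is the one we inspect."""
    return os.path.splitext(filename)[1].lower()


def decoy_extension(filename):
    """The extension a user *sees* when Explorer hides the real one ('' if there is none)."""
    stem = os.path.splitext(filename)[0]
    return os.path.splitext(stem)[1].lower()


def classify(filename):
    """Return 'ok', 'executable' or 'disguised-executable' for a single filename."""
    if true_extension(filename) not in DANGEROUS_EXTENSIONS:
        return "ok"
    # A benign-looking extension in front of the real one is the hallmark of the
    # "make a file appear to be one type when it is another" trick described above.
    return "disguised-executable" if decoy_extension(filename) else "executable"


def flag_attachments(filenames):
    """Return (filename, verdict) for every file that is not 'ok'."""
    flagged = []
    for name in filenames:
        verdict = classify(name)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names, not real files.
    samples = ["artwork.png", "investment_proposal.pdf.scr", "setup.bat", "NFT Design.jpeg.lnk"]
    for name, verdict in flag_attachments(samples):
        print(f"{name}: {verdict}")
```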
Usually, when you are shown a transaction you can see all of its details; it is good practice for smart contract developers to make this data readable and verifiable by the end user.
Blind signing is when you cannot understand what you are signing. Hackers usually arrange this on purpose, so you do not see that you are sending them your assets.
Another attack vector is adding custom code to browser extensions that you will not notice, for example code that changes your clipboard (what you copy with Ctrl + C). An extension can behave normally, but when it sees that the clipboard contains an address, let’s say 0x1234…1345, it swaps it for the hacker’s address 0x5412…1231. If you are in a rush, you might not notice the change until it is too late, which is why saving addresses, double-checking on Etherscan, and using ENS are recommended.
Usually, these sites look exactly like the official ones, with a big button saying “Mint” or “Claim Airdrop”. When you hit claim, you will be presented with a blind transaction that tries to steal your assets.
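The “save the address” advice above, as an added example that is not part of the original post: a paste guard that compares whatever is about to be used as a recipient against a saved address book. It distinguishes an exact match from a lookalike that only agrees on the abbreviated 0x1234…1345 form people compare by eye, which is exactly what a clipboard swap relies on. The address book, labels and sample addresses are constructed for the example.

```python
import re

# Canonical form of an Ethereum address: 0x followed by 40 hex digits.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed address book: the label records where the address was verified.
ADDRESS_BOOK = {
    "Alice (checked on Etherscan)": "0x1234567890abcdef1234567890abcdef12341345",
}
# Constructed lookalike: same first and last four hex digits as Alice, different middle.
LOOKALIKE = "0x1234fedcba0987654321fedcba09876543211345"


def is_address(value):
    return bool(ADDRESS_RE.match(value))


def abbreviate(address, visible=4):
    """The 0x1234...1345 form wallets and explorers display; it is all most people compare."""
    return f"{address[:2 + visible]}...{address[-visible:]}"


def check_paste(clipboard, address_book=ADDRESS_BOOK):
    """Verdicts: 'verified' (exact match), 'lookalike' (matches only the abbreviated
    form of a saved entry, so treat as a suspected swap), 'unknown', or 'malformed'."""
    clip = clipboard.strip()
    if not is_address(clip):
        return {"verdict": "malformed", "label": None}
    for label, saved in address_book.items():
        if saved.lower() == clip.lower():          # full comparison, not just the ends
            return {"verdict": "verified", "label": label}
    for label, saved in address_book.items():
        if abbreviate(saved).lower() == abbreviate(clip).lower():
            return {"verdict": "lookalike", "label": label}
    return {"verdict": "unknown", "label": None}


if __name__ == "__main__":
    # A third constructed sample in the style of the hacker address in the text.
    swapped = "0x5412" + "a" * 32 + "1231"
    for sample in (ADDRESS_BOOK["Alice (checked on Etherscan)"], LOOKALIKE, swapped):
        print(abbreviate(sample), "->", check_paste(sample)["verdict"])
```

Only the "verified" verdict should let a send proceed without re-checking the full address against Etherscan or an ENS name.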
Other types of common attacks that you need to be careful of:
Some hackers are master manipulators, which does not mean that they are good at technical hacking; some cybercriminals favor the art of human manipulation. This is known as social engineering: exploiting human errors and behaviors.
This is when the attacker contacts you on any platform and poses as a legitimate institution, a person, or even someone you know.
If the hacker tricks you into believing he is legitimate, he will send you fake files such as PDFs, Excel spreadsheets, term sheets, investment proposals, design proposals, or artwork, or will try to send you to a fake website.
Sometimes these hackers steal the accounts of legitimate users to attack you, including friends, family, or celebrities, so you should always assume that the person you are talking to is a scammer (don’t trust, verify).
Hackers have bots that monitor the network in search of people asking for help and immediately respond with phishing attempts while posing as an official account. This is really common on Twitter and in Discord groups.
Another fake-support attack I have seen is getting the user on a call, making them share their screen, and then suggesting that they change the language to another one while giving instructions that trick the user into revealing their secret words, after which the attacker drains the wallet.
In bull markets, the space fills with “do this now or you will lose your chance forever” schemes. These antics are designed to generate FOMO (fear of missing out), making users stop thinking and rush to grab the opportunity. Hackers take advantage of this behavior by posting about a special token airdrop or NFT mint and then sharing a fake website that prompts users to send them their most precious NFTs instead of receiving an airdrop.
If someone asks you to act fast, 99.5% of the time it is a scam. Even if it is genuine, it is not worth the risk.
Another tool at hackers’ disposal is sending you fake tokens, which do damage when you try to sell or transfer them. Avoid at all costs interacting with tokens or NFTs whose origin you do not know.
For the final part of this article, I will share some tips and best practices to avoid getting hacked. This is not a checklist, but the more of these items you practice, the more secure your assets will be.
Not specific to crypto assets, but good practices:
There is so much more to cover regarding security, but I want to keep this post short. You can also contribute by spreading the word and sharing this post. Feel free to contact me on Twitter @Crisgarner if you think I’m missing something (or just to say hi).