NFT security, hardware wallet is not the solution

TLDR: 

  1. use a hardware wallet for storage
  2. do not connect hardware wallet to DApps
  3. transfer only the NFT you need to use from a hardware wallet to a hot wallet
  4. keep your recovery seed phrase safe in physical form only
  5. never export the private key of any wallet 

or

  1. Use DoubleWeb3

Wallets are usually safe, websites are always dangerous

Although NFTs are stored on the blockchain, that doesn't mean your digital assets can't be stolen. NFTs have been stolen many times before in the following ways:

  1. Wallet hacks: the hacker obtains the private key of the victim's wallet (seed phrase, QR code, exported private key, etc.)
  2. Phishing: websites that connect the victim's crypto wallet to the hacker's smart contract

These two cases can be categorized as storage risk and usage risk, and the latter is far more common in NFT hacks. Hence, we need an NFT security solution that prevents phishing-based theft.

This article will walk through the best practice for NFT storage and usage; after that, we will analyze the disadvantages of the current approach and propose our innovative solution, DoubleWeb3.

How to store your NFT, and how to use it

The safest place to store your NFT is an air-gapped hardware wallet.

Air-gapped describes a device that is completely isolated from any form of connection. By connection, we mean anything that links the device to another device or to the internet, such as USB, Bluetooth, WiFi, cellular, or NFC. An air-gapped device is fully isolated and is never connected to anything.

This is not the perfect solution, but this is by far the safest option.

After setting up an air-gapped hardware wallet, you need to prepare a hot wallet for daily use. It is also essential to rotate your hot wallet from time to time to limit the damage if its private key leaks.

Use your hardware wallet to store the NFT that won't be frequently used. If you need to sign anything with a wallet that holds the NFT, transfer the NFT to a newly generated hot wallet, and use it to sign those transactions. If you accidentally sign a malicious transaction, you will lose everything from your newly generated hot wallet while keeping everything else safe.

The myth of the hardware wallet

Many people have a common misconception; they think a hardware wallet works like a vault that "protects" the NFTs stored inside. A hardware wallet cannot protect you from phishing; if you sign a malicious transaction with your hardware wallet, you will lose everything in that wallet.

A hardware wallet can only prevent the storage risk, but it cannot prevent the usage risk. The best practice that combines hardware and hot wallet can mitigate the loss of phishing hacks. Still, it cannot prevent it from happening.

Why we cannot use cold storage

NFT holders sometimes have to sign a message or transaction using the wallet that holds their NFT. Take Twitter as an example: we can now verify NFT ownership with our wallet. We can expect more and more NFTs to be used for verification in social media, games, and other web services as web3 prevails. In this case, we cannot simply air-gap our NFT wallet; otherwise, our NFTs would have no utility at all.

The dilemma is that a hardware wallet cannot really protect your NFTs unless you never connect your wallet to any web3 service. But if you keep your NFTs air-gapped, you cannot use them.

A balance of usability and security - Double identity

If we can separate the ownership and usability of our NFTs, we can keep our NFTs safe without sacrificing their usability. Store the ownership part of your NFT in a hardware wallet, keeping the usable part in a hot wallet.

How can that be done? We can use @doubleWeb3

We have built an NFT security solution to separate the ownership and usability of our NFTs by creating a 'double' of NFTs. The created double stores all the metadata of the original NFT. It can be re-minted and remotely destroyed by the wallet that holds the original NFT through our smart contract anytime.

Take BAYC#1579 as an example. Assume you are the owner of BAYC#1579, and it is stored in the hardware wallet now:

Steps:

  • Transfer your BAYC#1579 from the hardware wallet (wallet A) to a newly generated hot wallet (wallet B) on MetaMask
  • Connect wallet B to doubleWeb3
  • Mint a double of BAYC#1579
  • Transfer BAYC#1579 back to wallet A
  • Transfer the double of BAYC#1579 to your daily-use wallet (wallet C)
  • Connect wallet C to DApps to play blockchain games.
  • Use it to get a verified role in Discord or Twitter.
  • If one of the smart contracts you connected to tricks you into signing a malicious transaction, the hacker steals your double.
  • Transfer your BAYC#1579 from wallet A to wallet B
  • Connect wallet B to the doubleWeb3 smart contract
  • Destroy the old 'double' and re-mint a new one
  • Transfer BAYC#1579 back to wallet A
  • Transfer the new double to a new wallet (wallet D)
  • Connect wallet D to DApps and use it as usual
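The mint/destroy gating that the steps above rely on, sketched as an added illustrative Solidity contract. This is not DoubleWeb3's own contract (the page does not show its interface); it assumes an OpenZeppelin ERC721 base and the wallets A, B and C from the steps. The security-relevant check is the onlyOriginalHolder modifier: minting and destroying are gated on current ownership of the original, so a stolen double can be burned remotely while the original never touches a DApp.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {ERC721, IERC721, IERC721Metadata} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Illustrative "double" token (not DoubleWeb3's own contract): one double per
// original (collection, tokenId); only the wallet currently holding the
// original may mint or destroy its double.
contract DoubleNFT is ERC721 {
    struct Original { address collection; uint256 tokenId; }
    uint256 public nextId = 1;
    mapping(uint256 => Original) public originalOf; // doubleId -> original
    mapping(bytes32 => uint256) public doubleOf;    // key(original) -> doubleId, 0 = none

    constructor() ERC721("Double", "DBL") {}

    // Gate on *current* ownership of the original, which the steps above
    // keep in hot wallet B only while minting or destroying.
    modifier onlyOriginalHolder(address c, uint256 id) {
        require(IERC721(c).ownerOf(id) == msg.sender, "not original holder");
        _;
    }

    // Mint the double straight to the daily-use wallet C.
    function mintDouble(address c, uint256 id, address to)
        external onlyOriginalHolder(c, id) returns (uint256 doubleId)
    {
        bytes32 k = keccak256(abi.encode(c, id));
        require(doubleOf[k] == 0, "double exists, destroy it first");
        doubleId = nextId++;
        doubleOf[k] = doubleId;
        originalOf[doubleId] = Original(c, id);
        _mint(to, doubleId);
    }

    // Burn the double wherever it sits now, e.g. in a phisher's wallet.
    function destroyDouble(address c, uint256 id) external onlyOriginalHolder(c, id) {
        bytes32 k = keccak256(abi.encode(c, id));
        uint256 doubleId = doubleOf[k];
        require(doubleId != 0, "no double");
        delete doubleOf[k];
        delete originalOf[doubleId];
        _burn(doubleId);
    }

    // The double carries the original's metadata, so DApps see the same art.
    function tokenURI(uint256 doubleId) public view override returns (string memory) {
        Original memory o = originalOf[doubleId];
        require(o.collection != address(0), "no such double");
        return IERC721Metadata(o.collection).tokenURI(o.tokenId);
    }
}
```

A service that accepts doubles for verification should resolve originalOf(doubleId) on this contract and check that the double still exists, since a destroyed double must stop granting the role.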

If you are interested to know more, you can read our white paper.

If you are the owner of an NFT project, you can also find us on Discord (double#6575) or Twitter. DoubleWeb3 is a free service, and we provide free integration support to NFT projects.

This entry has been permanently stored onchain and signed by its creator.