by 0xSong and impossiblehodl from Impossible Research 2021.12.14
With a lot of hacks happening recently, and many of them getting progressively more sophisticated, we felt it was necessary to highlight the importance of web3 security measures. After some discussions internally and with the help of our friends and partners, we believe taking the following actions is the minimum necessary for everyone living in web3. As such, we're releasing this article, which covers quite an array of security measures to make your experience in web3 as smooth as possible.
[This is general guidance and what we see as market best practices based on our experience only. You should form your own view based on your circumstances and formulate your own safeguards.]
Let's start with some basics:
Saving passwords in Chrome or Firefox is NOT safe because they can be easily compromised. A password manager ensures that every password is different, so a breach of one site leaves the rest of your accounts significantly less vulnerable. Some of the popular password managers used by our team are 1Password and LastPass; some also mentioned Bitwarden. A manager also makes tracking long and complex passwords far easier, since you only need to memorize the master password.
Once you've secured all your passwords, you should also secure your password manager by using two-factor authentication (either via OTP such as Google Authenticator or hardware solutions like Yubikey). Password+2FA is the minimum necessary for everything, EVERYTHING!
It's also recommended to have more than one Yubikey so that if anything happens to one, the other can be used as a failsafe. SMS is not recommended because it can be compromised easily, or your phone may be lost.
Here is a how-to guide on yubikey: https://www.wired.com/story/how-to-use-a-yubikey/
It is recommended to use different account login credentials on different platforms to avoid one compromised system leading to others.
Google Voice and Phoner are commonly used services for generating phone numbers. Firefox Relay can be used to generate email addresses (it is compatible with other browsers).
Tips on privacy: anonymize your email addresses for accounts that you want to stay anonymous. Most password managers support tagging and notes for each email account, so you can keep track of which account is being used where.
One more thing about security: when you are working outside or using an unsecured wi-fi network, you are greatly exposed to theft of personal information and other malicious activity. Using a VPN service whenever possible is therefore vital, because it makes it harder for others to see what you are doing and target you for an attack. Some of the most recommended ones are ProtonVPN and Mullvad VPN.
Now we move to the world of web3:
Metamask allows you to create multiple accounts; use this not just for farming airdrops but also for splitting tokens across different wallets. Additionally, having multiple wallets with different seeds secures your funds even further. By using different wallets for NFTs, degen plays, and long-term holds, you'll feel a lot safer when entering a new farm.
It is also best to avoid using the same wallet on different chains, as it increases your risk of being compromised. Lastly, as an added measure, set a recurring calendar reminder to migrate wallets if you want to be extra safe (just watch out for gas fees, as this can get quite gas-intensive).
Metamask approval hygiene: this is VERY important if you are frequently ape-ing into something you do not know well or are skeptical about. The best practice is to limit the spending amount AND revoke these contracts once you've stopped using them. This might cost some gas in the short term, but it will be beneficial from a wallet hygiene perspective in the long run. This even extends to protocols that have been audited or are "safe": hacks happen all the time, and there's nothing wrong with being more cautious about your own funds!
Here are some sites that can help you with it: https://revoke.cash/ or https://debank.com/ or https://etherscan.io/tokenapprovalchecker. DeBank is probably the most user-friendly: all you have to do is paste your address and look for a section called Approval. Once you're in that section, it's as simple as clicking "Decline".
Finally, signing and approvals are probably the trickiest to verify, but more often than not, checking whether a contract is verified and whether its activity looks legitimate is a strong indication of whether the contract is safe to approve.
CryptoCat also has a good thread about it here: https://twitter.com/CryptoCatVC/status/1466380960648380419?s=20
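What the approval checkers above do under the hood is read each token's `allowance(owner, spender)` and, when you click revoke, send `approve(spender, 0)` to the token contract. The following is an added example (not code from the original post or from any of the tools it links) that builds exactly that calldata with the standard ERC-20 function selectors and flags which approvals are worth revoking: unlimited ones, and ones larger than the balance the wallet actually holds. All addresses, allowances and balances in it are constructed placeholders.

```python
# Added example: ERC-20 approval review and revoke calldata, offline.
# The two 4-byte selectors are the standard ERC-20 ones (first 4 bytes of
# keccak256 of the signature); hard-coded so no keccak library is needed.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
UINT256_MAX = (1 << 256) - 1                    # what "unlimited" approvals use


def _address_word(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    hexpart = addr[2:] if addr.lower().startswith("0x") else addr
    raw = bytes.fromhex(hexpart)
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw.rjust(32, b"\x00")


def _uint256_word(value: int) -> bytes:
    """ABI-encode an unsigned integer as a 32-byte big-endian word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender), sent as an eth_call to the token."""
    return "0x" + (ALLOWANCE_SELECTOR + _address_word(owner) + _address_word(spender)).hex()


def decode_uint256(return_data: str) -> int:
    """Decode the single 32-byte word that allowance() returns."""
    raw = bytes.fromhex(return_data[2:] if return_data.startswith("0x") else return_data)
    if len(raw) != 32:
        raise ValueError("expected exactly one 32-byte word")
    return int.from_bytes(raw, "big")


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the revoke transaction sent to the token."""
    return "0x" + (APPROVE_SELECTOR + _address_word(spender) + _uint256_word(0)).hex()


def flag_approvals(approvals):
    """Given (token, spender, allowance, balance) rows, return the revoke
    transactions worth sending, with the reason each was flagged."""
    todo = []
    for token, spender, allowance, balance in approvals:
        if allowance == 0:
            continue                      # already revoked, nothing to do
        if allowance == UINT256_MAX:
            reason = "unlimited"          # spender may drain any future balance
        elif allowance > balance:
            reason = "exceeds balance"    # more than you hold: tighten it
        else:
            continue                      # bounded and covered: leave it
        todo.append({"to": token, "data": revoke_calldata(spender), "reason": reason})
    return todo


# Constructed sample: (token contract, spender contract, allowance, wallet balance).
SAMPLE_APPROVALS = [
    ("0x" + "01" * 20, "0x" + "11" * 20, UINT256_MAX, 500),  # unlimited -> revoke
    ("0x" + "02" * 20, "0x" + "22" * 20, 10_000, 250),       # allowance > balance -> revoke
    ("0x" + "03" * 20, "0x" + "33" * 20, 100, 1_000),        # bounded and covered -> keep
    ("0x" + "04" * 20, "0x" + "44" * 20, 0, 1_000),          # already revoked
]

if __name__ == "__main__":
    for tx in flag_approvals(SAMPLE_APPROVALS):
        print(f"{tx['reason']:>15}: send to {tx['to']} data={tx['data']}")
```

In practice the allowance rows come from `eth_call` with `allowance_calldata` (decoded by `decode_uint256`), and each flagged entry is a normal transaction from your wallet to the token contract with that `data`; that is the same transaction the "Decline" button on DeBank or revoke.cash asks you to sign, so the gas cost is the same either way.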
Use hardware wallets whenever possible. If the value you're holding starts to become substantial throughout the bull run, you should definitely consider a hardware wallet. As it gets progressively bigger, more cold wallets will be needed to split these funds. This is paramount for security because it adds another layer of protection from malicious activity. It goes without saying that your seed phrases should always be offline, never on your PC, especially if it's one that constantly interacts online.
How to back up seed phrases offline: do not use paper (it's not durable); instead use metal sheets (e.g. Cryptosteel). Furthermore, splitting up your seed phrase can also be a good alternative. However, no matter what medium you choose for your seed phrases, it should always be stored in a safe location.
The most commonly used hardware wallets are available from Trezor and Ledger but there isn't an industry standard. NEVER BUY A SECONDHAND HARDWARE WALLET!
Social Engineering related:
Some of the recent hacks are related to files carrying viruses. Combined with social engineering, these attacks are very difficult to detect and prevent. For anyone looking at project decks on a daily basis, consider getting a dedicated machine (or tablet) just for opening and reading these files.
To be extra safe, use virtual machines to open files and periodically create new ones.
Last but not least, always beware when clicking on a link to open a web3 site. Links can easily be redirected, even if the link ultimately opens the correct website. When entering a web3 site for the first time, confirm the URL with the project's Twitter account or via the URL provided on Coingecko; official Discord servers or Medium pages can do the trick as well. Once the URL is confirmed, bookmark it: the next time you open the website it should show up as already bookmarked, and keeping all your previously verified sites in a single bookmark folder makes them much easier to navigate.
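The bookmark habit above amounts to an allowlist of hostnames you have verified out of band. As an added example (not part of the original post), here is that check in code: it compares a URL against a constructed allowlist of confirmed hosts and reports why a URL should not be trusted, covering the common tricks of a trusted name embedded in a longer host, credentials before the `@`, punycode labels, and confusable-character twins. The hostnames are placeholders, and the confusable table is a small heuristic, not a complete homoglyph list.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for your bookmarks: hosts you already
# confirmed via the project's Twitter, Coingecko page or official Discord.
# Placeholder names, not real projects.
TRUSTED_HOSTS = frozenset({"app.example-dex.org", "example-dex.org"})

# Visual substitutions commonly seen in lookalike domains, mapped back to the
# character they imitate. Deliberately small; a heuristic, not a standard.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def _normalize(host: str) -> str:
    """Collapse confusable sequences so twins compare equal to the real name."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def check_web3_url(url: str, trusted=TRUSTED_HOSTS) -> list[str]:
    """Return the reasons a URL should not be trusted blindly.

    An empty list means the host exactly matches a confirmed bookmark over
    https. Anything else is a reason to stop and re-verify before signing.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")   # hostname is lowercased by urlsplit
    problems = []
    if parts.scheme != "https":
        problems.append("scheme")        # plain http or something odd
    if "@" in parts.netloc:
        problems.append("userinfo")      # https://trusted.org@evil.example/ style disguise
    if host in trusted:
        return problems
    problems.append("unknown-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode")      # IDN label, the classic homoglyph vector
    norm = _normalize(host)
    for t in trusted:
        # trusted name embedded in a longer host (app.trusted.org.evil.example)
        # or a confusable-character twin (app.exarnple-dex.org)
        if t in host or _normalize(t) == norm:
            problems.append(f"lookalike:{t}")
    return problems


if __name__ == "__main__":
    for u in ("https://app.example-dex.org/swap",
              "http://app.example-dex.org/",
              "https://app.example-dex.org.evil-site.example/",
              "https://app.exarnple-dex.org/"):
        print(u, "->", check_web3_url(u) or "ok")
```

The important property is that an exact match on a confirmed host is the only outcome that returns an empty list; every approximation, however close it looks, is a reason to go back to the project's official channel and re-check before connecting a wallet.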
We expect the web3 space to become even more sophisticated in the future, but currently, these are some of the practices that will help you stay on top of everything. So, stay vigilant and ape safely!
Finally, a big shoutout to friends of Impossible Finance who contributed <3
Please review the Disclaimers, Terms and Risks for the legal notices of this document, its content, and its risk factors. In particular, you should Do-Your-Own-Research (DYOR) before any investments, and note the risks relating to forward-looking statements as set out in this document.
Trading and/or generally investing in any cryptocurrency involve significant risks and can result in the complete loss of your capital. You should not invest more than you can afford to lose and you should ensure that you fully understand the risks involved. Before investing, please consider your level of experience, objectives, and risk tolerance, and seek independent financial and legal advice if necessary. It is your responsibility to ascertain whether you are permitted to use the services of Impossible Finance based on the legal and regulatory requirements of your country of residence and/or applicable jurisdiction(s).