Updated 4/28/2022: added “Bookmark Frequently Used Sites” section
Keeping your funds secure is an ongoing process that requires regular attention and action. Wallets should be disconnected from dapps and websites you are not currently using, and permissions should be revoked for projects you’re no longer invested in. Use separate wallets for holding, DEX trading, and yield farming. If you have high value NFTs, they should be held in separate wallets as well. Never store funds on a CEX or any other custodial wallet, and never, under any circumstances, give out your seed phrase or private key.
Crypto assets like tokens and NFTs are stored on their respective blockchains. Wallets hold the keys that give you access to those assets, allowing you to interact with them. For web3 websites and dapps, wallets also act as login credentials, allowing you to access your account in lieu of (or sometimes in conjunction with) entering a username and password. If you lose control of your wallet or private key/seed phrase, you lose control of your assets and web3 accounts. Needless to say, keeping your wallet safe should be a top priority.
As with everything in crypto, understanding your own threat model is important here. Somebody holding 7-8 figures in crypto and multiple NFTs worth hundreds of ETH each has a very different threat model than someone who put a few dollars into Coinbase because of a Super Bowl ad. What follows are tips and best practices for keeping your wallet and keys secure. You decide, based on your own threat model and risk tolerance, what steps are appropriate for you to take.
Every crypto account has two 256-bit keys associated with it: a public key which allows the account to receive funds, and a private key which allows it to send funds. The account’s address (0x…. on most chains) is simply a hash of its public key. So, knowing a wallet address only gives someone access to send funds to it, not withdraw funds from it. To withdraw funds, you need the private key, or its seed phrase.
Basically, the seed phrase is a 12-24 word passphrase that a wallet can use to derive the account’s private key. The only time you will ever have to enter your seed phrase is if you are importing an existing account into a wallet. For example, if you use the mobile-based TrustWallet and you get a new phone, you will have to download the TrustWallet app and enter your seed phrase to import your account. Same thing if you use a browser-based wallet like Metamask, and want to import a new account.
You will never have to enter your seed phrase for tech support, connecting to a website, entering a giveaway, using a CEX/DEX, or anything else other than to import an account into a wallet.
Here are some tips for keeping your seed phrase secure:
Every time you connect your wallet to a website or dapp, it will usually stay connected until you explicitly disconnect it. It’s generally good practice to disconnect your wallet from any site you’re not actively using, in case the site is compromised by bad actors. Think of it this way: the more places that you’ve given permission to access your wallet, the more directions bad actors could attack you from. For most wallets, you can view the connected sites in the account settings.
When connecting to a site, pay close attention to the permissions it’s asking for:
Malicious sites or dapps can ask for unlimited access to your funds, effectively allowing them to drain everything from your wallet once you connect. In the example above, PancakeSwap is asking to view my address/funds/history (which is all publicly available on a block explorer) and to suggest transactions to approve. If a site or dapp is requesting permission to access or spend your funds directly, it is likely a malicious site.
Similar to connected sites, you must explicitly give permission for your wallet to interact with any smart contracts, most often to buy and sell tokens. This permission remains in effect until you revoke it. Sites like UnRekt can help scan for your current allowances, as can tools available on most blockchain explorers. If you are no longer invested in a token, or you invested in a token that turned out to be a scam, it’s best to revoke allowances from that contract as soon as possible.
Be aware, revoking allowances is a transaction that you’ll have to pay a gas fee for, so if you’re doing so on networks like Etherium that tend to have high gas fees, you may want to wait until gas fees are low before revoking permissions.
You can find allowance checkers for their respective chains here:
Centralized exchanges (CEXs) like Coinbase and Binance use non-custodial wallets to handle users' funds. That is, your funds are stored in a wallet that you don’t own. You do not have the private key or seed phrase for the wallet your funds are in, which means you do not ultimately control them. As the popular saying goes: no keys, no cheese.
CEXs are generally safe to use, but are regular targets for hackers, so funds should not be stored on them long-term. If you are going to use a CEX, transfer funds in, execute your trades, then move funds back out to a wallet that you have full control over.
You never want to have all your eggs in one basket - if you hold all of your assets in a single wallet and it gets compromised, you lose everything. On most popular wallets, you can make new accounts with just a few clicks or taps, so take advantage of that. Have one wallet (ideally a hardware wallet) for long-term holds, one for trading on decentralized exchanges (DEXs) like PancakeSwap and Uniswap, and one for riskier degen plays. If you own high-value NFTs, consider holding each one in their own wallet, or holding them in one wallet but use a separate one for trading them. The same goes for important web3 accounts - have a wallet dedicated to each one.
Much like diversifying your investment portfolio, you want to diversify where and how your assets are held. Every time you connect to a site, interact with a smart contract, or execute a trade, you are exposing yourself to some level of risk. So at the very least, you should have separate wallets for holding and trading.
Trading sites like PancakeSwap, TraderJoe, and dapps associated with popular projects are common targets for phishing attempts. A copycat site with a similar URL and identical (or nearly so) layout is set up in hopes that people will connect their wallets, allowing the scammer to drain its assets. As an added layer of security, bookmarking regularly used sites gives you a visual indication that you’re in the right place. The “Name Spoofing” section of this post goes over some ways the URL of a phishing site might be disguised.
For those that want a extra layer of security, consider having a separate computer dedicated to crypto, and nothing else. This device should not be used for social media, general web browsing, gaming, or anything else outside of conducting crypto transactions. It should not be signed in to any Google, iCloud, or other personal accounts either, unless you have a dedicated crypto account with those services that is not linked to your personal accounts. Always use a VPN when going online, and never do so on public Wi-Fi.
Essentially, you want a firewall between your personal and crypto-related activity, so if any of your personal accounts or devices are compromised, your crypto assets won’t be at risk.
Your wallets, and the seed phrases that allow access to them, are the most important things to secure in crypto. How you choose to secure them is up to you, and should be based on your own threat model and risk tolerance. That said, some of these measures are trivial to do, and will greatly increase your security. If nothing else, disconnect from sites and dapps when you are done with them, don’t leave funds on a CEX, and use separate wallets for holding and trading. If a wallet is somehow compromised, at least the losses won’t be absolute.
Have a question, comment, tip, inside info, or anything else? Email KnowYourCrook@ProtonMail.com