Dialogue between Wang Yishi and Super Jun: How many more CeFi explosions will it take for holders to be willing to use their own wallets?
Host: Ziyu
Guests: Wang Yishi (OneKey) and Super Jun (organizer of Benmo Community)
In the latest Twitter Space event hosted by Ziyu, core contributor Wang Yishi from OneKey and Super Jun, the organizer of Benmo Community, were invited. They discussed the historical CeFi explosions and pitfalls, as well as how users should use hardware wallets to ensure the safety of their funds.
Ziyu: Let's officially start today's topic. I am Ziyu, and I am also an old investor. Today, we have invited core contributor Wang Yishi from OneKey and Super Jun, the organizer of Benmo Community. We should all be quite familiar with these two friends. To be honest, today's theme is a bit heart-wrenching: not your keys, not your coins. I mainly want to talk about how many more times CeFi has to explode before holders are willing to use their own wallets. This is also a very heavy lesson from this market turmoil.
In fact, regarding hardware wallets and wallet usage, over the years, wallet platform entrepreneurs have spent some time educating users, but it is far less profound than the education brought by the market this time. Everyone suddenly realizes how important security is to us, leading to hardware wallets selling out recently. We would like to ask the two guests to briefly share their experiences with CeFi explosions over the years and the pitfalls they have encountered.
Super Jun: Hello everyone, I am Super Jun. The biggest explosion I encountered since entering the space was Mt. Gox. That incident educated everyone; people realized that decentralization is the right path, and keeping coins on exchanges is a very risky thing. This incident triggered the withdrawal movement of that year, and Sihai is now the main advocate of the withdrawal movement. However, once a year or two passes, the pain is gradually forgotten, and the market begins to feel that exchanges are safe again. Until the recent FTX incident, which instantly awakened people's awareness of asset security.
Unfortunately, I have been on Twitter for quite a long time, and was previously active on Weibo. I feel that Twitter users are relatively young and have not experienced CeFi explosions; they do not know the dangers involved. So every time I see some KOLs on Twitter advising users to keep their coins on top exchanges, I think incidents like FTX are hard to avoid. But how far are we from cold wallets? It's actually very simple. My mother graduated from elementary school, and she can do it. She may not know what that word means, but she knows to write it down. It's that simple. Why do holders find it difficult?
It's strange that some KOLs always say hardware wallets are very difficult and advise beginners not to touch or use them. They probably do not understand the significance of hardware wallets and have never used them, thinking that everyone does not need to use them. Many people even consider MetaMask as a significant security guarantee, which is a big misconception and a major security risk.
In fact, not only large CeFi like Mt. Gox, but small CeFi incidents happen even more frequently. Some have their owners arrested, some have their websites shut down for various reasons, and some people have their life savings trapped there. It is heartbreaking to watch, while some people do not care, as the loss of others' wealth is someone else's deep pain. So the only person who truly cares about your financial security is yourself; do not trust advice that suggests you hand over your private key rights to CeFi.
Wang Yishi: Super Jun is indeed very OG. The FTX explosion is not the first time; it has happened countless times, as Super Jun just mentioned. However, telling everyone to put their coins in their own wallets is useless, no matter how many times you say it, until one day they get cut. This lesson is not an awakening; it is a regretful realization.
There seems to be an inherent resistance to the threshold of cold wallets; people feel they cannot manage cold wallets and choose to entrust their coins to a platform they consider relatively reliable. Even with so many exchanges exploding, some users still think, "This one exploded; can I switch to another?" When managing our assets, we must have this kind of psychological preparation: if you choose to entrust your assets to someone else, you must be ready for the worst outcome, which is that they may disappear for various reasons, whether due to regulation, hacking incidents, self-theft, or insolvency.
You need to be prepared; can you accept this outcome? If you cannot, then you should not do it. No matter how reliable or trustworthy they seem, when they collapse, all your previous assumptions about them become invalid. In the past week, before the FTX incident, how many people thought FTX was second only to Binance? Many, including myself, thought so because it had indeed grown too fast. But who could have predicted today's events?
So when it comes to managing your assets, you really need to put in a little effort. This effort is just a slight lift, and you can place yourself in a relatively safe position.
Using a hardware wallet is no different from using these wallets; you just need to write down those 12 words. With a hot wallet, you write them down from an app; with a hardware wallet, you write them down from the device's screen. There is no difference, so some KOLs who have never used them and do not understand them tell everyone that it is dangerous and that they should not use them, and should just keep their coins on exchanges. This behavior truly misleads people.
Another argument is that mnemonic phrases are easy to lose, so they suggest putting them in Evernote, fearing that Evernote's servers might scan them. They even go so far as to encrypt and compress them. But this kind of encryption is useless and can be easily cracked. Everyone should avoid doing this. The road to security education is long and arduous.
We need to clarify one idea: hardware wallets are a necessary path for you. Regardless of how much your assets are, you cannot measure how to manage them based on today's value. For example, if I think these coins are worth 100,000 yuan now, I can just keep them in MetaMask. But what if one day your MetaMask computer gets hacked, or your hard drive is stolen, or a Trojan virus copies your mnemonic phrase? You would completely lose a hundredfold opportunity.
There are many hardware wallets on the market to compare, so you can choose according to your preferences. A hardware wallet can be bought for just a few hundred yuan, which is only the price of a hot pot meal.
Super Jun: Actually, it's just one DeFi transaction fee.
Wang Yishi: The use of hardware wallets is a one-way door. Once you step through this door, you can no longer accept a world without hardware wallets.
DeFi whales can mine casually for millions or even tens of millions of USDT, and they dare not operate on MetaMask; what if something goes wrong?
Risk control, the core of risk control, is to avoid risks you cannot bear. Therefore, hardware wallets are a great solution; they physically isolate your assets, which is the most thorough method.
Ziyu: Wang Yishi just mentioned that there are many hardware wallets on the market, and everyone can choose according to their preferences. However, a very concerning issue for users is that many of us know nothing about this area; we do not know how to filter for safe wallets. First, to trust a wallet, one needs to overcome certain psychological barriers. So how to filter for safe wallets and how to use wallets safely is a question many people want answered.
Super Jun: Yishi has written a very powerful article; everyone can just read that article of his. (Link at the end)
Wang Yishi: Let me briefly explain how to choose a wallet. Generally, we can divide wallets into two categories: software and hardware. I think every user entering Web3 is basically a MetaMask user. MetaMask is indeed the ceiling of software wallets, with around 30 million monthly active users globally. There are many hardware wallets, such as Ledger, Trezor, and OneKey. When choosing a wallet, I think the first thing to look at is whether the wallet is open-source. Why? Because the cost of malicious behavior for open-source wallets is much higher than for closed-source wallets. If several wallets, A, B, and C, look similar and have similar functions, you may not be able to distinguish between them. At this point, you can see which one is more thoroughly open-source.
Open-source is a very, very important indicator. If a wallet has something to hide, it would not dare to be open-source. A closed-source wallet can upgrade at will and include some hidden features. Previously, there was an incident with the Slope wallet; I don't know if everyone remembers. At that time, a good investor friend asked us how that wallet was doing. I tried it and found the UI interaction quite good. But who knew that just two months later, it was revealed that it was sending users' private keys directly to the server? Can you imagine that?
So if a wallet is not open-source, it gives many companies or teams opportunities for malicious behavior, and when they do so, we cannot see it, which is very scary.
So which wallets are open-source and thoroughly so? Software wallets like Trust Wallet and MetaMask. Hardware wallets like OneKey and Trezor. Although Ledger is one of the most mainstream hardware wallets in the world, its hardware part is indeed not open-source. I am not lying to everyone; you can check its code repository; it is indeed not open-source. Of course, Ledger has its reasons for being closed-source; I won't comment on that.
So back to the earlier point about how to choose a wallet. The first thing to check is whether it is open-source. The second is subjective; generally, the coins you want to use should be supported, so the number of supported public chains is also a necessary factor.
Additionally, there are user experience aspects, including support across multiple platforms. Some wallets are only available as plugins, some only on mobile, and some only as hardware. So OneKey has created a full suite; if you prefer convenience, you can choose OneKey. As a deep user myself, I find it quite good to use.
Super Jun: I would like to add a point. Some people may prefer to use an old iPhone, download a wallet app, and then go offline to generate a mnemonic phrase. Generally speaking, this is also a good method. The only thing to note is that you must download a wallet software developed by a reputable team that truly has no vulnerabilities. This is a prerequisite; it is not that generating a mnemonic phrase offline is completely risk-free. In fact, if the wallet is malicious, it can record your mnemonic phrase in advance and deduce the order of your mnemonic phrase. This is a risk point.
Daxiong has written an article that I personally think is quite on point. We hope to take a step further, not just to persuade you to buy a hardware wallet, but to have a concept of how to truly protect your assets safely. Even in the face of CeFi explosions or other incidents, you can avoid them.
I have previously held courses teaching people how to use hardware wallets. I feel that persuading someone is really difficult; many times it relies on their own sudden realization. Preachers may be more idealistic because, in the past, the concept of cold wallets was just Bitcoin wallets, offline Bitcoin wallets, or wallets that do not connect to the internet. But now there is Ethereum, and this system is developing better and better, becoming more prosperous. Therefore, you often engage in on-chain interactions, and many people subconsciously feel that on-chain wallets must be more convenient than hardware wallets or cold wallets. However, greater convenience represents greater risk. So I require the Benmo community to use hardware wallets for DeFi; for others, I can only try to persuade them, although it is difficult to convince.
Ziyu: DeFi users have experienced or witnessed asset theft due to signatures or authorizations. Can hardware wallets prevent this situation?
Wang Yishi: No, let me clarify a concept for everyone: the only thing a hardware wallet does is store your private keys in the hardware and prevent them from leaking in any form. As for whether on-chain interactions and authorizations can be stolen, all wallets, whether hardware or software, cannot protect against this. Why? This is a design flaw in Ethereum's mechanism. How to prevent it? For example, you can use some tools to revoke authorizations. OneKey has created a website called Revoke.gg, which detects all your authorizations on EVM chains and allows you to revoke them with one click. Sometimes you may not remember what you authorized, and with one click, you can cancel everything, which helps users mitigate risks. This is actually a pretty good feature.
Another point is, some users say that if I import my MetaMask mnemonic phrase into a hardware wallet, does that make my wallet a cold wallet? My answer is: no. Why? Because your MetaMask mnemonic phrase is generated on the software side. Wallets generated on the software side are essentially hot wallets. The generation process must be completed offline in the hardware to be considered a cold wallet.
If you complete it on the hot side, it is like you cooked a meal at home and then took it to the restaurant to sell; it is generated in a hot wallet environment, including the way its random numbers are generated, which is different from cold wallets, especially in environments like browser plugins where there are many uncontrollable factors.
Many people install a plugin, create a wallet, copy the mnemonic phrase, paste it into a local document or note-taking software, and think they are done. At this point, your mnemonic phrase is already in your computer's operating environment. You cannot be sure; for example, if you installed something like Sogou or Baidu, congratulations, you are done for. As long as these input methods have internet access, they will upload everything in your clipboard. Even if they do not do it, can you guarantee that the people working in those companies who can read the backend service logs will not do it? You cannot guarantee that.
So I want to emphasize two points. The first point is: can hardware wallets prevent Ethereum authorization attacks? The answer is no; not only can hardware wallets not do it, but no wallets can. However, you can use tools like Revoke.gg or Revoke.cash to clean up your authorizations in a timely manner.
The second question is: if I create a mnemonic phrase on a hot wallet and import it into a hardware wallet, is it still cold? No.
Super Jun: Let me add a point: the first principle is to separate the coin-holding wallet from the DeFi wallet.
The second principle is that it is best to use one address for each mine. When you mine, use one address. This is where using a hardware wallet has an advantage; you can easily create another address in one second because it can be the same set of mnemonic phrases. Even if that address has risks, it will not transfer to other addresses or other chains.
The third principle is that it is best to change to a new address. However, if you have addresses that have long-term on-chain relationships, such as lending relationships, you cannot remove them in a short time. Therefore, you can periodically clean up your authorization status. As Daxiong mentioned earlier, OneKey also has a website that can automatically detect and clear authorizations, which is quite convenient.
Another important point is to avoid mining interests that you do not understand. For every mine you dig, you need to know where the interest comes from. There are always some high-yield opportunities, but you do not know how they come about. How did FTX's 5% come about? No one can explain it clearly. Generally, when it cannot be explained clearly, you are likely the source of the interest. If you can do this, you can avoid over 95% of the pitfalls.
Wang Yishi: I want to say that based on what Super Jun just said, do not think that using this wallet is complicated, requiring address isolation and revoking authorizations. Can’t I just put my coins there and interact normally without any issues? I tell you, that does not exist. If it did, where would it be? It would be on FTX. You have seen the results of FTX.
Many things in this world, many people say we need to solve pain points, and users managing their own assets is too difficult. We need to create NPC wallets or whatever. I tell you, every shortcut you take to avoid this pain will come back to you one day.
You say you do not want to engage in DeFi; it is too complicated. You do not want to hold your own private keys; it is too complicated. But you want to earn interest, so you put your coins in FTX because it looks good. Congratulations, you have now lost everything. If one day you truly learn that the private keys or mnemonic phrases in my hands mean that this wallet is mine, then congratulations, you have truly transitioned from Web2 to Web3.
Wang Yishi: For large assets, I only trust hardware wallets; offline mobile devices cannot replace the use of hardware wallets. Hardware wallets can be friends with time, while top exchanges change too quickly over time.
Super Jun: There is no such thing as a company that is too big to fail in this industry.
Ziyu: What if a hardware wallet, being an electronic product, gets damaged? What if the hardware wallet company goes bankrupt?
Wang Yishi: If the company goes bankrupt, it does not matter; if the wallet is broken, it is broken. You can import it into another wallet and recover it.
It is very normal for companies to go bankrupt. The success rate of startups is only about 10%, right? There is a statistic that says the average lifespan of startups worldwide is two and a half years. Just two and a half years! Think about how many companies go under in one or two years. This brings us back to why you should keep your assets in a hardware wallet where you control the private keys: because the form of mnemonic phrases or private keys is universal.
For example, if you think Ledger is particularly good and will not go bankrupt, the actual result is that even if it goes bankrupt, it does not matter. You can import its private keys into OneKey. If OneKey has an issue, it does not matter; later, there will still be TwoKey, ThreeKey, and so on. There will always be a way. It is not like exchanges; if they go down, they really go down. Your coins will truly be gone, and you cannot get them back.
Ziyu: This is also the theme of today: Not Your Keys, Not Your Coins.
Super Jun: I want to emphasize that mnemonic phrases must not be stored online. As far as I know, there are several companies that specialize in this business. They may be like the treasure hunters of the past, searching for treasure maps. They are a professional team that specifically scours the internet for mnemonic phrases and searches for mnemonic phrase information stored on personal computers. Their search capabilities are quite strong, scanning the internet daily for similar mnemonic phrases and automatically identifying them. Your personal computer is also frequently breached, allowing them to obtain your mnemonic phrases.
Wang Yishi: I advise everyone to be cautious with various cloud storage services. Every day, there are numerous machines scanning for private keys on GitHub repositories. I know that many people have accidentally uploaded their private keys to GitHub, and the next second, they are gone. It happens very quickly; it is all automated, not manual.
So, be very careful with those cloud storage services. Do not be clever and think you can store your mnemonic phrases in a local TXT file or some other file, encrypt it with compression software, and set a password, like your birthday.
Super Jun: Regarding mnemonic phrases, I recommend the titanium plate that OneKey recently released for storing them.
I think this is a relatively good method, but there are many details to discuss, such as where to place this plate when going through security checks, how to back it up, and many other things to talk about.
Ziyu: We can open another session to discuss mnemonic phrases.
Wang Yishi: Do not store mnemonic phrases online. Next time, we will talk about how to store mnemonic phrases.
Ziyu: Today, we initially planned for a 30-minute discussion, but we have talked for 70 minutes. Thank you very much to Wang Yishi and Super Jun for their sharing, and thanks to OneKey for providing such a great product for everyone. I hope all the listeners present today will not find themselves in a future CeFi explosion incident, and that we can all live long and safely in the crypto space. Remember the key point we discussed today: Not Your Keys, Not Your Coins.
Wang Yishi's article: Guide to Safe Internet Access https://yishi.io/guide-to-safe-access-internet/