Scan to download
Home
Article
Flash
Token Unlock
Hot Projects
Specials
Columns
ETF
Knowledge Base
Calendar
Activity
Tools

Cryptocurrency Anti-Hacking Guide: Multiple Measures to Protect Personal Assets

Deep Tide TechFlow
2024-08-16 22:54:18
Collection
Don't be the one who is forced to learn about security after losing everything or a significant amount of assets.

Original Title: 《How To Never Get Rugged In Crypto Again》

Author: INSIGHTFUL

Translation: Shenchao TechFlow

Disclaimer

This guide does not guarantee any content and is not written from the perspective of "crypto or cybersecurity experts," but rather is the result of continuous learning from multiple sources and personal experiences.

For example, when I first entered this field, I was deceived by scams (fake live streaming scams and fake MEV bot scams) due to fear of missing out (FOMO) and greed, which is why I took the time to seriously learn, set up, and understand security.

Do not be the person who is forced to learn about security after losing everything or a significant amount of assets.

Hacking or User Error?

All types of "hacks" or compromises involving wallets, tokens, or NFTs can generally be divided into two categories:

  • Abuse of previously granted token approvals.
  • Leakage of private keys or mnemonic phrases (usually occurring with hot wallets).

Token Approvals

Token approvals essentially grant permission for smart contracts to access and move specific types or amounts of tokens in your wallet.

For example:

  • Granting OpenSea permission to move your NFTs so you can sell them.
  • Granting Uniswap permission to use your tokens for swaps.

As background information, essentially everything on the Ethereum network, except ETH, is an ERC-20 token.

One feature of ERC-20 tokens is the ability to grant approval permissions to other smart contracts.

If you want to engage in core DeFi interactions (like swapping or bridging tokens), these approvals are necessary at some point.

NFTs are respectively ERC-721 and ERC-1155 tokens; their approval mechanisms are similar to ERC-20 but apply to NFT markets.

The initial token approval prompt from MetaMask (MM) provides several pieces of information, the most relevant being:

  • The tokens you are granting approval for
  • The website you are interacting with
  • The smart contract you are interacting with
  • The ability to edit the amount of token permissions

In the full details dropdown menu, we see an additional piece of information: the approval function.

All ERC-20 tokens must have certain features and attributes outlined by the ERC-20 standard.

One of these is the ability for smart contracts to move tokens based on the amount approved.

The danger of these approvals is that if you grant token permissions to a malicious smart contract, your assets could be stolen or drained.

Unlimited vs. Custom Limit Approvals (ERC-20 Tokens)

Many DeFi applications will prompt you for unlimited approvals for ERC-20 tokens by default.

This is done to improve user experience, as it is more convenient and saves time and gas fees by not requiring potential additional approvals in the future.

Why Is This Important?

Allowing approvals for an unlimited number of tokens can put your funds at risk.

Manually setting token approvals to a specific amount can limit the maximum number of tokens that the dApp can move without signing a new larger approval.

This reduces your risk if the smart contract is exploited. If you grant unlimited approval to a dApp and that dApp has a vulnerability, you could lose all the approved tokens from the wallet that holds those assets and granted that approval.

For example, the Multichain WETH (WETH is the ERC-20 token wrapped version of ETH) has encountered such a vulnerability.

This commonly used bridge was attacked due to the abuse of previously granted unlimited token permissions, resulting in user funds being stolen.

Here is an example (using the Zerion wallet) showing how to change the default unlimited approval to a manual approval.

NFT Approvals

setApprovalForAll is used for NFTs.

This is a commonly used but potentially dangerous approval, typically granted to trusted NFT markets when you want to sell an NFT.

This allows the market's smart contract to transfer your NFTs. Therefore, when you sell an NFT to a buyer, the market's smart contract can automatically move the NFT to the buyer.

This approval grants access to all NFT tokens of a specific collection or contract address.

This can also be exploited by malicious websites or contracts to steal your NFTs.

Examples of Malicious Actors Abusing setApprovalForAll

A classic example of "wallet account shrinkage" in the case of FOMO free minting is as follows:

  • The user visits a malicious website they believe to be legitimate.
  • When they connect their wallet to the site, the site can only view the contents of the wallet.
  • However, the malicious site scans for the highest value NFTs in the wallet and prompts the user to "set approval for all" for that NFT's contract address from MetaMask (MM).
  • The user thinks they are minting an NFT, but they are actually granting the malicious contract permission to move those tokens.
  • Subsequently, the scammer steals the tokens and liquidates them into bids on OpenSea or Blur before the items are marked as stolen.

Signatures and Approvals

Approvals require gas fees because they involve transaction processing.

Signatures do not require gas and are typically used to log into dApps to prove your control over that wallet.

Signatures are usually low-risk operations but can still be used to exploit previously granted approvals to trusted sites like OpenSea.

For ERC-20 tokens, you can also modify your approvals through gasless signatures, as functionality allowing this has recently been introduced on Ethereum.

You can see this when using decentralized exchanges (DEX) like 1inch.

Key Points on Token Approvals

Be cautious when granting any approvals, ensuring you know which tokens you are approving and for which smart contract (which can be checked via etherscan).

Limit your approval risks:

  • Use multiple wallets (approvals are wallet-specific) ------ do not sign approvals for your vault or high-value wallets.
  • Ideally, reduce or completely avoid granting unlimited approvals for ERC-20 tokens.
  • Regularly check and revoke approvals via etherscan or revoke.cash.

Hardware / Cold Wallets

Hot wallets connect to the internet through your computer or phone, with keys and wallet credentials stored online or locally in your browser.

Cold wallets are hardware devices where keys are generated and stored in a completely offline state, physically close to you.

Considering that a Ledger costs about $120, if you have over $1000 in crypto assets, you should consider purchasing and setting up a Ledger. You can connect the Ledger wallet to your MetaMask (MM) to enjoy the same functionalities as other hot wallets while maintaining a certain level of security.

Ledger and Trezor are the most popular choices. I prefer Ledger because it has the best compatibility with browser wallets (similar to Rabby and MM).

Best Practices When Purchasing a Ledger

Always buy from the official manufacturer's website and never from eBay or Amazon ------ it may be tampered with or preloaded with malware.

Ensure that the packaging is sealed when you receive the item.

When setting up the Ledger for the first time, it will generate a mnemonic phrase.

The mnemonic phrase should only be written on physical paper or, in the future, on a steel plate to ensure your mnemonic phrase is fireproof and waterproof.

Never take a photo of or input the mnemonic phrase on any keyboard (including your phone) ------ this digitizes the mnemonic phrase, making your cold wallet an insecure hot wallet.

Crypto assets are not stored on the hardware wallet but "in" the wallet generated by the mnemonic phrase.

The mnemonic phrase (12-24 words) is everything and must be protected and secured at all costs.

It provides complete control and access to all wallets generated under that mnemonic phrase.

The mnemonic phrase is not device-specific; you can "import" it into another hardware wallet as a backup (if needed).

If the mnemonic phrase is lost or damaged, and the original hardware wallet is also lost, damaged, or locked, you will permanently lose access to all assets.

There are various methods for storing mnemonic phrases, such as splitting them into multiple parts, increasing the physical distance between parts, and storing them in inconspicuous places (e.g., a soup can at the bottom of the fridge, somewhere underground on your property, etc.).

At a minimum, you should have 2-3 copies, one of which should be steel to protect against water and fire.

The "private key" is similar to the mnemonic phrase but is specific to one wallet. It is typically used to import a hot wallet into a new MetaMask (MM) account or for use in automated tools (like trading bots).

The 25th Word - Ledger

In addition to the original 24-word mnemonic phrase, Ledger offers an optional extra security feature.

The passphrase is an advanced feature that allows you to add a 25th word of up to 100 characters of your choice to your recovery phrase.

Using a passphrase generates a completely different set of addresses that cannot be accessed solely through the 24-word recovery phrase.

In addition to adding a layer of security, the passphrase also provides plausible deniability when you are under threat.

If you use a passphrase, be sure to store it securely or remember it accurately, character by character and case-sensitive.

This is the only and ultimate defense against physical threats like the "$5 wrench attack."

Why go through all this trouble to set up a hardware wallet?

Hot wallets store private keys in a location connected to the internet.

It is extremely easy to be deceived, misled, and manipulated over the internet into leaking these credentials.

Having a cold wallet means that scammers need to physically find and obtain your Ledger or mnemonic phrase to access those wallets and their internal assets.

Once the mnemonic phrase is leaked, all hot wallets and their assets will be at risk, even those that have not interacted with malicious websites or contracts.

Common Ways People Have Been "Hacked" in the Past

Common ways people have encountered "hacks" through hot wallets (mnemonic phrase leakage) in the past include:

  1. Being tricked into downloading malware, such as through job opportunity PDFs, beta games, running macros via Google Forms, or mimicking legitimate websites and services.
  2. Interacting with malicious contracts: FOMO minting on imitation websites or interacting with unknown airdrop or received NFT contracts.
  3. Inputting or sending keys and mnemonic phrases to "customer support" or related programs/forms.
Blockchain Security Guide

Blockchain Security Guide

What are the common security issues in blockchain? How to ensure the security of crypto assets and projects?
Topic or theme
Related tags
OpenSea Uniswap MetaMask ERC-20 tokens NFT anti-hacking guide
ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.
Deep Tide TechFlow

Deep Tide TechFlow

After the burst of the AI Agent bubble, where are the next trends and projects?
After the burst of the AI Agent bubble, where are the next trends and projects?
Animoca Brands Research Report: 5000 Followers = Ticket to Influence? A Data Perspective on the Marketing Status of Crypto KOLs
Animoca Brands Research Report: 5000 Followers = Ticket to Influence? A Data Perspective on the Marketing Status of Crypto KOLs
Related tags
OpenSea Uniswap MetaMask ERC-20 tokens NFT anti-hacking guide
Related reading
Spending $80 million on "subsidies" for growth, Uniswap is taking a big step
Spending $80 million on "subsidies" for growth, Uniswap is taking a big step
Detailed Explanation of Unichain Ecosystem's First Memecoin Launch Platform Pure | CryptoSeed
Detailed Explanation of Unichain Ecosystem's First Memecoin Launch Platform Pure | CryptoSeed
Daily Report | Binance will list Nillion (NIL) and open trading pairs; Trump will attend the New York Digital Assets Summit and give a speech this Thursday
Daily Report | Binance will list Nillion (NIL) and open trading pairs; Trump will attend the New York Digital Assets Summit and give a speech this Thursday
The House overturns the "Defi Broker Rule," how many obstacles are left on the road to crypto regulation?
The House overturns the "Defi Broker Rule," how many obstacles are left on the road to crypto regulation?
Copyright © 2023
About Us
Media Kit
Apply for a column
Disclaimer
RSS LINK
Recruitment
Qiong ICP No. 2021009392
Qiong ICP No. 2021009392
ChainCatcher Building the Web3 world with innovators
Open the app