THE ROADMAP TO WEB3 SECURITY
The Roadmap to Web3 Security:
A Comprehensive Guide for New Users
Web3 is a decentralized ecosystem that presents unique security challenges, but by following some simple steps, you can protect yourself and your digital assets from security breaches. In this guide, we'll take you through the key steps to stay safe in the web3 space.
Lesson 1: Choose the Right Wallet
The wallet you choose to store your digital assets is crucial to your security. There are three main types of wallets: hot wallets, cold wallets, and burner wallets.
Hot wallets are set up and used on an Internet-connected device, with software such as MetaMask or Trust Wallet. They are the most convenient option, but because the private keys live on a device that is online, malware or a phishing site reached from that device can get at them.
Cold wallets generate and hold the private keys on a dedicated hardware device such as a Trezor or Ledger. The keys never leave the device: a transaction is sent to it for signing and only the signature comes back out, so the keys are not exposed to the Internet. Buy hardware wallets directly from the manufacturer's official website, not from secondary markets like eBay, so you can be confident the device has not been tampered with, and never use a device that arrives with a seed phrase already written in the box (a genuine device generates a fresh phrase during setup). They are less convenient to transact with than a software wallet that is always open on your computer or phone.
Burner wallets are temporary wallets funded with a small amount for a single purpose, such as minting an NFT or interacting with a specific contract. Use them for interactions you are not 100% sure about, and never for long-term storage: if the contract turns out to be malicious, only the burner's small balance is at risk.
When choosing a wallet, consider factors like security, ease of use, and functionality, and keep in mind that security is usually traded off against convenience. A cold wallet might not make sense for storing a hundred dollars worth of crypto, but makes a lot more sense for people storing a few thousand dollars or more (this depends heavily on an individual's risk tolerance).
Lesson 2: Social Engineering
Phishing scams are a common tactic used by scammers to steal your web3 assets. These scams usually involve impersonating legitimate websites, such as NFT projects, exchanges, or wallet providers, in order to trick you into giving up your seed phrase or private keys, or into signing a transaction or approval that hands your assets to the attacker.
Scammers will often throw you off guard with fear, an immediate call to action or sense of urgency, or promises that are too good to be true. Turn off direct messages on communication platforms such as Discord and choose explicitly who you interact with. Bookmark the sites you use daily and open them from the bookmark, rather than from links sent to you in messages or found through a search (sponsored search results are a common phishing vector). Always keep your guard up in web3: it only takes one bad approval or signature to compromise a wallet.
To protect yourself, learn the common phishing patterns and be cautious whenever you enter sensitive information or sign anything. Security extensions like Wallet Guard let you transact with more confidence by proactively detecting and blocking known scam sites and by giving you a clear, human-readable summary of what a transaction will do before you approve it.
Lesson 3: Private Keys & Seed Phrases
Your private keys and seed phrase are what actually control your digital assets: anyone who holds them holds the funds. Store them offline by writing them down; never store them digitally (no photos, screenshots or cloud notes) and never share them with anyone, including people claiming to be support staff.
A seed phrase is like the master key to a bank vault, and a private key is like the key to one safety deposit box inside that vault: every private key in the wallet is derived deterministically from the seed phrase, so whoever has the phrase can regenerate all of them. Both are for you and you alone, and again should never be shared with others.
Consider using a hardware wallet like Trezor or Ledger to keep your private keys offline, which provides an extra layer of security. Also size your strategy to the amount you are protecting. When storing a large sum, some people split the written seed phrase across two pieces of paper kept in different safety deposit boxes, so that finding one piece is not enough on its own. Be aware that this is weaker than it looks: half of a 12-word phrase leaves an attacker only 6 words to guess. A better approach is a threshold scheme such as a 2-of-3 Shamir split (SLIP-39, which some Trezor models support natively), or a BIP-39 passphrase kept separately from the words, so that no single piece of paper is useful by itself.
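The "master key" analogy above is literal: a wallet turns the words into a seed (BIP-39) and then derives every private key from that seed (BIP-32). The following example, added here and not part of the original guide, implements the two stretching steps with the Python standard library so you can see that the words alone determine every key. It derives only the hardened levels of the Ethereum path (m/44'/60'/0'); the final two non-hardened steps need secp256k1 point arithmetic and are left out. The phrase used is the public BIP-39 test vector, which is worthless by design.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 curve; BIP-32 reduces child keys modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the words (plus the optional passphrase) into a 64-byte seed.

    The words are the only secret input; the passphrase changes every key below it,
    so a phrase that leaks without its passphrase is still useless to the thief."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP-32: the seed yields the master private key and chain code (the vault master key)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:
        raise ValueError("invalid master key; BIP-32 says to reject this seed")
    return key, digest[32:]


def derive_hardened_child(parent_key: int, chain_code: bytes, index: int) -> tuple[int, bytes]:
    """BIP-32 hardened CKDpriv: child = (HMAC-SHA512(cc, 0x00 || k_par || i)[:32] + k_par) mod n.

    Hardened steps commit to the parent *private* key, so a leaked child key cannot be
    walked back up to the parent. Non-hardened steps (the last two levels of
    m/44'/60'/0'/0/0) need the parent public key and EC point arithmetic; not shown."""
    if not 0 <= index < HARDENED:
        raise ValueError("pass the index without the hardened offset (0 for 0')")
    data = b"\x00" + parent_key.to_bytes(32, "big") + (index + HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child_key = (left + parent_key) % SECP256K1_N
    if left >= SECP256K1_N or child_key == 0:
        raise ValueError("invalid child; BIP-32 says to skip this index")
    return child_key, digest[32:]


def derive_hardened_path(mnemonic: str, passphrase: str, path: list[int]) -> int:
    """Private key at m/path[0]'/path[1]'/... for the given mnemonic, as an integer."""
    key, chain_code = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
    for index in path:
        key, chain_code = derive_hardened_child(key, chain_code, index)
    return key


if __name__ == "__main__":
    # BIP-39 test vector #1: a public, deliberately worthless phrase. Never fund it.
    phrase = "abandon " * 11 + "about"
    print("seed (passphrase TREZOR):", mnemonic_to_seed(phrase, "TREZOR").hex())
    # m/44'/60'/0' is the account-level key for Ethereum under BIP-44.
    print("m/44'/60'/0' key:", hex(derive_hardened_path(phrase, "", [44, 60, 0])))
```

Run it twice and you get the same keys: nothing about the process is random once the words exist, which is exactly why the words must never be typed into a website.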
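To show what a threshold backup gives you that two half-phrases do not, here is a textbook Shamir secret-sharing split over a prime field, added as an example and not taken from the guide or from any wallet vendor. It is not SLIP-39 and its shares are not interoperable with hardware wallets; the secret it splits is a constructed 32-byte value standing in for the entropy behind a 24-word phrase. Any two of the three shares recover the secret; one share alone yields a uniformly random value that carries no information about it.

```python
import secrets

# Mersenne prime 2^521 - 1: any secret up to 512 bits (a BIP-39 seed is 512 bits,
# the entropy behind a 24-word phrase is 256 bits) is a valid field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of the polynomial (coefficients lowest-degree first) mod PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Shamir split: the secret is the constant term of a random degree threshold-1 polynomial.

    Any `threshold` points pin the polynomial down; fewer leave every candidate secret
    equally likely, which is the property the 'two halves on paper' scheme lacks."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret_int = int.from_bytes(secret, "big")
    if secret_int >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret_int(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. With too few shares this returns a random field
    element, not an error: the math cannot tell you the answer is wrong."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares: list[tuple[int, int]], secret_len: int) -> bytes:
    """Recover the secret as bytes. A value that does not fit means too few or corrupted
    shares; real schemes (SLIP-39) add a checksum so this is caught reliably."""
    value = recover_secret_int(shares)
    if value >= 1 << (8 * secret_len):
        raise ValueError("recovered value does not fit: too few shares or a corrupted share")
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Constructed 32-byte stand-in for the entropy of a 24-word phrase.
    entropy = bytes(range(32))
    pieces = split_secret(entropy, threshold=2, shares=3)
    print("boxes 1+2:", recover_secret(pieces[:2], 32) == entropy)
    print("boxes 2+3:", recover_secret(pieces[1:], 32) == entropy)
    print("box 1 alone equals secret:", recover_secret_int(pieces[:1]) == int.from_bytes(entropy, "big"))
```

Each share is a (x, y) pair; write the x down with the y, since reconstruction needs both. Losing one of three shares is survivable, which is the other property a two-halves backup lacks.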
Lesson 4: Two-Factor Authentication (2FA)
App-based or hardware-based two-factor authentication (2FA) is an essential security measure that adds an extra layer of protection to your digital accounts. With 2FA, you'll need to enter a code from an authenticator app, or touch a hardware key, in addition to your password. This makes it much more difficult for attackers to get into your account, even if they already have your password.
App-based 2FA: Microsoft Authenticator, Authy (be sure to disable multi-device in settings)
Hardware-based 2FA: YubiKey, Titan Security Key
If you are currently using SMS (text message) based 2FA, disable it and switch to app-based or hardware-based 2FA. SMS based 2FA is susceptible to SIM swap attacks, where the attacker convinces your carrier to move your phone number to their SIM and then receives your codes.
At the end of the day it is important to be a more difficult target than others. One of the best recommendations we can make to harden your security is to invest in a hardware key such as a YubiKey. With a YubiKey an attacker would need your account credentials plus physical possession of the key, and when the key is used for FIDO2/WebAuthn logins it also checks the site's origin, so a phishing page cannot relay the login. We always recommend purchasing a backup YubiKey, registering it on every account alongside the first one, and keeping it somewhere safe in case you misplace the primary.
Lesson 5: Anti-Virus Software
Using an anti-virus such as Malwarebytes is critical (be sure to use the premium version; the free version only scans on demand and does not provide real-time protection). Software like Malwarebytes can keep your computer much safer against RATs (Remote Access Trojans), infostealers and ransomware, among many other threats. No anti-virus catches everything, so also refuse to run "game betas", "job test tasks" and similar downloads sent to you by strangers, which are a common way wallets get drained.
Lesson 6: Password Managers
Data breaches are a constant problem for many companies, and they expose user credentials. Use a unique password for every account so that one breach doesn't compromise multiple accounts at once. We recommend password managers such as Bitwarden and KeePassXC to create and store strong, unique passwords; both are open source, and both can be kept entirely under your control (Bitwarden can be self-hosted, KeePassXC stores its database as a local file).
Lesson 7: Software Updates
The browser is the main tool for navigating web3, so keeping your browser, its extensions and your device's operating system up to date is critical. Developers release updates for a reason: they fix security vulnerabilities as well as improving performance. Make sure you have the latest version of your wallet software and firmware and of any other software you use, so you stay as close to secure as possible.
Lesson 8: Smart Contract Approvals
We're often asked what "Set approval for all" means.
When you want to use a web3 application that moves tokens on your behalf, you need to give the application's contract permission to access your tokens. For fungible (ERC-20) tokens this is approve(spender, amount): the spender may move up to that amount until it is used up or you change it. "Set approval for all" is the NFT (ERC-721 / ERC-1155) equivalent, setApprovalForAll(operator, true): it lets the operator contract transfer any token in that collection that you own, now or in the future, without you approving each transfer individually, until you explicitly revoke it.
An ERC-20 approval is like giving a third party permission to take money out of your bank account up to a certain amount. You don't have to give permission every time they make a withdrawal, but you trust them to only take out what you've agreed upon. "Set approval for all" is the same arrangement with no limit: it covers every item in the collection, so it should only ever be granted to a contract you trust.
These approvals should be reserved for marketplaces such as Blur and OpenSea. They need this permission to execute a trade on your behalf: for example, if you list your NFT for 1 ETH and someone purchases it, the marketplace contract can swap your NFT for the buyer's ETH in a single trustless transaction.
Approvals can definitely get more complex than this, which is why we encourage you to dive deeper into this topic:
- Solidity Documentation: The Solidity Documentation is a comprehensive guide to writing smart contracts, including the token contracts whose approve and setApprovalForAll functions grant these permissions. It includes sample code and explanations of key concepts.
- ConsenSys Academy: ConsenSys Academy offers a course called "Blockchain Basics" that covers approvals in web3, along with other fundamental concepts in blockchain technology. The course includes video lectures, interactive quizzes, and hands-on exercises.
Lesson 9: Revoking Approvals
By revoking approvals on smart contracts, you ensure that third-party applications can no longer spend your tokens without a fresh, explicit approval. Attackers often exploit approvals you have already granted to marketplaces such as OpenSea and Blur: a phishing site gets you to sign what looks like a harmless message but is actually a marketplace listing or order, and the marketplace contract, which you approved long ago, moves your NFTs to the attacker in one transaction.
Revoking approvals you no longer need greatly limits what a wallet drainer can take if you do fall victim. We recommend sites like https://revoke.cash, which provide a convenient UI to review and revoke approvals on both tokens and NFTs. Each revocation is an on-chain transaction that costs gas, and revoking only removes approvals: it does not help if your seed phrase itself has been stolen, in which case move everything to a fresh wallet.
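What the wallet shows as "Set approval for all" or "Approve" in Lesson 8 is a few dozen bytes of calldata, and a revocation in Lesson 9 is the same call with the permission switched off. The example below, added here and not part of the guide or of any wallet or revocation tool, encodes and decodes those two calls and applies the checks a wallet-side warning would raise: unlimited allowances, and operators that are not on your own allow-list. The selectors are the standard ones for approve(address,uint256) and setApprovalForAll(address,bool); the decoder reads approve's second argument as an ERC-20 amount (on an ERC-721 contract it is a token id instead). The addresses are constructed placeholders, not real contracts.

```python
# Selectors are the first 4 bytes of keccak256 of the function signature (standard values).
SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1


def _word(value: int) -> bytes:
    """ABI-encode an integer as one 32-byte big-endian word."""
    return value.to_bytes(32, "big")


def _addr_word(address: str) -> bytes:
    """ABI-encode a 20-byte address left-padded to 32 bytes."""
    raw = bytes.fromhex(address.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return b"\x00" * 12 + raw


def encode_approve(spender: str, amount: int) -> bytes:
    return SEL_APPROVE + _addr_word(spender) + _word(amount)


def encode_set_approval_for_all(operator: str, approved: bool) -> bytes:
    return SEL_SET_APPROVAL_FOR_ALL + _addr_word(operator) + _word(int(approved))


def decode_approval(calldata: bytes) -> dict:
    """Turn raw approval calldata into the fields a user should read before signing."""
    if len(calldata) != 4 + 64:
        raise ValueError("not a two-argument call")
    selector, arg1, arg2 = calldata[:4], calldata[4:36], calldata[36:68]
    if arg1[:12] != b"\x00" * 12:
        raise ValueError("malformed address argument")
    target = "0x" + arg1[12:].hex()
    if selector == SEL_APPROVE:
        return {"function": "approve", "target": target, "value": int.from_bytes(arg2, "big")}
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        if arg2 not in (_word(0), _word(1)):
            raise ValueError("malformed bool argument")
        return {"function": "setApprovalForAll", "target": target, "approved": arg2 == _word(1)}
    raise ValueError(f"not an approval: selector {selector.hex()}")


def assess_approval(decoded: dict, trusted_operators: set[str]) -> list[str]:
    """Warnings a wallet-side checker would raise; an empty list means routine or a revocation."""
    warnings = []
    target = decoded["target"].lower()
    trusted = {t.lower() for t in trusted_operators}
    if decoded["function"] == "setApprovalForAll":
        if not decoded["approved"]:
            return []  # revocation: nothing to warn about
        warnings.append("grants the operator every token in this collection, now and in future")
        if target not in trusted:
            warnings.append("operator is not a known marketplace contract")
    else:
        if decoded["value"] == 0:
            return []  # revocation of an ERC-20 allowance
        if decoded["value"] == UINT256_MAX:
            warnings.append("unlimited allowance; a compromised spender can drain the whole balance")
        if target not in trusted:
            warnings.append("spender is not on your allow-list")
    return warnings


if __name__ == "__main__":
    # Constructed addresses for the demo; they do not refer to real contracts.
    MARKETPLACE = "0x" + "11" * 20
    UNKNOWN_SITE = "0x" + "22" * 20
    trusted = {MARKETPLACE}
    for calldata in (
        encode_set_approval_for_all(MARKETPLACE, True),
        encode_set_approval_for_all(UNKNOWN_SITE, True),
        encode_approve(UNKNOWN_SITE, UINT256_MAX),
        encode_set_approval_for_all(UNKNOWN_SITE, False),  # what a revocation tool submits for NFTs
        encode_approve(UNKNOWN_SITE, 0),                   # ...and for an ERC-20 allowance
    ):
        decoded = decode_approval(calldata)
        print(calldata.hex()[:10], decoded, assess_approval(decoded, trusted) or "ok / revocation")
```

The two revocation calls at the end are exactly what a tool like revoke.cash builds for you; the rest of the work is reading the decoded target and value before you click confirm.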
Lesson 10: Multi-Sig Wallets / EIP-4337
A multi-sig is like a safe that needs several keys to open, where an agreed number of the keyholders (say 2 of 3, or 3 of 5) must turn their keys together. Each person holds their own key, and no single keyholder can move anything alone. Teams and treasuries use this so that multiple people have to agree before any assets can be moved or spent.
In a personal setting a multi-sig also protects against losing access to a wallet. For example, an individual may use a 2-of-3 multi-sig with keys held on three separate devices or locations (say a hardware wallet, a phone wallet, and a key in a safe). Two of the three must approve a transaction before it occurs, so a single lost or stolen key neither locks you out nor lets a thief in, and the remaining two keys can be used to swap the lost one out.
EIP-4337 (account abstraction) makes smart contract accounts such as multi-sigs much easier to adopt: the account itself, rather than an externally owned address, can originate transactions (called user operations), gas can be paid in tokens or sponsored by a paymaster, and features like spending limits and key rotation live in the account's own code, all without changes to the base protocol.
Conclusion
By following these lessons, you'll be on your way to securing your web3 assets and staying safe in the decentralized world. Remember to stay vigilant and always be cautious when interacting with web3 platforms and apps.