10 Steps for Crypto Security
Dear Bankless Nation,
With digital bandits on the prowl like never before, it's crucial to stay vigilant against potential threats.
Today, we've got a primer on how to fortify your defenses against phishing scams and beyond. Let's dive into 10 straightforward steps you can use to ensure your assets remain secure and your journey through the crypto frontier remains unimpeded.
Phishing scams impersonating Bankless are on the rise.
Ultimately, a successful phishing attack hinges on three main elements:
- A fake opportunity (typically a purported airdrop claim site or NFT mint page) looking real enough
- A victim being convinced enough by the fake opportunity to sign a malicious transaction
- A victim having valuable token approvals in place in their compromised wallet that the attacker can capitalize on through the malicious transaction
With a decent pitch and website, any one of us could initially be deceived by a phisher.
Fortunately, there is a series of practices and resources we can layer together to eliminate the chances of signing bad transactions or effectively minimize the impact of doing so.
Here are 10 great steps to lock down your crypto defenses in 2023 👇
1. Create a vault
Strategy: Create a multi-signature wallet for your long-term crypto holdings!
Recommended tool: A Safe wallet
A multi-sig wallet, often referred to as a "vault," is akin to crypto’s version of secure bank storage. It provides heightened security for your crypto by requiring multiple private keys, i.e. wallets, to authorize any transaction.
As such, a multi-sig is like a digital fortress that can ensure even if one of your keys gets compromised, your long-term holdings will remain protected.
Today one of the simplest ways to create a multi-sig is by making a Safe Account. You can add whichever addresses you want as signers, but starting with a 2-of-3 multi-sig is straightforward. Also, consider using hardware wallets like Ledger devices as some of your signers for an added layer of security!
2. Make a risk wallet
Strategy: Create a risk wallet that’s set up expressly for day-to-day activities!
Recommended tool: Delegate
Never use your vault for regular crypto activities like airdrop claims or NFT mints. For these sorts of things, set up a separate dedicated wallet that you only top up with ETH and etc. as needed.
The idea? The wallet you actively use shouldn’t be filled with all your onchain savings. You might also consider a service like Delegate for delegating the authority of your vault wallet to a risk wallet without moving or jeopardizing any assets, e.g. if you want to participate in an allowlist mint that one of your vaulted NFTs has qualified you for.
This way, even if you do accidentally sign a bad transaction with your risk wallet none of your long-term savings will be affected.
3. Use transaction preview tools
Strategy: Download a transaction previewer tool to alert yourself to malicious transaction attempts!
Wait a second??? I’m not trying to transfer 60,000 USDC and all my NFTs to this random address?!?! This is precisely the kind of information that previewer tools help you visualize before you get to approving anything.
These tools are free browser extensions you can download that will provide you with pop-ups explaining all proposed transactions. These extensions are an amazing shield against phishing incidents, so make sure you run one of these against all your transactions!
4. Audit your token allowances
Strategy: Remove your unlimited token spending approvals!
Recommended tool: Revoke.cash
Many Ethereum-based apps, e.g. in DeFi, will ask you to approve “unlimited” token spending so you don’t have to constantly re-approve spending your funds on them.
The problem? If your wallet gets compromised and you have a bunch of ongoing unlimited token approvals, the attacker can sweep everything out that's there.
As such, you want to be routinely monitoring your outstanding allowances and revoking or minimizing unlimited approvals where possible. The revoke.cash platform makes editing your allowances a breeze, so don’t sleep on it.
5. Research before experimenting
Strategy: Study the projects that you’re interested in before you try them!
Never fly in blind around the crypto frontier, always do your homework!
For example, recently I was exploring Ajna protocol, a newer governance-free DeFi lending protocol. I went straight to its documentation, its FAQs, its whitepaper, etc. so I could start wrapping my head around it and gauging its nuances and risk profile.
Due diligence, right: put the time in to understand the basics before diving into anything. Don’t needlessly put yourself in risky positions by aping recklessly. And if you can’t find good docs and similar educational resources for a project, that can be a big red flag in and of itself.
6. Monitor your positions
Strategy: Use portfolio trackers to keep an eye on your crypto positions!
In crypto, it's essential to keep a close eye on your assets, and portfolio trackers are your best friends in this regard. They provide overviews of your holdings across various wallets and platforms, allowing you to simply monitor your crypto in real-time.
Remember, staying informed about your positions isn’t just about watching gains; it's also a crucial part of risk management. By monitoring your assets regularly you can spot unusual activity that could indicate a security breach and potentially spring into action to protect your remaining assets.
(Editor's Note: MetaMask is indeed a Bankless sponsor but MetaMask's inclusion in this recommended tools list is not tied to its sponsorship in any way and was made at the sole discretion of this piece's writer.)
7. Stay updated on ecosystem news
Strategy: Stay abreast of crypto news like recent hacks!
Sometimes attacks on projects like DeFi protocols can indirectly or directly affect your crypto positions. To stay ahead of the curve (pun intended) regarding potential fallout, staying informed is critical.
No need to do all the work by yourself, though. For example, Bankless broke down the Curve reentrancy attacks in a Twitter thread within hours after the attacks began. We always strive to keep you informed in timely fashion like this, but there are many great additional resources for staying plugged in here, too, like DeFiLlama’s news aggregator chat on Telegram.
8. Lock down your web2 life
Strategy: Rely on good OpSec practices to secure your web2 activities!
Recommended resource: Officer’s Blog
Don’t give attackers an inch, even outside of web3.
Nefarious actors can compromise your email or social accounts to try and trick other people that trust you into clicking into scam websites. Don’t let them get that far! According to security researcher officercia.eth, the basics of strong operational security include:
- Using a secure email provider, e.g. Protonmail
- Use different strong passwords, and never reuse in multiple places
- Never link your phone number to crypto platforms
- Use 2FA to backup your accounts, but don’t use SMS-based 2FA
- Ask your phone’s carrier to lock down your phone’s SIM card
- Use up-to-date antivirus software
9. Create an escape hatch
Strategy: Create an evacuation strategy for your assets in case of worst-case scenarios!
Even with all of the aforementioned tools and practices, still consider preparing for the worst.
Toward this end, Web3 is one web3 security provider that lets you create a custom Backup Wallet + Panic Button system; in the event you ever do get attacked or even just spooked, you can use the platform’s “Panic” function to sweep all or any remaining assets to a predesignated backup wallet.
For more advanced users, there are other monitoring and protection services like Spotter that aim to help you detect and escape onchain attacks in milliseconds rather than minutes.
10. Sound the alarm
Strategy: Quickly sound the alarm if you do come across a phishing scam!
Recommended resource: CryptoScamDB
If you see something, say something!
If you do come across a crypto phishing scam attempt, raise the alarm so that others can be cautioned away. This may be a quick PSA message in your favorite group chat, or a social media post, or a report made to a scams database like the CryptoScamDB platform. The 30 seconds it takes you to do so could help save all of someone else’s crypto!
- 🔒 Double down on defense: Use these 10 crypto security tips to lock down your assets!
- Catch up on our previous tactic: How to use Ajna Finance