It’s called NFT Cheats because each newsletter is designed as a cheat sheet that will bring you up to speed on a given niche within the NFT space.
NFT Security is the second subject in the series (you can see the previous issue on Historical NFTs here).
To put together a cheat sheet on today’s topic, we talked to Feld from Boring Security, a community-led Web3 security project.
Feld got into crypto before the big run up in 2013. “That was a fun time to be in crypto for sure," he chuckles. "All graphic cards were sold out. Signing up for Coinbase was nearly impossible".
At the time, Feld was transitioning his career to security, which has been his day job since. Feld is also known as a moderator in the BAYC Discord, where he’s been helping the community with stolen items.He eventually started Boring Security with eight people who wanted to address the security problem in the crypto space without turning it into a business.
“One of the biggest problems in the space now is when you hear someone say something about security, they either have something to sell you, or they're not saying quite the right things,” Feld explains.
Before we jump into it, here’s a boring, yet important disclaimer; DO NOT treat any of the information below as financial advice, and do your own research (DYOR) before buying into any asset.
The interview has been edited and condensed, meaning the content below is attributed to the guest expert, but shouldn’t be treated as a direct quote.
2 security problems you should fix ASAP 🛡️
There are two things that can seriously compromise your security right now.
The first is not realizing how bad not having a hardware wallet is. Not using one is just plain silly.
Storing a seed phrase on your local machine would also fall into that category. We're doing all kinds of stuff on our devices, and once someone gets access to it, they get access to your seed phrase, meaning all of your assets can be gone in an instant.
Secondly, not understanding the relationships between approvals and signatures is also dangerous.
It is surprisingly easy to sign away an asset with a simple (gasless) message from a phishing (or compromised) site that uses your perfectly legitimate approval to a marketplace like OpenSea, against you. This is why we emphasize heavily at Boring Security to have different wallet addresses for different activities on the blockchain, so that one mistaken signature doesn’t empty dozens of assets at once!
Using different wallets for different occasions (i..e having a mint wallet, a vault wallet etc. — we’ll get into that later) and understanding of approvals and signatures should provide a solid foundation that will allow you to be better off than 95% of the space.
Because at the end of the day, what we're really trying to do at Boring Security is to help people protect themselves from themselves.
Like eventually I'm gonna wake up at 5:00 am, I'm gonna do a mint… am I necessarily going to read the smart contract if it's a hype mint and I've got a 10 second window to get my transaction through?
If you’re doing this on the same wallet address that contains valuable crypto or NFTs, (eventually) you’re gonna have a bad time.
Before you connect your wallet to any website 🔌
When you connect your wallet, what you're really doing is you're giving that Dapp the ability to see what assets and approvals you have on that wallet.
So basically, it lets that Dapp see the entire state of your wallet and therefore assess what single signature or transaction they can prompt to you that can take the most amount of that money.
It also lets that Dapp send transaction requests at you. So when you connect to Rarible, for example, you go there to sell an NFT. When you hit that sell button, what happens? Your Metamask pops up, meaning a transaction request is sent to you. That is what connecting your wallet allows those Dapps to do.
The key thing here is that just by connecting, there is no inherent risk of losing your funds.
But there's a tail risk: sometimes malicious sites try to double request, meaning they'll send you two scam transactions with the hope being that you reject one of them, and then later when you go to do a legitimate transaction elsewhere, you approve the other one without thinking because that request was still pending on your Metamask.
There are also some vulnerabilities that could happen if you’re not using a hardware wallet: for instance, if there was an active clickjacking vulnerability on Metamask, or if there was a browser vulnerability that allowed some other weird behavior. That is highly unlikely, but still yet another reason that you should be using a hardware wallet when you're going around Web3.
Before you sign anything with your wallet 💳
Once you've connected and the Dapp sends you a signature request, there’s a couple of things I tell people to consider.
First, I always say to use bookmarks and bookmarks.
What I mean by that is when you connect your wallet to a Dapp, you should go to that site using a bookmark that you double verified.
Imagine you're gonna go to Rarible. You know it's not rarible.xyz, because on the Rarible official Twitter, it says: “rarible.com”. Once you know that, you can go there and bookmark that URL.
Then you can take an extra step. Whenever you get to interact with the Rarible contract while on the official URL, you bookmark that contract address as well.
This is something I don't see a lot of people doing, but the benefits of that are actually huge.
Because now if you're interacting with that legitimate website, you can tell: ‘Hey, the contract changed’. Why is that? Maybe the website got hacked. Maybe they did a contract upgrade. Either way, it’s something you should probably look into before doing a transaction there.
That is why knowing that you're on the right website and knowing that you're interacting with the right contract is huge.
Additionally, knowing what you sign and then understanding the different signature types is all so very helpful. Which is why I’m not a big fan of Dapps that just shoot you a big hex string instead of human readable messages when you’re signing a transaction.
Utilizing things like Transaction Insights - and other tools that decode your transaction before you sign them - can help a great deal with that.
Signatures vs confirmations 🧱
Some people think that transactions are more dangerous than signatures, while I would actually say that the opposite is true.
Imagine you have a wallet that has an approval for OpenSea for every collection that you have in there. All this stuff can instantly be taken with one signature, one gasless message.
Whereas if you have a really clean vault, there's no way to send all your NFTs from there at once. I can't send you my Bored Ape and my Punk in the same transaction without making a proxy or some other crazy stuff first.
So I'm actually more afraid of signatures, as they're generally harder to decode by wallets and they're a little bit more confusing on what exactly they're leveraging.
And that leads me to the next point.
The 3 wallet method: Why you should adapt it NOW 🪢
There is a three-wallet method that I recommend adopting.
Imagine you have a mint wallet, a marketplace wallet and a vault wallet. You could have all three of these addresses on your Ledger, Trezor, etc.
Needless to say, you can have as many addresses as you want, but we recommend having at least three—especially if you're living and breathing Web3.
The mint wallet you use to connect to all kinds of Dapps, you can pretty much do whatever you want with it (as long as you don't download malware and use common sense, of course).
You have a small amount of funds in there, just as much as you might need to mint a project here or there. Even if you're a big whale, you should never have more than 2 to 5 ETH in there, and I think most people should have far less than that. Mine, for example, has about 0.4 ETH in there right now.
Then you have your marketplace wallet. This is the one that you're a little bit more careful with. You should only connect it to established NFT marketplaces like Rarible, Foundation, OpenSea, etc. because this is where you're probably going to have a couple of assets that you may be actively trying to sell (which means they have open approvals on them, and therefore a simple gasless signature that starts with a hex code or something like a SeaPort port listing, can take everything you have approved — all at once).
Finally, we have this idea of a vault wallet that you should have no approvals on whatsoever.
This wallet should contain all of your highest valuable assets that you are not actively trying to sell. The logic is really simple: if you don't have any approvals on that wallet (to marketplaces, etc.), no message (gasless) signatures can get you.
The only thing that could get you is if you're actually making an approval transaction on your vault wallet, which should trigger the mental model you adapt with your vault wallet: “Oh my gosh, it's requesting an approval on my vault wallet - nope!”.
You should be very careful when you connect your vault wallet to any Dapp. But what I tell people is just don't even put any ETH in your vault wallet. Like, you can connect it to PREMINT or Collab.Land, and even if those services get hacked, there is no signature or approval request that can wreck you because, well, you have no ETH to sign the transaction anyway. And there's no signature in the world that can get you because you don't have any approvals that are open anyway.
And so people think it's weird because I tell them: “go crazy, go sign whatever you want on your vault wallet - just make sure you keep it a vault.
Every once in a while, even if you know you haven’t signed any approvals, check it on Revoke.cash or a similar site just to be safe.
Assume you're the target 🕵️ ️
People are not used to being targeted individually: Unless you’re 70 or older, the probability of you being actively targeted by and/or falling for web2 scams is super low. Most of the time those emails about a random $300 bill that you can ‘refund’ just fall into your spam box, never to be seen or opened.
But the game changes when it's a targeted scam, and there is much more of that in the Web3 space.
Crypto is a ‘dog eat dog’ kind of world, and there will be people who will target you individually, slide into your DMs and act very friendly.
If somebody assumes that you might be a little bit or inexperienced and you hold something valuable, you can become the target. They will follow you into every Discord server that you're in, check your tweets. There are discord add-ons where they can see all servers, see what permissions you have on each one.
Scammers never sleep, these guys are crazy. So you should realize three things:
- You can be a target
- You're in control of your own destiny
- There are resources out there to help you
Levelling your security before you put in a ton of money is always a good idea. Experiment, go have fun, be curious, but then once you start putting in real money, take the time to make sure you're doing things right.