0xNerdery

Personal security foundations for web3 and beyond

Top tips for protecting your self-sovereign assets and identity

iSpeakNerd

Cybercrime is an ever-present threat in the digital world. Wallet scams are often the most common and damaging, leaving victims financially and emotionally vulnerable. Fortunately, there are steps you can take to protect yourself from becoming a victim of cybercrime. By understanding the actions you can take ahead of time, you can better shield yourself from potential losses and preserve your peace of mind. Here are my top eight tips for securing your digital life in web3.

Basic Security

1. Use a quality password manager

Securing online accounts with strong and unique passwords is number one. Passwords leak online through data breaches, and weak or reused ones are easily guessed by attackers.

Unfortunately, keeping track of all these passwords can be a challenge. That is where a quality password manager comes in. A password manager can help you create strong and unique passwords for each account and store them in one place, secured by your single master password. This way, you only need to remember one password and never have to worry about forgetting passwords or using the same password for multiple accounts again.

Use a quality password manager.

2. Use 2FA everywhere possible

Two-factor authentication (2FA) adds an additional security layer to your digital life, and with hackers running rampant it is a must. SMS-based (text message) 2FA is still a popular method of authentication, but it is vulnerable to SIM swap attacks: whoever takes over your phone number receives your codes. App-based 2FA, where an authenticator app on your device generates the codes, is a more secure solution. Finally, using a physical security key for 2FA offers the strongest protection.

[Image: post image by @iSpeakNerd]

Avoid copycat sites + addresses

3. Bookmark sites

In recent years, scammers have found an easy way to target unsuspecting victims through sponsored Google search ads. Using these ads, they trick people looking for legitimate websites, directing them instead to fake versions of those sites to steal their wallet contents. Protect yourself by bookmarking the legitimate version; then navigate to the site via the bookmark rather than using search.

4. Use the Address Book

The wallet Address Book is the web3 equivalent of a bookmark: it lets you save approved addresses under a human-readable name. Later, when sending a transaction, you can (re)check the address before proceeding. Copycat sites with fake contracts will appear in the wallet as a bare 0x.... address and not as the named address you saved earlier. This way, you ensure that you only interact with addresses and contracts you know about and protect yourself from malicious smart contracts. Don't trust, verify!
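As an added illustration of the check the Address Book performs (this is example code, not the code of any wallet), the following looks a recipient up in a saved address book and returns the label a wallet would show next to the recipient field. It goes one step beyond the article: an address that is not saved but shares its first and last four hex digits with a saved entry is flagged as a look-alike, since that is the part of an address most people compare. The address-book entries and test addresses are constructed.

```python
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed address book: the names are whatever the user typed when saving.
ADDRESS_BOOK = {
    "0x1111111111111111111111111111111111111111": "My vault (hardware wallet)",
    "0x2222222222222222222222222222222222222222": "DEX router I verified on 2023-01-15",
}


def normalize(address: str) -> str:
    """Validate the shape of an EVM address and lower-case it for comparison."""
    if not HEX_ADDRESS.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


def check_recipient(address: str, book: dict = ADDRESS_BOOK) -> dict:
    """Return the status and on-screen label for a recipient address."""
    addr = normalize(address)
    saved = {normalize(k): v for k, v in book.items()}

    if addr in saved:
        return {"status": "known", "name": saved[addr],
                "message": f"Saved contact: {saved[addr]}"}

    # Same "0x" + 4 leading and 4 trailing hex digits as a saved entry, but not
    # the same address: the middle, which people rarely read, is what differs.
    for known, name in saved.items():
        if addr[:6] == known[:6] and addr[-4:] == known[-4:]:
            return {"status": "lookalike", "name": name,
                    "message": (f"WARNING: resembles '{name}' but is NOT that address. "
                                "Compare every character before sending.")}

    return {"status": "unknown", "name": None,
            "message": "Unsaved 0x address: verify it from a trusted source before sending"}


if __name__ == "__main__":
    for candidate in ("0x1111111111111111111111111111111111111111",
                      "0x1111abcdabcdabcdabcdabcdabcdabcdabcd1111",
                      "0x9999999999999999999999999999999999999999"):
        print(candidate, "->", check_recipient(candidate)["message"])
```

Comparison is done on the lower-cased form, so a mixed-case (EIP-55 checksummed) address and the all-lowercase form of the same address resolve to the same saved name.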


web3 security

5. Install wallet warning browser extensions

One of the best things you can do to keep your cryptocurrency safe is to use a browser extension like Pocket Universe, Revoke.Cash, Fire, and/or Stelo. These extensions help protect users from malicious activity by decoding a transaction before you sign it and showing, in plain English, what it is about to do. With their help, you know exactly what your wallet is about to agree to and are never surprised by its activity. Know before you FOMO.

6. Revoke infinite approvals

I know what you're thinking now, "Well, I just won't sign any transactions then!" You can do that, but you won't get much done in web3 and it won't protect you from all scams either.

Even gasless message signatures can result in your wallet getting drained if you have infinite approvals on ERC-20 tokens or have already given OpenSea approval to sell your NFTs. Little-known fact: OpenSea uses the setApprovalForAll method, which means that when you allow OpenSea to list an item for sale on your behalf, it can do that for ALL assets from that collection (contract).

This is how the recent Kevin Rose hack happened: he had already approved those assets for sale; one gasless signature later, oops! OpenSea accepted the hacker's 0 ETH offers for his NFTs.

Revoke infinite approvals using revoke.cash or etherscan.io/tokenapprovalchecker to protect yourself from this exploit.
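Tips 5 and 6 both come down to reading what a transaction asks for before signing it. Here is an added example (not the code of Pocket Universe, Revoke.Cash, Fire, Stelo or any other extension) of the core of such a decoder: it splits EVM calldata into the 4-byte function selector and 32-byte ABI words, recognises the standard ERC-20 `approve`, ERC-721 `setApprovalForAll` and ERC-20 `transfer` calls, and flags an allowance of 2^256-1 (the "infinite approval") or `setApprovalForAll(operator, true)` as high risk. The sample calldata in the usage section and test is constructed.

```python
MAX_UINT256 = 2**256 - 1

# selector (first 4 bytes of keccak256 of the signature) -> standard signature
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",           # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",    # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",          # ERC-20
}


def split_calldata(calldata: str):
    """Return (selector, [32-byte words as hex]); reject malformed input."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) < 8 or (len(data) - 8) % 64 != 0:
        raise ValueError("calldata must be a 4-byte selector followed by 32-byte words")
    body = data[8:]
    return data[:8], [body[i:i + 64] for i in range(0, len(body), 64)]


def word_to_address(word: str) -> str:
    """An ABI-encoded address is a 20-byte value left-padded with 12 zero bytes."""
    if word[:24] != "0" * 24:
        raise ValueError("not a valid ABI-encoded address")
    return "0x" + word[24:]


def explain_calldata(calldata: str) -> dict:
    """Classify the call and produce the plain-English warning a wallet would show."""
    selector, words = split_calldata(calldata)
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"function": None, "risk": "unknown",
                "message": f"Unrecognised function selector 0x{selector}: "
                           "cannot explain what this does, treat it with suspicion"}
    if len(words) < 2:
        raise ValueError(f"{signature} expects two arguments")

    target = word_to_address(words[0])  # spender, operator or recipient
    value = int(words[1], 16)           # amount, or 0/1 for the bool
    result = {"function": signature, "target": target, "value": value}

    if signature.startswith("approve("):
        if value == MAX_UINT256:
            result.update(risk="high", message=(
                f"Grants {target} an UNLIMITED allowance to move this token out of "
                "your wallet at any time until you revoke it"))
        elif value == 0:
            result.update(risk="low", message=f"Revokes {target}'s allowance for this token")
        else:
            result.update(risk="medium",
                          message=f"Lets {target} move up to {value} base units of this token")
    elif signature.startswith("setApprovalForAll("):
        if value != 0:
            result.update(risk="high", message=(
                f"Lets {target} transfer EVERY token you hold in this collection, "
                "including ones you receive later, until you revoke it"))
        else:
            result.update(risk="low",
                          message=f"Revokes {target}'s operator rights over this collection")
    else:  # transfer(address,uint256)
        result.update(risk="medium",
                      message=f"Sends {value} base units of this token to {target}")
    return result


if __name__ == "__main__":
    # Constructed sample: approve(0x3333...3333, MAX_UINT256), i.e. an infinite approval.
    sample = "0x095ea7b3" + "0" * 24 + "3" * 40 + "f" * 64
    print(explain_calldata(sample)["message"])
```

A revoke tool does the inverse of the high-risk case: it submits `approve(spender, 0)` or `setApprovalForAll(operator, false)`, which the decoder above reports as low risk.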

7. Maintain assets in "wallet silos"

The single best practice a user can adopt is to separate their assets by purpose into different wallets. Basically, the more money stored in a single wallet, the more cautious you should be and the more you should restrict what you use that address for.

[Image: post image by @BowTiedPickle]

High-value assets ("blue-chips") and large amounts of crypto should be kept in a hardware wallet, a VAULT account that is not directly connected to the internet. This is the least-accessed account, think of it as your safety-deposit box at the bank.

Your day-to-day funds can be kept in an operational wallet, a separate internet-connected account that you use to interact with trusted entities, be they dapps, exchanges, or people.

Finally, you want to have a third, risky "degen" wallet. This is the condom for all your other assets, preventing those untested NFT minting contracts, those unsafe airdrops, etc. from putting the rest of your money at risk. If you interact with the wrong contract and lose ALL the funds in this account, it shouldn't hurt too bad because your funds are elsewhere.... they are elsewhere, right? :|

8. Delegate provable ownership

Tools like Delegate.cash and Warm.xyz let you prove ownership of vault-stored NFTs from a different, registered wallet. This means you can safely link your vault and degen wallets via a read-only connection. This is essential when meeting conditions to claim airdrops and mint NFTs: scammers use those carrots to get people to connect their wallets and then drain them. With delegated ownership, you can prove you meet the requirements indirectly and use a degen hot wallet to mint while keeping your high-value NFTs in a separate wallet.


Extra

Take the Bankless Academy security lesson to earn a non-transferrable NFT proving your understanding.


Notes

iSpeakNerd is an educator, wordsmith, and DAO techie at Collab.Land. He does community education, documentation, UX, IT, security research, and helps with Operations and tooling for multiple DAOs. His background is in physical science and education.

This article was originally published on iSpeakNerd's Mirror.


SageFarcaster
Sage
Commented 1 year ago

As a rookie, some topics I find it hard to get started with: 1. How to bridge (especially to degen L3, but also DEX recommendations for other stuff) 2. How to store crypto (hot wallet or hardware wallet, which one?) 3. Storing keys and seed phrases 4. As a FC new user, load eth on OP / Base? Help appreciated!

SageFarcaster
Sage
Commented 1 year ago

Have been reading online but what do the veterans of FBI do? Would love to know.

Kunal 👑🎩Farcaster
Kunal 👑🎩
Commented 1 year ago

Great questions! I am writing a detailed thread on this here today.

iSpeakNerd 🧙‍♂️Farcaster
iSpeakNerd 🧙‍♂️
Commented 1 year ago

great qs 333 $DEGEN 1 - info is on degen.tips 4 - dont understand what you're asking 2,3 - check out my security article Top Tips for Securing your Digital Life 🔐 https://paragraph.xyz/@ispeaknerd.eth/personal-security-for-web3-and-beyond?referrer=0x3eEFAa9d6e2ab7972C1001D41C82BB4881389257

Sumedha 🎩Farcaster
Sumedha 🎩
Commented 1 year ago

honestly, how to bridge has been my biggest problem. Debridge is reliable but if you have most of your crypto on chains like solana - there is no direct route to bridge to base. Bridging from polygon to base is easy on debridge though.

SageFarcaster
Sage
Commented 1 year ago

What I did for Solana to Base: Swapped to USDC on Solana, bridged using wormhole to ETH, then bungee exchange to Base. Not easy at all.

Sumedha 🎩Farcaster
Sumedha 🎩
Commented 1 year ago

Omg yes I tried this and instantly was sick of it haha

Sumedha 🎩Farcaster
Sumedha 🎩
Commented 1 year ago

Hardware wallets are useful once you’ve crossed a certain small milestone (like for me personally it’s like $1500/2000$). Storing key phrases in a trusty password manager (like proton pass) And I usually load ETH on base.

iSpeakNerd 🧙‍♂️Farcaster
iSpeakNerd 🧙‍♂️
Commented 1 year ago

Keep your stuff secure folks I've been moving to 1password OTP progressively for a while, don't leave yourself vuln to sim swaps

iSpeakNerd 🧙‍♂️Farcaster
iSpeakNerd 🧙‍♂️
Commented 1 year ago

Sorry, frame not working, here's the relevant section

Personal security foundations for web3 and beyond