The Harmony ONEWeekly

Matthew Barrett
Published in Harmony

Apr 22, 2022

ONEWeekly Welcome:

Hello everyone and welcome back. We have a number of incredibly important topics to cover regarding the Harmony One network, security, and best practices for keeping yourself and your assets safe. In this edition of ONEWeekly, we receive insight from Harmony’s cybersecurity task force, cover additional topics such as hot and cold wallets and tips on how to protect yourself, and review a handful of known exploits and stolen funds in the cryptocurrency space.

The phrase “to be our own bank” means taking on the responsibility, awareness, and caution required to secure one’s own assets. While we have seen an uptick in reports of lost or stolen funds, we are also seeing community members step up to create videos and guides on how to set up and activate hardware wallets, share educational content that makes us more knowledgeable, and come together to identify these nefarious actors.

Let’s begin with the first topic in this week’s article, an upcoming AMA with the Harmony cybersecurity task force and what they are doing behind the scenes to investigate thefts and raise awareness about security best practices.

Inside Scoop

We sat down for a moment with Aaron Li, architect of the underlying technology behind 1Wallet. Aaron shared insights about Google Chrome’s zero-day exploit, browser vulnerabilities, and methods by which one can protect oneself against said vulnerabilities. Here’s what Aaron had to say:

Harmony Contributor; Expertise in Security, Smart Contracts and 1Wallet development

While many users have heard of Google Chrome’s “zero-day exploit”, they may be unfamiliar with what it actually describes. A zero-day attack occurs when a threat actor exploits a vulnerability before software developers can find a fix; this situation occurred on March 25th, 2022. The Harmony Team believes this is the root cause of the recent uptick in thefts.

“One thing people often don’t realize is that the Chrome browser is very vulnerable. Many hacks rely on “zero-day” vulnerabilities that allow arbitrary execution of code or memory access, which means someone already figured out how to use these bugs and deployed the exploits in some websites. When you visit these websites, they silently run some scripts that could potentially steal the storage that contains your wallet’s private keys. Even though most wallets encrypt these private keys with your password, it is often only a matter of time to decrypt the private key by brute force if the password is less than 10 digits. Despite the Google and Chrome team’s best efforts to patch them, there were 16 zero-day vulnerabilities in 2021 alone, and already 1 in 2022. It was reported that some hacker groups are in fact using the one in 2022 to steal crypto.

That said, such an exploit still requires the user to trigger it by visiting a compromised website, and the storage method containing the private key to be somewhere in the browser. So there are at least two simple ways to protect yourself from browser vulnerabilities: (1) use a wallet that doesn’t store the critical credentials in the browser. For example, hardware wallets such as Ledger, 1Wallet web or app, wallets built on 1Wallet, or other well-known mobile app wallets. They all have some ways to be used in the browser and interact with the dApps. (2) isolate the computer on which you use the wallet, add network management tools such as LittleSnitch to manually approve outgoing network connections, and use other devices for regular browsing or dApp interactions.”

Aaron joined a few others from Harmony to discuss wallet security in an AMA hosted by the Harmony Community DAO. We’ll touch on that in the Technical Corner below.

Technical Corner

Harmony Team Q&A: Aaron, Elias, Jack and Quoc

On Friday April 22nd, Aaron, Elias, Jack and Quoc participated in an AMA on the Community DAO’s Twitter Spaces to address all the recent concerns expressed by the community regarding the Chrome exploits, as well as concerns with the Harmony wallet and MetaMask. They also discussed the underlying technology within 1Wallet, security practices and a handful of other questions and topics from the audience.

If you missed the AMA, you can listen to the recording and learn more about wallet security from the team.

Wallet Types and Differences

This is not a comprehensive and exhaustive list, but merely to provide you with ideas and highlight some examples available to users. Our goal today is to identify specific options and bring awareness to those available. We want our community to be able to make smart, educated decisions and be knowledgeable about what’s going on in real time. Therefore, let’s review a few of the options available to you and a brief outline of each.

Users have choices between wallet types, but we begin at distinguishing between a hot and a cold wallet. Hot wallets, such as Metamask or the Coinbase Wallet, are secure but always online. Cold wallets, such as the Trezor Wallet or Ledger Nano S/X, are more secure due to storing your private key offline on a physical device, preventing malicious actors from interacting with your assets.

Image Source: https://enterprise.ledger.com/

Hot Wallets

First, we have desktop and Chrome extension wallets — these are the least secure type of wallet since they lack application isolation, meaning other applications on your computer have the ability to interact with other applications, including your wallet.

Comparatively, users can also choose to utilize mobile wallets — wallets on your phone as an app. These wallets are considered secure because of application isolation, meaning your mobile wallet will not interact with other apps that might attempt access to your assets.

Examples of hot wallets include:

MetaMask: MetaMask can be installed on either mobile or PC and is considered a hot wallet. MetaMask allows you to add networks within the application so it can operate on networks such as Ethereum, Harmony, Polygon, etc.

  • Note: It is good practice to disconnect from sites after you are done using them. Also, if you use MM on mobile, it is highly recommended to disable back-ups to iCloud.

Blits Wallet: Blits is another hot wallet option, available on mobile devices, and provides users with the ability to stake their ONE.

Other notable options include Trust Wallet, Infinity Wallet, Trustee Wallet, Guarda, and more. Check out our full list of supported hot wallets.

Again, these are only some of the available hot wallet options, and users should choose one based on what they like: tokens supported, UI/UX comfort, functionality, and safety.

In the process of creating your hot wallet, it is highly recommended that you use a secure password of 14 characters minimum with a combination of upper and lowercase letters, numbers, and symbols. Be sure to write down both your seed phrase and your password and store them in a VERY safe location.

Cold Wallets — Most Secure

Hardware wallets are considered cold, very secure, and the most recommended type of wallet for the crypto community. These wallets aren’t installed on your computer or phone, but instead are small physical devices that store your private key offline. Compared to desktop and browser extensions that keep your private key on your computer, this option is considerably safer and makes it significantly more difficult for your assets to be compromised.

The Ledger Wallet comes in two versions, the S model and the X model. The biggest difference lies in the amount of storage space available on each model. If you hold multiple assets and intend to keep growing your portfolio, then you may opt for the X model.

Two other options users may consider are the Trezor Wallet, which integrates well with MetaMask, as well as the SafePal Wallet, which is developed and maintained by Binance Labs.

Safe Practices

Elias created an informative write-up on wallet security and securing your assets. In the article, Elias highlights the critical message regarding the Harmony Chrome extension wallet, as well as the most notable recent hacks within the Harmony ecosystem and within the broader crypto community. We’ve seen an uptick in malicious behaviors and users being targeted within the Harmony community, but this issue is not exclusive to us. Criminals, hackers, thieves… whatever label you want to give them, when we are easy prey, they will find us and take what they can. So when we say, practice safe behaviors… we mean it.

If you want to read more regarding the latest scams, hacks or exploits, you can head over to the REKT Database to see what’s been reported.

Options everyone should focus on to protect their assets come in a variety of forms. From a technological standpoint, we have various cold wallets, malware protection software, and conscious behaviors such as avoiding risky websites and not clicking or responding to unknown links or DMs. Another great habit to get into is to document your passwords in an encrypted file saved directly to an external USB flash drive that’s plugged in only when you need access and otherwise left locked in a safe or safety deposit box. Password vaults are a great way to store passwords while making it easy to have different passwords for all your online accounts — if one gets compromised, your other accounts are completely safe.

Personally, I’m a fan of the typed and printed sheet, laminated and stored in a safe location because, well, technology can fail. Ledger also provides items such as the Cryptosteel Capsule, in which you can store your 24-word seed phrase within a fully protected shell. They also provide the Billfodl, a metal sheet that lets you record and store your 24-word seed phrase and is resistant to fire, water and other elements.

Those who use browser-extension based wallets such as MetaMask without any hardware wallet should consider using a multi-signature smart contract wallet (multisig) to manage their assets, such as Gnosis Safe. With a multisig, transactions must be signed by multiple private keys before they can be issued.

The benefit of using a multisig wallet? Hackers now need to hack multiple wallets before they can steal your assets which can be substantially more difficult. Even if a device is lost or compromised, the owner(s) can still access funds so long as they possess most of their other devices.

Harmony’s version of the Gnosis Safe can be found at https://multisig.harmony.one. Users can create multiple wallets using multiple devices (such as laptop, desktop, phones), and have them as owners to the multisig.

Note that a multisig smart contract wallet may have issues transferring funds to a centralized exchange such as Binance. Always send small amounts first.

With a multisig, users should also consider occasionally creating a new wallet, adding it as an owner, and removing the oldest wallet from the list of owners in the multisig. The reason is that the older your wallet is, the more likely it’s already compromised. Many hackers are patient. They sometimes wait for weeks, even months, and let the victim accumulate substantial assets before they take action (and usually when they do, they steal everything).

With or without multisig wallets, it’s good practice to move assets to a newly created wallet every six months. When you create a new wallet, assuming it’s not a multisig, make sure to use a different seed phrase and private key when using wallets like MetaMask.
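The threshold and owner-rotation rules described above, as an added example that is not Gnosis Safe’s or Harmony’s code: a small Python model of an M-of-N wallet in which a single compromised device cannot move funds, stale signatures cannot be replayed, and rotating a fresh device in and the oldest device out invalidates the old device’s signatures. The DeviceWallet and MultisigSafe names are assumptions for this example, and HMAC tags stand in for the ECDSA signatures a real on-chain safe verifies.

```python
import hashlib
import hmac
import os


class DeviceWallet:
    """One owner key: a laptop, desktop or phone wallet (constructed toy, not a real key)."""
    def __init__(self, name):
        self.name = name
        self.secret = os.urandom(32)
        self.address = hashlib.sha256(self.secret).hexdigest()[:40]

    def sign(self, digest):
        # HMAC stands in for the ECDSA signature a real wallet would produce.
        return hmac.new(self.secret, digest, "sha256").digest()


class MultisigSafe:
    """M-of-N wallet: a transfer executes only with `threshold` distinct current-owner signatures."""
    def __init__(self, owners, threshold):
        if not 1 <= threshold <= len(owners):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners = {o.address: o for o in owners}
        self.threshold = threshold
        self.nonce = 0  # part of every digest, so old signatures cannot be replayed

    def digest(self, to, amount):
        return hashlib.sha256(f"{to}:{amount}:{self.nonce}".encode()).digest()

    def execute(self, to, amount, signatures):
        """signatures: {owner_address: sig}. Returns True only if the threshold is met."""
        d = self.digest(to, amount)
        valid = 0
        for addr, sig in signatures.items():
            owner = self.owners.get(addr)  # removed owners and strangers are ignored
            if owner is not None and hmac.compare_digest(owner.sign(d), sig):
                valid += 1
        if valid < self.threshold:
            return False
        self.nonce += 1
        return True

    def rotate_owner(self, new_owner, old_owner):
        """Add a fresh device and drop the oldest one, keeping the threshold reachable."""
        self.owners[new_owner.address] = new_owner
        if len(self.owners) - 1 < self.threshold:
            raise ValueError("removing this owner would leave too few owners")
        del self.owners[old_owner.address]
```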

One final word of advice; never take security and peace of mind for granted, always practice safe crypto and protect your crypto assets.

Previous Hacks & Stolen Funds

We wish to highlight the numerous ways that funds can be lost, as losses do not always occur simply through a scam. Exploits, scams and hacks occur on any network at any time and are constant reminders that audits, code reviews and open, transparent code can help reduce the chances of these events occurring. To see specifics or read more about the breakdowns of various situations in which users lost funds, visit the REKT Database.

Scams and hacks occur on different networks and are a constant reminder that security should always be at the forefront. For example, Axie Infinity suffered a blow on March 28th, 2022 when a hacker used an exploit on the Ronin Network. The attacker used hacked private keys to successfully forge fake withdrawals. Using a gas-free RPC node, the culprits were able to use a backdoor to get a signature for the Axie DAO validator. The bridge was exploited for 173,600 ETH and 25.5M USDC.

The Cashio Protocol, hosted on the Solana Network, suffered an exploit which stemmed from incorrect collateral validation during the minting process, which led to infinite minting. The exploit was totaled at approx. $48M; accounts that had less than $100k in them were returned and the rest was donated to charity.

On the Harmony side, we detailed some of the thefts that occurred in the community in a couple of articles published over the past few months. One in particular occurred recently, when a community member’s account was compromised. The assets were tied to a handful of browser extension wallets sharing the same private key. The compromise unfortunately resulted in the loss of JEWEL tokens worth over $40M.

Conclusion

Once again, we want to thank each and every one of you for being a part of the Harmony community, and we hope you found this helpful. Stay tuned next week for more updates on all things Harmony in ONEWeekly.

About Harmony

Build on Harmony, Bridge to All Chains.

Harmony is an open and fast blockchain. Our mainnet runs Ethereum applications with 2-second transaction finality and 100 times lower fees. Our secure bridges offer cross-chain transfers with Ethereum, Binance and 3 other chains.

Build on Harmony, bridge to all chains. We are an open platform for your assets, collectibles, identity and governance.

We 💙 Developers.
