How To Secure Your Crypto Wallet On A Virtual Machine And Stop Front-Running

Published in

Immunefi

11 min readJan 9, 2022

Into the storm, Wenqing Yan. https://www.yuumeiart.com/

TLDR: We will create a Ubuntu virtual machine which will run behind a VPN and use the Brave browser with enforced HTTPS, JS filtering, and domain protection extensions together with a FlashBots RPC to prevent bots from front-running our transactions.

Introduction

You may have heard stories about the Ethereum dark forest, a place where bots and searchers try to maximize profit by taking advantage of MEV opportunities. This results in users paying the cost, since most of them are not aware of such trickery, much less on how to avoid it.

The same concept applies to the current world wide web, where malicious links, wallet hacks, browser exploits, and other attacks lurk in the dark waiting to be triggered by distracted users. 2021 alone was a record breaker.

The point is, neither blockchains, nor the internet are safe places. Nevertheless, we can still take steps to increase our personal security and reduce the probabilities of getting pwned.

So, in this guide, we are going to create a VM (virtual machine) running Ubuntu, a Linux distribution, to achieve two things: 1) isolate MetaMask from your normal computer workflow to minimize the impacts of any malicious website we visit, link we click, or cool browser extensions we install, and 2) set up a custom network RPC on MetaMask to prevent bots from front-running our transactions.

Security is not a process. It’s a state until you get pwned.
Zero-day.cz

Average User Security Posture: Low

Currently, although more users are becoming aware of the consequences of not caring about security — especially in the crypto space — they still do not implement rigorous enough security mechanisms to protect themselves.

Let’s consider this simple diagram where a user navigates to a new profitable DeFi application that offers 69,000% APY. The user requests a website using his regular browser from his private IP address and proceeds to click links, buttons, sign transactions, enable extensions, and so on.

The user ends up joining a Discord server where he is messaged by an “admin” who sends a phishing link which either requests the user’s seed phrase, downloads malware, or exploits a browser/add-on vulnerability.

Finally, the situation becomes FUBAR for the user.

In this article, we will implement a couple more layers of security between the user and the malicious actors, decreasing the probabilities of getting compromised.

The intention behind connecting to a website using a VM and a disposable MetaMask (or other) wallet is to test the waters and see if everything behaves as expected before committing more money. If things go sideways, only one wallet has been compromised, a small number of funds lost, and the browser as well as the VM can be safely deleted, thus saving us the absolute nightmare of dealing with a whole system compromise.

Many people have lost time, energy, and money, due to not testing the waters first.

We will also connect to a Flashbots Protect RPC to protect ourselves from bots lurking in the Ethereum dark forest that are monitoring the mempool and front-running our transactions.

Preventing bots from seeing our transactions.

So, What Are We Doing Here?

Enabling hardware virtualization
Installing Virtual Box
Downloading a Ubuntu image
Creating and configuring a new Virtual Machine (VM)
Improving the VM: Installing guest additions
Installing Brave browser
Installing tools such as uMatrix, HTTPS EVERYWHERE and EAL
Installing a VPN
Connecting to Flashbots Protect

Ubuntu Good, What About Tails?

If you are somewhat paranoid and don’t care much about UX, you could install the Tails Operating System on a USB drive or on a VM. Tails runs fully on memory, which means it does not touch the hard drive. When you are done your work, poof! No data is saved.

You can use Rufus to create a bootable USB flash drive.

But for this guide, we are going to use Ubuntu for the following reasons:

We want the advantages that come with a fully fledged operating system to increase our UX while surfing the web and clicking around
Ubuntu is “more secure” than Windows
Tails is focused on extreme privacy, which is overkill for most users
Tails does not save data, so if you want to save notes, browser extensions, bookmarks about your favourite DeFi protocols, etc…, then ngmi
Ubuntu is fun, and you will learn some technical skills

Before We Start

Make sure your computer supports hardware virtualization, which is essential to run virtual machines. Enable it.

task manager showing virtualization enabled

1 ) Download Virtual Box

Virtual Box is a type 2 hypervisor software which allows our computer (host) to create virtual computers (guests). Download it here.

When installing, leave everything as default.

https://www.fosslinux.com/16360/how-to-install-ubuntu-in-virtualbox-on-windows-pc.htm

2) Download A Ubuntu Image

To run Ubuntu, we must first download the .ISO file from the official site. Download it here.

3) Create a New Virtual Machine

Is your Virtual Box installed and the Ubuntu image ready? Good.

Select ‘New’ and call the new Virtual Machine “Ubuntu_clean”. Why “clean”? Because it is “clean-of-bad-stuff”, so after all the necessary software we need has been installed, we will make a copy of it.

This way if our copy “breaks” or gets compromised, we can safely delete it and make a new one using the original as reference, saving us the set up time.

Save it at your location of choice
‘Type’ is Linux and the ‘Version’ is Ubuntu (64 should be fine unless you are using a 32bit architecture)

Now, how much RAM do you want to allocate to it? If a low amount of memory is selected, it will run slowly. The intention is to use the guest virtual machine as if it was our host computer while browsing, so the more RAM the merrier. Leave some RAM for the host computer to keep doing its thing. My host computer has 16GB of RAM, so I'm going to give my guest 6GB

Create a Virtual Hard Disk

(Ignore “Kali_2021 ..” It’s a Virtual Disk image I previously imported from another computer. Pretty handy, huh?)

A Virtual Box Image is like a regular hard disk but only compatible with Virtual Box. You can easily move it to your external drive, upload it to the Google cloud … or load it on a new computer which has Virtual Box installed! (also convert it to other formats if necessary)

Fun Fact: this is also how law enforcement keeps track of information while conducting investigations. Creating a VHD, doing their thing and then archiving the VHD for future references or sending it to prosecution / forensics.

Dynamic storage or fixed size? Depends on your needs. Let’s give it a fixed size to (1) keep track of how much information our guest is storing/avoid taking extra space from the host and (2) speed up read/write operations on disk

Click “Create”

Let’s load the Ubuntu image!

(1) Settings > (2) Storage > (3) Empty disk > (4) Select Disk File > (5) Select the Ubuntu .ISO

Then click “OK”

Change settings to improve the guest’s performance, such as increasing the number of processors (if I’m not doing anything on my host computer, I allocate more to the guest) and increasing video RAM to make it run smoother.

These settings can be changed anytime after the VM has been created

Proceed with the installation and come back when you are done

Congratulations! Your VM is up and running!

4) Installing Guest Additions

If you played around with the guest VM before reading this, you may have noticed the resolution is awful and other features like Drag-and-Drop or Clipboard Sharing aren’t working.

Ew, terrible resolution. Can’t use this in my daily life. Can’t drag and drop, either.

To satisfy our daily internet browsing needs using this virtual machine, we need to install Virtual Box Guest Additions. From the Virtual Box website:

Guest Additions are designed to be installed inside a virtual machine after the guest operating system has been installed. They consist of device drivers and system applications that optimize the guest operating system for better performance and usability.

Open a terminal inside the guest VM by pressing CTRL+ALT + T or directly from the menu, and write down one by one these famous lines:

sudo apt update
sudo apt upgrade

After the package update and upgrades have finalized:

*sudo* means “superuser do <something>”. Therefore, you need to supply your password before these commands are executed.

Run reboot to restart the machine
When the guest is back up, run this command in the terminal:

sudo apt install build-essential dkms linux-headers-$(uname -r)

When the installation is done, click in the navigation bar Devices > Insert Guest Additions CD image

This action will pop up a disk on the bottom left and a warning you can accept to run the program:

When done, click “Enter”

Voila! Now it does feel like a real desktop computer, doesn’t it?

Feel free to make a clone (copy) of your brand new Virtual Machine now if you want. (I personally only make clones when I am certain most of the software Ineed has already been installed)

Right click with your mouse to open the options panel.

Give it a new name to differentiate if from the original machine

Select Full clone: a Linked clone would give us less flexibility if we where to move our VDI or make storage changes.

Congratulations! Now you can mess around with the copy and always make a new clone whenever you wish!

Clean original version, and the one you can “dirty”

5) Install Brave browser

Brave is a Chromium-based browser which has gotten a lot of attention in the crypto community because of its unusual, pre-installed features and business model:

Custom tracker blocker installed by default
Custom ad blocker installed by default, which rewards you with BAT tokens when you see an ad displayed by the Brave browser itself. (You can replace it with the one you prefer)
TOR proxy, but does not include most privacy protections from the TOR browser
Integrated IPFS for ipfs://<CID> URLs
Other features like integrated Brave wallet, dashboard customization, etc.

You can install the Brave browser on a Linux distribution such as Ubuntu by using these commands. Source here.

sudo apt install apt-transport-https curl

sudo curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list

sudo apt update

sudo apt install brave-browser

After installation, reboot the virtual machine.

After reboot, if you can’t see the browser anywhere, just type brave-browser in the terminal to initiate it. It will then appear on the Ubuntu menu.

In the menu, right click and add it to favourites to always display on the side panel.

Since I’ve already added it to favorites, the opposite option is displayed.

5) Install Extra Tools: Extensions

A must have, install MetaMask (or any other wallet you like)

Install HTTPS EVERYWHERE. In the 21st century there is no excuse for any website to not use simple encryption. Visiting non-encrypted pages may result in a MITM attack. You can try a demo of a malicious Javascript code injected on a website page here! (ps: it’s legit)

Example of a non-HTTPS site blocked by the extension

Install uMatrix, which is a web content blocker that allows you to control what the browser executes and downloads when requesting a website. Here is how you can get started with it!

Now we can see all the connections a website is making, if something looks weird, we can simply filter it

Install EtherAddressLookup. This extension blocks phishing domains based on a regularly maintained blacklist and adds hyperlinks to strings which look like Ethereum addresses to look them up on Etherscan

I searched for olympusdao.io (scam domain).

6) Installing A VPN

Simple privacy measures keep us more secure.

Using a VPN will hide our IP address. This way, we avoid malicious actors doing reconnaissance to find out more about us. You can also use Brave’s built-in TOR router as a proxy.

If you don’t want to create you own VPN, a free alternative is to download ProtonVPN from here on your host machine.

7) Connecting To Flashbots Protect

To avoid bots front-running our transactions, we are going to route them through a private network, in order to bypass the public mempool. Sending our transaction in a bundle (which miners running a mev-geth client can pick up) will provide us with another extra layer of security.

The folks at Flashbots have made it quite easy to get started with Flashbots Protect. Check it out here!

Now all transactions will be sent to the relayer instead of the public mempool

For Developers And Other Curious Beings

It is also possible to use Flashbots for other things, such as submitting custom bundles or integrating within your application.

If you want to run a test, git clone this repository and follow the instructions: https://github.com/misirov/FlashBots

Here is an example of a program which sends a transaction to a contract that only spends gas:

Sending bundles to the flashbot goerli endpoint until one is accepted.

It may take some tries to get your bundle included. Beware of gas requirements.

For more information and troubleshooting, check their documentation here and this guide on troubleshooting mev-geth on flashbots.

Note: now is a good time to make a clone of your “clean” machine!

Conclusion

If you made it to this point successfully, you are most likely a natural MVP. You’ve created an environment to protect yourself from malicious agents and know more about personal security than the vast, vast majority of users in this space. Congratulations!

Now, h4cker P3P3 is gonna have it rough. Gotta go, my VM got compromised...