How To Secure Your Crypto Wallet On A Virtual Machine And Stop Front-Running
TLDR: We will create a Ubuntu virtual machine which will run behind a VPN and use the Brave browser with enforced HTTPS, JS filtering, and domain protection extensions together with a FlashBots RPC to prevent bots from front-running our transactions.
You may have heard stories about the Ethereum dark forest, a place where bots and searchers try to maximize profit by taking advantage of MEV opportunities. This results in users paying the cost, since most of them are not aware of such trickery, much less on how to avoid it.
The same concept applies to the current world wide web, where malicious links, wallet hacks, browser exploits, and other attacks lurk in the dark waiting to be triggered by distracted users. 2021 alone was a record breaker.
The point is, neither blockchains, nor the internet are safe places. Nevertheless, we can still take steps to increase our personal security and reduce the probabilities of getting pwned.
So, in this guide, we are going to create a VM (virtual machine) running Ubuntu, a Linux distribution, to achieve two things: 1) isolate MetaMask from your normal computer workflow to minimize the impacts of any malicious website we visit, link we click, or cool browser extensions we install, and 2) set up a custom network RPC on MetaMask to prevent bots from front-running our transactions.
Security is not a process. It’s a state until you get pwned.
Average User Security Posture: Low
Currently, although more users are becoming aware of the consequences of not caring about security — especially in the crypto space — they still do not implement rigorous enough security mechanisms to protect themselves.
Let’s consider this simple diagram where a user navigates to a new profitable DeFi application that offers 69,000% APY. The user requests a website using his regular browser from his private IP address and proceeds to click links, buttons, sign transactions, enable extensions, and so on.
The user ends up joining a Discord server where he is messaged by an “admin” who sends a phishing link which either requests the user’s seed phrase, downloads malware, or exploits a browser/add-on vulnerability.
Finally, the situation becomes FUBAR for the user.
In this article, we will implement a couple more layers of security between the user and the malicious actors, decreasing the probabilities of getting compromised.
The intention behind connecting to a website using a VM and a disposable MetaMask (or other) wallet is to test the waters and see if everything behaves as expected before committing more money. If things go sideways, only one wallet has been compromised, a small number of funds lost, and the browser as well as the VM can be safely deleted, thus saving us the absolute nightmare of dealing with a whole system compromise.
So, What Are We Doing Here?
- Enabling hardware virtualization
- Installing Virtual Box
- Downloading a Ubuntu image
- Creating and configuring a new Virtual Machine (VM)
- Improving the VM: Installing guest additions
- Installing Brave browser
- Installing tools such as uMatrix, HTTPS EVERYWHERE and EAL
- Installing a VPN
- Connecting to Flashbots Protect
Ubuntu Good, What About Tails?
If you are somewhat paranoid and don’t care much about UX, you could install the Tails Operating System on a USB drive or on a VM. Tails runs fully on memory, which means it does not touch the hard drive. When you are done your work, poof! No data is saved.
You can use Rufus to create a bootable USB flash drive.
But for this guide, we are going to use Ubuntu for the following reasons:
- We want the advantages that come with a fully fledged operating system to increase our UX while surfing the web and clicking around
- Ubuntu is “more secure” than Windows
- Tails is focused on extreme privacy, which is overkill for most users
- Tails does not save data, so if you want to save notes, browser extensions, bookmarks about your favourite DeFi protocols, etc…, then ngmi
- Ubuntu is fun, and you will learn some technical skills
Before We Start
Make sure your computer supports hardware virtualization, which is essential to run virtual machines. Enable it.
1 ) Download Virtual Box
When installing, leave everything as default.
2) Download A Ubuntu Image
3) Create a New Virtual Machine
Is your Virtual Box installed and the Ubuntu image ready? Good.
- Select ‘New’ and call the new Virtual Machine “Ubuntu_clean”. Why “clean”? Because it is “clean-of-bad-stuff”, so after all the necessary software we need has been installed, we will make a copy of it.
This way if our copy “breaks” or gets compromised, we can safely delete it and make a new one using the original as reference, saving us the set up time.
- Save it at your location of choice
- ‘Type’ is Linux and the ‘Version’ is Ubuntu (64 should be fine unless you are using a 32bit architecture)
- Now, how much RAM do you want to allocate to it? If a low amount of memory is selected, it will run slowly. The intention is to use the guest virtual machine as if it was our host computer while browsing, so the more RAM the merrier. Leave some RAM for the host computer to keep doing its thing. My host computer has 16GB of RAM, so I'm going to give my guest 6GB
- Create a Virtual Hard Disk
- A Virtual Box Image is like a regular hard disk but only compatible with Virtual Box. You can easily move it to your external drive, upload it to the Google cloud … or load it on a new computer which has Virtual Box installed! (also convert it to other formats if necessary)
- Dynamic storage or fixed size? Depends on your needs. Let’s give it a fixed size to (1) keep track of how much information our guest is storing/avoid taking extra space from the host and (2) speed up read/write operations on disk
- Click “Create”
- Let’s load the Ubuntu image!
(1) Settings > (2) Storage > (3) Empty disk > (4) Select Disk File > (5) Select the Ubuntu .ISO
Then click “OK”
- Change settings to improve the guest’s performance, such as increasing the number of processors (if I’m not doing anything on my host computer, I allocate more to the guest) and increasing video RAM to make it run smoother.
- Proceed with the installation and come back when you are done
Congratulations! Your VM is up and running!
4) Installing Guest Additions
If you played around with the guest VM before reading this, you may have noticed the resolution is awful and other features like Drag-and-Drop or Clipboard Sharing aren’t working.
To satisfy our daily internet browsing needs using this virtual machine, we need to install Virtual Box Guest Additions. From the Virtual Box website:
Guest Additions are designed to be installed inside a virtual machine after the guest operating system has been installed. They consist of device drivers and system applications that optimize the guest operating system for better performance and usability.
- Open a terminal inside the guest VM by pressing CTRL+ALT + T or directly from the menu, and write down one by one these famous lines:
sudo apt update
sudo apt upgrade
After the package update and upgrades have finalized:
rebootto restart the machine
- When the guest is back up, run this command in the terminal:
sudo apt install build-essential dkms linux-headers-$(uname -r)
- When the installation is done, click in the navigation bar Devices > Insert Guest Additions CD image
This action will pop up a disk on the bottom left and a warning you can accept to run the program:
- When done, click “Enter”
Voila! Now it does feel like a real desktop computer, doesn’t it?
Feel free to make a clone (copy) of your brand new Virtual Machine now if you want. (I personally only make clones when I am certain most of the software Ineed has already been installed)
- Give it a new name to differentiate if from the original machine
- Select Full clone: a Linked clone would give us less flexibility if we where to move our VDI or make storage changes.
- Congratulations! Now you can mess around with the copy and always make a new clone whenever you wish!
5) Install Brave browser
Brave is a Chromium-based browser which has gotten a lot of attention in the crypto community because of its unusual, pre-installed features and business model:
- Custom tracker blocker installed by default
- Custom ad blocker installed by default, which rewards you with BAT tokens when you see an ad displayed by the Brave browser itself. (You can replace it with the one you prefer)
- TOR proxy, but does not include most privacy protections from the TOR browser
- Integrated IPFS for
- Other features like integrated Brave wallet, dashboard customization, etc.
You can install the Brave browser on a Linux distribution such as Ubuntu by using these commands. Source here.
sudo apt install apt-transport-https curl
sudo curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list
sudo apt update
sudo apt install brave-browser
reboot the virtual machine.
After reboot, if you can’t see the browser anywhere, just type
brave-browser in the terminal to initiate it. It will then appear on the Ubuntu menu.
In the menu, right click and add it to favourites to always display on the side panel.
5) Install Extra Tools: Extensions
- A must have, install MetaMask (or any other wallet you like)
- Install uMatrix, which is a web content blocker that allows you to control what the browser executes and downloads when requesting a website. Here is how you can get started with it!
- Install EtherAddressLookup. This extension blocks phishing domains based on a regularly maintained blacklist and adds hyperlinks to strings which look like Ethereum addresses to look them up on Etherscan
6) Installing A VPN
Simple privacy measures keep us more secure.
Using a VPN will hide our IP address. This way, we avoid malicious actors doing reconnaissance to find out more about us. You can also use Brave’s built-in TOR router as a proxy.
7) Connecting To Flashbots Protect
To avoid bots front-running our transactions, we are going to route them through a private network, in order to bypass the public mempool. Sending our transaction in a bundle (which miners running a mev-geth client can pick up) will provide us with another extra layer of security.
For Developers And Other Curious Beings
It is also possible to use Flashbots for other things, such as submitting custom bundles or integrating within your application.
If you want to run a test, git clone this repository and follow the instructions: https://github.com/misirov/FlashBots
Here is an example of a program which sends a transaction to a contract that only spends gas:
Note: now is a good time to make a clone of your “clean” machine!
If you made it to this point successfully, you are most likely a natural MVP. You’ve created an environment to protect yourself from malicious agents and know more about personal security than the vast, vast majority of users in this space. Congratulations!
Now, h4cker P3P3 is gonna have it rough. Gotta go, my VM got compromised...
Links Of Interest:
- Ethereum dark forest
- HTTPS EVERYWHERE
- Brave browser
- Tails Operating System
- Rufus to make bootable USB
- type 2 hypervisor
- Wallets and their attack vectors