Immunefi
Published in

Immunefi

Security Best Practices of Web3 Wallets

Just yesterday, MetaMask celebrated a new milestone of reaching 21M monthly active users — and it goes to show how far humans have come from trading seashells, metals, and regular paper currency.

With Web3 wallets, millions of dollars can be moved with the tap of a button. And yet, despite their popularity, the inner workings of Web3 wallets like MetaMask are often still a mystery to most users — as are security best practices.

Even the smart folks can’t get it right, as shown by this one very public and hilarious meltdown of a financial economist and former Forbes contributor.

There’s incorrect, and then there’s definitely incorrect. Full thread here.

In this article, we’ll dive into some of the key concepts surrounding crypto-wallets, how to secure them, and the best practices recommended by experts.

And to clarify, yes, you can receive tokens even while your wallet is “offline”.

Why are we writing this article now?

Tons of new users and developers are flooding into crypto by the day, and wallets like MetaMask are somewhat mystifying to understand and use. Not only can they be hard to understand and use, but following best security practices is even more difficult. This applies to new users and to users who have already been in crypto for a while.

But the most important reason is simple: knowing best security practices of Web3 wallets is no longer optional, since we’re starting to observe blackhats upgrading malware to drain Web3 browser wallets like MetaMask after infecting computers.

That’s extremely dangerous. Blackhats now have every reason to increase their efforts to get access to your computer. They don’t care about your personal files, and bank accounts are also often hard to access. But once they capture your wallet’s seed phrase, they can steal all tokens and all NFTs. Just like that. This is now happening every day, and it’s only going to increase.

You need to start taking steps to secure yourself, or else risk clicking on the wrong link or opening the wrong file and one day waking up to an empty wallet.

Keys — What Are They, How Do They Work?

“Not your keys, not your crypto” is an oft-repeated phrase in the crypto world. What this means is that if you don’t hold the private key (a series of letters and/or numbers produced from a method known as KDF) of your crypto wallet, you effectively don’t have full control over it.

This is true in the sense that if you ever want to switch to a different wallet app, or if you wanted to restore your wallet (after losing your device), you’d have to rely on your private key to do so. Without this piece of information, you are effectively surrendering control over your wallet to someone else.

That is how exchange wallets work. Exchanges, such as Coinbase, have your private key, and therefore control your wallet. You have to ask them for permission every time you want to withdraw or move your funds. This is known as a “custodial wallet”. You can never restore an exchange wallet because you don’t hold the private key.

This is why some users opt for a browser or hardware wallet, where you do have custody of your keys.

Browser vs Hardware Wallets

Many users seem to have unanswered questions about the use of hardware wallets, such as:

Something I had difficulty with when first getting into crypto was to figure out what potential risk vectors each wallet type presented. Everyone was always saying ‘hardware wallets are the best!’, but no one explained something like ‘Hey if you use a browser wallet here are the ways that we know for how you can get screwed’.

Browser wallets are browser extensions that allow you to access your crypto keys in order to make transactions in your browser. The most popular one is MetaMask which serves a multitude of EVM-based chains (Ethereum, BSC, Harmony, Polygon, Avalanche etc.), but there are also browser wallets that serve specific chains like Terra Station (Terra), Phantom (Solana), and Yoroi (Cardano).

One big advantage of using a browser wallet is that it’s easy to interact with dApps — it allows you to sign transactions without even leaving your browser window. The major disadvantage however, is that you open yourself up to risk: if either your browser, machine, or Wifi connection is compromised, you may be kissing your money goodbye.

Hardware wallets have the opposite effect: they are cumbersome when it comes to using dApps, but much harder to break into. Hardware wallets have the ability to generate keys or restore them, without relying on an external connection or device. This means that there is as little interference as possible from a potential attacker.

Both hardware and software wallets generate keys using the same method, which was defined by BIP-32, and BIP-39. BIPs are short for Bitcoin Improvement Proposal, which are community documents and initiatives for adding new features to Bitcoin. These two proposals in particular enjoyed near-universal adoption as the main method of deriving keys for wallet creation.

Cold Wallets, Hot Wallets

Hardware wallets are also sometimes referred to as “cold wallets” or “offline wallets”. The term ‘cold wallet’ is generally taken to mean a wallet that is not connected to the internet, but there can be much room for misunderstanding around this.

For example, if your wallet is truly offline, how do you sign transactions or receive any coins from the blockchain at all?

A good way to think about this is that your wallet is more like an electronic check book — it is not a place to physically “store” crypto tokens or coins. Whenever you sign a transaction, you are metaphorically writing a check that the blockchain then deposits, in order for the funds to be moved from your account to the recipient(s).

When you use a hardware wallet like a Ledger to sign transactions, there is an external device involved, like your computer or your mobile phone, which sends and receives information to the blockchain.

This means that your actual Ledger does not connect to the internet. Having this separation from your computer means that your hardware wallet is protected. Any malware on your desktop computer or mobile phone would have a hard time trying to steal your private keys from your hardware wallet, since it cannot communicate directly with its memory, processor, or operating system.

The most it could do is to alter the transaction information as it is sent to your hardware wallet, and if you’re not carefully checking the address you might end up sending your crypto to the scammer’s wallet instead of your intended recipient.

This is unlike online, or hot wallets, which are the ones generated on your mobile phone or desktop. They are frequently used by Web3 users: to mint NFTs and use dApps, in addition to simply sending or receiving funds.

Hot wallets live on your desktop or mobile phone and use the same storage, processor, and operating system as your device. This makes them more vulnerable to attack since all of these things can be affected by any malware living on your device. However, it’s possible to boost your hot wallet security by creating a separate virtual machine (VM) on your existing computer and only using that VM for for hot wallet transactions — nothing else. We’ll write a follow-up article soon giving you step-by-step instructions on how to create that VM.

In that sense, cold wallets are much better for storing funds that you don’t need to move often. Hot wallets, on the other hand, are much better for day-to-day transactions.

The idea of having a cold wallet and a hot wallet is mainly to compartmentalize your funds: you create a ‘bucket’ that’s separate from your daily activities, which keeps it on the down-low.

Paper Wallets

You can even create a paper wallet (a wallet that you’ve generated using BIP-39 seed phrase, but only keep note of it on paper), so that you never enter it onto any electronic device until the day that you need it.

The possibility of someone finding your wallet is so minuscule, that it would be much easier to find a specific grain of sand in the Sahara desert (9.2 million km2, 8 octillion grains of sand — 8 x 10^37) than for someone to brute-force or randomly guess your passphrase (5.4 duodecillion possible wallets, or 5.4445179 × 10^39).

Seed Phrases

A seed phrase is an encoded group of words that are used to restore your crypto wallet. A seed phrase looks like this:

“Cow-bungee-dispute-alabaster-golden-long-algebra-river-suit-bag-eleven-dog”

Seed phrases are simply a human-readable form of the “wallet seed” used to generate your wallets, based on the previously mentioned BIP-39 standards. It is very important to keep them to yourself, since anyone with your seed phrase can use it to take over your wallet.

This is where hackers come in and use various methods, including social engineering, to try and steal your seed phrase. One form of this is a scam where they pretend to be support staff from Binance, Sushiswap, Opensea, etc. and ask for your details such as:

  1. Seed Phrase/Recovery Phrase.
  2. Ask you to share your screen and show your MetaMask recovery QR code.

Even experienced crypto-natives have fallen for these types of scams, so don’t underestimate them. Whenever someone asks you for the above information, it should immediately ring alarm bells in your head.

Secure Your Browser and Device

In this section, device refers to: your phone, your laptop, your hardware wallet, etc.

Whichever type of wallet you use, take caution and practice a security-conscious approach to keeping your device and browser clear of any potential malware. This includes doing due diligence on websites you interact with, keeping your software up-to-date with security patches, and ignoring emails, links, or DMs from strangers etc.

Attacks on your browser or device can result in someone stealing your private keys (since it lives on your device, which gives them access to your wallet as if they are the owner.

There are also other ways hackers can trick you and gain your funds. For example, this malware substitutes your wallet address with the hacker’s wallet address when you copy and paste it into MetaMask. If you didn’t check the address, you’d end up sending funds to the hacker’s account. And in crypto — there are no clawbacks.

A compromised device or browser could also show incorrect transaction information. For example, you may think that you are signing a token swap transaction, when in reality you are signing a transaction to send your tokens to an unknown address.

This is because malware can change how your device or browser displays information. To counteract this, you could get a hardware wallet that displays the smart contract information of the transaction you are about to sign.

Some hardware wallets are able to display the contract information for the transaction you are about to sign, but most don’t have this capability yet. Until this feature becomes common, it may be difficult to properly verify your transactions, especially with existing wallets like Ledger or Trezor. But you can at least ensure that it is being sent to the right address.

Best Practices

Our overall best practices for using your web3 wallet are:

  1. Generate your keys securely (on a newly reset, offline device if possible).
  2. Only buy your hardware wallets directly from the manufacturer (don’t buy from shopping sites like Amazon or from resellers).
  3. Keep your device, such as mobile phone or desktop, clear of malware and frequently updated to the latest security patch.
  4. Have multiple wallets. Separate your daily use wallet from the wallet where you keep the bulk of your funds.
  5. Consider creating a separate VM on your computer and only using it for hot wallet transactions.
  6. Be vigilant — Always double check your transactions, recipient addresses, and browser URL. And if something sounds too good to be true, it probably is.

Closing thoughts

You can never be too careful about your wallet security: even if you don’t hold much crypto, it is always good to be aware of the underlying risks and how to secure against them. Cryptography is a good tool against adversaries — but it alone is not enough to protect you from con-men, misleading webpages, phony giveaways, and malware.

And most importantly, no amount of encryption and no hardware wallet can protect you from simply making a bad decision, being tricked. Practice due diligence when swapping tokens, and use dApps that are known and reputable, and don’t trust — verify whenever possible.

In terms of smart contract risk, auditors and whitehats from bug bounty programs in DeFi do their best to ensure that this is minimized as much as possible. But in terms of personal wallet security — it’s mostly on you to learn the risks and how to mitigate it.

Don’t let that stop you from exploring and interacting with crypto dApps and DeFi. There’s a world of opportunity out there, but just remember to take the necessary precautions.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store