NFTs, Crypto, Wallets, Safety

NFT Security Basics, Part 2 of 2: Crypto Wallet Safety

I’ve split a previous article into two parts. This one is on web3 / crypto wallet security, the other on general cyber security. (It was simply too long as a single article.)

Photo by Meghan Hessler on Unsplash. Thinking that a good article on wallet safety should be short and easy to digest? Well … online safety is really quite in-depth. How far down the rabbit hole should we go?

Last time, we covered the basics on online security — everything else I had to say outside of the crypto / NFT / web3 space. This article is part two where we’ll focus on these new areas. This article is meant as a companion to these other articles:

Okay, let’s get going with web3 security notes!

Never Share Your Seed Phrase or Private Key

  • Never. (Simple rule, right?!)
  • But what if I’m having an issue and meet someone I trust? Still no.
  • But what if I meet someone who says they’re a dev with MetaMask? Definitely no.
  • But what if [anything]? Still no.
  • You pretty much only ever need a seed phrase for when you’re recovering your wallet. For example, if you buy a new computer and want to get your usual wallet onto your new machine. And, in this case, you have hopefully removed MetaMask from your old one!
  • Even in that example, you’re only using the seed phrase yourself — not sharing it with anyone. Once you share that seed phrase, you are working with a compromised wallet and you should consider all of your crypto assets wiped out and gone. The only thing you can do at this point is to make a new wallet ASAP and transfer everything to it. And, since we’re talking about seed phrases, that means moving all assets from all wallets under the account.
  • Seed phrases vs. private keys: So, just to make the above clearer, a seed phrase allows access to all accounts / wallets created under it. If you have 10 wallet addresses / accounts created by your MetaMask install, then the seed phrase would allow you to recover all 10. A private key, on the other hand, would be specific to each wallet address. So, in the example here, there would be 10 different private keys if you had 10 different accounts. If you have a seed phrase, you can generate as many accounts (and therefore private keys) as you like under it, and they’ll always be the same each time you begin with that seed phrase. If you have a private key, you cannot get a seed phrase from it, but you’ll have full control over the individual wallet address related to that private key.
  • This article from MetaMask does a more in-depth dive into seed phrases, passwords, and private keys.
  • BTW, write down and store your seed phrase securely!
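The seed-phrase-to-private-key relationship described above, as an added example (not part of the original article and not MetaMask's code): BIP-39 seed stretching followed by BIP-32 hardened key derivation, showing that one phrase always regenerates the same per-account keys while each key is only a one-way HMAC output. Assumptions: the sample phrase is constructed, and every level uses hardened derivation so only the standard library is needed; the usual Ethereum path m/44'/60'/0'/0/i ends in non-hardened levels that need elliptic-curve math, so these keys will not match what a real wallet derives from the same phrase.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; private keys are integers in 1..N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Constructed phrase for illustration only (not checksum-valid; never fund it).
SAMPLE_PHRASE = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"


def seed_from_phrase(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the phrase into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    def norm(text: str) -> bytes:
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(phrase), norm("mnemonic" + passphrase), 2048)


def master_node(seed: bytes):
    """BIP-32: master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(key: int, chain: bytes, index: int):
    """BIP-32 hardened child: HMAC keyed by the chain code over parent key + index."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    # Child key = (left half + parent key) mod N; right half is the child chain code.
    return (int.from_bytes(digest[:32], "big") + key) % N, digest[32:]


def account_keys(phrase: str, count: int) -> list:
    """Hex private keys for the first `count` accounts under one seed phrase."""
    key, chain = master_node(seed_from_phrase(phrase))
    for level in (44, 60, 0):  # purpose, coin type (60 = Ether), account
        key, chain = hardened_child(key, chain, level)
    return [hardened_child(key, chain, i)[0].to_bytes(32, "big").hex() for i in range(count)]


if __name__ == "__main__":
    # Same phrase in, same keys out, every time; one phrase covers every account.
    for i, private_key in enumerate(account_keys(SAMPLE_PHRASE, 3)):
        print(i, private_key)
```

Nothing in an individual key leads back to the phrase or to the sibling keys, which is why exposing one private key affects one address while exposing the phrase affects all of them.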

Crypto Wallet Seed Phrase Storage

  • Write down your seed phrase and keep it somewhere safe/secure.
  • Don’t store your seed phrase electronically.

Shill DMs are Evil

  • All direct messages (DMs) you get touting an NFT set or crypto opportunities are 100% absolute crap — rugs, pump & dumps, and outright malicious scams. Delete these immediately. No one is trying to give you alpha on something. If an opportunity was that great, people would be too busy buying versus telling others about it.
  • Discord and Twitter are particularly rife with these, though I’d be just as suspicious anywhere else.

Don’t Do Anything with Your Wallet While Screen Sharing

  • When I first got into crypto, I knew a guy who wound up on a chat with someone he believed was a MetaMask customer service rep. The person convinced him to navigate around on his wallet software and, at the time, I think there was a vulnerability in MetaMask where it would show a QR code representing the private key (or some such thing — I can’t recall the specifics). But either way, the private key was exposed, even if only for a second. And apparently the malicious person screen-grabbed it and gained access to that wallet — and naturally cleaned it out in seconds. That guy lost a TON of money there, a life savings, to be frank. He was absolutely devastated.
  • The point is, just don’t do anything sensitive while screen sharing. Assume the other person could be saving the whole session to video, and so anything on screen for even a tiny flash of time could be captured and used against you.
  • And, really, not to sound super paranoid, but… Cover your computer’s video camera when it’s not in use.

Move Assets if You’ve Been Compromised

  • If your wallet has been compromised (which you often unfortunately find out about too late), you need to act as quickly as possible. And much here would depend on the nature of the compromise. For the purposes of these bullets, let’s assume that your seed phrase was exposed somehow and that you now need to move everything:
  • If you’re using an exchange (like Coinbase or Binance), then you should contact the exchange asap and lock down your account.
  • But you’re more than likely using MetaMask and/or possibly a cold wallet here. So step one should be to salvage any crypto and/or digital assets that you can.
  • For crypto, this means sending it to a new wallet address. And that means setting up a completely new wallet with a completely different seed phrase — not just a new account under your existing seed phrase. This can be tricky because you’ll have to work with two different wallets to make this work — your compromised one and your new one. So, you’ll need to do a bit of uninstalling and reinstalling to juggle back and forth. On your MetaMask screen, be sure to look under the “Assets” tab, as you may have more than just ETH in there (e.g., I have some ETH, WETH, and some LINK in mine).
  • For digital assets like NFTs, that’s going to mean transferring all NFTs out to another wallet. This can be time consuming and costly, of course, so you’ll want to start with your most valuable digital assets and work downward.
  • Note, however, that it could be that an individual wallet was compromised, and not the entire seed phrase (which would compromise all associated accounts / wallets). Scroll down to “Review Revoke Sites” for more info on this case.

Don’t Sign Wallet Transactions Unless You Trust the Site

  • Your private key (see above) is what’s used to sign transactions, and private keys pertain to individual accounts / wallet addresses. So, if you sign something you should not, the worst thing that can happen is that you’ll lose everything within that wallet address. Any other addresses within your wallet would not be affected (so long as you did not divulge your seed phrase).
  • This is a rather complicated topic, yet it’s also important. I’m not suggesting that every NFT buyer has to fully understand everything about signatures, as it can get technical quickly. However, at least familiarizing yourself with some of the main types and red flags can go a long way as a start. Here’s a favorite thread from Twitter user @0xQuit on this. I recommend you read it — perhaps once to start, and then again later as you become more familiar with many of the terms used therein. And here’s a nice video about signature exploits. (That’s from a dev who contributes to the Boring Security DAO — a recommended Twitter account to follow for web3 security awareness.)
  • In general, though: Simply do not sign any transactions unless you trust the site you’re connected with. (In general, OpenSea is considered safe. It’s perhaps the most active site for me, signature-wise, and I’ve been okay on this front.)

Cold Wallets

  • Trezor and Ledger are the best. As long as you get them all set up and commit to never using your seed phrase for anything (aside from restoring them, if needed), your private key used to sign things will be on the device itself and never available for anyone to steal. You’ll also have to manually click buttons on these devices to sign things.
  • They’re a little more complicated to learn about and use, but the manufacturers have also made it as easy as possible.
  • I recommend getting one once you start getting a few NFTs worth any serious money. For me, I have a handful worth at least 1 ETH, and so I keep them in my cold wallet. I tend to leave the cheaper stuff in MetaMask wallets, as it’s just a little more convenient that way (for me).
  • Whatever you do (and I do recommend using cold wallets), be sure to ONLY ever buy from the manufacturer. Trezor is at https://trezor.io/ (my own favorite), and Ledger is at https://www.ledger.com/. It’s just not worth any risk (in my view) of buying from any other source than directly from the manufacturer.
  • After all, you may well start out in crypto with a few hundred dollars of purchased ETH, but if you get lucky, you could grow your crypto portfolio into a sizeable valuation in time.

Burner Wallets

  • There are so many best practices that NFT buyers talk about — such as doing one’s own research before buying and maybe analyzing how many holders an NFT drop has before buying (usually the more the better), but sometimes you may want to move quickly, even if you haven’t done all of your homework.
  • In these cases, burner wallets are a great tool.
  • Minting NFTs with a burner wallet (i.e., a new account / new wallet address in your MetaMask software) offers you a way to isolate most of the risk that comes with such activity. It’s like saying “Well, I’m not 100% certain that XYZ NFT is legit, but there seems to be some buzz around it and I’m going to go ahead and connect with their site and mint, and we’ll see from there.” If you wind up signing something you should not, or minting something you shouldn’t, pretty much the worst thing that could happen is that you’d lose everything sitting inside that individual wallet.
  • Granted, assuming that we’re talking about a new account / new wallet under your main MetaMask, it needs to be noted that the same precautions would apply about seed phrases. Your seed phrase allows access to EVERY wallet address in your MetaMask account. So that’s more of a global rule. But on an individual account level, you can make as many burner wallets as you like under your main MetaMask account, and you’ll generally isolate any damage to those specific accounts if anything goes wrong (aside from a seed phrase compromise).

Multi-Sig Wallets

  • For groups, consider multi-sig wallets, which require multiple signatures (from multiple users) before executing transactions, which can be more secure for various circumstances. I don’t have any personal recommendations here other than to note that I’ve had clients who used Gnosis with success.

Use Multiple Wallets

  • I realize that a lot of people probably use ONE wallet for all important NFTs for a reason — which is that they like to see them all together on OpenSea. But security-wise, it’s better to spread things out a bit. As the old saying goes, don’t put all of your eggs in one basket.
  • Multiple wallets under one seed phrase: My intro to MetaMask article discusses how to set up multiple accounts. Again, as long as your seed phrase remains secure, then each account within a MetaMask install would be secure and isolated as well. Thus, if a single private key got compromised within your MetaMask account, you could easily mark it as compromised and use the others (and indeed the malicious party could not steal from your other accounts). (Although, still, if I had a wallet get compromised, I’d probably switch to an entirely different seed phrase install at some point.)
  • Multiple wallets under separate seed phrases: You could also set up entirely separate accounts, with distinct seed phrases. One easy way to do this without having to keep recovering your wallets from seed phrases would be to simply use a few different browsers. For example, install Brave, Chrome, and Edge, and then use three different installs of MetaMask, which would get you three separate seed phrases and unlimited addresses/private keys under them all.

Big Exchanges Are Basically Good, IMHO

  • Especially for beginners. I really like the big exchanges like Coinbase for various reasons (some below) and recommend them as a starting point. They’re all pretty good at onboarding people into crypto, as well.
  • They have massive security measures in place, more than any beginner could do on their own, and they easily let you buy crypto to begin with.
  • As transparent as the blockchain is, the big exchanges (like Coinbase) provide a bit more privacy because, once your ETH is sitting on an exchange, the public audit trail pretty much ends. I’m surprised more people don’t appreciate that little perk.
  • A lot of advanced crypto people do not like the big exchanges for various reasons. And I get that (esp. w/ respect to lower fees for various things like trading). But you can easily send your crypto out to wherever you like from these exchanges if/when you want to do some advanced crypto stuff with your funds.
  • Criminals hate the big exchanges, of course, as do those who are looking to avoid paying taxes. But for normal people, those KYC (know your customer) and AML (anti-money-laundering) regs are actually great for the crypto and web3 space, in my view. And hey, as long as you’re not doing anything illegal, the probability that your crypto would be seized, or something like that, is very small.
  • That all said, you do need to understand that with big exchanges, you do not have seed phrases or private keys. As such you are not in full control 24/7 of your funds as you are if you keep your ETH in MetaMask (or, better yet, in a cold wallet). It’s more like having money in a bank, which has its pros (arguably more security in some ways, easy to obtain actual cash from) and cons (non-flexibility, limits, banking hours, etc).

Be Careful, Just in General

  • When your MetaMask wallet pops up with anything — sign requests or confirmations — take time to read and understand what it’s asking. I’ve included links to some explanations, above, about signature types.
  • For confirmations (for spending ETH), make sure to review the gas fee. If it’s high, consider waiting or not buying at that time. If it’s way, way too high, look closer as there could be some other error present.
  • When sending ETH to others, double-check that you’ve got the address correct. Remember that there’s no getting ETH back once you’ve sent it (unless maybe you know the recipient and that person agrees to send it back).
  • When sending your ETH address to others, double check that you’ve got your wallet address correct.
  • When sending ETH, feel free to do a little test run first. For example, if you’re sending yourself or someone else like $1,000 in ETH, maybe send $1 first, just to see that the ETH went through as it should. And then, only when you see that it worked (and sometimes if the recipient confirms), send the rest. This is quite common. I recall someone posting a screen-grab from Etherscan, just last year, showing Vitalik Buterin doing this very thing.

Review Revoke Sites

  • Revoke.cash: https://revoke.cash/
  • Etherscan Token Approval Checker: https://etherscan.io/tokenapprovalchecker
  • These sites can help let you know if you have signed anything that you perhaps should not have. These sites can’t get back any stolen assets, but they can (1) show you any potential vulnerabilities (for example if you’re unsure whether or not you signed a transaction that you should not have), and (2) allow you to undo various permissions/allowances that you may have granted. Revoke, in particular, has more in the way of explanation on its about and FAQ pages.
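What the permissions/allowances mentioned here (and in “Don’t Sign Wallet Transactions Unless You Trust the Site”) look like in a transaction, as an added example that is not from the original article or from either site: the two standard token calls that grant another address permission, `approve(address,uint256)` and `setApprovalForAll(address,bool)`, decoded from the calldata a wallet asks you to confirm. The spender address and sample calldata are constructed, and off-chain signature requests are not covered.

```python
MAX_UINT256 = 2**256 - 1
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)

# Constructed samples: a made-up spender address, left-padded to 32 bytes.
SPENDER_WORD = "00" * 12 + "ab" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + SPENDER_WORD + "ff" * 32
SAMPLE_COLLECTION = "0xa22cb465" + SPENDER_WORD + "00" * 31 + "01"
SAMPLE_REVOKE = "0xa22cb465" + SPENDER_WORD + "00" * 32


def classify_calldata(calldata: str) -> dict:
    """Decode transaction calldata and report what permission it would grant."""
    text = calldata[2:] if calldata.lower().startswith("0x") else calldata
    try:
        data = bytes.fromhex(text)
    except ValueError:
        return {"call": "malformed", "verdict": "reject: not valid hex"}
    selector, args = data[:4], data[4:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"call": "other", "verdict": "not a standard approval call"}
    # Both calls take exactly two 32-byte words; an address word has 12 zero bytes first.
    if len(args) != 64 or any(args[:12]):
        return {"call": "malformed", "verdict": "reject: arguments do not decode"}
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")

    if selector == SET_APPROVAL_FOR_ALL:
        call = "setApprovalForAll"
        if value == 1:
            verdict = "HIGH: spender may move every NFT you hold in this collection"
        elif value == 0:
            verdict = "revoke: removes the spender's collection-wide permission"
        else:
            return {"call": "malformed", "verdict": "reject: bool argument is not 0 or 1"}
    else:
        call = "approve"
        # For ERC-20 the second word is an amount; for ERC-721 it is a token ID.
        if value == MAX_UINT256:
            verdict = "HIGH: unlimited allowance, spender may take the full balance"
        elif value == 0:
            verdict = "revoke: sets an ERC-20 allowance to zero"
        else:
            verdict = f"limited: amount or token ID {value}"
    return {"call": call, "spender": spender, "value": value, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_COLLECTION, SAMPLE_REVOKE):
        print(classify_calldata(sample))
```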

Don’t Interact with Various Airdropped NFTs

  • Airdropped NFTs — NFTs that show up in your wallet that you did not purchase — are almost always total BS.
  • If you’re an OpenSea user (most common marketplace where you’d be looking at your wallet), view your wallet and simply hide anything you do not want to see.
  • Do not interact with them (don’t attempt to burn them and don’t accept any offers on them).
  • Do not investigate them (meaning, don’t go looking for whatever web site they may be associated with; indeed, this is usually exactly what they want you to do, and is a part of whatever scam they’re running). It’s a total waste of time, and also could be a malicious web site.
  • Hide them and forget about them, even if it’s not what you might want (because no one likes a messy wallet).

Report Thefts to the Authorities

  • If someone steals your crypto and/or NFTs, report it to the authorities. People can and will get caught, even years later. (Here’s a case about an arrest that came five years after a crime of $3.6 billion in Bitcoin.) So, report any thefts that happen. It may take years, but the government will get better at hunting down crypto-criminals for sure.

Stay Informed

  • Knowledge is power. Get a Twitter account and follow people in the NFT space — especially devs and serious investors. These people are generally the most in-the-know about security and are the ones discussing whatever the latest scams are. Build up a healthy diversity here. (You can follow at @SwiggaJuice on Twitter, though I’ve never been a giant Twitter person — too verbose, I guess, lol. But if you look at those I follow, there will be a lot of devs there.)

Careful Who You Follow!

  • When it comes to big influencers, make sure you’re following the actual person you intend to! The NFT space is hugely focused on influencers, perhaps more than anyplace else I can think of online when it comes to real-world consequences. Some personalities are so influential that one small tweet can sell out a 10k generative set, raising millions of dollars in minutes. So obviously for every influencer out there, there are likely dozens of lookalike accounts (some also with tens of thousands of followers) intended to fool people. And that, frens, is how people often get suckered into buying into counterfeit sets, rugs, and other scam sets.

Okay, Let’s Be Done!

With all of the above, I still feel as though I’ve only scratched the surface. But I didn’t want to write a novella here. So, let’s cap it off. And besides, if you’ve taken in even a bit of value here, then you’re surely better off and hopefully would have a sense of overall direction security-wise in web3. Keep learning, and feel free to comment here if I’ve left off anything important! (Which I’m sure I probably did!).

ps: Don’t feel bad if you get scammed or do something that you later come to think of as embarrassing. I’ve done tons of things like that, and so has everyone else. Learning is a process!

Jim Dee is a prolific writer, developer, and multi-media creator from Portland. You can find him, his businesses, his books, and more at JPD3.com. Thanks for reading! Cat image here courtesy of Midjourney AI.
