Master Guide To Crypto Security: Crypto Wallets, Smart Contracts, DeFi, And NFTs

By Valerioshi X | Edited by Vera Lim

This article was updated in November 2024 by Loke Choon Khei.

In this crypto guide, we will go through the various potential security exploits and attacks, what to look out for and how to avoid them. We hope that by the end of this guide, gone will be the days where you share your seed phrases with fake customer support! Attacks in crypto have become more sophisticated as the crypto space matures, and more funds are at stake than ever before.

And if there's one space online where experts congregate, it's Crypto Twitter. So we thought we'd gather the best expert takes from X (Twitter) and share them with you here. 

We will cover how to stay safe while using:

  • Crypto wallets
  • Smart contracts
  • DeFi 
  • NFTs
  • Crypto Twitter

While this guide will be tailored towards crypto activity on Ethereum and its Layer 2s, the security practices are still highly relevant in other Layer 1 chains such as Solana. Ready? Let's review some tweets from known experts in the cryptoverse.

Chirp-chirp!

1. Cryptocurrency Wallets 

Understanding Custody With Jump Crypto

Let's start off with something basic: understanding the concept of custody. 

Custody concerns the question of how to keep your crypto assets safe. Every crypto asset is tied to a private key. And anyone with access to your private key also has access to your crypto assets. 

Who has custody, though? 

That depends on how much security risk and responsibility you're willing to tolerate. Many beginners opt to keep their crypto assets on an exchange, at least at first. But then, users who leave their digital assets on a centralized crypto exchange can become susceptible to other risks. They include paused withdrawals, exchange downtime, and hacks, or even worse, the exchange may turn insolvent, resulting in customers being unable to withdraw their assets, as seen in the FTX collapse.

© regularguy.eth | Unsplash

Self-custody is the next level of security, but it comes with its own risks. These risks include unknowingly handing out your seed phrase or sending funds to the wrong address. Other custody solutions are available, like multi-sigs and even institutional custody services. However, the latter is a centralized service. 

Phishing Attacks With Korpi

You are susceptible to phishing attacks regardless of your level of experience! Phishing attacks occur when a bad actor dupes you into taking an action that compromises your crypto assets, like clicking a link or opening an email. But for a phishing attack to be successful, these bad actors need your approval.

Approval is a concept that’s central to blockchains. Without approvals, you can’t interact with smart contracts. And without your approval, no protocol can access your tokens. But what can you do if they do have your approval? Protocols and bad actors can gain access to your crypto assets until approval is revoked.

The crazy part? It doesn’t matter if you’re using a cold wallet or not! Once you’ve given the approval, if no limit has been imposed, those with access will have it indefinitely.

Let’s take a look at MetaMask as an example. When MetaMask pops up with an approval request, you can…

  1. Review the address.

  2. Save trusted addresses and assign nicknames.

Check Approvals on MetaMask
© Korpi | Twitter

  3. Check the collection you’re approving under the “Data” tab.

Ethereum Token Approval
© Korpi | Twitter

  4. Revoke unnecessary approvals. (For Ethereum users, you can do so on Etherscan here.) You can use Revoke.cash to revoke unnecessary approvals on other Ethereum Layer 2s such as Optimism and Base.

It’s a bit different when it comes to NFTs, but we’ll cover that a little later.

MetaMask Approval Hygiene With CryptoCat

Would you give your wallet out to strangers in real life, and trust them to take whatever amount they want without imposing any limits? That’s essentially what you’re doing with default approvals. So here’s how to protect yourself from approval issues.

  1. Know what it is you’re approving. Click on “Edit permissions”, and check the data manually. Some things you should keep an eye out for: the age of the contract, the contract owner, and where the funds came from.

  2. Know the amount you’re approving. Next to “Permission Request”, click “Edit” and input a custom spend limit. That way, even if the protocol gets hacked, it can never access more than the amount you approved.

  3. Know that approvals are tied to a specific token. This means that only specific tokens that have been approved are at risk.

  4. Know that infinite approvals are your default… but they shouldn’t be. They grant unlimited approval for the contract to access your token. The third image shows what an infinite approval looks like:

MetaMask Hygiene Approval
© CryptoCat | Twitter

If you see that string of f’s at the end, this indicates that you’re approving an unlimited spend limit that’s been requested by the protocol. To change that, simply edit the “Permission request”, and enter your desired spend limit.
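The “string of f’s” is the spend-limit argument of an ERC-20 `approve` call encoded as the maximum 256-bit integer. The following script, added here as an example and not code from the article, MetaMask or Rabby, decodes the raw calldata of an approval request and flags unlimited allowances the same way a wallet should. The function selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the spender addresses and amounts are constructed for the demo, and `encodeApprove` exists only to build test inputs.

```javascript
// Added example, not code from the CoinGecko article or from MetaMask/Rabby.
// Decodes the calldata behind a wallet "approval request" and flags unlimited
// allowances (the "string of f's" in the hex data). Selectors are the standard
// token-interface ones; spender addresses and amounts below are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

// First 4 bytes of keccak256(function signature) for the standard token interfaces.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address,uint256)           ERC-20 / ERC-721
  "39509351": "increaseAllowance",  // increaseAllowance(address,uint256)  OpenZeppelin ERC-20
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)     ERC-721 / ERC-1155
};

function strip0x(hex) {
  return hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
}

// ABI encoding pads every argument to a 32-byte word (64 hex characters).
function argWord(data, index) {
  const start = 8 + index * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${index}`);
  return w;
}

// Build approve(spender, amount) calldata; used here only to construct demo inputs.
function encodeApprove(spender, amount) {
  const addr = strip0x(spender).toLowerCase().padStart(64, "0");
  const amt = BigInt(amount).toString(16).padStart(64, "0");
  return "0x095ea7b3" + addr + amt;
}

// Returns a structured verdict a wallet UI (or a user reading the raw data) can act on.
// `decimals` is the token's decimals; whole-token amounts are truncated for display.
function decodeApproval(calldata, decimals = 18) {
  const data = strip0x(calldata).toLowerCase();
  const selector = data.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { kind: "other", selector: "0x" + selector };

  // An address occupies the low 20 bytes of its 32-byte word.
  const spender = "0x" + argWord(data, 0).slice(24);
  const valueHex = argWord(data, 1);
  const raw = BigInt("0x" + valueHex);

  if (fn === "setApprovalForAll") {
    // A single boolean hands the operator every token of the collection.
    const approved = raw === 1n;
    return { kind: fn, spender, approved, unlimited: approved };
  }

  const unlimited = raw === MAX_UINT256; // exactly 0xfff...fff, the default MetaMask shows
  // Some dapps request "near-infinite" values instead of the exact maximum;
  // treat anything with the top bit set as effectively unlimited.
  const effectivelyUnlimited = unlimited || raw >= (1n << 255n);
  const amount = unlimited ? "unlimited" : (raw / 10n ** BigInt(decimals)).toString();
  return {
    kind: fn,
    spender,
    raw,
    unlimited,
    effectivelyUnlimited,
    amount,
    allFs: /^f{64}$/.test(valueHex), // the visual cue the article describes
  };
}

// Stand-alone demo: constructed calldata for an unlimited and a capped approval.
const demoUnlimited = encodeApprove("0x" + "1".repeat(40), MAX_UINT256);
const demoCapped = encodeApprove("0x" + "2".repeat(40), 100n * 10n ** 18n);
console.log(decodeApproval(demoUnlimited));
console.log(decodeApproval(demoCapped));
```

Paste the hex from MetaMask’s “Data” tab into `decodeApproval` and the result tells you the spender and whether the limit is capped; `effectivelyUnlimited` catches the case where a site asks for a huge but not maximal number, which reads as a cap at a glance but is not one in practice.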

Alternative Crypto Wallet: Rabby

Built by the Debank team with the needs of DeFi users in mind, Rabby wallet was launched in 2022. Rabby wallet has many additional security features, making it an attractive alternative to the tried and true MetaMask wallet.

Built-In Approvals List

Instead of revoking approvals for the Ethereum network on Etherscan, Rabby users can access their approvals list across multiple chains all in one location, built into the wallet.

Rabby Built in Approvals List

Anti-Phishing Safeguards

When visiting and connecting to decentralized applications (dApps), Rabby will show several key pieces of information when you prompt a wallet connection:

  • Website listing data

  • Site popularity (rated low, medium or high)

  • Rabby verification status

A non-phishing official link should be listed, popular and better still, verified by the Rabby team.

Rabby Anti-Phishing Safeguards

Detailed Transaction Simulations

Transaction simulations on Rabby clearly present the simulated outcome so you can check that the transaction is not unfavorable or malicious. More importantly, the key security feature sits at the bottom of the transaction simulation: Rabby flags whether you have previously interacted with a particular smart contract, which tells you when more attention and care is required.

Rabby Transaction Simulations

2. Smart Contracts

Smart contract exploits are executed at the protocol level. In this section, we go over what to look for in a smart contract audit, how to read smart contracts, and how to use Etherscan. 

Smart Contract Audits With Thirdweb

Smart contracts are susceptible to hacks for two reasons:

  1. They contain valuable assets.

  2. Smart contract code is open source, so it’s viewable by anyone, including hackers.

Smart contracts that launch with vulnerabilities can get drained of all crypto assets. They also run the risk of ruining a developer's good reputation. The purpose of a smart contract audit is to prevent security breaches. Moreover, audits ensure that the code functions as intended.

As a user, it’s good to know how smart contract audits are performed. 

Here’s what a smart contract audit entails in 3 easy steps:

  1. Understanding the use case is a crucial first step. So Step 1 asks the question, “What is the smart contract meant to do?” 

  2. Once we determine the smart contract’s intent, we review the contract manually. Does the contract act within the purview of its intended use case? In other words, the audit aims to identify any unintended behavior.

  3. In the last stage, we run automated verification tools to identify potential vulnerabilities. We do this by running the contract through these tools in its entirety. That way, we minimize any potential nasty surprises. 

If you’re a bit apprehensive about using a protocol, you can always request an audit from the @0xMacroDAO team. Also, note that protocols whose data have been reviewed are generally considered much safer than those that have not. Lastly, if the protocol team is running a bounty program, such programs also help increase the safety of a protocol considerably. 

On a separate note, here’s what you can do as a first line of defence. You can perform this security check easily. Simply find the page on CoinGecko for the relevant token or protocol you’re exploring. Then, under the Overview section, you’ll see a “Security” tab. 

© CoinGecko

Clicking on it reveals detailed audit reports and security scores given by different smart contract auditing companies. That should help you determine relatively quickly whether a protocol or token is safe to interact with. Talk about a fast and easy way to review the security risks of a protocol!

Related: 11 Best Smart Contract Auditing Companies

Mastering Etherscan With @CroissantEth

© Etherscan 

You should know by now that learning how to read Etherscan can give you a massive advantage over those who don’t. Here are some powerful actions you can take with Etherscan.

  1. The most obvious way to use Etherscan is to track crypto wallets. All you’ve got to do is input the wallet address in the search field, and you’ve got access to the blockchain data tied to their wallet, including transaction history. This can give you an idea of whether an address is legit or malicious.

  2. Since blockchains leave a trail, you can trace a smart contract, all the way to the source. This is crucial when it comes to reviewing and verifying whether a contract is legit or potentially malicious. 

© @croissant.eth | Twitter

  3. Etherscan has powerful filters. You can even filter specific transactions by address. This will save you time in the long run when reviewing for safety.

© @croissant.eth | Twitter

  4. You can also explore specific wallets in-depth, including browsing their analytics and comments (i.e., ENS chat). Sometimes, even simply reviewing the transaction history might reveal that something is off (e.g., a history of token burns). 

© @croissant.eth | Twitter

  5. You can read smart contracts via Etherscan too, and learn how to search for specific smart contracts, which is also a time saver. (Let’s be honest: Nobody wants to spend oodles of time reviewing safety procedures.) 

If you’re capable of reading Solidity, a couple of other things you can do as an advanced user:

© Etherscan

  • You can change the smart contract URL from “etherscan.io” to “etherscan.deth.net” (as shown in the image above), but without altering the rest of the search query, so include everything from “/address/” onward. Doing so reveals the actual code of the smart contract you’re looking at. 

  • You can decode the input data. Just visit a tx page that contains a note. Under the input data, click on “View as UTF-8”. You can leave your own notes in case you find any issues, or you can read the info on contract deployments here as well, which might be helpful before you choose to engage with the smart contract.

Practice using Etherscan and explore a few smart contracts and addresses on your own. Eventually, you’ll get the hang of it and gain fluency! 

3. DeFi

DeFi Security Basics With Quantstamp 

DeFi moves fast, sometimes at the expense of security. Coding and logic errors can open up paths for potential exploits, which draws malicious actors in from all corners of DeFi. Understanding these conditions, and following proper security measures, can help you avoid them.

The same principle applies to composability, which is a double-edged sword. Composability is the ability of dApps and DAOs to be able to communicate and work with each other. The most common analogy used to describe composability is with lego blocks. 

Sure, there are clear benefits to stacking protocols on top of protocols on top of protocols. But multiple protocols interacting with each other also open up many more opportunities for exploits. 

Price manipulation is also a recurring issue. Since smart contracts have to interact with oracles to gain access to accurate off-chain data, any compromise here can lead to massive consequences.

This issue can be further compounded once flash loans are involved, since they can result in a considerable amount of liquidity shifting in a single block, with leverage. Flash loans let anyone borrow any amount of assets without requiring the borrower to put up any liquidity—as long as the sum total is returned within the same block. 

But even if you can tell that a protocol has undergone an audit, it isn’t necessarily 100% safe. That’s because the developers are responsible for reviewing the audit results and implementing the recommended changes, something that they may not always do. Moreover, every time the code is updated, new potential exploits are introduced. 

Therefore, it’s important for you to understand the challenges that developers are facing on their end so that you can better navigate the space without stepping into quicksand. 

9 Attack Patterns in DeFi With @puntium

Let’s go through the 9 common attack patterns in DeFi that serious crypto users should familiarize themselves with.

  1. Oracles. Oracles provide real-life data to blockchains, so it's essential that they relay accurate information. Since blockchains depend on oracles for real-life pricing, an attacker can look for a weakness to exploit, and then manipulate the prices they report. Afterwards, the attacker can take advantage of this false price mismatch to trade for profit. 

  2. Flash loan attacks. But if an oracle attacker were to take out a flash loan, things could get much worse very quickly. 

© Arget | Unsplash

Flash loan attacks work like this. An attacker borrows a large amount of a specific token without putting up any collateral. The attacker then manipulates the price on an exchange, after which they dump the token on another exchange, profiting immensely. This all happens within a single block.

  3. Governance attacks. An attacker could purchase enough governance tokens and manipulate an entire protocol and skew a crucial vote their way. 

  4. Front running. Poorly designed protocols may provide opportunities for an exploit between the time a transaction is submitted and the time it’s executed. 

  5. Admin keys. Private keys to the protocol wallet can be compromised—just like with any wallet—if adequate safety measures are not taken.

  6. Insecure frontends. Websites linked to a protocol’s smart contract, acting as the graphical user interface for users, can be attacked and compromised.

  7. Social engineering. Malicious actors can pretend to be team members on Discord, X (Twitter), or some other platform, and trick users into sharing private info or engaging with a malicious contract.

  8. Social account takeovers. A prominent crypto user’s Twitter account might get hacked, and before you know it, it’s promoting false info (e.g., sending followers to interact with a wallet drainer). 

  9. Layer 1 attacks. No matter how secure a protocol is, if it lives on a non-secure Layer 1, then it has the possibility of being compromised. 

As you can probably tell, new attack vectors are being discovered all the time. 
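The Quantstamp section above and attack patterns 1 and 2 both come down to one design question: where does a protocol read its price from? The simulation below, added here as an example and not code from the article or from any named protocol, models a toy constant-product pool, records the price an on-chain oracle would observe once per block, and compares the single-block spot reading with a time-weighted average (TWAP) over the same window. It also shows the defensive check a consuming protocol can apply: refuse to act when spot strays too far from the TWAP. All reserves, block counts and swap sizes are constructed numbers.

```javascript
// Added example, not code from the article or from any named protocol.
// A toy constant-product pool shows why a price read from a single pool in a
// single block is manipulable, and why a time-weighted average (TWAP) plus a
// deviation check is the usual defence. Reserves and block counts are constructed.

// Constant-product AMM: reserveX * reserveY is preserved across swaps (fees ignored).
function makePool(reserveX, reserveY) {
  return { x: reserveX, y: reserveY };
}

// Price of one X in units of Y, as a naive on-chain oracle would read it.
function spotPrice(pool) {
  return pool.y / pool.x;
}

// Sell amountX of X into the pool and return the Y paid out.
function swapXForY(pool, amountX) {
  const k = pool.x * pool.y;
  const newX = pool.x + amountX;
  const newY = k / newX;
  const out = pool.y - newY;
  pool.x = newX;
  pool.y = newY;
  return out;
}

// Arithmetic mean of one price observation per block.
function twap(prices) {
  return prices.reduce((sum, p) => sum + p, 0) / prices.length;
}

// Relative distance between two prices, e.g. 0.75 for a 75% move.
function deviation(price, reference) {
  return Math.abs(price - reference) / reference;
}

// A protocol that consumes the price can refuse to act when the spot reading
// strays too far from the TWAP. This is a sanity check on the consumer side,
// not a fix for the pool itself.
function isPriceSane(spot, twapPrice, maxDeviation) {
  return deviation(spot, twapPrice) <= maxDeviation;
}

// Observe the pool once per block for `blocks` blocks. In one block a large
// swap is executed and unwound within that same block, the single-block
// pattern the article describes; every other block is calm.
function simulate({ reserveX, reserveY, blocks, manipulatedBlock, sellAmountX }) {
  const pool = makePool(reserveX, reserveY);
  const calmPrice = spotPrice(pool);
  const observations = [];
  for (let b = 0; b < blocks; b++) {
    if (b === manipulatedBlock) {
      const before = { ...pool };
      swapXForY(pool, sellAmountX);
      observations.push(spotPrice(pool)); // what an oracle reading mid-block sees
      pool.x = before.x;                  // position unwound before the block ends
      pool.y = before.y;
    } else {
      observations.push(spotPrice(pool));
    }
  }
  const manipulatedSpot = observations[manipulatedBlock];
  const twapPrice = twap(observations);
  return {
    calmPrice,
    manipulatedSpot,
    twapPrice,
    spotDeviation: deviation(manipulatedSpot, calmPrice), // how far the single reading moved
    twapDeviation: deviation(twapPrice, calmPrice),       // how far the averaged reading moved
    spotAccepted: isPriceSane(manipulatedSpot, twapPrice, 0.05), // 5% tolerance, constructed
  };
}

// Stand-alone demo: a 1000/1000 pool, ten blocks, one block with a pool-sized sell.
console.log(simulate({ reserveX: 1000, reserveY: 1000, blocks: 10, manipulatedBlock: 4, sellAmountX: 1000 }));
```

With these numbers the single-block reading moves 75% while the ten-block TWAP moves 7.5%, and the deviation check rejects the spot reading. A longer averaging window dampens the effect further, which is why auditors ask where a protocol sources prices and over what window, not just whether it “uses an oracle”.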

4. NFTs

Keeping Safe from NFT Scams with @DCLBlogger 

Scams aren’t confined to the DeFi space. Many types of NFT scams are constantly in circulation. These include…

  • Discord DMs, like free limited-time mints, or someone offering help

  • Dodgy brand emails (e.g., “Hey, click here and log into your OpenSea account!”, also known as phishing)

  • Paid ad scams on Google

  • Fake NFT sellers

  • Crypto exchange hacks

  • Fake airdrops

  • Influencers promoting rug projects

  • NFT sellers selling 100% copied projects with zero value

  • SIM swapping and email hacks, circumventing 2FA mobile verification

  • YouTube channel hacks and fake giveaway streams

  • Someone requesting money to invest for you

  • Fake mints that drain your wallet

So what can you do to protect yourself from all these scams? Here are a few tips:

  • If something feels off, it probably is. Avoid it. (Better safe than sorry!)

  • Verify that it is indeed a friend who is messaging you, and not some bozo scammer who copied your friend’s ID. (Check your message history.)

  • Don’t store your private keys on any digital device. (No screenshots, no Word docs, nada.) 

  • Use a hardware wallet to store your most valuable crypto assets. For daily trading, use a separate wallet.

On Securing Your NFTs With @punk6529

Sometimes we forget that our NFTs are also tokens, so when we buy, trade, or sell them, they don’t actually change location. What actually happens is this: On the blockchain, the ledger registry is simply updated to denote who the new owner is. The actual NFT data is stored on a server, whether that server is centralized (e.g., AWS) or decentralized (e.g., Arweave).

Your public key acts like your email address, whereas your private key is like your password. (So don’t share it!) You can think of your seed phrase as your password recovery method.

If someone gets access to your private keys and/or seed phrase and passphrase, it’s game over. So how do you protect yourself? 

punk6529’s general rule: If you plan to spend $500 or less on NFTs, just use a soft wallet like MetaMask. However, if you’re planning to invest $1000 or more, use a hardware wallet. In the millions? Use Gnosis Safe, a multi-sig wallet. 

Generally, when we talk about wallet safety, we’re actually discussing these two things, with somewhat opposing goals: Resiliency (i.e., how to ensure you don’t lose access to your private keys) and Security (i.e., how to ensure no one else gains access to your private keys). Every experienced crypto user should know that the trick is in balancing these two concepts.

Fake Airdrops on Crypto Twitter

Social engineering is one of the prime attack vectors used in cyber security attacks. In this section we want to stress the importance of identifying these attacks and how you can and should avoid them. Specifically, we will go through how to identify fake airdrop scams on Crypto Twitter (now called X), the social media platform where most crypto users get their news and information from.

Crypto scammers often exploit airdrops as a tactic to deceive users, because users are vulnerable when claiming airdrops. Users must be cautious as claiming an official airdrop typically requires a user to:

  • Go to a newly launched website/tokens claim link (New XXX project foundation)

  • Interact with a new smart contract (Because the token is new)

  • Interact with a new token (assuming the airdropped token is newly minted)

These will all be factors exploited by scammers who try to trick you to go to their website and approve their new but malicious smart contract.

Common Tactics

Posing as Official Twitter Accounts

Scammers will often pose as the official account, commenting under official posts to trick users into clicking their fake airdrop claims link. Look out for misspelled names, for instance @ElgenLayer spelled with an l vs. @EigenLayer, which is the official account. Always check the user profile of these posts to ensure it is indeed the correct poster.

Projects may also include footers at the end of their X posts to combat scams. 


Look out for these Tweet thread footers and ignore any comments/announcements that come after the footer.
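The @ElgenLayer vs. @EigenLayer trick works because certain characters look alike. The script below, added here as an example and not code from the article or from X, is the kind of check a community moderator or a browser extension could run: it folds visually confusable characters into one canonical form (a “skeleton”), then measures edit distance against a list of handles you trust. The trusted list and the sample handles are constructed for the demo.

```javascript
// Added example, not code from the article. Flags X (Twitter) handles that are
// near-misses of a trusted list, like the @ElgenLayer vs @EigenLayer case.
// The trusted list and sample handles are constructed for the demo.

// Map visually confusable characters to one canonical class.
const CONFUSABLES = { l: "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e", "8": "b", "4": "a" };

// Lowercase, drop the leading "@", collapse two-character look-alikes ("rn" for "m",
// "vv" for "w"), then apply the single-character map.
function skeleton(handle) {
  let s = handle.trim().replace(/^@/, "").toLowerCase();
  s = s.replace(/rn/g, "m").replace(/vv/g, "w");
  return Array.from(s, (ch) => CONFUSABLES[ch] ?? ch).join("");
}

// Classic Levenshtein edit distance, single-row version.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Verdicts: "trusted" (same handle, case-insensitive, as X treats handles),
// "lookalike" (skeleton within maxDistance of a trusted handle but not the same
// handle), or "unknown". The closest trusted handle is reported either way.
function classifyHandle(handle, trusted, maxDistance = 1) {
  const raw = handle.trim().replace(/^@/, "").toLowerCase();
  const sk = skeleton(handle);
  let best = null;
  for (const t of trusted) {
    const tRaw = t.trim().replace(/^@/, "").toLowerCase();
    if (raw === tRaw) return { handle, verdict: "trusted", closest: t, distance: 0 };
    const d = editDistance(sk, skeleton(t));
    if (best === null || d < best.distance) best = { closest: t, distance: d };
  }
  if (best && best.distance <= maxDistance) return { handle, verdict: "lookalike", ...best };
  return { handle, verdict: "unknown", ...best };
}

// Stand-alone demo with a constructed trusted list.
const TRUSTED = ["@EigenLayer", "@coingecko"];
for (const h of ["@EigenLayer", "@ElgenLayer", "@Eigen1ayer", "@EigenLayer_", "@C0inGecko", "@some_random_user"]) {
  console.log(classifyHandle(h, TRUSTED));
}
```

The skeleton step is what catches @ElgenLayer: after folding, both handles become the same string, so the distance is zero even though the raw text differs. A trailing underscore or a swapped digit lands at distance one and is flagged as well; anything further away is simply unknown and should be checked by hand, as the article advises.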

Airdrop Checker Twitter Advertisements/emails

Another common tactic is through Twitter advertisements (and even emails should attackers get a hold of them through data breaches). You may receive ads that claim that you have received XX amount of token and that the token's claim window is fast closing, thereby rushing you to quickly interact with their website. 

These bogus websites may have an “airdrop checker” that will indicate that you are eligible regardless of what wallet address you entered. They may then also prompt you to connect your wallet to proceed, even signing a few “approvals” before you can use their airdrop checker. These approvals usually grant the fake website access to your wallet, after which they’ll drain its contents. Note that most official airdrop checkers do not even need you to connect your wallet, only provide your wallet address. If an airdrop checker pushes for you to connect your wallet, it is a red flag that usually indicates that an airdrop checker is bogus.

Final Thoughts on Crypto Security

In closing this guide, we wanted to share some practical tips for crypto users from CoinGecko co-founder Bobby Ong. Whether you’re a casual user, a degen, or an experienced investor, it’s always a good idea to review these best practices. Let’s go.

  • Never reuse passwords. How many of us use the same password for multiple accounts? Sure, it’s convenient, but if a hacker can figure out your password for one account, then multiple accounts are compromised.

  • Use a password manager. Use a decent password manager, and you'll never have to remember any of your passwords. Bonus: You also get to maximize your password security. It’s a no-brainer. 

  • 2FA it all. Enabling two-factor authentication (2FA) across your devices makes it that much harder for anyone to break in. One advantage of 2FA is that you can enable notifications to let you know when someone’s attempting to sign into any of your accounts. 

  • Use a cold wallet. Trezor and Ledger are solid options. However, know that although using a hardware wallet will afford you maximum security, it does come at the cost of convenience. Therefore, store your most valuable digital assets in your hardware wallet. But do consider keeping a separate digital wallet if you interact with web3 daily. 

  • Don’t doxx yourself. This one’s one of my favorites. If you’ve got money, don’t make yourself a target. Because your crypto wallet address is pseudonymous, anyone can trace your entire transaction history. That’s why it’s important not to doxx yourself. And if you do, make sure it’s tied to a wallet that isn’t all that interesting to prying eyes. 

There are many more points Bobby shares. But like we said, crypto security is a vast and fast-moving topic, one that’s always evolving because hackers are just as creative as we are. That’s why it’s imperative that we keep up with and review best practices. 

Still, if you want to dig into all 16 of Bobby’s crypto security tips, check out this comprehensive guide we wrote so you can HODL in peace. 

Enjoy!

Valerioshi is the 4th president of X+, one of the most exclusive communities in web3, for holders who hold 10 or more DeGods. Along with the burn team, he led the CryptoPunk burning campaign for DeGods, successfully raising more than US$100,000 in under 30 hours. He runs Degen Reports, and is host of The Degen Hour as well as the X+ Sigma Lounge, both weekly Twitter spaces. Follow the author on Twitter @valerioshi_