This article was updated in November 2024 by Loke Choon Khei.
In this crypto guide, we will go through the various potential security exploits and attacks, what to look out for and how to avoid them. We hope that by the end of this guide, gone will be the days when you share your seed phrase with fake customer support! As the crypto space matures, attacks have become more sophisticated, and more funds are at stake than ever before.
And if there's one space online where experts congregate, it's Crypto Twitter. So we thought we'd gather the best expert takes from X (Twitter) and share them with you here.
We will cover how to stay safe while using:
- Crypto wallets
- Smart contracts
- DeFi
- NFTs
- Crypto Twitter
While this guide will be tailored towards crypto activity on Ethereum and its Layer 2s, the security practices are still highly relevant in other Layer 1 chains such as Solana. Ready? Let's review some tweets from known experts in the cryptoverse.
Chirp-chirp!
1. Cryptocurrency Wallets
Understanding Custody With Jump Crypto
Let's start off with something basic: understanding the concept of custody.
Custody concerns the question of how to keep your crypto assets safe. Every crypto asset is tied to a private key. And anyone with access to your private key also has access to your crypto assets.
Who has custody, though?
That depends on how much security risk and responsibility you're willing to tolerate. Many beginners opt to keep their crypto assets on an exchange, at least at first. However, users who leave their digital assets on a centralized exchange are exposed to other risks: paused withdrawals, exchange downtime and hacks, or, even worse, the exchange becoming insolvent so that customers cannot withdraw their assets, as seen in the FTX collapse.
Self-custody is the next level of security, but it comes with its own risks. These risks include unknowingly handing out your seed phrase or sending funds to the wrong address. Other custody solutions are available, like multi-sigs and even institutional custody services. However, the latter is a centralized service.
Phishing Attacks With Korpi
You are susceptible to phishing attacks regardless of your level of experience! Phishing attacks occur when a bad actor dupes you into taking an action that compromises your crypto assets, like clicking a link or opening an email. But for a phishing attack to be successful, these bad actors need your approval.
Approval is a concept that's central to blockchains. Without approvals, you can't interact with smart contracts. And without your approval, no protocol can access your tokens. But what happens once they do have your approval? Protocols and bad actors alike can access your tokens until that approval is revoked.
The crazy part? It doesn’t matter if you’re using a cold wallet or not! Once you’ve given the approval, if no limit has been imposed, those with access will have it indefinitely.
Let’s take a look at MetaMask as an example. When MetaMask pops up with an approval request, you can…
- Review the address.
- Save trusted addresses and assign nicknames.
- Check the collection you’re approving under the “Data” tab.
- Revoke unnecessary approvals. (For Ethereum users, you can do so on Etherscan here.) You can use Revoke.cash to revoke unnecessary approvals on Ethereum Layer 2s such as Optimism and Base.
It’s a bit different when it comes to NFTs, but we’ll cover that a little later.
MetaMask Approval Hygiene With CryptoCat
Would you give your wallet out to strangers in real life, and trust them to take whatever amount they want without imposing any limits? That’s essentially what you’re doing with default approvals. So here’s how to protect yourself from approval issues.
1. Know what it is you’re approving. Click on “Edit permissions”, and check the data manually. Some things you should keep an eye out for: the age of the contract, the contract owner, and where the funds came from.
2. Know the amount you’re approving. Next to “Permission Request”, click “Edit” and input a custom spend limit. That way, even if the protocol gets hacked, it can never access more than the amount you approved.
3. Know that approvals are tied to a specific token. This means that only the specific tokens you have approved are at risk.
4. Know that infinite approvals are the default… but they shouldn’t be. They grant the contract unlimited access to your token.
An infinite approval shows up as a long string of f’s at the end of the spend limit in the “Permission request”: it means you’re approving the unlimited spend limit that the protocol has requested. To change that, simply edit the “Permission request” and enter your desired spend limit.
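To make the “string of f’s” concrete, here is an added example (not code from the article or from MetaMask) that decodes a standard ERC-20 approve(address,uint256) call the way a wallet does, flags an unlimited spend limit, and builds a limited or zero-amount (revoke) approval instead. The function selector and the uint256 layout are the standard ERC-20 ABI; the spender address, token balance and decimals used in the demo are constructed values.

```python
# Added example (not from the article): decode an ERC-20 approve(address,uint256)
# call, flag the "string of f's" unlimited spend limit, and build a limited or
# zero (revoke) approval instead. Spender address, balance and decimals below
# are constructed demo values.

from dataclasses import dataclass

# keccak256("approve(address,uint256)")[:4], the standard ERC-20 selector.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
# 2**256 - 1: shows up as 0xffff...ffff (64 f's) in MetaMask's "Permission request".
UINT256_MAX = (1 << 256) - 1


@dataclass(frozen=True)
class Approval:
    spender: str      # 0x-prefixed, lower-case 20-byte address
    amount: int       # raw token units (before dividing by decimals)
    unlimited: bool   # True when the amount is the uint256 maximum


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata; amount 0 revokes the approval."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount must fit in uint256")
    addr = bytes.fromhex(spender.removeprefix("0x"))
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> Approval:
    """Parse approve calldata; raises on anything that is not a well-formed approve."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    spender_word, amount_word = calldata[4:36], calldata[36:68]
    if any(spender_word[:12]):
        # Solidity zero-pads addresses; non-zero high bytes mean malformed data.
        raise ValueError("address word has non-zero padding")
    amount = int.from_bytes(amount_word, "big")
    return Approval("0x" + spender_word[12:].hex(), amount, amount == UINT256_MAX)


def exposure(approval: Approval, balance: int) -> int:
    """Raw units the spender could move right now: capped by balance or by the limit."""
    return min(approval.amount, balance)


def describe(approval: Approval, balance: int, decimals: int = 18) -> str:
    """Human-readable summary of what the approval lets the spender do."""
    at_risk = exposure(approval, balance) / 10**decimals
    if approval.unlimited:
        return (f"UNLIMITED approval for {approval.spender}: your whole balance "
                f"({at_risk:g} tokens) and anything you receive later is reachable")
    return (f"limited approval for {approval.spender}: at most "
            f"{approval.amount / 10**decimals:g} tokens ({at_risk:g} reachable now)")


if __name__ == "__main__":
    spender = "0x" + "ab" * 20          # constructed protocol/router address
    balance = 250 * 10**18              # constructed balance of 250 tokens
    for calldata in (
        encode_approve(spender, UINT256_MAX),   # what a dApp asks for by default
        encode_approve(spender, 100 * 10**18),  # the custom limit you can set instead
        encode_approve(spender, 0),             # revoking the approval
    ):
        print(describe(decode_approve(calldata), balance))
```

The point of the exposure calculation is the one the list above makes: with a limited approval the spender can never move more than the limit, while an unlimited one also covers tokens you receive after approving, which is why revoking (amount 0) matters once you are done with a protocol.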
Alternative Crypto Wallet: Rabby
Built by the DeBank team with the needs of DeFi users in mind, Rabby wallet was launched in 2022. Rabby has many additional security features, making it an attractive alternative to the tried and true MetaMask wallet.
Built-In Approvals List
Instead of revoking approvals for the Ethereum network on Etherscan, Rabby users can access their approvals list across multiple chains all in one location, built into the wallet.
Anti-Phishing Safeguards
When you visit a decentralized application (dApp) and prompt a wallet connection, Rabby shows several key pieces of information:
- Website listing data
- Site popularity (low, medium or high)
- Rabby verification status
A genuine official site should be listed, popular and, better still, verified by the Rabby team.
Detailed Transaction Simulations
Transaction simulations on Rabby clearly present the simulated outcome so you can check that the transaction is not unfavorable or malicious. More importantly, the key security feature sits at the bottom of the transaction simulation: Rabby flags whether you have previously interacted with a particular smart contract, which tells you when more attention and care is required.
2. Smart Contracts
Smart contract exploits are executed at the protocol level. In this section, we go over what to look for in a smart contract audit, how to read smart contracts, and how to use Etherscan.
Smart Contract Audits With Thirdweb
Smart contracts are susceptible to hacks for two reasons:
- They contain valuable assets.
- Smart contract code is open source, so it’s viewable by anyone, including hackers.
Smart contracts that launch with vulnerabilities can get drained of all crypto assets. They also run the risk of ruining a developer's good reputation. The purpose of a smart contract audit is to prevent security breaches. Moreover, audits ensure that the code functions as intended.
As a user, it’s good to know how smart contract audits are performed.
Here’s what a smart contract audit entails in 3 easy steps:
1. Understanding the use case is a crucial first step. So Step 1 asks the question, “What is the smart contract meant to do?”
2. Once we determine the smart contract’s intent, we review the contract manually. Does the contract act within the purview of its intended use case? In other words, the audit aims to identify any unintended behavior.
3. In the last stage, we run automated verification tools to identify potential vulnerabilities. We achieve this by exercising the contract’s code paths in their entirety. That way, we minimize any potential nasty surprises.
If you’re a bit apprehensive about using a protocol, you can always request an audit from the @0xMacroDAO team. Also, note that protocols whose code has been reviewed are generally considered much safer than those that have not. Lastly, if the protocol team is running a bounty program, such programs also help increase the safety of a protocol considerably.
On a separate note, here’s what you can do as a first line of defence. You can perform this security check easily. Simply find the page on CoinGecko for the relevant token or protocol you’re exploring. Then, under the Overview section, you’ll see a “Security” tab.
Clicking on it reveals detailed audit reports and security scores given by different smart contract auditing companies. That should help you determine relatively quickly whether a protocol or token is safe to interact with. Talk about a fast and easy way to review the security risks of a protocol!
Related: 11 Best Smart Contract Auditing Companies
Mastering Etherscan With @CroissantEth
You should know by now that learning how to read Etherscan can give you a massive advantage over those who don’t. Here are some powerful actions you can take with Etherscan.
- The most obvious way to use Etherscan is to track crypto wallets. All you’ve got to do is input the wallet address in the search field, and you’ve got access to the blockchain data tied to that wallet, including its transaction history. This can give you an idea of whether an address is legit or malicious.
- Since blockchains leave a trail, you can trace a smart contract all the way to its source. This is crucial when it comes to reviewing and verifying whether a contract is legit or potentially malicious.
- Etherscan has powerful filters. You can even filter specific transactions by address. This will save you time in the long run when reviewing for safety.
- You can also explore specific wallets in depth, including browsing their analytics and comments (i.e., ENS chat). Sometimes, simply reviewing the transaction history might reveal that something is off (e.g., a history of token burns).
- You can read smart contracts via Etherscan too, and learn how to search for specific smart contracts, which is also a time saver. (Let’s be honest: Nobody wants to spend oodles of time reviewing safety procedures.)
If you’re capable of reading Solidity, here are a couple of other things you can do as an advanced user:
- You can change the smart contract URL from “etherscan.io” to “etherscan.deth.net” without altering the rest of the URL, so keep everything from “/address/” onward. Doing so reveals the actual code of the smart contract you’re looking at.
- You can decode the input data. Just visit a tx page that contains a note. Under the input data, click on “View as UTF-8”. You can leave your own notes in case you find any issues, or read the info on contract deployments here as well, which might be helpful before you choose to engage with the smart contract.
Practice using Etherscan and explore a few smart contracts and addresses on your own. Eventually, you’ll get the hang of it and gain fluency!
3. DeFi
DeFi Security Basics With Quantstamp
DeFi moves fast, sometimes at the expense of security. Coding and logic errors can open up paths for potential exploits, which draws malicious actors in from all corners of DeFi. Understanding these conditions, and following proper security measures, can help you avoid them.
The same principle applies to composability, which is a double-edged sword. Composability is the ability of dApps and DAOs to communicate and work with each other. The most common analogy used to describe composability is Lego blocks.
Sure, there are clear benefits to stacking protocols on top of protocols on top of protocols. But multiple protocols interacting with each other also open up many more opportunities for exploits.
Price manipulation is also a recurring issue. Since smart contracts have to interact with oracles to gain access to accurate off-chain data, any compromise here can have massive consequences.
This issue can be further compounded once flash loans are involved, since they can shift a considerable amount of liquidity within a single block, with leverage. Flash loans let anyone borrow any amount of assets without requiring the borrower to put up any collateral, as long as the sum total is returned within the same block.
But even if you can tell that a protocol has undergone an audit, it isn’t necessarily 100% safe. That’s because the developers are responsible for reviewing the audit results and implementing the recommended changes, something that they may not always do. Moreover, every time the code is updated, new potential exploits are introduced.
Therefore, it’s important for you to understand the challenges that developers are facing on their end so that you can better navigate the space without stepping into quicksand.
9 Attack Patterns in DeFi With @puntium
Let’s go through the 9 common attack patterns in DeFi that serious crypto users should familiarize themselves with.
1. Oracles. Oracles provide real-world data to blockchains, so it's essential that they relay accurate information. Since blockchains depend on oracles for real-world pricing, an attacker can look for a weakness to exploit and then manipulate the prices they report. Afterwards, the attacker can take advantage of this false price mismatch to trade for profit.
2. Flash loan attacks. If an oracle attacker were to take out a flash loan, things could get much worse very quickly. Flash loan attacks work like this: an attacker borrows a large amount of a specific token without putting up any collateral. The attacker then manipulates the price on an exchange, after which they dump the token on another exchange, profiting immensely. This all happens within a single block.
3. Governance attacks. An attacker could purchase enough governance tokens to manipulate an entire protocol and skew a crucial vote their way.
4. Front running. Poorly designed protocols may provide opportunities for an exploit between the time a transaction is submitted and the time it’s executed.
5. Admin keys. Private keys to the protocol wallet can be compromised, just like with any wallet, if adequate safety measures are not taken.
6. Insecure frontends. Websites linked to a protocol’s smart contract, acting as the graphical user interface for users, can be attacked and compromised.
7. Social engineering. Malicious actors can pretend to be team members on Discord, X (Twitter), or some other platform, and trick users into sharing private info or engaging with a malicious contract.
8. Social account takeovers. A prominent crypto user’s Twitter account might get hacked, and before you know it, it’s promoting false info (e.g., sending followers to interact with a wallet drainer).
9. Layer 1 attacks. No matter how secure a protocol is, if it lives on a non-secure Layer 1, then it has the possibility of being compromised.
As you can probably tell, new attack vectors are being discovered all the time.
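The oracle and flash loan patterns above both come down to one design mistake on the protocol side: trusting the spot price of a single pool at the moment a transaction runs. The following added example (not code from the article or from any real protocol) builds a toy constant-product pool, shows how far one large single-block swap moves its spot price, and contrasts that with a time-weighted average price (TWAP) taken over completed blocks plus a deviation guard, which is the kind of check a protocol can apply before trusting a fresh reading. All reserves, swap sizes and the 10% tolerance are constructed values.

```python
# Added example (not from the article): why a protocol should not read a single
# pool's spot price, and how a TWAP over completed blocks plus a deviation guard
# rejects a reading that one large swap has pushed out of line. All numbers are
# constructed for the demo.

from fractions import Fraction


class ConstantProductPool:
    """x * y = k pool; the price of A is quoted in units of B."""

    def __init__(self, reserve_a: int, reserve_b: int) -> None:
        self.reserve_a = Fraction(reserve_a)
        self.reserve_b = Fraction(reserve_b)

    def spot_price(self) -> Fraction:
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b_in: int) -> Fraction:
        """Deposit B, withdraw A, keeping x*y constant; returns the A paid out."""
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b_in
        new_a = k / self.reserve_b
        out = self.reserve_a - new_a
        self.reserve_a = new_a
        return out


class TwapOracle:
    """Records the spot price of each completed block and averages over a window."""

    def __init__(self) -> None:
        self._observations: list[tuple[Fraction, int]] = []  # (price, blocks it held)

    def record_block(self, price: Fraction, blocks: int = 1) -> None:
        self._observations.append((price, blocks))

    def twap(self, window_blocks: int) -> Fraction:
        """Time-weighted average over the most recent `window_blocks` completed blocks."""
        weighted, covered = Fraction(0), 0
        for price, blocks in reversed(self._observations):
            take = min(blocks, window_blocks - covered)
            weighted += price * take
            covered += take
            if covered == window_blocks:
                break
        if covered == 0:
            raise ValueError("no completed blocks recorded")
        return weighted / covered


def price_within_bounds(reading: Fraction, reference: Fraction, max_deviation: Fraction) -> bool:
    """Guard a protocol should apply before acting on a fresh spot reading."""
    return abs(reading - reference) <= reference * max_deviation


def run_scenario() -> dict:
    """Calm market for ten blocks, then one large swap in the current block."""
    pool = ConstantProductPool(1_000_000, 1_000_000)  # constructed: 1 B per A
    oracle = TwapOracle()
    for _ in range(10):                       # ten calm, completed blocks
        oracle.record_block(pool.spot_price())
    calm_spot = pool.spot_price()
    tolerance = Fraction(1, 10)               # accept at most 10% deviation from TWAP
    pool.swap_b_for_a(1_000_000)              # one large swap inside the current block
    manipulated_spot = pool.spot_price()      # what a naive spot oracle reports now
    reference = oracle.twap(window_blocks=10)  # completed blocks only, unaffected
    oracle.record_block(manipulated_spot)     # even once recorded, it is diluted
    return {
        "calm_spot": calm_spot,
        "manipulated_spot": manipulated_spot,
        "twap": reference,
        "max_deviation": tolerance,
        "guarded_oracle_accepts": price_within_bounds(manipulated_spot, reference, tolerance),
        "twap_after_manipulated_block": oracle.twap(window_blocks=10),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With the constructed numbers, the swap quadruples the spot price inside one block while the TWAP of the previous ten blocks still reads 1, so the guard rejects the reading; after the manipulated block is recorded it only nudges the ten-block average to 1.3. A TWAP is not a complete defence (a sustained manipulation over many blocks still moves it), which is why protocols usually combine it with a deviation check against a second, independent price source.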
4. NFTs
Keeping Safe from NFT Scams with @DCLBlogger
Scams aren’t confined to the DeFi space. Many types of NFT scams are in constant circulation. These include…
- Discord DMs, like free limited-time mints, or someone offering help
- Dodgy brand emails (e.g., “Hey, click here and log into your OpenSea account!”, also known as phishing)
- Paid ad scams on Google
- Fake NFT sellers
- Crypto exchange hacks
- Fake airdrops
- Influencers promoting rug projects
- NFT sellers selling 100% copied projects with zero value
- SIM swapping and email hacks that circumvent SMS-based 2FA
- YouTube channel hacks and fake giveaway streams
- Someone requesting money to invest for you
- Fake mints that drain your wallet
So what can you do to protect yourself from all these scams? Here are a few tips:
- If something feels off, it probably is. Avoid it. (Better safe than sorry!)
- Verify that it is indeed a friend who is messaging you, and not some bozo scammer who copied your friend’s ID. (Check your message history.)
- Don’t store your private keys on any digital device. (No screenshots, no Word docs, nada.)
- Use a hardware wallet to store your most valuable crypto assets. For daily trading, use a separate wallet.
On Securing Your NFTs With @punk6529
Sometimes we forget that our NFTs are also tokens, so when we buy, trade, or sell them, they don’t actually change location. What actually happens is this: On the blockchain, the ledger registry is simply updated to denote who the new owner is. The actual NFT data is stored on a server, whether that server is centralized (e.g., AWS) or decentralized (e.g., Arweave).
Your public key acts like your email address, whereas your private key is like your password. (So don’t share it!) You can think of your seed phrase as your password recovery method.
If someone gets access to your private keys and/or seed phrase and passphrase, it’s game over. So how do you protect yourself?
punk6529’s general rule: If you plan to spend $500 or less on NFTs, just use a soft wallet like MetaMask. However, if you’re planning to invest $1000 or more, use a hardware wallet. In the millions? Use Gnosis Safe, a multi-sig wallet.
Generally, when we talk about wallet safety, we’re actually discussing these two things, with somewhat opposing goals: Resiliency (i.e., how to ensure you don’t lose access to your private keys) and Security (i.e., how to ensure no one else gains access to your private keys). Every experienced crypto user should know that the trick is in balancing these two concepts.
Fake Airdrops on Crypto Twitter
Social engineering is one of the prime attack vectors used in cyber attacks. In this section we want to stress the importance of identifying these attacks and how you can and should avoid them. Specifically, we will go through how to identify fake airdrop scams on Crypto Twitter (now called X), the social media platform where most crypto users get their news and information.
Crypto scammers often exploit airdrops as a tactic to deceive users, because users are at their most vulnerable when claiming airdrops. Users must be cautious, as claiming an official airdrop typically requires you to:
- Go to a newly launched website/token claim link (new XXX project foundation)
- Interact with a new smart contract (because the token is new)
- Interact with a new token (assuming the airdropped token is newly minted)
Scammers exploit all of these factors to trick you into visiting their website and approving their new but malicious smart contract.
Common Tactics
Posing as Official Twitter Accounts
Scammers will often pose as the official account, commenting under official posts to trick users into clicking their fake airdrop claim link. Look out for misspelled names, for instance @ElgenLayer (spelled with an l) vs. @EigenLayer, which is the official account. Always check the user profile of these posts to ensure it is indeed the correct poster.
Projects may also include footers at the end of their X posts to combat scams.
Look out for these Tweet thread footers and ignore any comments/announcements that come after the footer.
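The @ElgenLayer / @EigenLayer trick works because an l and an i look alike in many fonts. The following added example (not code from the article, from X, or from any project) screens a handle against a small allow-list of accounts you trust: it folds confusable characters, computes an edit distance, and flags padded variants such as an official name with “_claims” appended. The allow-list and the sample handles are constructed; only @EigenLayer itself comes from the article.

```python
# Added example (not from the article): flag X/Twitter handles that are
# look-alikes of accounts on a constructed allow-list. Only @EigenLayer is
# taken from the article; every other handle here is made up for the demo.

from typing import Optional

# Constructed allow-list: the accounts you actually take announcements from.
OFFICIAL_HANDLES = ("EigenLayer", "coingecko")

# Characters scammers swap in because they render almost identically.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "8": "b"})


def normalize(handle: str) -> str:
    """Lower-case, drop the @, and fold confusable characters to one canonical form."""
    return handle.strip().lstrip("@").lower().translate(CONFUSABLES).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str, official=OFFICIAL_HANDLES, max_distance: int = 2) -> tuple[str, Optional[str]]:
    """
    ("official", name) for an exact, case-insensitive match;
    ("lookalike", name) when the handle is a confusable-fold, a near-miss within
    `max_distance` edits, or contains an official name with extra text around it;
    ("unknown", None) otherwise. Look-alikes are for a human to review, not auto-block.
    """
    raw = handle.strip().lstrip("@").lower()
    for name in official:
        if raw == name.lower():
            return "official", name
    norm = normalize(handle)
    for name in official:
        target = normalize(name)
        if norm == target or levenshtein(norm, target) <= max_distance or target in norm:
            return "lookalike", name
    return "unknown", None


if __name__ == "__main__":
    for h in ("@EigenLayer", "@ElgenLayer", "@E1genLayer", "@eigenlayer_claims", "@vitalik"):
        print(h, "->", classify(h))
```

Handles on X are case-insensitive, so the exact match ignores case; the edit-distance threshold should be kept small (or scaled to the handle length) because a distance of 2 against a very short official handle would flag many unrelated accounts.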
Airdrop Checker Twitter Advertisements/emails
Another common tactic is Twitter advertisements (and even emails, should attackers get hold of your address through data breaches). You may receive ads claiming that you have received XX amount of a token and that the token's claim window is fast closing, rushing you into quickly interacting with their website.
These bogus websites may have an “airdrop checker” that will indicate that you are eligible regardless of what wallet address you entered. They may then also prompt you to connect your wallet to proceed, even signing a few “approvals” before you can use their airdrop checker. These approvals usually grant the fake website access to your wallet, after which they’ll drain its contents. Note that most official airdrop checkers do not even need you to connect your wallet, only provide your wallet address. If an airdrop checker pushes for you to connect your wallet, it is a red flag that usually indicates that an airdrop checker is bogus.
Final Thoughts on Crypto Security
In closing this guide, we wanted to share some practical tips for crypto users from CoinGecko co-founder Bobby Ong. Whether you’re a casual user, a degen, or an experienced investor, it’s always a good idea to review these best practices. Let’s go.
Crypto is a very dangerous and adversarial place. If you are not careful, you risk having your valuable cryptocurrencies stolen from you.
I've compiled a thread on some security best practices that you can follow to stay safe. Read on below 👇👇
— Bobby Ong (@bobbyong) June 13, 2021
- Never reuse passwords. How many of us use the same password for multiple accounts? Sure, it’s convenient, but if a hacker can figure out your password for one account, then multiple accounts are compromised.
- Use a password manager. Use a decent password manager, and you'll never have to remember any of your passwords. Bonus: You also get to maximize your password security. It’s a no-brainer.
- 2FA it all. Enabling two-factor authentication (2FA) across your devices makes it that much harder for anyone to break in. One advantage of 2FA is that you can enable notifications to let you know when someone’s attempting to sign into any of your accounts.
- Use a cold wallet. Trezor and Ledger are solid options. However, know that although using a hardware wallet will afford you maximum security, it does come at the cost of convenience. Therefore, store your most valuable digital assets in your hardware wallet. But do consider keeping a separate digital wallet if you interact with web3 daily.
- Don’t doxx yourself. This one’s one of my favorites. If you’ve got money, don’t make yourself a target. Because your crypto wallet address is pseudonymous, anyone can trace your entire transaction history. That’s why it’s important not to doxx yourself. And if you do, make sure it’s tied to a wallet that isn’t all that interesting to prying eyes.
There are many more points Bobby shares. But like we said, crypto security is a vast and fast-moving topic, one that’s always evolving because hackers are just as creative as we are. That’s why it’s imperative that we keep up with and review best practices.
Still, if you want to dig into all 16 of Bobby’s crypto security tips, check out this comprehensive guide we wrote so you can HODL in peace.
Enjoy!