Master Guide To Crypto Security: Crypto Wallets, Smart Contracts, DeFi, And NFTs

Long gone are the days of normies sharing their seed phrase with fake customer support. (One can only hope!) Crypto users have smartened up since, but that doesn't mean scammers are going away anytime soon. Yes, a recent lieu of hacks and scams has been proliferating the crypto market. Yet, it’s always a good time to discuss crypto security. 

And if there's one space online where experts congregate, it's Crypto Twitter. So we thought we'd gather the best expert takes from Twitter and share them with you here. 

In this guide, we cover how to stay safe while using…

• Crypto wallets
• Smart contracts
• DeFi 
• NFTs

Ready? Let's review some tweets from known experts in the cryptoverse.

Chirp-chirp!

1. Cryptocurrency Wallets 

Understanding Custody with Jump Crypto

Let's start off with something basic: understanding the concept of custody. 

Custody concerns the question of how to keep your crypto assets safe. Every crypto asset is tied to a private key. And anyone with access to your private key also has access to your crypto assets. 

Who has custody, though? 

That depends on how much security risk and responsibility you're willing to tolerate. Many normies opt to keep their crypto assets on an exchange, at least at first. But then, users who leave their digital assets on a crypto exchange can become susceptible to other risks. They include paused withdrawals, exchange downtime, and hacks. 

© regularguy.eth | Unsplash

Self-custody is the next level of security, but it comes with its own risks. These risks include unknowingly handing out your seed phrase or sending funds to the wrong address. Other custody solutions are available, like multi-sigs and even institutional custody services. However, the latter is a centralized service. 

Phishing Attacks with Korpi

Normies and experienced investors alike are susceptible to phishing attacks. Phishing attacks occur when a bad actor dupes you into taking an action that compromises your crypto assets, like clicking a link or opening an email. But for a phishing attack to be successful, these bad actors need your approval.

Approval is a concept that’s central to blockchains. Without approvals, you can’t interact with smart contracts. And without your approval, no protocol can access your tokens. But what can you do if they do have your approval? Protocols and bad actors can gain access to your crypto assets until approval is revoked. 

The crazy part? It doesn’t matter if you’re using a cold wallet or not! Once you’ve given the approval, if no limit has been imposed, those with access will have it indefinitely. 

Let’s take a look at MetaMask as an example. When MetaMask pops up with an approval request, you can…

© Korpi | Twitter

1. Review the address.

2. Save trusted addresses and assign nicknames.

© Korpi | Twitter

3. Check the collection you’re approving under the “Data” tab.

© Korpi | Twitter

4. Revoke unnecessary approvals. (You can do so on Etherscan here.)

It’s a bit different when it comes to NFTs, but we’ll cover that a little later.

MetaMask Approval Hygiene with CryptoCat

Would you give your wallet out to strangers in real life, and trust them to take whatever amount they want without imposing any limits? That’s essentially what you’re doing with default approvals. So here’s how to protect yourself from approval issues.

1. Know what it is you’re approving. Click on “Edit permissions”, and check the data manually. Some things you should keep an eye out for: The age of the contract, the contract owner, and where the funds came from.

© CryptoCat | Twitter

2. Know the amount you’re approving. Next to “Permission Request”, click “Edit” and input a custom spend limit. That way, even if the protocol gets hacked, it can never access more than the amount you approved.

3. Know that approvals are tied to a specific token. This means that only specific tokens that have been approved are at risk.

© CryptoCat | Twitter

Know that infinite approvals are your default… but they shouldn’t be. They grant unlimited approval for the contract to access your token. This is what an infinite approval looks like:

© CryptoCat | Twitter

If you see that string of f’s at the end, this indicates that you’re approving an unlimited spend limit that’s been requested by the protocol. To change that, simply edit the “Permission request”, and enter your desired spend limit.

2. Smart Contracts

Smart contract exploits are executed at the protocol level. In this section, we go over what to look for in a smart contract audit, how to read smart contracts, and how to use Etherscan. 

Smart Contract Audits with thirdweb

Smart contracts are susceptible to hacks for two reasons:

1. They contain valuable assets

1. Smart contract code is open source, so it’s viewable by anyone, including hackers.

Smart contracts that launch with vulnerabilities can get drained of all crypto assets. They also run the risk of ruining a developer's good reputation. The purpose of a smart contract audit is to prevent security breaches. Moreover, audits ensure that the code functions as intended.

As a user, it’s good to know how smart contract audits are performed. 

Here’s what a smart contract audit entails in 3 easy steps:

1. Understanding the use case is a crucial first step. So Step 1 asks the question, “What is the smart contract meant to do?” 

2. Once we determine the smart contract’s intent, we review the contract manually. Does the contract act within the purview of its intended use case? In other words, the audit aims to identify any unintended behavior.

3. In the last stage, we run automatic verification tools to identify potential vulnerabilities. We achieve this by exhausting the contract and running it through in its entirety. That way, we minimize any potential nasty surprises. 

If you’re a bit apprehensive about using a protocol, you can always request an audit from the @0xMacroDAO team. Also, note that protocols whose data have been reviewed are generally considered much safer than those that have not. Lastly, if the protocol team is running a bounty program, such programs also help increase the safety of a protocol considerably. 

On a separate note, here’s what you can do as a first line of defence. You can perform this security check easily. Simply find the page on CoinGecko for the relevant token or protocol you’re exploring. Then, under the Overview section, you’ll see a “Security” tab. 

© CoinGecko

Clicking on it reveals detailed audit reports and security scores given by different smart contract auditing companies. That should help you determine relatively quickly whether a protocol or token is safe to interact with. Talk about a fast and easy way to review the security risks of a protocol!

Related: 11 Best Smart Contract Auditing Companies

Mastering Etherscan with @CroissantEth

© Etherscan 

You should know by now that learning how to read Etherscan can give you a massive advantage over those who don’t. Here are some powerful actions you can take with Etherscan.

1. The most obvious way to use Etherscan is to track crypto wallets. All you’ve got to do is input the wallet address in the search field, and you’ve got access to the blockchain data tied to their wallet, including transaction history. This can give you an idea of whether an address is legit or malicious.

2. Since blockchains leave a trail, you can trace a smart contract, all the way to the source. This is crucial when it comes to reviewing and verifying whether a contract is legit or potentially malicious. 

© @croissant.eth | Twitter

3. Etherscan has powerful filters. You can even filter specific tx transactions by address. This will save you time in the long run when reviewing for safety.

© @croissant.eth | Twitter

4. You can also explore specific wallets in-depth, including browsing their analytics and comments (i.e., ENS chat). Sometimes, even simply reviewing the transaction history might reveal that something is off (e.g., a history of token burns). 

© @croissant.eth | Twitter

5. You can read smart contracts via Etherscan too, and learn how to search for specific smart contracts, which is also a time saver. (Let’s be honest: Nobody wants to spend oodles of time reviewing safety procedures.) 

If you’re capable of reading Solidity, a couple of other things you can do as an advanced user:

© Etherscan

• You can change the smart contract URL from “etherscan.io” to “etherscan.deth.net” (as shown in the image above), but without altering the rest of the search query, so include everything from “/address/” onward. Doing so reveals the actual code of the smart contract you’re looking at. 

• You can decode the input data. Just visit a tx page that contains a note. Under the input data, click on “View as UTF-8”. You can leave your own notes in case you find any issues, or you can read the info on contract deployments here as well, which might be helpful before you choose to engage with the smart contract.

Practice using Etherscan and explore a few smart contracts and addresses on your own. Eventually, you’ll get the hang of it and gain fluency! 

3. DeFi

DeFi Security Basics with Quantstamp 

DeFi moves fast, sometimes at the expense of security. Coding and logic errors can open up paths for potential exploits, which draws malicious actors in from all corners of DeFi. Understanding these conditions can help you avoid them should proper security measures be followed.

The same principle applies to composability, which is a double-edged sword. Composability is the ability of dApps and DAOs to be able to communicate and work with each other. The most common analogy used to describe composability is with lego blocks. 

Sure, there are clear benefits to stacking protocols on top of protocols on top of protocols. But multiple protocols interacting with each other also open up many more opportunities for exploits. 

Price manipulation is also a reoccurring issue. Since smart contracts have to interact with oracles to gain access to accurate off-chain data, any compromise here can lead to massive consequences.

This issue can be further compounded once flash loans are involved, since they can result in a considerable amount of liquidity shifting in a single block, with leverage. Flash loans let anyone borrow any amount of assets without requiring the borrower to put up any liquidity—as long as the sum total is returned within the same block. 

But even if you can tell that a protocol has undergone an audit, it isn’t necessarily 100% safe. That’s because the developers are responsible for reviewing the audit results and implementing the recommended changes, something that they may not always do. Moreover, every time the code is updated, new potential exploits are introduced. 

Therefore, it’s important for you to understand the challenges that developers are facing on their end so that you can better navigate the space without stepping into quicksand. 

9 Attack Patterns in DeFi with @puntium

Let’s go through the 9 common attack patterns in DeFi that serious crypto users should familiarize themselves with.

1. Oracles. Oracles provide real-life data to blockchains, so it's essential that they relay accurate information. Since blockchains depend on oracles for real-life pricing, an attacker can look for a weakness to exploit, and then manipulate the prices they report. Afterwards, the attacker can take advantage of this false price mismatch to trade for profit. 

2. Flash loan attacks. But if an Oracle attacker were to take out a flash loan, things could get much worse very quickly. 

© Arget | Unsplash

Flash loan attacks work like this. An attacker borrows a large amount of a specific token without putting up any collateral. The attacker then manipulates the price on an exchange, after which they dump the token on another exchange, profiting immensely. This all happens within a single block.

3. Governance attacks. An attacker could purchase enough governance tokens and manipulate an entire protocol and skew a crucial vote their way. 

4. Front running. Poorly designed protocols may provide opportunities for an exploit between the time a transaction is submitted and the time it’s executed. 

5. Admin keys. Private keys to the protocol wallet can be compromised—just like with any wallet—if adequate safety measures are not taken.

6. Insecure frontends. Websites linked to a protocol’s smart contract, acting as the graphical user interface for users, can be attacked and compromised.

7. Social engineering. Malicious actors can pretend to be team members on Discord, Twitter, or some other platform, and trick users into sharing private info or engaging with a malicious contract.

8. Social account takeovers. A prominent crypto user’s Twitter account might get hacked, and before you know it, it’s promoting false info (e.g., sending followers to interact with a wallet drainer). 

9. Layer 1 attacks. No matter how secure a protocol is, if it lives on a non-secure Layer 1, then it has the possibility of being compromised. 

As you can probably tell, new attack vectors are being discovered all the time. 

4. NFTs

Keeping Safe from NFT Scams with @DCLBlogger 

Scams aren’t confined to the DeFi space. Many types of NFT scams are always being exploited. These include…

• Discord DMs, like free limited-time mints, or someone offering help

• Dodgy brand emails (e.g., “Hey, click here and log into your OpenSea account!”, also known as phishing)

• Paid ad scams on Google

• Fake NFT sellers

• Crypto exchange hacks

• Fake airdrops

• Influencers promoting rug projects

• NFT sellers selling 100% copied projects with zero value

• SIM swapping and email hack, circumventing 2FA mobile verification

• Youtube channel hack and fake giveaway streams

• Phishing emails from the Ledger email database hack

• Someone requesting money to invest for you

• Fake mints that drain your wallet

So what can you do to protect yourself from all these scams? Here are a few tips:

• If something feels off, it probably is. Avoid it. (Better safe than sorry!)

• Verify that it is indeed a friend who is messaging you, and not some bozo scammer who copied your friend’s ID. (Check your message history.)

• Don’t store your private keys on any digital device. (No screenshots, no Word docs, nada.) 

• Use a hard wallet to store your most valuable crypto assets. For daily trading, use a separate wallet.

On Securing your NFTs with @punk6529

Sometimes we forget that our NFTs are also tokens, so when we buy, trade, or sell them, they don’t actually change location. What actually happens is this: On the blockchain, the ledger registry is simply updated to denote who the new owner is. The actual NFT data is stored on a server, whether that server is centralized (e.g., AWS) or decentralized (e.g., Arweave).

Your public key acts like your email address, whereas your private key is like your password. (So don’t share it!) You can think of your seed phrase as your password recovery method.

If someone gets access to your private keys and/or seed phrase and passphrase, it’s game over. So how do you protect yourself? 

punk6529’s general rule: If you plan to spend $500 or less on NFTs, just use a soft wallet like MetaMask. However, if you’re planning to invest $1000 or more, use a hardware wallet. In the millions? Use Gnosis Safe, a multi-sig wallet. 

Generally, when we talk about wallet safety, we’re actually discussing these two things, with somewhat opposing goals: Resiliency (i.e., how to ensure you don’t lose access to your private keys) and Security (i.e., how to ensure no one else gains access to your private keys). Every experienced crypto user should know that the trick is in balancing these two concepts.

Final Thoughts on Crypto Security

In closing this guide, we wanted to share some practical tips for crypto users from CoinGecko co-founder Bobby Ong. Whether you’re a normie, a degen, or an experienced investor, it’s always a good idea to review these best practices. Let’s go.

Crypto is a very dangerous and adversarial place. If you are not careful, you risk having your valuable cryptocurrencies stolen from you.

I've compiled a thread on some security best practices that you can follow to stay safe. Read on below 👇👇

— Bobby Ong (@bobbyong) June 13, 2021

• Never reuse passwords. How many of us use the same password for multiple accounts? Sure, it’s convenient, but if a hacker can figure out your password for one account, then multiple accounts are compromised.

• Use a password manager. Use a decent password manager, and you'll never have to remember any of your passwords. Bonus: You also get to maximize your password security. It’s a no-brainer. 

• 2FA it all. Enabling two-factor authentication (2FA) across your devices makes it that much harder for anyone to break in. One advantage of 2FA is that you can enable notifications to let you know when someone’s attempting to sign into any of your accounts. 

• Use a cold wallet. Trezor and Ledger are solid options. However, know that although using a hardware wallet will afford you maximum security, it does come at the cost of convenience. Therefore, store your most valuable digital assets into your hard wallet. But do consider keeping a separate digital wallet if you interact with web3 daily. 

• Don’t doxx yourself. This one’s one of my favorites. If you’ve got money, don’t make yourself a target. Because your crypto wallet address is pseudonymous, anyone can trace your entire transaction history. That’s why it’s important not to doxx yourself. And if you do, make sure it’s tied to a wallet that isn’t all that interesting to prying eyes. 

There are many more points Bobby shares. But like we said, crypto security is a vast and fast-moving topic, one that’s always evolving because hackers are just as creative as we are. That’s why it’s imperative that we keep up with and review best practices. 

Still, if you want to dig into all 16 of Bobby’s crypto security tips, check out this comprehensive guide we wrote so you can HODL in peace. 

Enjoy!

CoinGecko's Content Editorial Guidelines

CoinGecko’s content aims to demystify the crypto industry. While certain posts you see may be sponsored, we strive to uphold the highest standards of editorial quality and integrity, and do not publish any content that has not been vetted by our editors.

Learn more

Valerioshi X

Valerioshi is the 4th president of X+, one of the most exclusive communities in web3, for holders who hold 10 or more DeGods. Along with the burn team, he led the CryptoPunk burning campaign for DeGods, successfully raising more than US$100,000 in under 30 hours. He runs Degen Reports, and is host of The Degen Hour as well as the X+ Sigma Lounge, both weekly Twitter spaces. Follow the author on Twitter @valerioshi_