Hello to the future – Exploring Web3, dApps, and DeFi

So you’ve decided to explore web3, dApps, and the fascinating world of degenerate gamblers and obstinate internet builders.

Or maybe you want to join in on the fun and experiment with new dApps, but you’re afraid of the numerous ways you’ve seen people lose money by falling for scams and malicious platforms. You’re not technologically savvy and believe you’ll be an easy target for the next scam.

Fortunately you have stumbled upon this article and I’m going to teach you the fundamentals of online security when using crypto, DeFi, and web3.

This article will walk you through the steps you should take to stay safe while learning and progressing on web3. I’ll assume you’re using Google Chrome and Metamask, which are currently the most popular tools.

Beginner’s Guide to Starting Your Own Bank

The benefit of web3 logistics is that you only have to set it up once and never have to worry about it again. If you secure your accounts and funds, you will gain the confidence to go further in this new space. So, let’s begin with the basics and how to secure everything.

1. Enable Two-Factor Authentication on all accounts.

If the centralized apps you use get hacked, 2FA, or Two-Factor Authentication, will save you a lot of trouble. When you create a new account, go directly to “Settings” and activate it. Twitter, for example, exposes the option under “Settings.”

It is critical that you do not use a phone number as a 2FA measure, as SIM card swapping is now common among hackers. Yes, cryptocurrency users are also targeted.

Instead, use a 2FA app that generates a short code for each time slot; you log in by entering the current code alongside your password. Google Authenticator and Authy are the most popular 2FA apps.

The first step is to secure your CEX account, which is where you buy and sell crypto for fiat.

The next step is to secure the social and forum accounts where you discuss cryptocurrency, so that a hacker cannot take them over and use them to reach potential victims, especially if you have a large audience.

Why Should You Protect Your Social Accounts?

Being hacked on social media can also disqualify you from projects in which you are interested. If your address is whitelisted to mint a project, for example, the hacker can change it and replace it with their own.

Hacked social media accounts can also be purchased on the internet for pennies. Verified Twitter accounts with large followings are in high demand. Some specialized cryptocurrency websites will sell your server rank (which usually grants you privileges such as airdrops, token allocations, or being on a private sale).

Scammers or NFT projects typically buy verified Twitter accounts with the intention of rug pulling (vanishing with people’s coins after minting) or even cloning sites for successful projects. To cash out the money, the scammers will also need a fake account on a centralized exchange (CEX).

Social Media Scams Galore

To avoid falling into this trap, remember this simple rule: no one who has never spoken to you will give you anything at random or select you to mint an exclusive project. No stranger with a large following will suddenly awaken and decide to slide into your DMs to inquire about “your trades.”

Even if you don’t have a large following, treat the social media accounts you use to discuss crypto as being at risk. The identity and evolution of web3 are inextricably linked to web2 tools. Once you realize how valuable they are, you’ll want to protect them just as much as your coins.

2. Purchase a Hardware Wallet. Now.

Metamask is currently the most popular wallet, and it is sometimes the only option for connecting to new projects and dApps. If you’re new to web3, installing Metamask will most likely be your first step. Be wary of cloned extensions and check the official website to ensure you’re getting the real thing.

Most web3 users mistake Metamask for a wallet, when it is simply a browser extension that acts as an interface between dApps and your actual hardware wallet.

Whether you like the idea or not, you will need a hardware wallet at some point. The most popular hardware wallets are Trezor and Ledger, which can be used in conjunction with Metamask as an additional layer. When you confirm an action in Metamask, you must also physically confirm it by pressing a button on the device. No funds will be sent unless you physically press that button.

An Additional Layer of Defense

Even if you connect to a malicious site, as long as you don’t authorize anything with your hardware wallet, you’ll be fine. Without a hardware wallet, your Metamask could be compromised and begin to be remotely monitored by a hacker or a script.

Of course, these security measures will be rendered ineffective if you visit a suspicious website that you have never seen before. But don’t be concerned. We’re here to help you advance to the next level. But first, shouldn’t we secure that hardware wallet?

3. Mnemonic Phrases 101

Your cryptocurrency wallet is protected by a private key. This private key is kept in your hardware wallet and is used to sign all of your transactions. It is usually represented as a 12 to 24 word mnemonic phrase.

If the physical wallet is lost or destroyed, this mnemonic phrase allows you to restore the wallet on any device. It is also the weakest link in wallet management.

Safeguarding Your Private Key

Some cryptocurrency users have had their wallets emptied without knowing how. They never told anyone their phrase. Then they realize where they had stored it themselves: in the cloud or on their computer.

Your seed phrase should never be exposed to the internet, typed on a keyboard, or stored on any electronic device that has ever been connected to the internet.

You should not screenshot, print, or save your seed phrase anywhere, especially on your computer.

Write it down (or memorize it) and store it somewhere safe. Remember that anyone who finds this piece of paper can recover your wallet and transfer your funds. Nobody, not even your wife, should know where your seed phrase is stored.

If for some reason that piece of paper is destroyed, simply transfer your funds to a new wallet, because relying solely on the device is, well, risky.

4. Avoiding Phishing by Not Clicking That Link

You will most likely be targeted by phishing emails and links because you have a cryptocurrency wallet. If you receive an email advising you to download the latest software for your cryptocurrency wallet as soon as possible, do not do so. Check the brand’s website first, followed by their blog or social accounts, to see if any updates have been announced.

To avoid phishing emails, create a new email address that you will only use for cryptocurrency, and never click on any link sent to you, especially any attached files. NEVER.

Files Attached

Email attachments may contain malware that will hack your computer and attempt to steal your funds. Of course, using a hardware wallet adds an extra layer of security, but there are numerous exploits available that you’ll learn about at the intermediate and advanced levels.

Don’t open any attachments sent to you from an unknown email address, and don’t install anything with a .exe or .scr extension sent to you by a stranger.

Browsers and search engines

Another tip is to avoid using Google as a search engine. If you use Google as a search engine, clones and phishing sites will appear on the first page because scammers pay to be on the first page. You can configure any browser to use an alternative such as DuckDuckGo or Ecosia.

Clone sites exist because malicious actors are aware that cryptocurrency users’ funds are linked to a browser extension that is technically vulnerable to hacking. There were clones of bank websites before DeFi became popular.

Your Online Activity

Using alternative search engines not only improves the accuracy of results, but it also eliminates the vast majority of fraudulent websites. Separating your activities is the ultimate hack: One browser should be used for research and another for Metamask only.

Link Favorites

Finding the official Twitter account for whatever dApp you’re looking for (OpenSea, LooksRare, etc.) and bookmarking the link is common practice. This was the first thing I discovered when I set up my Trezor for the first time.

Disable Discord’s Private Messages.

If you’re using Discord to follow some projects, disable private messages.

Scammers posing as administrators will ask for your seed phrase (a pretty obvious scam, but it still works) in order to “Connect your wallet,” or will send you clone sites or phishing links. Some even call themselves “Announcements” to fool you into thinking they’re a channel notification rather than a private message.

Update Your Software

This should be standard procedure for everyone, but it is especially critical when entering web3. Hackers will take the shortest path by exploiting software flaws in your system. Updates include security patches as well as other hardening improvements.

There are software flaws everywhere, and the only way to detect them is after they have been exploited. As a result, if you receive a notification that a software update is available for the device on which you use a crypto-wallet, install it right away rather than wasting time worrying about how long it will take.

Intermediate: Web3 Navigation

The beginner level is done once you’ve secured your funds, protected your social accounts, and ensured that a phishing link won’t wipe them out. It’s time to move on to the next level, where you’ll learn how to verify third-party information.

5. Things to Avoid

Certain actions should be avoided when using cryptocurrency and dApps. These behaviors should also be avoided when using financial tools or communicating with authorities on web2. Many users are either unaware of this or unconcerned about the WiFi network they are using while performing sensitive tasks.

Being an active web3 user entails becoming aware of previously unknown threats and dangers. Your insurance company and bank can assist you if your credit card has been compromised. However, you will not be able to recover funds lost in a non-custodial crypto-wallet.

The two most important things to avoid are performing sensitive actions on insecure networks and believing everything you see on the internet.

WiFi in public places

Airports, cafes, and even schools offer public hotspots to their visitors, and because they attract a large number of people, they are frequently targeted by malicious third parties looking for sensitive information.

WiFi networks that are available to the general public can be accessed by almost anyone. Your communications and data may be monitored and even altered. To gain even easier access to your data, some malicious actors set up fake public WiFi networks disguised as establishments.

Simply avoid sensitive actions like connecting to your bank account or logging into any app while on public WiFi, and don’t touch your cryptocurrency while using it.

Verify rather than trust.

Some Discord servers have been hacked in the past, announcing fake mintings or giveaways and causing users to lose money. Although some users recognized hacks right away due to differences in syntax and writing style from the founders, many others did not, resulting in them being scammed.

Check the project’s other social accounts if you see something unexpected or unusual that requires you to spend money or connect your wallet. Events are usually announced in advance, so check social media to see if any official announcements have been made and what people are saying.

6. Create a Throwaway Account in Metamask.

It’s common practice to use a disposable Metamask account when interacting with a dApp or a contract for the first time. This account is independent of your primary hardware wallet and will protect you if you interact with a malicious contract or actor.

But what if you want to get an airdrop based on your current holdings? You must use a wallet containing valuable NFTs or coins to claim it. This is the time to be cautious.

7. Etherscan Address Lookup

Etherscan is an excellent program and, in my opinion, the best block explorer available. When you’re about to sign your first dApp transaction, copy the address you’re about to interact with and search Etherscan for it. You’ll know right away if the address belongs to the project in which you’re trying to participate. Etherscan, for example, displayed this address when I was about to mint a Tubby Cat.

You can also check the address against those in the project’s documentation, on an NFT platform like OpenSea, or on the project’s Discord server. Looking at the creator’s on-chain activity teaches us a lot. What is the source of the funds? Are they related to rug pulls? Breadcrumbs can help you easily chart transactions during the research phase.

These investigation skills are not required to begin your web3 journey, but they are options for the future if you want to learn more about researching with explorers.

Including Reliable Addresses in Your Contact List

Add the address you want to interact with on a regular basis to your Metamask contact list once you’ve found it.

This saves you time while also protecting you from address-rewriting hacks against Metamask. When a hacker or bot notices that a user is about to transfer funds, they attempt to intercept it.

Assume you want to transfer some coins to another wallet or to a liquidity pool. When the script detects a transfer, it hacks your Metamask by replacing the copied address with a different one.

You’ll learn how to verify where Metamask gets its data later, but for now, creating a trusted contact list will suffice.

Building the list takes some time, but it is easiest if you add each address as soon as you have verified it on Etherscan. If a trusted address is ever swapped, Metamask will show an unknown address instead of the contact name, and you’ll only need to confirm its legitimacy before proceeding.

8. Reading Transactions

Another important skill for staying safe is never signing anything blindly. You must be aware of the actions that you are about to authorize. A hardware wallet will not save you if you use it to sign every transaction that comes up.

You always have the option to reject a transaction; for example, if you click “Connect wallet” but the transaction data shows “Approve unlimited spending of funds,” that is most likely not a good sign.

Consider How Much Approval You’re Giving

For each transaction, you can change the spending permission. Never grant more permission than you intend to use. You can always change your mind later.

9. Confirming a Token Address

Because anyone can create a bogus token and distribute it through a decentralized exchange (DEX), the token address must be verified on Etherscan. Use Etherscan or another reputable site, such as Coinmarketcap, to find a token address.

Advanced: Contract Reading, Audits, and Revocation

Now that you know what you’re signing and are more acquainted with web3, it’s time to beef up your security.

This level is attained by verifying things further and systematically revoking what you aren’t using. Smart contracts rule web3, and we’ll teach you everything you need to know about them.

10. Verification of Smart Contracts

The majority of your web3 activity consists of using your wallet to approve smart contracts. The vast majority of web3 vulnerabilities are discovered in smart contracts, which are then exploited.

Because web3 is mostly open source, exploits are quickly identified by the community. Users then revoke their approvals for the contract while it is being patched.

It should be noted that there are no simple methods for determining a contract’s security level before an exploit occurs. As is customary, vulnerabilities emerge following an attack.

Although open source code and transactions allow the community to respond more quickly, there is one major drawback: anyone watching an exploit in progress may decide to replicate it. As a result, some code is no longer open source and is instead audited by trusted third parties. Let’s take a look at how you can validate the contract with which you’re interacting.

Locate the Contract

Any smart contract has an Ethereum address, just like your wallet. When a dApp asks you to connect or approve, wait for the Metamask pop-up that asks for permission, then copy the address it shows instead of accepting right away.

Contract addresses can also be found on aggregators such as DeFiLlama.

Enter the contract’s address into Etherscan once you have it. We’ll look at the Uniswap contract in this example. Let’s double-check whom we’re allowing to spend our MATIC.

Start examining the Contract

In this case, the Uniswap contract is open source, which means that any vulnerabilities or malicious functions can be discovered by anyone. Even if you don’t understand the code, a quick internet search will reveal what you’re getting into.

If you’re feeling nerdy and want to dig into the code, look at the functions defined in the contract. What are we specifically looking for? Any function that:

- grants access to a specific token;

- prevents us from withdrawing funds from a liquidity pool;

- appears to be a deposit, but actually sends our tokens to a hacker’s wallet.

Look for the ‘SpendWalletWETH’ function and what triggers it (this one is for WETH, but the same idea applies to any other token). If you’d rather die than read a single line of code, you can use DeFiSafety or any other third-party service that evaluates and publishes the risks associated with a project, dApp, or contract.

11. Metamask Data Verification

New methods of stealing assets emerge on a daily basis, and this one is possible even if you use a hardware wallet. The thief in this case targets owners of large amounts of cryptocurrency. The funds are stolen by intercepting a transaction and changing the address of the recipient. Remember how I suggested you make a contact list? That is the reason.

When you want to transfer funds between wallets and don’t read the transaction details before signing with your hardware wallet, the hacker injects code that rewrites the transaction, changing not only the address but also the amount, in order to drain the wallet in one move.

Even if you’re unfamiliar with the Metamask code base, the hack is easy to spot in the settings. Navigate to Chrome’s settings, then to “Extensions,” then enable “Developer Mode.”

12. Revoking Permissions

To interact with dApps, you must first approve smart contract permissions. You’ve discovered that smart contracts allow you to change the amount you approve, and you’ll now develop a new wallet hygiene habit: revoking token approvals.

Token approvals are a target for a variety of scammers and hackers who exploit code flaws to drain funds (as happened with Wormhole). This is because the default approval level is usually set to “unlimited,” and users rarely change it. Make it a habit to go over your approvals on a monthly basis and discard those you don’t intend to use.
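The “Reading Transactions” step above and this revocation habit both come down to the same thing: knowing what the hex in Metamask’s data field says before you sign it. The following is an added example, not code from the article or from Metamask: it decodes the calldata of the standard ERC-20 `approve(address,uint256)`, ERC-721/1155 `setApprovalForAll(address,bool)` and ERC-20 `transfer(address,uint256)` calls, flags an unlimited allowance (2^256 − 1, the value behind “Approve unlimited spending of funds”), and builds the `approve(spender, 0)` call that a revocation tool sends. The spender address and calldata samples are constructed placeholders, not real contracts.

```python
"""Decode token calldata the way a wallet's "data" field shows it, and flag
unlimited approvals. Added example; selectors are the standard ERC values."""

MAX_UINT256 = 2**256 - 1

# A selector is the first 4 bytes of keccak256(function signature). These
# three are the well-known standard values for the token functions below.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 spending allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator approval
    "a9059cbb": "transfer(address,uint256)",        # ERC-20 transfer
}


def _strip0x(h: str) -> str:
    return h[2:] if h[:2].lower() == "0x" else h


def decode_calldata(data: str) -> dict:
    """Split calldata into selector + two ABI-encoded 32-byte words.
    ABI encoding left-pads every argument to 32 bytes (64 hex chars), so an
    address is the last 40 hex chars of its word and a uint is the whole word."""
    h = _strip0x(data).lower()
    selector, args = h[:8], h[8:]
    name = SELECTORS.get(selector)
    if name is None:
        return {"function": None, "selector": selector}
    if len(args) < 128:
        raise ValueError("calldata too short for two 32-byte arguments")
    target = "0x" + args[0:64][-40:]
    value = int(args[64:128], 16)
    if name.startswith("setApprovalForAll"):
        return {"function": name, "operator": target, "approved": value == 1}
    key = "spender" if name.startswith("approve") else "recipient"
    return {"function": name, key: target, "amount": value}


def assess(decoded: dict) -> str:
    """Classify what signing this calldata would authorize."""
    fn = decoded.get("function")
    if fn is None:
        return "UNKNOWN_FUNCTION"          # not a plain token call: read the contract
    if fn.startswith("approve("):
        if decoded["amount"] == MAX_UINT256:
            return "UNLIMITED_APPROVAL"    # spender may move every token you hold, forever
        if decoded["amount"] == 0:
            return "REVOCATION"
        return "BOUNDED_APPROVAL"          # spender limited to this amount
    if fn.startswith("setApprovalForAll"):
        return "OPERATOR_APPROVAL_FOR_ALL" if decoded["approved"] else "OPERATOR_REVOCATION"
    return "TRANSFER"


def build_approve(spender: str, amount: int) -> str:
    """Encode approve(spender, amount) as calldata (hypothetical helper)."""
    s = _strip0x(spender).lower()
    if len(s) != 40 or not (0 <= amount <= MAX_UINT256):
        raise ValueError("bad spender or amount")
    return "0x095ea7b3" + s.rjust(64, "0") + f"{amount:064x}"


def build_revocation(spender: str) -> str:
    """Revoking an ERC-20 allowance is just approve(spender, 0)."""
    return build_approve(spender, 0)


# Constructed sample values: placeholder spender, not a real contract.
SPENDER = "0x1111111111111111111111111111111111111111"
UNLIMITED_APPROVE_CALLDATA = build_approve(SPENDER, MAX_UINT256)
BOUNDED_APPROVE_CALLDATA = build_approve(SPENDER, 1000 * 10**18)  # 1000 tokens, 18 decimals

if __name__ == "__main__":
    for label, data in [("unlimited", UNLIMITED_APPROVE_CALLDATA),
                        ("bounded", BOUNDED_APPROVE_CALLDATA),
                        ("revoke", build_revocation(SPENDER))]:
        d = decode_calldata(data)
        print(f"{label:10} {assess(d):26} {d}")
```

Paste the data field of a pending Metamask transaction into `decode_calldata` and the result tells you whether you are about to grant a bounded allowance, an unlimited one, or an operator approval over every NFT in the collection; a contract address that sits in the `spender` or `operator` slot is the one to look up on Etherscan before you sign.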

Revoking Using Network Explorers

It is simple to keep track of your existing approvals. Simply go to the “Approval” tab in your network explorer, such as Etherscan, BSCScan, or Polygonscan.

Connect your wallet and revoke any token approvals you don’t need. Sites such as Revoke, Unrekt, and Approved Zone are also options.


To navigate web3 safely in its early stages, a change in habits is required. Users must exercise caution in order to protect their funds, because using web3 means transferring and manipulating cryptocurrencies, and the transactions are irreversible.

Participating in web3 projects and using DeFi tools can earn you a lot of money. A large sum of money, on the other hand, can be lost due to a single error.

Users create content in web2 and give ownership to a few centralized organizations that profit from it. Acquiring power, ownership, and wealth in web3 requires the ability to accept enormous responsibilities and accountability.


Davontay Martin

For the people. Cryptocurrency is empowering us with censorship resistance, freedom of speech, supply scalability and, most importantly, decentralization. With extensive exposure to and interaction with crypto, my passion has led me to lead others. My passion lies in educating those who have never had the opportunity to succeed or transact in crypto.

Manal Iskander

Manal is a cryptocurrency investor with numerous crypto and blockchain courses under her belt - including courses from MIT. A researcher with a wealth of knowledge about the economic impacts of crypto both locally and globally.

Michael Diaz

Michael joined the crypto community back when Coinbase had bitcoin as its one and only coin. He stayed to see the development and evolution of altcoins, memecoins, DAOs, NFTs, and the never-ending rabbit hole of blockchain technology.
