All types of wallet/token/NFT hacks fall into two categories:
- Abuse of previously owned token approval.
- Private key/seed compromise.
Token Approvals:
Token approvals are essentially a permission for smart contract to access and move specific type or amount of a token from your wallet. Like giving permission to OpenSea or Uniswap to move your NFTs so you can see them.
In detail, on Ethereum network, everything except ETH is ERC-20 token. NFTs are are mostly ERC-721 and 1155 tokens respectively. Their approval mechanics work similar to ERC-20s but for NFT marketplaces.
If you are not careful about that, you might just give grant tokens permission to a malicious smart contract to get your assets stolen.
Many DeFi apps will prompt for unlimited approval of ETC20 token by default. This is to improve user experience, and it is more convenient as it does not require potential future approvals thus saving on time and gas fees.
So limiting this for max amount of tokens will fix the problem.
NFT Approvals:
NFT marketplaces will ask for that kind of approval, thus when you sell and NFT to a buyer, that marketplace’s smart contract can move the NFT automatically to the buyer. This sounds cool, but can also be used by malicious websites/contracts to steal your NFTs.
Example: When you are about to mint an NFT, from a website which looks totally legitimate, in the background their contract searches for your wallet and chooses the highest value NFT and asks for permission to take it, and when you think you are minting, you are giving away your NFT.
Limit your risk to approvals:
- Use multiple wallets, do not sign approvals from your high value wallet.
- Ideally reduce or completely avoid granting unlimited apprivals for ERC-20s.
- Check and revoke approvals periodically via Etherscan or Revoke.
Hardware Wallets:
Hot wallets are connected to the internet thtough your computer or phone so the keys stored online.
Cold wallets are hardware devices where the key is generated and stored offline.
So it is a lot safer to use hardware wallet, I would suggest Coldcard mk4 for #btc, and trezor for #eth
There are some stuff to look for:
- Buy hardware wallet only from official manufacturer website. No ebay/ no amazon…
- Make sure the packaging is sealed.
- First time you set it up, it will generate a seed phrase.
- ONLY write that seed on physical paper or a steel plate so it will be fire and waterproof.
- Never digitilize it meaning never take picture of it, never write it on any kind of keyboard.
- This seed phrase you got when you set up is EVERYTHING. Do not forget that, and not spesific to your device, you can use that with any device.
- If you loose it, you will loose everything.
- Ledger / Trezor and Coldcard has the ability to add 25th word. Which sets a different address which cannot be access via the 24-word recovery phase alone, so you will be the only one who can know the word.
How People Got Hacked?
- Tricked into downloading malware via PDFs, beta testing games, running some macros via google sheets or phishing websites.
- Interacting with malicious contracts: FOMO minting from a mimic website, as explained above.
- Insering or giving away the seed to customer support or something similar.
Takeaways:
- Don’t trust, always verify. Make sure the contract address and website you are interacting with is legitimate.
- Periodically check and revoke your token approvals via revoke and etherscan.
- You can take advantage of Pocket Universe and Wallet Guard as the last line of defense.
- Choose custom approval limits over the default unlimited approval option.
- Hedge your risk by utilizing multiple wallets.
- Utilize cold wallet and hot wallets for their purpose.
Misc Stuff:
- Always use 2FA. Authy is great app, you can use Yubikey for the next level. Never use SMS as 2FA tho.
- Use password manager. Then you can use all different 20 mixed characters passwords for all websites. Most people use Bitwarden, but I would suggest pass or KeepassXC.
- You can check have I been pwned for data breaches.
- Assume everyone online is liar or compromised.
- Instead of using Gmail, Hotmail etc.. Use better ones like Tuta or the best, you can host your mail.
- Never use public Wi-Fi, there can always be fake hotspot, or MIM attack.
- If you need to use a Wi-Fi, use VPN, because any network can be hacked. For VPN I would suggest Mullvad, or even better host your own VPN.
The point is assume that everything you have in a how wallet is already compromised or can be at any point, so act accordingly.