Safety & Security in Web3

Although Web3 is new and exciting, there are some key things to keep an eye out for. Because the Web3 world is decentralized, you have great freedom, but the responsibility for your assets falls to YOU and you alone. If you get scammed, there isn’t anyone who can bail you out the way credit card companies or fraud protection policies can in Web2.

Here are some key tips to think about:

Never share your seed phrase

When you first create your wallet you’ll get a 12-word seed phrase. This allows you to restore your wallet on any new device (so it’s useful to keep safe). However, if anyone other than you gets it, they can steal EVERYTHING from your wallet. Keep yours secret and safe. If any website asks for it, it’s likely a scam site. You should only have to enter it when you’re intentionally importing your wallet onto a new device.

Be safe & careful & keep your valuables secure

Taking your time to check things as you go is important. The other part is where you store your assets. While a hardware wallet isn’t the first thing everyone buys, if you are serious about web3 and protecting your assets, a hardware wallet or cold storage solution is worth considering. It provides an extra physical failsafe against your assets being stolen (but isn’t a guarantee).

A good idea is to have a ‘burner’ wallet, one that is separate from your main asset storage, that you use to mint, buy and sell NFTs. If this wallet is compromised, the blast radius and impact are a lot lower than if it were your main wallet.

Only connect your wallet to sites you trust

When you’re in web3, because everything is done on your phone or in your browser, there will be a common pattern of connecting your wallet (likely MetaMask) to sites. This allows your wallet to be used to mint (create an NFT on the blockchain) or to interact with holder-only parts of the site.

However, on malicious sites the act of ‘connecting’ might come with hidden permissions you’re signing for. Every transaction from your wallet needs to be ‘signed’, which means confirming the interaction with the blockchain through the wallet UI. Sometimes, though, what you’re signing isn’t exactly what you think it is. Before you connect your wallet to a site, make sure you trust the project (and have done research to verify it), and only navigate to the site through official links on their Discord or Twitter.
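As an added illustration of what a ‘hidden permission’ can look like (example code, not part of the original page): the snippet below decodes the calldata of a transaction a site asks your wallet to sign and flags the two approval calls that hand a third party control over your tokens. It assumes the raw `data` field of the transaction request is available to you; the sample calldata and the spender address are constructed for this example.

```javascript
// Added example (not from the original page): decode the calldata a site asks
// the wallet to sign and warn on blanket token approvals before signing.
// Assumes the raw `data` field of the transaction request is available;
// the sample calldata below is constructed for illustration only.

// Function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 amount / ERC-721 tokenId
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Return the i-th 32-byte ABI word (as hex) following the selector.
function word(hex, i) {
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}

function decodeApproval(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const name = SELECTORS[hex.slice(0, 8)];
  if (!name) return { kind: "other", warning: null };
  if (hex.length < 8 + 2 * 64) return { kind: "malformed", warning: null };
  // An address is right-aligned inside its 32-byte word.
  const spender = "0x" + word(hex, 0).slice(24);
  if (name.startsWith("approve")) {
    const amount = BigInt("0x" + word(hex, 1));
    const unlimited = amount === MAX_UINT256;
    return {
      kind: "approve", spender, amount,
      warning: unlimited ? `unlimited allowance granted to ${spender}` : null,
    };
  }
  const approved = BigInt("0x" + word(hex, 1)) !== 0n;
  return {
    kind: "setApprovalForAll", spender, approved,
    warning: approved ? `operator ${spender} may move EVERY token in this collection` : null,
  };
}

// Constructed sample: setApprovalForAll(0x1111…1111, true), i.e. a blanket
// NFT transfer permission disguised as a "connect" or "verify" step.
const SAMPLE = "0xa22cb465" +
  "000000000000000000000000" + "1111111111111111111111111111111111111111" +
  "0000000000000000000000000000000000000000000000000000000000000001";

console.log(decodeApproval(SAMPLE));
```

If the decoder reports a warning, the safe move is to reject the signature and reach the project through its official links instead.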

Never click on links in direct messages

A common entry point for compromising your wallet or Discord profile is clicking on links. A link might take you to a fake site or allow some form of malware to execute. That might be a keylogger capturing your ‘login’ to a fake version of the website, or it might involve connecting your wallet so their site can transact with it.

When you receive links or are thinking about clicking on them, read the full URL and make sure it actually points to a site you expect. If in doubt, don’t click it. If you really ‘need’ to click it, open the link in a new incognito window (where your wallet and other accounts aren’t connected).

Be aware of social engineering attacks

A common attack vector for security breaches is social engineering or phishing. This is where the attacker either impersonates someone or asks you specific questions with the intent of gaining information or access to your accounts.

They often use this as a way of ‘compromising’ an account and then using that account to commit further malicious activity. Discord hacks often start with a Mod’s account being compromised.

Anything free is always a scam

Someone offering you something for free if you go to a site, a ‘secret mint’ for a project that is doing well, a site that offers you 2x your cryptocurrency if you send your $ to it: anything that seems like a great deal but that you need to ‘do right now’ is likely a scam or someone trying to extort you.

They are very good at making these things seem legitimate, but always double check and see if you can find an official tweet or Discord message to back up the too-good-to-be-true offer, because 99% of the time it is a scam.

Mistakes happen, learn from them

Because a lot of web3 feels like it moves so fast, and there are moments when you need to take immediate action, that can lead to sloppy or poor decisions. That does happen, everyone is human, but if you get into good habits for protecting yourself and those around you, you’ll survive and be here to enjoy the amazing parts web3 does have to offer!

Our team is happy to help: each of us has fallen into one of these traps at least once, and we want to help others avoid them! If you have any questions about any of this, please reach out!