The sad reality is that there is no shortage of ways to lose money in crypto from the hacks to the rug pulls to the scams and more. Though the good news is that there are lots of things users can do to protect themselves from attackers and in today’s piece I’ll run through a few wallet-related tips and provide some resources at the end to learn more.

sassal.eth 🦇🔊🐼 @sassal0x

The amount of people I see playing cowboy with large sums of crypto by storing it in a Meta[redacted] wallet is mind-blowing. Seriously, get a hardware wallet - don't wait until something bad happens to do it.

November 15th 2021

28 Retweets379 Likes

I stand by what I said in my tweet above - you are absolutely crazy if you have any material amount of crypto sitting in a naked hot wallet such as MetaMask. This is because it is incredibly easy for an attacker to gain access to these funds if they were to compromise your computer in some way. The easiest defense against an attack like this is a hardware wallet such as a GridPlus Lattice1 or a Ledger Nano because your private key lives on the physical device and users are required to sign their transactions by pushing a physical button instead of simply signing via a naked MetaMask wallet.

Of course, a hardware wallet isn’t fool-proof and users can still easily be tricked into signing a transaction that they didn’t intend to - this is known as a “man-in-the-middle attack”. Essentially what happens is that an attacker’s malware waits for a user to do a normal transaction using their hardware wallet (via MetaMask) and then injects a malicious transaction in place of the normal one. This malicious transaction is the one that is sent to the hardware wallet and most users will simply physically click to sign the transaction without checking the contents - leading to the user unknowingly signing a malicious transaction even though they did it via a hardware wallet. Users can defend against this by checking the transaction data that they are signing but most hardware wallets don’t have a screen large enough to show all the data in a human-readable way (the Lattice1 does though).

Another thing that many users get tricked into doing is entering their seed/secret phrase into a phishing website which is the absolute worst thing one can do. This is because those 12 or 24 words give the attacker access to all of the wallets associated with them allowing them to drain them all before the user even has time to think. It’s critical that a seed/secret phrase be stored physically and never saved to a text file on a computer or anything like that otherwise having a hardware wallet becomes completely pointless as it can’t protect you against a compromised seed phrase.

There is also the concept of a ‘smart contract wallet’ that allows for many additional controls to be put in place to protect users. Argent’s mobile app is probably the most well-known and it comes with a host of features such as social recovery, whitelisting of addresses, biometric locking of the wallet and more. Smart contract wallets are still in their infancy and haven’t really taken off yet due to high gas costs (it costs $100’s of dollars to create one on layer 1). Though, with Argent’s upcoming integrations with zkSync, StarkWare and other layer 2 networks, these costs are going to come down considerably so we should definitely see more adoption here.

There are many more ways that users can protect themselves against attackers but I’ll digress for today’s piece. If you want to learn more, you can check out MyCrypto’s simple guide to protecting yourself here or go even deeper with their very long-form guide here. As with everything security-related, it’s an ongoing battle and users must remain vigilante at all times to ensure that their funds are protected adequately.

Have a great day everyone,
Anthony Sassano

Enjoyed today’s piece? I send out a fresh one every week day - be sure to subscribe to receive it in your inbox!

Join the Daily Gwei Ecosystem

• Twitter

• YouTube

• Discord

All information presented above is for educational purposes only and should not be taken as investment advice.