DISCLAIMER

This guide can’t guarantee anything and isn’t written from the perspective of a “crypto or cybersecurity expert.”

It’s the culmination of continuous learning from multiple sources and personal experience.

For example, I myself was scammed through FOMO and greed very early (fake livestream scam and fake MEV bot scam) coming into this space so I took the time to seriously learn, setup, and understand security.

Don’t be the person who is forced to learn about security because you lost everything or a painfully large amount.

HACK OR USER ERROR?

All types of wallet/token/NFT “hacks” or compromises broadly fall into one of two categories:

1. Abuse of previously granted token approvals.

2. Private key/seed phrase compromise (usually on a hot wallet).

TOKEN APPROVALS

Token approvals are essentially a permission for a smart contract to access and move a specific type or amount of a token from your wallet.

For example:

1. Giving OpenSea permission to move your NFT so you can sell it.
2. Giving Uniswap permission to your tokens so you can make a swap. \
   \
   If you want some additional background reading on token approvals, you can read this thread here.

For some precontext, basically everything on the Ethereum network, EXCEPT for ETH is a ERC-20 token.

One of the properties of ERC-20 tokens is the ability to grant approval permissions to other smart contracts.

These approvals are required at some point if you ever want to do core DeFi interactions like swap or bridge tokens.

NFTs respectively are ERC-721 and 1155 tokens; their approval mechanics work similar to ERC-20s but for NFT marketplaces.

The initial token approval prompt from MetaMask (MM) gives you several pieces of info but the most relevant are:

• the token you’re giving approval for

• the website you’re interacting with

• the smart contract you’re interacting with

• the ability to edit the token permission amount

Under the full details dropdown we see an additional piece of info: the approve function.

All ERC-20 tokens must have certain characteristics and properties as outlined by the ERC-20 standard.

One of these is the ability for smart contracts to move tokens based on the approved amount.

The danger in these approvals is if you give grant tokens permissions to a malicious smart contract you could have your assets stolen/drained.

UNLIMITED VS CUSTOM LIMIT APPROVALS (ERC-20 TOKENS)

Many DeFi apps will prompt for unlimited approval of the ERC20 token by default.

This is to improve user experience as it is more convenient as it does not require potential future approvals thus saving on time and gas fees.

WHY THIS MATTERS?

Allowing an approval for an unlimited amount of tokens potentially puts your funds at risk.

Manually editing the token approval to a specific amount sets the max amount of tokens that approved dApp can move until another approval is signed for a larger amount.

This limits your downside risk if that smart contract is exploited. If there is an exploit in a dApp you have granted unlimited approvals for, then you are at risk of losing all of those approved tokens from the wallet that holds those assets and granted that approval.

See the Multichain WETH (WETH is a ERC-20 token wrapper of ETH) exploit as an example.

This commonly used bridge was exploited by abusing past unlimited token permissions to take funds from users.

An example (using the Zerion wallet) of changing from the default Unlimited approvals to manual approvals.

NFT APPROVALS

“setApprovalForAll” for NFTs

This is a commonly used, but potentially dangerous approval generally granted to trusted NFT marketplaces when you want to sell your NFT.

This allows the NFT to be transferable by a marketplace’s smart contract. Thus, when you sell an NFT to a buyer, that marketplace’s smart contract can move the NFT automatically to the buyer.

This approval grants access for all NFT tokens from a specific collection/contract address.

This can also be used by malicious websites/contracts to steal your NFTs.

EXAMPLE OF MALICIOUS ACTOR ABUSING “SETAPPROVALFORALL”

The classic ‘wallet drain’ for a FOMO free mint situation goes like this:

User goes to a malicious website that they believe is legitimate.

When they connect their wallet to a website, the website is only able to see the contents of the wallet.

However, they use this to scan the wallet for highest value NFTs and prompt a ‘set approval for all’ from MM for the contract address for this NFT.

User thinks they are minting but they are actually giving the malicious contract approval to move those tokens.

Scammer then steals tokens and liquidates them into open OS or Blur bids before item is marked as stolen.

SIGNATURES VS APPROVALS

Approvals REQUIRE gas, as they are processing a transaction.

Signatures are gasless and are used often to sign into dApps to prove you control that respective wallet.

Signatures are generally lower risk actions but can still be used to exploit approvals previously given for trusted sites like OpenSea.

It’s also possible (for ERC-20s) to have your approvals modified with a gasless signature due to permit functions being semi recently introduced on ETH.

This can be seen if you use a DEX like 1inch.

A Reading of this in more detail here.

TOKEN APPROVALS TAKEAWAYS

Be cautious of whenever you’re giving approvals for anything, make sure you know what tokens you’re giving approval for and to what smart contract (utilize etherscan.)

Limit your risk to approvals:

1. Utilize multiple wallets (approvals are wallet specific) – don’t sign approvals for your vault/high value wallet.
2. Ideally reduce or completely avoid granting unlimited approvals for ERC-20s.
3. Check and revoke approvals periodically via etherscan or revoke.cash.

Revoke.cash is a website that lets you easily revoke various token approvals.

HARDWARE/COLD WALLETS

Hot wallets are connected to the internet through your computer or phone. Keys/wallet credentials are stored online or locally in your browser.

Cold wallets are hardware devices where the key is generated and stored PURELY offline and physically near you.

Seeing as how a ledger is ~$120, if you have $1000+ in crypto assets you should probably buy and set up a Ledger. You can connect (not import) your ledger wallets into your MM to have the same functionality as another hot wallet while maintaining a level of safety.

Ledger and Trezor are the most popular. I like Ledger as it’s the most compatible with browser wallets (similar to Rabby and MM).

BEST PRACTICES WHEN BUYING A LEDGER

Always buy from official manufacturer website, DON’T buy on Ebay or Amazon = potentially compromised / preloaded malware.

Make sure packaging is sealed when you receive item.

When you set up the ledger for the first time it will generate a seed phrase.

ONLY ever write the seed down on PHYSICAL paper, or a steel plate at a future date so that your seed phrase is fire and waterproof.

NEVER take a picture or type the seed into ANY form of keyboard (phone included) this = digitizing the seed and your “cold” wallet is now a unsecure “hot” wallet.

The crypto isn’t exactly stored on the hardware wallet but “within” the wallet generated by the seed phrase.

The seed phrase (12-24 words) is EVERYTHING, it must be protected/secured at all costs.

It gives full control/access to ALL of the wallets generated under that seed phrase.

The seed is not device specific, you can “import” it into another hardware wallet as a backup if needed.

If seed is lost/destroyed and the original hardware wallet is lost/destroyed/locked out = losing access to ALL of your assets PERMANENTLY.

There are various levels of seed level storage such as, splitting into multiple parts, adding physical distance between parts, storing it in unobvious places (a soup can at bottom of freezer, underground somewhere on your property, etc.)

Minimally you should have at least 2-3 copies with one being on steel to protect against water and fire.

A “private key” is like a seed phrase but only for 1 specific wallet. It is generally used to import hot wallets into a new MM account or in automation tools like trading bots.

THE 25TH WORD - LEDGER

In addition to the original 24 word seed, Ledger has an optional additional security feature.

The Passphrase is an advanced feature that adds a 25th word of your choosing of max 100 characters to your recovery phrase.

Using a Passphrase will cause an entirely different set of addresses to be created which cannot be accessed via the 24-word recovery phrase alone.

Aside of adding another layer, the Passphrase grants you plausible deniability when under duress.

If using a Passphrase, it’s key to store it securely or remember it perfectly, character for character and case sensitive.

This is the only and final defense to the “$5 wrench attack” situations where you are threatened physically.

WHY GO THROUGH ALL THIS FRICTION TO SET UP A HARDWARE WALLET?

Hot wallets store the private keys in a location that is connected to the Internet.

It is deceptively easy to be tricked, deceived, and manipulated into revealing these credentials via the Internet.

Having a cold wallet means that a scammer would physically need to find and take your ledger or seed to have access to those wallets and the assets within them.

Seed compromised = all hot wallets and assets within are at risk, even those that haven’t interacted with the malicious site/contract.

COMMON WAYS IN THE PAST PEOPLE HAVE BEEN “HACKED”

Common ways in the past people have been “hacked”(seed phrase compromise) via hot wallets.

1. Tricked into downloading malware via job offer PDFs, “beta testing” games, running macros via google sheets, imitation of legitimate sites and services.

2. Interacting with malicious contracts: FOMO minting from a mimic site, interacting with contract from unknown airdropped/received NFTs.

3. Inserting or sending keys & seed to “customer support” or a related program/form.

EXAMPLES AND BREAKDOWN OF HIGH PROFILE ‘HACKS’

Kevin Rose: Went to go mint a collection (art block), signed a signature txn (gasless) thinking he was just logging into the mint site.

But Seaport (new OpenSea marketplace contract) allows you to create custom orders that you can then accept with just a signature.

Since Kevin had already granted approvals for his assets to the OpenSea contract, the hacker tricked him into signing a signature that fulfilled a custom order to sell all of Kevin’s expensive NFTs for free/~$1 to the hacker.

Key takeaways:

Signatures can also be abused if they take advantage of previously granted approvals, even if that approval was granted to a trusted source

Don’t sign OpenSea (OS) approvals on websites other than OS, don’t interact with contracts or website if you have a “grail/main vault” wallet, send it to an intermediary wallet and then interact

NFT_GOD: used the import account (opposed to the add hardware wallet) option of MetaMask and typed his seed phrase in MetaMask when setting up his ledger.

This effectively turned his cold wallet into a hot wallet– remember the previous golden rule of never digitizing your seed phrase.

He then apparently downloaded a fake OBS (recording software) called ODS which was being promoted as an ad at the top of Google search.

This was malware so it stole the seed phrase then stealing all of the assets in his hot wallets and thus also his cold wallets.

Key takeaway:

NEVER ‘digitize’ your seed phrase in anyway = typing it into any form of keyboard (phone as well) or taking a photo (auto backup to cloud services has also compromised people.)

Disclaimer：

1. This article is reprinted from [Insightful Insiders], Forward the Original Title‘How To Never Get Rugged In Crypto Again’, All copyrights belong to the original author [INSIGHTFUL]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.

2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.

3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.