How to Keep Your NFTs Safe?

Over the last few years, the NFT ecosystem has gained a lot of public awareness. As a result, we have seen growth in the number of users, transactions, market cap, and volume. You can visit the analytics page on our website to take a look at these numbers for yourself. Furthermore, this interest has fueled demand for NFTs, with collectors now looking more than ever to purchase blue-chip projects.

This success has also come with disadvantages: it has attracted scammers, phishers, and hackers into the market.

In a spreadsheet compiled by blockchain security and data analytics company PeckShield Inc, it was revealed that around 254 NFTs worth a total of $1.7 million were stolen during an apparent phishing attack on OpenSea. A similar report stated that a Discord attack resulted in the loss of 11 Bored Ape Yacht Club and Mutant Ape Yacht Club tokens valued at $1.66 million. These numbers are becoming worrisome for NFT collectors and investors, so it is of utmost importance to ensure the safety of your assets.

Hackers are definitely targeting collectors through Discord and Telegram, and it's highly likely they're looking for other vulnerable channels since this is such a valuable marketplace. With interest in NFT technology growing, players in the ecosystem (investors and collectors) must stay updated with the best security practices to keep their assets safe.

This article is aimed at providing suitable tips to help you secure your wallet, protect you against phishing/hacks and safeguard your NFT assets.

Where are your NFTs stored?

There is a lot of confusion about how NFTs are stored. Your NFTs are not stored on your cold wallet, PC, or even your hot wallet. Your NFT is a token on the Ethereum blockchain, and a copy of it is held by the 2400+ nodes of the network running globally. It is nice to have your NFT backed up by a fully decentralized system working to validate the ecosystem (validating transactions over the network). So, when you perform a transaction (buying or selling), all that happens is that the database (the ETH blockchain) changes the entry for which address owns the NFT.

Where are your JPG, GIF, and music files?

Your NFT has a URI [Uniform Resource Identifier] that points to where the JPG is located. Most of the time these are located on decentralized storage like IPFS or Arweave. In Web2, information is typically stored on services like AWS, which is a centralized storage service.

The difference between IPFS/Arweave and AWS is that anyone can join their computer to IPFS and decide to also store any particular IPFS object (including your JPG), rather than having all the information centralized in one storage hub.

Wallet

A wallet is a piece of software that contains a set of private keys that allow you to make transactions, whether it is a cold wallet/hardware wallet or a software wallet/hot wallet.

Software wallet/hot wallet: A hot wallet is software on a general-purpose device that allows you to connect with web3 or receive assets with only a “click”.

Hardware wallet/cold wallet: A cold wallet is software on a dedicated hardware device that allows you to connect with web3 or receive assets. The main difference with the cold wallet is that the seed phrase never touches the internet, and if you want to make a transaction you need to approve it physically (with physical buttons or on a touch screen). Some good examples of hardware wallets that you can look to buy are Trezor and Ledger.

Once you download/buy your wallet of preference, there are some main functions that might catch your eye.

First of all your hot wallet/cold wallet will require you to create a password. This password will give you access to your wallet. It is only a password specific to your wallet on the specific device.

There is nothing wrong with sharing your public address. Your public address is like your email address in Web3: anyone can send you any NFT by having your address.

There are some new attack vectors. Recently, some hackers have been sending NFTs to people, and when the recipient interacts with the NFT (sending it to another wallet or selling it), the hacker steals everything. It is important not to interact with NFTs that you are not familiar with. The way it works is that the NFT contract tries to obtain a rogue signature or approval from you; such NFTs can also be used to get your IP.

Another way is through phishing emails. These emails want you to connect your wallet to a fake website so they can steal your assets. Never click on links from senders you have not been in contact with before, and always double-check the website name. These are perhaps the only ways currently available for hackers to attack you with just your public address or your email. You will be okay by just ignoring them.

So, what you want to keep safe is your private key. Your private key is like the password for access to your public address. What the private key allows you to do is:

  • Move your NFTs out of your address.
  • Sign contracts proving you have the private key of that address (kind of validating that you own the public address).

The big difference between your public address and the private key is that you must never show/send your private key to anyone. They could easily import your private key into their wallets and drain all your assets.

Once the private key is saved and the public address concept is clear, let's move on to the seed phrase. A seed phrase is a set of 12, 18, 24, or more words. Your seed phrase is used to recover your wallet: in case you lose your private key, you can recreate it through your seed phrase. Like your private key, you should never share your seed phrase with anybody and never store it on a digital storage service or device (Dropbox, Box, Drive, iCloud, photo, notes on your phone, photocopy). Ideally, you should keep your seed phrase in physical form, like writing it down on paper. Some people use a steel object to store their seed phrase so that it is more fire-resistant.

There are some ways to add extra layers of security to your wallet, like adding a passphrase. A passphrase is a series of characters or words that, when combined with your seed phrase, creates a new wallet within your wallet. For example, I could create a new wallet within my wallet with:

  • Seed phrase + “NFTGo”
  • Seed phrase + any number
  • Seed phrase + any letter
  • Seed phrase + any phrase

Each example creates a new wallet with different private keys and their corresponding public address. It is worth mentioning that there is no “wrong” passphrase: you will not get any type of error message. What will happen is that you will get a different set of private keys that works well, but you will not have your NFTs in that wallet. The passphrase feature is only available on cold wallets.
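The sketch below is an added example, not part of the original article. It assumes the wallet follows the BIP-39 standard used by common hardware wallets, where the seed is PBKDF2-HMAC-SHA512 over the mnemonic with the passphrase mixed into the salt; it shows that every passphrase, including a mistyped one, silently yields a different seed. The mnemonic is the public BIP-39 test phrase and the passphrases are constructed samples.

```python
import hashlib
import unicodedata

# Public BIP-39 test mnemonic (sample input only; never use it to hold assets).
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP-39 seed for a mnemonic and optional passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    # 2048 rounds of PBKDF2-HMAC-SHA512; the passphrase only changes the salt,
    # so there is nothing to validate it against and no "wrong passphrase" error.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_fingerprints(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to a short hex fingerprint of the seed it produces."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


if __name__ == "__main__":
    # "NFTgo" differs from "NFTGo" by one letter's case: a different wallet.
    samples = ["", "NFTGo", "NFTgo", "7"]
    for phrase, fp in wallet_fingerprints(MNEMONIC, samples).items():
        print(f"passphrase={phrase!r:<8} seed starts with {fp}")
```

Because a mistyped passphrase opens an empty but valid wallet, the passphrase has to be backed up as carefully as the seed phrase itself.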

Adding a second layer of security

Buying a cold wallet is a nice step ahead in terms of security. The two most popular hardware wallets are Trezor and Ledger. Both are great for security but they have different strengths and weaknesses.

Additionally, you can always double-check which websites are connected to your wallet. The two main websites for revoking permissions are revoke.cash and Etherscan.

Security Tips

Always download web3 apps or wallets from official websites.

One of the major causes of crypto/NFT hacks is that users visit unofficial sources, which are often run by scammers waiting for users to interact with the website (which always looks like the official website). Do not download web3 apps from Google Play, as the app downloaded might not be from the original source. Some tips to follow to verify the official website:

  • Pay attention to the address bar. Only interact with https:// websites and not http:// ones; the "s" stands for security and indicates that the website uses encryption to transfer data, protecting it from hackers.
  • Check the domain name. One of the favorite tricks of hackers is to create a lookalike version of the same website with a small difference in the domain name that is only noticeable when double-checked. For example, a website domain name of https://wobble.com can be changed to https://w0bble.com, with 0 replacing o. Always double-check every character of the domain name.
  • Watch out for poor grammar. Fake sites are often done hurriedly and have many spelling, punctuation, capitalization, and grammar mistakes. Avoid websites like this.
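The address-bar and domain checks above can be automated before a wallet is ever connected. This added example (not from the original article) compares a URL against an allowlist you maintain yourself; the allowlist, the substitution table, and the sample URLs are constructed assumptions built around the wobble.com illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = {"wobble.com"}  # assumption: domains you have verified yourself
# Lookalike substitutions -> the letters they imitate (small constructed set).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(host: str) -> str:
    """Fold common lookalike characters so w0bble.com collapses to wobble.com."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typos such as woble.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, official=OFFICIAL) -> str:
    """Label a URL as official, suspicious, rejected, or simply unknown."""
    parts = urlsplit(url)
    # .hostname is lower-cased and drops any "user@" prefix used to mislead.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return "reject: not https"
    for good in official:
        if host == good or host.endswith("." + good):
            return "official"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode (internationalized) label"
    for good in official:
        if good in host:
            return f"suspicious: embeds {good} inside another domain"
        if edit_distance(skeleton(host), skeleton(good)) <= 1:
            return f"suspicious: lookalike of {good}"
    return "unknown: not on the allowlist"


if __name__ == "__main__":
    for u in ["https://wobble.com/mint", "https://w0bble.com/mint",
              "http://wobble.com/", "https://wobble.com.airdrop.example/"]:
        print(f"{u:<40} {classify(u)}")
```

A result of "unknown" is not a pass: HTTPS and a clean name only mean the site is not imitating an entry on your list.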

Only interact with official channels, Twitter accounts, and links.

As mentioned above, the only trusted sources should be official websites, official Twitter accounts, official Discord servers, etc. Always confirm that you are interacting on the official channel and not a lookalike channel. Some of the ways to verify this are:

  • Check account activities.
  • Check account followers.
  • Check account history.
  • Check the comment and engagement.

Do not share your login credentials or private keys with anyone.

As the popular crypto saying goes, "not your keys, not your coins": the moment your private key, phrase, or recovery seed gets shared, that particular account no longer belongs to you. The best practice is to keep your keys secured from any 2nd party.

Verify NFT before purchase.

Due diligence is always important in this ecosystem. Check the reputation of the teams involved in the projects, organic interaction in their community, and what people are saying about the project before proceeding to purchase or mint an NFT.

Use multiple wallets when minting an NFT.

Burner wallets are secondary wallets created for the sole purpose of minting an NFT. These wallets are created and funded with the exact amount needed to mint, including the gas fee. When the mint is done, the minted NFT is sent to another wallet, which serves the purpose of storing your NFTs. This reduces the risk of using your main wallet to interact with a vulnerable smart contract or website. It is worth noting that several wallets can be created to serve as burner wallets; the moment you notice a vulnerability, discard the burner wallet immediately.

Beware of clicking links from strange accounts.

One of the methods hackers use to gain access to accounts and wallets is sending a web link through a strange Discord account, or cold-emailing you with the promise of a giveaway or whitelist access. Always restrict your Telegram, Discord, and email from receiving messages from strangers and unofficial addresses. Also report and ban any user who sends you links through DMs while acting as a moderator or official of the group.

Always review your token approvals & revoke unused ones

As we interact with different protocols and links every day, we give them access and permissions based on the information in the smart contract. It is very important to review and revoke the access and permissions given from time to time. https://revoke.cash/ can help with revoking access.

Read and verify the transaction smart contract details before proceeding.

Always make sure you read the permission details in the smart contracts before confirming the transaction. A lot of hackers hide malicious actions in smart contracts that give them permission and unwarranted access to funds in your wallet. Read carefully and confirm that the smart contract details are not a threat or vulnerability.
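To make the two tips above concrete, this added example (not from the original article) decodes the raw calldata a wallet shows before signing and reports whether it grants, limits, or revokes an approval. The selectors are those of the standard ERC-20/ERC-721/ERC-1155 approval functions; the sample calldata and the 0x1111... operator address are constructed placeholders.

```python
# 4-byte selectors of the standard approval functions (ERC-20/721/1155).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}
MAX_UINT256 = 2**256 - 1

# Constructed sample calldata; 0x1111...11 is a placeholder, not a real contract.
OPERATOR = "11" * 20
GRANT_ALL = "0xa22cb465" + "00" * 12 + OPERATOR + "00" * 31 + "01"
UNLIMITED = "0x095ea7b3" + "00" * 12 + OPERATOR + "ff" * 32
REVOKE_ALL = "0xa22cb465" + "00" * 12 + OPERATOR + "00" * 32
TRANSFER = "0xa9059cbb" + "00" * 12 + OPERATOR + "00" * 31 + "05"


def decode_approval(calldata_hex: str):
    """Return a dict describing an approval request, or None for other calls."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None  # not an approval; other call types are out of scope here
    args = data[4:]
    # Two 32-byte words: a left-padded 20-byte address, then a bool or uint256.
    if len(args) != 64 or any(args[:12]):
        raise ValueError("malformed arguments for " + name)
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    if name.startswith("setApprovalForAll"):
        # True lets the operator move every token you hold in that collection.
        risk = "high" if value else "revoke"
    elif value == MAX_UINT256:
        risk = "high"  # unlimited ERC-20 allowance
    else:
        # ERC-20: an amount; ERC-721: one token id. The contract type decides.
        risk = "review"
    return {"function": name, "spender": spender, "value": value, "risk": risk}


if __name__ == "__main__":
    for label, tx in [("grant all", GRANT_ALL), ("unlimited", UNLIMITED),
                      ("revoke all", REVOKE_ALL), ("transfer", TRANSFER)]:
        print(f"{label:<10} -> {decode_approval(tx)}")
```

A "high" result for a spender you do not recognize is the request to reject, and the same grant is what a later revocation undoes.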

Check the news from time to time to know when there is a new vulnerability detected in crypto apps.

With new hacks detected daily, it is important to stay up to date with the latest information and news on vulnerability, threats, and hacks.

With the increased interest in the NFT market, bad actors are also lurking around to steal valuable pieces and funds from collectors and investors, using methods that could have been avoided if proper security practices and tips had been followed. Always make sure you protect your valuable assets, wallets, and funds from these bad actors.

https://nftgo.io/en/research/nft-101/How-to-Keep-Your-NFTs-Safe+G3j6jsuirlrFuKRrgUwJWXd8n1Lm-2yYWE6usAof1eM
