stelly.eth

Posted on May 04, 2022 on Mirror.xyz

1, 2, 3 Blockchain: Security

Over the past few weeks, I’ve had an immensely increased awareness and interest in wallet security. A few attacks have even targeted a few of my wallets directly, along with a call from ‘Apple’, so I figured an article write-up would be good on this subject.

Layer 1: Framing the Issue

As noted in previous articles, security within the cryptocurrency ecosystem is everything. This includes proper management of your private keys, remaining diligent when interacting with Web2 and Web3 applications, and understanding popular attack vectors. Most recently, a hacked Bored Ape Yacht Club Instagram account directed users to a ‘mint’ site for a nonexistent metaverse land airdrop, and upon signing a single transaction, an estimated $3M in NFTs was stolen. All hope is not lost. With proper accountability and diligence, users can take precautionary steps to ensure their assets are protected.

How do scams like this work? This video does an excellent job overviewing an apparently legitimate site, mint process, and underlying smart contract specifically designed to rob users blind.

The lessons learned?

  1. Never rush into any form of cryptocurrency transaction, and apply the maxim, “If it sounds too good to be true, it probably is.”
  2. Even seemingly legitimate https:// sites can still operate Web3 back-end applications that contain malicious code.
  3. A signed transaction that alters the state of the blockchain, even when using a hardware wallet, is open to unseen attack vectors.
  4. Spend the time to determine whether or not a site has been compromised. This includes checking official social media pages for project links, cross-referencing Discord community posts, and investigating the underlying smart contract.
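Lesson 3 is the one that bites: a hardware wallet only proves you meant to sign what is on screen, not that the call is harmless. The following is an added example (not code from the original post) that decodes a transaction's raw calldata before it is signed and flags the two standard ERC-20/ERC-721 calls that hand control of tokens to another address; the sample calldata and the operator address in it are constructed placeholders.

```python
# Added example (not from the original post): inspect a transaction's calldata
# before signing and flag calls that hand a third party control over tokens.
# Selectors are the standard ERC-20/ERC-721 ones; sample calldata is constructed.
from typing import Optional
# 4-byte function selectors (first 4 bytes of keccak256 of the signature).
RISKY_SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # operator may move ALL of your NFTs
    "095ea7b3": "approve(address,uint256)",          # spender may move one token / an amount
}
UNLIMITED = (1 << 256) - 1  # the usual "unlimited" ERC-20 allowance

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI-encoded argument word following the selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata too short for argument %d" % i)
    return data[start:start + 32]

def decode_risky_call(calldata_hex: str) -> Optional[dict]:
    """Describe the call if it grants token control to another address, else None."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) < 4:
        return None
    selector = data[:4].hex()
    sig = RISKY_SELECTORS.get(selector)
    if sig is None:
        return None
    # Both functions take an address first; it sits right-aligned in a 32-byte word.
    target = "0x" + _word(data, 0)[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    if selector == "a22cb465":
        # A non-zero bool GRANTS blanket approval; zero revokes it.
        return {"function": sig, "operator": target, "grants_all": value != 0}
    return {"function": sig, "spender": target, "amount": value, "unlimited": value == UNLIMITED}

def should_block(calldata_hex: str) -> bool:
    """True when the call grants blanket control: setApprovalForAll(..., true) or an unlimited approve."""
    info = decode_risky_call(calldata_hex)
    return bool(info) and (info.get("grants_all") or info.get("unlimited") or False)

# Constructed samples; the operator address is a placeholder, not a real contract.
OPERATOR = "1" * 40
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + "0" * 24 + OPERATOR + "0" * 63 + "1"
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + OPERATOR + "f" * 64
SAMPLE_PLAIN_TRANSFER = "0xa9059cbb" + "0" * 24 + OPERATOR + "0" * 63 + "5"  # transfer(address,uint256)

if __name__ == "__main__":
    for cd in (SAMPLE_SET_APPROVAL_FOR_ALL, SAMPLE_UNLIMITED_APPROVE, SAMPLE_PLAIN_TRANSFER):
        print("BLOCK" if should_block(cd) else "ok", decode_risky_call(cd))
```

A wallet that surfaces "grants_all" or "unlimited" in plain words, rather than a hex blob, is exactly the pause the first lesson asks for.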

Layer 2: Scams-as-a-Service & Other Attack Vectors

For the small price of $29.99 - $149.00 (link is a reference to the article cited for this statistic), anyone can purchase a series of tools packaged for the explicit purpose of duping users into giving up control of their assets. Interestingly enough, scammers even have their own YouTube channel showing how to implement and execute the scam. While many scams rely on social engineering, there have also been incidents of SIM swaps against SMS-based 2FA, iCloud exploits, and fungible/non-fungible token airdrop scams.

When veering into the broader cryptocurrency ecosystem, there are multiple steps users can take to protect themselves. These include:

  1. Use a secure personal email provider such as Protonmail or Tutanota, and always ensure a trusted VPN service is in place (Mullvad/ProtonVPN)

  2. Simple, but extremely underutilized, is the creation and maintenance of multiple email accounts with strong yet differing passwords.

    a. Passwords should be 20+ characters in length and contain multiple character types (caps, symbols, numbers, etc.)

    b. If you fail to log in with the correct password, change all passwords immediately, starting with the most sensitive

    c. NEVER reuse a password, especially for sites containing sensitive information (social media)

  3. Use multiple trusted eSIMs if phone numbers are required, and never link a phone number to crypto platforms

    a. Ask your cell phone provider to under no circumstances change your number/SIM card unless you yourself are physically present with two forms of identification at a specified location

    b. If Google Authenticator / Authy is available, utilize this over SMS-based 2FA

  4. Use multisig (Gnosis Safe) or at least a hardware wallet, and never store private seed phrases digitally

  5. Store offline back-ups in a safe (not iCloud)

  6. Never do anything you do not personally understand – tedious, but it will prevent malware installations

    a. This includes Discord messages, email links, and Twitter DMs!

  7. Remain curious about different resources to aid your knowledge growth.

Layer 3: Wearing Sherlock’s Hat

The world is NOT out to get you! Plenty of sites are specifically designed to provide users the tools they need to stay safe while interacting within the Web3 ecosystem. While there are bad actors, their effectiveness can be blunted through education, best practices, and enhanced situational awareness (in the ether and in real life). In every circumstance, it is best to approach life with a bit of curiosity, and these are tools that transform users into sophisticated investigators:

  1. Start with a manual analysis of blockchain transactions. This will allow users to use the blockchain to their advantage and understand the flow of transactions to and from an address.

    a. Tenderly.co

    b. Ethective.com

    c. Breadcrumbs.app

    d. Dune.xyz

    e. Nansen.ai

    f. Blocx.info

  2. Cluster blockchain transaction data. These tools can easily identify high-risk account activity.

    a. Amlbot

    b. Chainalysis

  3. Check addresses and contracts through Impersonator, unreky.net, or revoke.cash. Impersonator allows users to log in to decentralized applications (dApps) while impersonating any Ethereum address (no private keys required!)

    a. Apoorvlathey.com/impersonator

    b. Side note: TutelaLabs is a tool that helps track funds BEHIND Tornado Cash (a popular mixing application)

  4. Apply OSINT to the investigation, otherwise known as attempting to source the truth from sources closer to the hacker.

  5. Extra: If you have a VR headset, there are open-source 3D blockchain visualization tools being developed.
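The manual transaction analysis in item 1 and the "track funds behind a mixer" side note in item 3 both come down to the same walk: start at the compromised address and follow outgoing transfers hop by hop. This added example (not code from the original post, and not any of the tools listed above) does that walk over a small set of transfer records; the records, addresses and transaction ids are constructed placeholders, and the same functions apply to an explorer export or a list of ERC-721 Transfer events.

```python
# Added example (not from the original post): follow assets hop by hop from a
# compromised address over a set of transfer records, the manual flow analysis
# that explorer tools automate. Records and addresses are constructed placeholders.
from collections import deque

# Constructed transfer records: (tx_id, from_address, to_address, asset).
VICTIM = "0xvictim"
TRANSFERS = [
    ("0xtx1", VICTIM, "0xattacker1", "BAYC#1"),
    ("0xtx2", VICTIM, "0xattacker1", "BAYC#2"),
    ("0xtx3", "0xattacker1", "0xmarketplace", "BAYC#1"),  # flipped on a marketplace
    ("0xtx4", "0xattacker1", "0xattacker2", "BAYC#2"),
    ("0xtx5", "0xattacker2", "0xmixer", "ETH"),          # proceeds sent to a mixer
    ("0xtx6", "0xunrelated", "0xmixer", "ETH"),          # not connected to the victim
]

def trace_outflows(transfers, origin, max_hops=3):
    """Map every address reachable from origin via outgoing transfers to its hop distance."""
    edges = {}
    for _, src, dst, _ in transfers:
        edges.setdefault(src, []).append(dst)
    distance = {origin: 0}
    queue = deque([origin])
    while queue:  # breadth-first, so each address gets its shortest hop count
        cur = queue.popleft()
        if distance[cur] >= max_hops:
            continue
        for nxt in edges.get(cur, []):
            if nxt not in distance:
                distance[nxt] = distance[cur] + 1
                queue.append(nxt)
    return distance

def follow_asset(transfers, origin, asset):
    """Return the chain of holders of one asset starting at origin, in record order."""
    path, holder = [origin], origin
    for _, src, dst, a in transfers:
        if a == asset and src == holder:
            path.append(dst)
            holder = dst
    return path

def mixer_hops(transfers, origin, mixer="0xmixer"):
    """Hop count from origin to the mixer address, or None if it is never reached."""
    return trace_outflows(transfers, origin, max_hops=10).get(mixer)

if __name__ == "__main__":
    print(trace_outflows(TRANSFERS, VICTIM))
    print(follow_asset(TRANSFERS, VICTIM, "BAYC#2"))
```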

Recommended Reading