On-chain Security Discussion

According to data from SlowMist, the financial losses caused by hacking incidents in the crypto world in 2022 exceeded $3.5 billion US dollars, A total of 275 hacking incidents have occurred this year.

Due to that, MDEX will hold a special on-chian security knowledge discussion (part 1) in order to raise the awareness of crypo assets among the users.

1. What are Mnemonic Phrase / Private Key, and how to keep them safe?

In another incident on Levyathan, the encryption index protocol on the BSC chain reports that a hacker minted 100,000,000,000,000,000,000,000 LEV tokens, causing the price of LEV to fall to zero, and lost about $1.5 million. The official attributed the cause of the accident to the leakage of the developer’s private key, and such incidents never ends.

So today, we will teach everyone how to keep mnemonic phases and private keys in a safer place. The private key is composed of 64 hexadecimal characters. The generation method of the private key is completely random. This number has exceeded the number of atoms in the universe, so it is impossible to use the “brute force cracking” method on the private keys one by one, so as long as we do not share the private key, it is basically very safe.

The mnemonic is another manifestation of the private key of the wallet account. The purpose is to simplify the complex private key and help users remember it a easier way. A wallet has only one corresponding mnemonic. The mnemonic and the private key of the wallet address are interoperable and convertible. It is just a simple form of the private key of the blockchain digital wallet. Due to its clear text nature, it is not recommended to save it electronically, but to write it down on a physical medium.

Once the mnemonic phrase and private key are lost, the assets will never be able to be retrieved, so be sure to make a good backup of the two. The safest method for mnemonic words and private keys is to save them by handwriting (offline), and it is better not to save them online.

Do not save mnemonic words or private keys in WeChat, memos, or mailboxes.

Do not save mnemonic words or private keys in computer folders, netdisks, or flash drives.

Do not take screenshots or photos to save mnemonic phrases or private keys.

Do not use email, WeChat, or QQ to send mnemonic words or private keys.

Do not share your mnemonic phrase or private key with others.

Do not use an Apple ID provided by others.

Do not import seed phrases or private keys to unknown third-party websites.

Do not copy and paste your wallet mnemonic or private key.

2. How do hackers steal funds from your wallet?

Pretending to be a customer service agent to get your private key
The attackers disguise themselves as customer service agents in the community, and try to solve problems users encounter. During this process, they will ask users for their private key to steal the funds eventually.

-Scan malicious QR codes to steal

The attacker sends the user the pre-prepared malicious QR code and encourages the user to scan the QR code in order to test the transfer for a small amount. During this time, authorization is required (in fact, this is the authorization of your USDT);

-Online or Cloud account stolen

Most people save mnemonic phrases or private keys by taking screenshots, pictures, or copying and pasting it to save in the Cloud. However, transmitting or storing it through email, QQ, WeChat, netdisk, memos, etc. will give attackers a chance to steal them.

-The hot wallet server was attacked

Many blockchain applications use hot wallets to store a large number of digital assets. However, issues such as a lack of security reinforcement, a lack of security awareness, failed maintenance, and so on have resulted in the hot wallet server being hacked, resulting in the theft of digital assets, and the hot wallet server has even been used as a springboard for other wallet attacks.

-The private key was stolen by someone around you

There is an old saying: “You can’t defend a thief that is living in your house.” It means you should never share your private key/mnemonic with anyone around you.

-Phishing or clickbait

The attacker clones a well-known project that is hard to distinguish; once users enter its mnemonic phrases or private keys, the assets will get stolen.

- Malicious application

Hackers will add applications to the Google Play Store, once users download them through a phishing link, that might be the start of your information being stolen.

-Attacks through public Wi-Fi

In public areas with heavy traffic, such as train stations, airports, hotels, etc., the Wi-Fi network is unsafe. Some are even malicious, created by hackers, connecting this type of Wi-Fi might leave your information or private key/mnemonic phrase in jeopardy when transmitting with it.

3. What is “DApp over-authorization”? How to deal with the problem of DApp over-authorization?

The reason for this incident is that Multichain had a problem checking the legitimacy of the Token passed in by the user. It failed to account for all underlving tokens have implemented the permit function, resulting in the WETH of users who had previously authorized WETH to the AnyswapV4Router contract. Transfer to an address maliciously constructed by the attacker.

When users interact with DApps that involve digital assets, they need to authorize first. To avoid repeative authorization, DApp developers typically set the tokens’ authorization in smart contracts to maximum by default. However, if the smart contract or the contract administrator fails, the user’s assets are vulnerable. Therefore, we should reserve assets in special asset accounts and trading accounts, where, asset accounts are only for token transfer and asset storage, and it is best to isolate them from dapps on the chain without interaction or transactions, and transaction accounts are generally used for interactive operations such as swaps, stakes, and signatures on the chain. For interactive actions involving signatures, you must be extra careful when interacting with any Dapps to avoid being deceived.

Suggestion 1: hange to a wallet once authorization on a DAPP is done.

Suggestion 2: Clear [DAPP Authorization] in time

4. Token can have the same name, how to avoid buying fake tokens?

(1) Check the unique token contract address on the project’s official website or ask the community administrator for it.

(2) Check the project’s official social media accounts to see if tokens have been issued.

(3) Don’t be greedy. Counterfeit projects often scam users with gimmicks such as incentives, OTC transactions, low-cost exchanges, and decentralized exchange transactions;

(4) Counterfeit tokens often have the same or similar names as the legitimate project, but with a small number of token holders, a low transaction volume, and a high degree of concentration of tokens, which are very easy to identify;

5.How to recognize and avoid phishing messages and emails, as well as how to avoid fake DAPPs

(1) Check the sender address and confirm it with the community administrator or the official website.

(2) Be extra aware of the clickbait.

6. How to prevent airdropped tokens from unknown sources?

When receiving an unknown airdrop, please double-check the project’s legibility. Do not authorize access to any unknown website to avoid any possible risks.

Here are a few ways to avoid airdrop scams:

1, Do not consider the airdrops that require a donation. If the project looks promising and only requires a small amount of gas, research about it and make your decision.

2, Do not share your information on unreliable platforms.

3, A platform that requires you to import wallets needs to be extra cautious. In a decentralized world, the private key is the only owner of the wallet. If the private key is accidentally leaked, there is no way to retrieve your funds.

4.Create a special wallet for airdrops! Even if it gets stolen, you don’t feel bad.

7. How to avoid the rug pull project?

2. Do not rely on the project’s slogan to validate it.

3. For the promotional content related to the project, double check.

4. Make good use of the official website and blockchain browsers.

5. Avoid sharing your private key and allowing too many wallet authorizations.

6. Do not click on unknown links, update your APP through legit channels.

7.Be wary of self-proclaimed platform customer service or other fraudulent buy-high transaction.

Finally, I would like to thank Slowmist for providing the above content. For more details, please refer to https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md

If you master these, you can master the security of your crypto assets.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store