Cryptocurrency

CRYPTO WALLET SECURITY

A Comprehensive Guide To Protecting Your Wallet From Hacks

Dorcas Wokocha
October 25, 2023
10
min read

INTRODUCTION

"You are your own bank."

If you have spent any time in the cryptocurrency and Decentralized Finance ecosystem, you are likely already acquainted with the phrase above. This simple yet profound expression encapsulates the excitement and responsibility that come from having complete control over your digital assets on the blockchain.

One core promise of decentralisation is to enable individuals to complete custody and control of their digital assets without the interference of middlemen and third-party agents. This promise gave rise to the development of crypto wallets which allow users to have full ownership of their private keys and their wallets. 

Today, self-custodial wallets are widely popular among crypto-savvy individuals, serving as personal "banks" for crypto and NFTs and for facilitating transactions. Crypto wallets are permissionless and do not require KYC procedures to set up, making it easier for more individuals to onboard the crypto and DeFi space.

However, as the DeFi landscape continues to evolve, new challenges emerge. The rise of DeFi brings about the risk of wallet hacks, exploits and other security vulnerabilities.

Cybercriminals have developed various tactics to breach individual wallets and drain funds therein, making such attacks increasingly frequent.  From DeFi protocols to individual wallets, all have experienced a form of cyber threat or another leading to significant loss of assets. 

Recent Case Studies 

In 2023 alone, we've witnessed a series of protocol and wallet hacks that underscore the pressing need for robust wallet security.

One notable incident involved the exploitation of a smart contract bug within the stablecoin-swap protocol Platypus, resulting in a significant loss of approximately $2.2 million.

Defillama, a reliable DeFi data aggregator, estimates a staggering cumulative loss of over $7.21 billion due to hacks in the past seven years. Alarmingly, these statistics do not encompass funds exploited from individual wallets.

Sadly, even prominent figures are not spared by attackers.  A stark example is the recent incident where hackers targeted tech billionaire Mark Cuban, successfully draining his Metamask wallet of $870,000.

These incidents highlight the harsh reality of wallet hacks. In the world of blockchain, where transactions are irreversible, once assets are lost to hackers, they are gone for good.

Therefore, it's imperative to understand how to fortify your wallet against potential threats and proactively prevent hacks and other malicious attempts.

This article aims to provide you with insights into the various methods hackers use to gain access to wallets, strategies for safeguarding your wallet, and guidance on recovering assets from a compromised wallet. 

UNDERSTANDING THE BASICS: TYPES OF WALLET

A blockchain wallet allows users to manage, store, send and receive digital assets such as Cryptos, NFTs etc. 

Additionally, these wallets provide a gateway to interact with DeFi applications, facilitating activities like token swapping and interaction with different blockchains. 

To navigate blockchain wallets and protect your digital assets, it's essential to develop a foundational understanding of the various types of wallets.

Having a basic understanding of the types of wallets is crucial as it aids your understanding of their respective risk factors which inevitably helps you mitigate and prevent them. 

There are two categories of wallets; Hot Wallet and Cold Wallet

Hot wallets are online wallets connected to the internet. While they are user-friendly, they are less secure because they are always exposed to the internet. This exposure makes them more vulnerable to attacks, especially as they are used for everyday transactions and interacting with smart contracts.

Cold wallets, on the other hand, refer to wallets that are entirely disconnected from the internet. They are offline wallets and are resistant to hacking, making them a more secure and safer option compared to hot wallets.

Based on these two categories,  there are three sub-categories of wallets. They are : 

  • Hardware wallets: 

They are physical USB-like devices that provide secure storage for assets. They can only be used when connected to a computer and are considered the safest kind of wallet. It falls under the cold wallet category. A few popular hardware wallets are; Ledger, Trezor, etc.

Assets stored in a hardware wallet are safe from hazards in the online world. 

  • Software wallets

These are the most popular types of wallets, and they come in various forms like mobile apps, browser extensions, and desktop apps. They are considered hot wallets because they are constantly connected to the internet, which puts them at risk of being hacked. They are often targeted by malware because users are required to 'connect wallet' to DeFi platforms before interacting with them. Some popular software wallets include Metamask, Trust Wallet, Zerion, Phantom, and more.

  • Paper wallets

This form of wallet is a piece of paper with the public and private keys of a wallet printed on it. It is a form of cold wallet used for storing cryptocurrency offline. Paper wallets are considered highly secure because they are not connected to the internet, making them immune to online hacking attempts. However, careful handling and storage are required to prevent physical loss or damage, as the information on the paper is the sole means to access the stored cryptocurrency.

The Role of Public and Private Keys in Wallet Security

It's crucial to understand that your assets are not stored directly in your wallet; they reside on the blockchain and access to these assets is granted through your private key. The primary purpose of a wallet is to safeguard the private key, which in turn unlocks your blockchain address where your assets are securely stored.

In some cases, the private key is tied to a seed phrase, which consists of 12-24 random words serving as your wallet login. Just like the private key, anyone with access to your seed phrase can also access your funds.

Note:

It's important to distinguish between a private key and a seed phrase. In a single wallet, an individual can create multiple accounts, and each of these accounts has its own unique private key. The private key is used to access a specific account. On the other hand, the seed phrase grants access to all accounts created within the wallet.

For instance, if you have five accounts within a single Metamask wallet, you possess just one seed phrase but five distinct private keys. This means that if a hacker gains access to a private key, they are limited to only the account associated with that specific private key, and they cannot access your other accounts within the same wallet. However, if a hacker acquires your seed phrase, they would gain access to all accounts within the wallet. So, it's essential to safeguard your seed phrase as it holds the keys to all your accounts.

The public key, on the other hand, generates the wallet address, which is an alphanumeric 24-character string shared with others when you intend to receive crypto. Think of it as akin to a bank account number or an email address.  It does not pose any risk when shared with others.

With your wallet address, anyone can send crypto and NFTs to your wallet. However, your private key and seed phrase are a different story; it grants absolute access to your wallet, and if it falls into the wrong hands, it can result in the theft of your assets.

Therefore, your private key and seed phrase are highly confidential and should remain accessible only to you. Think of them as the login details for your wallet – anyone with either of these can gain entry to your wallet.

With this understanding, it's clear that private keys and seed phrases are prime targets for hackers, hence, they have devised various methods to access them to compromise wallets. In other words, for a hacker to gain access to a wallet, it means that someone, knowingly or unknowingly, has granted access in some way. Let's explore some common ways in which this can occur.

COMMON SECURITY THREATS

1. Private Key Compromise:

The private key is, in essence, the key to your assets within your wallet, and its exposure can result in the loss of those assets. Unfortunately, individuals are sometimes deceived into revealing their private keys. Private key compromises occur when an unauthorized external party gains access to the private key, making private key breaches a leading cause of many wallet hacks.

These breaches can affect a wide range of individuals, including developers, large holders (whales), token deployers, and even regular users. To illustrate the impact of these compromises, consider the case of Rocketswap, a protocol on the Base blockchain, which incurred a significant loss of $869,000 due to a private key breach.

In the context of individual wallets, private key compromises can manifest as "bot-sweeping." A sweeper bot is a script used to automatically execute outgoing transactions on a blockchain address according to the hacker's instructions. 

It leads to unauthorized outgoing transactions and instant withdrawals, causing tokens to disappear into a mysterious address as soon as funds are deposited into the wallet.

Note that a hacker can only set up a sweeper bot if they have access to the wallet's seed phrase or private key and these bots can operate across all addresses associated with the compromised seed phrase.

2. Phishing Scams:

Source 

Phishing scams through malicious links and URLs, are the most common methods used to compromise wallet security. In this scheme, attackers impersonate legitimate entities, luring victims to click on deceptive links resembling authentic ones. These links redirect users to fraudulent websites, prompting them to connect their wallets to the imposter site and authorize token withdrawals. Concealed within these phishing links, however, are hideous pathways for malicious transactions.

Phishing scams can be remarkably deceptive, and even experienced protocols and traders have fallen victim to these schemes. 

For instance, a recent incident saw a crypto trader losing over $600k to a form of phishing scam known as "address poisoning". In this form of scam, the attacker targets an address with high net worth, closely observes the user's transaction habits and carefully crafts a fake address with the first and last characters matching a frequent recipient of the target. The intention is to deceive the target into depositing funds into the imposter address instead of the original, leading to significant financial loss. 

Similarly, scammers frequently circulate phishing links on platforms like Twitter, especially during the announcement of a new crypto airdrop. For instance, numerous individuals lost their Arbitrum airdrop allocations and other tokens in their wallets to hackers when they clicked on counterfeit claim websites that closely resembled the official Arbitrum site.

3. Approvals of Malicious Smart Contracts to Spend Tokens:

Before initiating any transaction, DeFi protocols and DApps typically require user authorization for their smart contracts. This authorization grants permission for token transfers and the ability to spend tokens stored in the wallet.

However, it's essential to exercise caution when dealing with these smart contracts, as some may harbour malicious intent and require infinite approvals. Granting a DApp unlimited access to your assets carries inherent risks.

If a protocol were to be compromised, this could potentially lead to the unauthorized spending of your funds, especially if you've granted infinite approval.

To illustrate, the hack of the BadgerDao protocol, which amounted to about $120,000,000, affected only individuals who had previously granted infinite approval to the protocol to spend tokens before the hack occurred.

Additionally, be cautious of a malicious "increase allowance"  as highlighted in the image below. These may appear during the transaction approval process, and by signing such transactions, you grant the protocol permission to withdraw funds from your wallet.

Source

4. Scam Tokens and Malicious Airdrops

Token deployers can create malicious tokens and distribute them to various addresses. This explains why mysterious tokens you never purchased may appear in your wallet.

Sometimes, these tokens are airdropped in large quantities. The intention is to entice the user into interacting with the token by attempting to convert it into fiat, a process that could result in compromising your wallet.

PROTECTING YOUR WALLET 

Embracing decentralization entails acknowledging the absence of a central authority to oversee your transactions, making it your sole responsibility to safeguard your assets. Understanding the importance of wallet protection is crucial, especially as transactions on the blockchain are irreversible. Retrieving stolen assets becomes nearly impossible once a hacker has spent them. Therefore, it is prudent to prioritize the prevention of hacks by developing robust security practices.

Here are practical measures to protect your wallet:

1.  Enable Two-Factor Authentication (2FA):

Implementing 2FA significantly enhances your wallet's security, creating additional barriers for potential hackers. You can strengthen your security by incorporating biometrics and generating strong passcodes for your wallet. An even more robust approach to 2FA involves installing security extensions designed to identify phishing links and high-risk contracts.

These security extensions serve a vital purpose: before engaging with any smart contract, they send push notifications or prompts. If a contract is detected as malicious, the extension will issue a warning. To proceed with transactions, you must approve them through these authentication apps. Pocket Universe and Wallet Guard are reliable 2FA extensions to explore.

2. Use of Multisignature (Multisig) Wallets:

Multisig wallets operate by necessitating multiple signatures for transaction validation instead of a single signature. In practical terms, this means that any transaction must receive approval from all designated signatories, adding a layer of security to the wallet.

This approach effectively eliminates the risks associated with a single point of failure that arise when relying solely on one private key. Considering the enhanced security they offer, it's worth contemplating the use of a Multisig wallet. Rabby Wallet is a typical example of a Multisig wallet.

3. Revoking Smart Contract Allowance:

Revoking the allowance of a smart contract is an essential step to ensure that an application no longer retains the ability to access or move assets within your wallets. This practice is pivotal to safeguarding the privacy and security of digital assets.

When a protocol has permission to spend your tokens, it exposes your wallet to potential vulnerabilities, particularly in cases where the protocol becomes compromised by a hack. Therefore, it is important to make a habit of routinely revoking permissions granted to smart contracts.

Thankfully, there are excellent tools available for this purpose. DApps such as Revoke.cash and De.fi, can be employed to review all the permissions your wallet has enabled on different blockchains and guide you through the process of revoking them.

4. Revoke Infinite Token Approval:

In addition to granting permission for smart contracts to interact with your wallet, there's another important approval to consider – the approval of a specific amount to be spent.

Often, DApps automatically generate an infinite approval amount, which is frequently overlooked by users. This essentially means that you're authorizing the DApp to have unlimited access to spend from your wallet. This poses a significant risk.

Before carrying out any DeFi transaction such as token swapping or bridging, specify the exact amount of tokens you want the protocol to spend. Never be in a hurry and forget to adjust the number of tokens. This way, the protocol does not have access to spend more than intended in case of future compromise.

For added security, you can still use Revoke.cash to review and revoke any infinite allowances you must have granted in the past. Also, consider disconnecting your wallet from all active DApps after an interaction to further enhance your safety.

5. Monitor Account Activity:

Active traders often face the complexity of managing multiple wallets for specific interactions. In this scenario, it's possible to become overly focused on one wallet, inadvertently neglecting the security of others.

One solution is to import all your wallets into a secure monitoring platform like Zerion.io. Zerion offers a real-time overview of all your wallets, providing instant notifications for each transaction across your entire portfolio.

This approach simplifies the process of keeping an eye on your assets, ensuring you can promptly identify any anomalies as soon as they occur.

6. Avoid Disclosing Secret Phrases and Private Keys:

Remember, as a fundamental rule, if someone requests your seed phrase or private key, their intentions are likely malicious, and sharing could lead to theft of assets. Therefore, it is paramount never to disclose your seed phrase or private key to anyone.

7. Securely Store Seed Phrase and Private Key:

It is important to note that the loss of the private key and seed phrase inevitably means the permanent loss of your tokens since you can not access your wallet in the event of losing your devices. Therefore, it's vital to meticulously document your seed phrase and securely store it out of reach from others. It's worth noting that relying on digital backups, such as cloud storage or Google Drive folders, carries significant risks, as a potential hacker could access your seed phrase by accessing your email through decoding your password and login information. The Interpol and other law enforcement refers to this hacking technique as a "Brute-Force attack".

When it comes to determining where to store your seed phrase, the choice is yours, but it's imperative to ensure that you have an offline backup in place to mitigate the risk of permanent loss of assets.

8. Diversifying Portfolio 

As we've established, hardware wallets provide a safer option for protecting your assets. An intelligent strategy for portfolio diversification may involve securing substantial funds in an offline hardware wallet where they remain safe, while owning a separate software wallet for day-to-day transactions, thus keeping your primary capital securely offline.

The point is to never have all your assets in one software wallet. So you can choose to diversify by storing the majority of your assets in a hardware wallet while setting up a software wallet for daily online  interactions 

By adopting this approach, you can minimise the impact of a compromise on your software wallet. In the event of a compromise, you are not completely drained as genetically speaking, "all your eggs were not in one basket." 

9. Verifying Links:

As a rule of thumb, refrain from clicking on any unverified links. Before engaging in transactions within a DApp, always ensure you visit the official project website to obtain the legitimate link.

By consistently adhering to these practices, you not only shield your wallet from potential threats but also maintain its security and improve health health.

As a practice, you can regularly visit De.fi to assess your wallet health.

ASSET RECOVERY

Is there any hope for a compromised wallet? Unfortunately, blockchain transactions are inherently irreversible, and once a hack has occurred, it cannot be undone. Therefore, the chances of getting back assets hijacked by a hacker are slim.

In most cases, a compromised wallet may still have some tokens safely locked in staking pools, especially if the owner is a yield farmer.

In such cases, Metamask recommends using flashbots to retrieve assets, or a victim may consider employing the services of white-hat personnel. These professionals are reputable for conducting on-chain investigations and recovering assets using flashbots.

Their mode of operation is quite technical and they have proven to recover stolen assets from hackers and also to withdraw locked funds from compromised wallets.

To get started with their assistance, you can fill out a form to request their paid services via the link below: 

flashbots-whitehat-notionform

It's important to note that while these experts employ strategies to outsmart hackers and bot sweepers, achieving 100% asset recovery is not always guaranteed.

SUMMARY & CONCLUSION

Wallet hacks present significant security challenges in the realm of DeFi. These attacks can target both protocols and individual wallets, but individuals can take steps to protect their assets.

The primary method by which attackers gain access to funds in a wallet is through the acquisition of the private key. It is therefore of utmost importance to securely store your private key and seed phrase, never sharing them with anyone.

In general, practising routine wallet maintenance, such as revoking spending permissions and contracts, disabling scam tokens, disconnecting wallets from active websites, and enabling 2FA, can enhance the security of your wallet and reduce risks.

Individuals should educate themselves about the various wallet types and their associated risks to make informed decisions. As discussed, software wallets are more vulnerable to attacks due to their constant internet exposure. Therefore, individuals with substantial holdings may consider diversifying their portfolio by using hardware wallets for asset storage and software wallets for day-to-day transactions.

While there are white-hat professionals who can assist in recovering assets from compromised wallets, the adage "prevention is better than cure" holds. It's wise to invest more effort in protecting your wallet than facing the challenges of asset recovery, as complete asset recovery is not guaranteed.

Lastly, active crypto and DeFi enthusiasts should familiarize themselves with the various tactics employed by hackers to carry out attacks. This knowledge will help you remain vigilant and identify potential threats as they arise.

Share this post