The ultimate guide to web3 wallet security
The rapid pace of technological advancements in web3, while being drivers of growth for the pace, has also made it a magnet for cybercriminals seeking to exploit the wealth it generates, introducing new and emerging security challenges. Cyber attackers are becoming increasingly sophisticated, creating new vectors for exploitation. These threats target a broad spectrum of the crypto ecosystem, including individual wallets, centralized and decentralized exchanges, smart contracts, and the underlying network infrastructure.
The financial implications of these security challenges are staggering. According to a report by Chainalysis, over $24 billion worth of cryptocurrency transactions were flagged for illicit activities in 2023, representing 0.34% of all transaction volume. While this figure is provisional and expected to rise as more illicit addresses are uncovered, it highlights the magnitude of the threat facing the cryptocurrency market. The decentralized finance (DeFi) sector, in particular, has been hit hard, with more than $7 billion USD in total losses attributed to hacks, according to DefiLlama. Notably, Beosin’s 2023 Global Web3 Security Statistics & AML Analysis reported 191 major attacks resulting in approximately $1.397 billion in losses and 267 rug pulls accounting for around $388 million in losses.
Amid these challenges, the role of web3 wallets grows in importance, as they are the first line of defense against threats. Yet, according to data from Trezor, fewer than 2% of the estimated 420 million global cryptocurrency users currently employ self-custody solutions. This highlights the acute need to promote an awareness on the importance of continuous vigilance and the adoption of robust web3 wallet security measures, to enhance the protection of one’s digital assets.
What is a web3 wallet
Web3 wallets, beyond serving as storage solutions for digital assets such as BTC, ETH and NFTs, are also integral for interacting with blockchain-based services such as decentralized applications (dApps).
Seed Phrase
A seed phrase, also known as a recovery phrase or mnemonic phrase, is a series of words generated by your wallet. This phrase serves as a master key to all of your cryptocurrency assets and wallet addresses. The seed phrase is typically 12, 18, or 24 words long and must be kept secret and safe, because if someone else obtains your seed phrase, they can gain full control over your assets.
Private Keys
A private key is a secure alphanumeric code that allows users to access and manage their cryptocurrency. It is used to sign transactions, proving ownership of the blockchain address from which the transaction is made. Private keys must be kept secret; revealing them to others would allow them to make use of the associated cryptocurrencies.
Public Keys
Derived from the private key, the public key serves as the address to which others can send you cryptocurrency. Think of it as your bank account number in the blockchain network. It can be shared with others to receive funds, but unlike a private key, it does not allow control over the assets.
Types of threats on web3 wallets
Phishing attacks
Phishing remains one of the most prevalent threats, evolving from simple fraudulent emails to sophisticated clones of reputable websites and platforms. Attackers create indistinguishable replicas of trusted sites or initiate contact through social media, impersonating influential figures to lure users into revealing their private keys or wallet information. Awareness and verification of the authenticity of websites and social media messages are fundamental to guarding against phishing.
DDoS (Distributed Denial of Service) attacks
DoS attacks, aimed at disrupting the normal operations of a targeted server, service, or network with excessive requests, preventing legitimate users access to wallets or services. These attacks are “distributed” because they come from many different sources simultaneously, making them difficult to stop and mitigate. While not directly stealing funds, these attacks can create vulnerabilities or force users into unsafe environments where other types of attacks can be more effective.
Risky token approvals
Token approvals on Web3 platforms can unknowingly grant malicious actors access to your assets. Fraudulent platforms, or even reputable ones that have been compromised, can exploit these permissions to drain wallets. Users must scrutinize the contracts they interact with, ensuring they understand the permissions they are granting.
Social engineering
Social engineering attacks rely on manipulating individuals into breaking security procedures. From the old adage “don’t trust, verify” to elaborate schemes where attackers pose as customer support or trusted community members, social engineering preys on trust and lack of diligence. Always performing your due diligence (DYOR) is a critical defense.
Password-stealing malware
Spread through malicious links, often disguised as NFT airdrops or critical security updates, password-stealing malware seeks to capture wallet credentials. Regularly updating security software and scrutinizing the legitimacy of unsolicited offers are key preventive measures.
Fake apps
Fake applications are designed to resemble legitimate applications. These scams aim to steal wallet information or trick users into making transactions under false pretenses. Always verify the legitimacy of any app before interaction with a wallet is essential, and only download the Flipster app from official channels.
Profile impersonations
Social media profiles impersonate legitimate services, businesses, or individuals. Cybercriminals often hijack social media accounts of reputable projects or individuals to post links to malicious websites. Always cross-reference information through official channels before taking action with your wallet based on a social media post.
How to select a web3 wallet
Choosing the right wallet is a decision that should be tailored to your individual needs and expertise. The ideal web3 wallet setup often involves a combination of different wallet types, each serving a distinct purpose. Balance your requirements to ensure that even in the face of a threat, your assets are not entirely compromised.
Hot wallets
Hot wallets are digital wallets that operate connected to the Internet, offering easy access to cryptocurrencies for transactions and trading. They can be software-based, such as mobile apps or desktop programs, or web-based services offered by exchanges. They store private keys on a device or, for web wallets, on servers of the service provider, enabling quick transactions.
Benefits:
Ease of use: Hot wallets are designed for convenience, with user-friendly interfaces suitable for everyday transactions.
Instant access: They facilitate immediate trading and use of cryptocurrency without the need to transfer funds from offline storage.
Drawbacks:
Security risks: The internet connectivity of hot wallets exposes them to potential cyberattacks, phishing schemes, and unauthorized access.
Dependence on third parties: For web-based hot wallets, there’s often reliance on the wallet provider’s security measures and operational reliability.
Cold wallets
Cold wallets are digital wallets that store cryptocurrency offline, safeguarding them from online hacking threats. They are often hardware-based, resembling USB drives, though paper wallets (printouts containing a cryptocurrency address and its private key) are also considered cold storage.
These wallets store private keys in a secure physical device that only connects to the internet when necessary, minimizing exposure to hackers. Transactions from a cold wallet require physically connecting the device to a computer or scanning the paper wallet’s QR code, signing the transaction offline, and then broadcasting it online, ensuring the private key never leaves the device.
Benefits:
Enhanced security: By keeping private keys offline, cold wallets are virtually immune to online hacking attempts, malware, and other cybersecurity threats.
Ownership and control: Users retain full control over their assets without relying on third-party services for security.
Drawbacks:
Cost: Hardware wallets can be expensive, making them less accessible for casual users or those with a limited amount of cryptocurrency.
Convenience: Accessing funds can be cumbersome, requiring the physical device and, at times, a more complex transaction process.
Custodial Wallets
Custodial wallets are managed by a third party, such as a cryptocurrency exchange, that keeps the private keys on behalf of the user. This setup simplifies the user experience by handling security, backup, and recovery.
When you deposit cryptocurrency into a custodial wallet, the control over those funds technically shifts to the provider. The provider is responsible for safeguarding the private keys and offers features like account recovery in case of lost access details.
Benefits:
User-friendly: Especially appealing to newcomers, these wallets require minimal knowledge of cryptocurrency storage and security practices.
Recovery options: Users can recover their accounts if they forget their passwords, unlike non-custodial wallets where losing a private key can mean losing access to funds permanently.
Drawbacks:
Control and trust: Users must trust the provider to secure their funds and act in their interest, potentially raising concerns about mismanagement or breaches.
Regulatory and operational risks: Custodial wallets are subject to regulatory changes and operational risks, including the potential for the service to be discontinued.
How to secure your web3 wallet
As the space is still nascent, users must remain educated and cautious, and adopt a safety-first approach rather than to be led by greed, to keep their wallet secure. If you detect suspicious clues, do not engage. When in doubt, seek assistance from Flipster support.
Enable Two-Factor Authentication (2FA)
Implementing 2FA adds an additional layer of protection if your password is compromised. This practice, often overlooked for its simplicity, can deter unauthorized access to your wallet’s digital assets by attackers. As some wallets make 2FA optional, ensure that 2FA is activated for all transactions and related accounts, where available, to reinforce your wallet’s security.
Use multiple wallets
Distributing your crypto assets across several wallets can effectively minimize the impact of a security breach. Consider using ‘burner’ wallets for high-risk transactions, such as airdrops or NFT mints, to separate your primary holdings from direct exposure. This strategy mitigates the risk of significant losses and also confuses potential attackers by dispersing your on-chain activity data.
Safeguard your passwords and seed phrase
The secure storage of your wallet’s seed phrase is critical for access to your assets. Do not share your wallet’s private keys with anyone. Opt for metal backups for durability against physical damage or use password managers for encrypted storage solutions. Alternatively, write it down on paper and store them in a secure location. Regardless of the method, the principle remains the same: your seed phrase should be stored securely, accessible only to you. In the event that you lose your private keys, ensure you have stored your seed phrase securely to recover your wallet and digital assets.
Use web3 security solutions
As the web3 space develops, so do the security solutions. Research and make use of web3 security solutions that offer risk identification and mitigation features, for real-time defense against emerging threats, securing your assets from newly discovered vulnerabilities.
Avoid clicking unverified links
Avoid engaging with unofficial or suspicious links, especially those promising unrealistic returns. Scammers often exploit the fear of missing out (FOMO) to lure victims into clicking malicious links, utilizing the guise of limited-time offers to instigate urgency. The rule of thumb is simple: if it looks suspicious, it probably is.
They often resort to using recognizable brand names, impersonating influential figures and companies, to abuse the trust and authority wielded by them. For clues, look out for inaccuracies, such as misspellings, incomplete descriptions, low-res images, and more, as indicators of reputability.
Only use legitimate dApps
Before engaging with decentralized applications (dApps), conduct thorough research to confirm their legitimacy and adherence to security best practices, such as whether they conduct smart contract audits. Other ways to verify this include inspecting URLs for typos, employing VPNs for secure connections, and reviewing the dApp’s public reputation can help safeguard your wallet from vulnerabilities within third-party applications.
Research and take the time to investigate if a dApp has a good reputation and follows security best practices like smart contract code audits, to ensure your wallet wont get compromised due to bugs in their product. Some of the ways to do so include inspecting the url for spelling typos, use a VPN to prevent unauthorized access to your assets especially if on public networks, and review publicly available data and news about the dApp.
Avoid using public wifi
When conducting crypto-related activity using your wallet, avoid using public wifi. If you really need to, use VPN. Public wifi networks are notoriously insecure, offering a fertile ground for intercepting digital communications. Use a VPN to encrypt your connection if it’s necessary to use public wi-fi, ensuring that your wallet interactions remain confidential and secure from prying eyes.
Check token approvals
Exercise caution when granting token approvals from your wallet. Unauthorized approvals are a common vector for attacks, allowing malicious entities access to your assets. Conduct diligent research to gain a thorough understanding of what each approval request entails, and revoke any suspicious permissions promptly to maintain control over your wallet holdings.
Flipster’s security measures
Flipster has implemented and developed several security measures to protect users assets, and continues to work hard to tackle security challenges as the industry evolves. These comprehensive security measures exemplify Flipster’s unwavering commitment to maintaining a highly secure environment for our users’ assets and data.
At Flipster, safeguarding user funds and data is of utmost importance. We have implemented advanced security protocols and measures, including:
- Security governance: We adhere to international security frameworks and standards, guiding our operations with a strong emphasis on security.
- Secure application design: Our platform is meticulously designed with security in mind, incorporating security-by-design principles and rigorous secure coding practices.
- Wallet and key management: Funds are securely stored in distinct hot and cold wallets. Our cold wallets are fortified with multi-layer security measures and a segregation of duties approach for enhanced protection. Similarly, our hot wallets undergo stringent technical and physical security measures, with customer keys inaccessible to system administrators.
- Sensitive data encryption: All customer data is encrypted to provide an additional layer of security, safeguarding sensitive information from unauthorized access.
- Enforcing strict access controls: Access to critical components, particularly customer keys within hot wallets, is strictly controlled, further enhancing our security posture.
- KYC (Know Your Customer) and AML (Anti-Money Laundering) Compliance: We adhere to stringent KYC and AML regulations, requiring comprehensive verification of user identities and ongoing monitoring to prevent illicit activities.
Flipster adopts a proactive approach to mitigate hacking attempts and other security threats by:
- Implementing Preventive Measures: We deploy preventive measures across the platform to proactively mitigate potential threats before they materialize.
- Continuous Monitoring and Vigilance: Our systems undergo continuous monitoring, enabling us to promptly detect and respond to any security anomalies or attempted breaches.
- Regular Security Audits and Monitoring: We conduct frequent security audits, including routine penetration testing, and maintain 24/7 real-time security event monitoring. These efforts are complemented by industry-leading security solutions.
- 24/7 Distributed Denial-of-Service (DDoS) and Web Attack Detection and Prevention: Our platform is equipped with robust capabilities to detect and prevent DDoS and web attacks around the clock, ensuring continuous protection against evolving threats.