Security
On this page... • Overview • Online Alias • Phishing • Hot / Cold Wallets • Hardware Wallets • Rug Pulls • Wallet/Blockchain Notifications • Contract Addresses • Spam tokens / NFT's • Wallet Permissions
Overview
It would be irresponsible not to acknowledge that there are a lot of people out to scam or defraud others in the web3 arena. In my opinion this is no different to everyday life. Web3 is relatively new and so it attracts the wrong kind of people trying to exploit it. I have personally been a victim of rug pulls (more on this below), so the best way to approach this is to share some knowledge and advice on the ways you are at risk and how to avoid falling victim.
I am not a security expert, and the below is not an exhaustive list. Always keep vigilant and keep up to date with best practices.
You are solely responsible for what you invest in. I take no responsibility. This site is for information only.
Online Alias
Creating a separate identity for all your web3 activity keeps it apart from your personal online identity.
Why do this? The answer is not a pleasant one: robbery. If someone knows your wallet address and who you are in the real world, they can threaten you into giving up your seed phrase, or simply force you to transfer your funds out. Remember that anyone who has a wallet address can see everything that wallet holds, because the blockchain is public.
By keeping your personal online accounts separate from your web3 alias you make it more difficult (but not impossible) for someone to link your wallets to your real identity through social media and the like.
This one is personal preference, but I'd highly recommend it, and it's somewhat fun. Make up a new name, create a new email address, and then create Twitter, Discord and other accounts tied only to that email. Never post the alias's wallet addresses from your personal accounts, or you make the link for them.
Phishing
Phishing has been around for many years. It's the act of sending fraudulent emails or messages purporting to be someone else or a business with the aim of getting access to sensitive information.
Web3 is no different, with the added goal of getting access to your wallet one way or another.
Best practices to avoid being a victim of phishing:
- Check the sender is someone you know. This is a very basic first step: the sender field can be faked, but it will weed out basic phishing attempts.
- If you follow any link sent to you, once it opens in the browser check that the domain name is correct. It's easy to create a link that looks legitimate but sends you to a different website made to look like the one you expect. For example, if you receive a link for this website, click in the address bar and make sure the domain reads "hereisweb3.com"; that's the important bit, not whatever comes before or after it. Bear in mind there are many top-level domains besides ".com" now; for instance sandbox.game is a legitimate site. If in doubt, double check: go to the site directly, or contact the project through its official website to confirm the email was genuinely theirs.
- You can install anti-phishing toolbars or extensions for your browser.
- Be wary of the content of messages. A genuine company will never ask you for your username and password directly in an email, and nobody legitimate will ever ask for your seed phrase.
- Bookmark known good links. If you get an email or message with a link in it, use your bookmark instead and navigate to the page from within the site. You can be far more certain that is legitimate.
- If a site prompts for a wallet interaction the moment it opens, stop and question everything before signing or confirming. A site you visit regularly and know to be safe will already be connected and should not need a fresh signature just to load.
- Triple check ALL transaction prompts from your wallet. If in doubt, reject. If it's something you really want to do you can always redo the transaction; that may cost more gas or a missed mint, but it's better than having your whole wallet drained. A way to limit the damage is to use hot and cold wallets (next subject...).
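The "check the domain" step above can be done programmatically before you ever click a link. The following is an added example written for this page, not code from hereisweb3.com; the trusted-domain list is a constructed stand-in for your own bookmarks, and the sample links are made up. It catches the three common tricks: a trusted name buried in a subdomain, digit/letter look-alikes, and punycode (internationalised) hostnames.

```javascript
// Added example, not from hereisweb3.com: a programmatic version of the
// "check the domain in the address bar" step, run on a link BEFORE clicking it.
// The allowlist below is an assumption for illustration: a constructed
// stand-in for your own bookmarks.

const TRUSTED_DOMAINS = new Set([
  "hereisweb3.com", // this site, as named on the page
  "sandbox.game",   // named on the page as a legitimate non-.com domain
]);

// Common character swaps used in look-alike domains. Explicit and small so it
// can be audited; extend it rather than switching to fuzzy matching.
const HOMOGLYPHS = { "0": "o", "1": "l", "rn": "m", "vv": "w" };

// Registrable domain = last two labels of the host, lowercased.
// Simplification: hosts under multi-label public suffixes (e.g. ".co.uk")
// would need a public-suffix list, which is out of scope here.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Classifies a link as trusted / suspicious / unknown / invalid, with a reason.
function classifyLink(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  const host = url.hostname.toLowerCase();

  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `scheme is ${url.protocol} not https:` };
  }
  // Browsers and Node convert internationalised hostnames to punycode ("xn--"),
  // which is exactly how a Cyrillic letter in a domain hides from the eye.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: "punycode label; may hide homoglyphs" };
  }
  const domain = registrableDomain(host);
  if (TRUSTED_DOMAINS.has(domain)) {
    return { verdict: "trusted", domain };
  }
  // Subdomain spoof: "hereisweb3.com.evil.net" contains the trusted name but
  // its registrable domain is "evil.net".
  for (const trusted of TRUSTED_DOMAINS) {
    if (host.includes(trusted)) {
      return { verdict: "suspicious", reason: `contains "${trusted}" but registrable domain is "${domain}"` };
    }
  }
  // Homoglyph spoof: undo the common swaps and see if a trusted name appears.
  let normalised = domain;
  for (const [fake, real] of Object.entries(HOMOGLYPHS)) {
    normalised = normalised.split(fake).join(real);
  }
  if (normalised !== domain && TRUSTED_DOMAINS.has(normalised)) {
    return { verdict: "suspicious", reason: `look-alike of "${normalised}"` };
  }
  return { verdict: "unknown", domain };
}

// Constructed sample links, the kind that arrive in a DM.
const SAMPLE_LINKS = [
  "https://hereisweb3.com/security",
  "https://hereisweb3.com.evil.net/claim",
  "https://hereisweb3.c0m/",
  "http://hereisweb3.com/",
  "https://xn--80ak6aa92e.com/",
  "not a link",
];
for (const link of SAMPLE_LINKS) {
  console.log(link, "->", classifyLink(link));
}
```

An "unknown" verdict is not a pass: it only means the domain is neither on your list nor an obvious imitation of something on it, so go to the project's official site and check the address there before trusting it.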
Hot / Cold Wallets
This is the idea of using one wallet to interact with the blockchain (the hot wallet) and a second wallet that only ever transacts with your hot wallet (the cold wallet).
It is then unlikely (but, as always, not impossible) that the cold wallet gets compromised, because the only thing it interacts with is the hot wallet. If the hot wallet is compromised you only lose what is in it, which should be nothing or only what you are waiting to move to the cold wallet. You then create a new hot wallet and abandon the compromised one. "Only interacts with the hot wallet" means receiving transfers from it and sending to it; the cold wallet is never connected to a website and never signs messages.
Let's use an NFT mint as an example. You transfer funds to your hot wallet, go to the mint site and mint your NFT, then immediately transfer any remaining funds and the NFT to your cold wallet for safe keeping.
There are some downsides. Each transfer costs gas, so this costs more money. Some projects require a lot of interaction and/or verification of the wallet holding the NFT; if you move it out you lose the verification and have to re-verify. A way around this is a separate wallet just for those projects. That can mean a lot of wallets, so name them and keep track of which is which. More work, but more secure.
If you couple this hot/cold approach with a hardware wallet you add yet more security. Read on...
Hardware Wallets
A hardware wallet is a physical device you connect to your computer to confirm transactions initiated through your software wallet.
When you create a wallet with an app or browser extension (MetaMask, for example) you are creating a software wallet. The private key is stored, encrypted, inside that software. You will rarely need to interact with or even view it, but it's there, and because it sits on a general-purpose computer it is exposed to malware and other compromise.
A hardware wallet stores the private key on the device itself. You create the wallet on the device and then add it to MetaMask, but the private key never leaves the device. To approve a transaction you connect the hardware wallet, unlock it with a PIN and verify the transaction on the device's own screen, which is the one to trust, not what the computer shows.
This adds an extra layer of security because the private key is never held in software on the computer.
It adds cost, since you have to buy the device. If you lose it you can restore the wallet from the seed phrase in the same way as a software wallet, but you will need to buy a new one. And all of this hinges on how safely you keep your seed phrase: it should only ever be entered into a replacement device, never into a computer or website.
It's worth noting that no assets are kept on the hardware wallet itself. Some devices show balances, but these are just the last known state of your holdings on the blockchain with updated prices. Your assets are still on the blockchain; the device only holds the key that controls them, and that key is harder to compromise.
Rug Pulls
A rug pull is when a project claims to be a legitimate NFT project, has art, a roadmap, all the bells and whistles, but once minting is over and they have enough funds to satisfy their greed they simply disappear with everyone's money. Usually all accounts are closed and the website is taken down too. You are left with a worthless NFT you paid good money for.
It will never be possible to be 100% certain a project isn't going to rug. But here are some tips to help spot one and keep your funds well away.
- Unknown or anonymous team - Do some background checks on every team member. Have the artists got other work you can see online? Look through all of their online presence. Limited or no other online presence is a big question mark.
- Age of accounts - Check how long the team members' accounts have been open on all socials. Newly made accounts suggest they were created as aliases that can be dumped down the line.
- Check for bots on Discord - A high member count but the same few people replying/chatting indicates a lot of bots may be present to make the community look bigger than it is.
- Delaying the mint - This can happen for legitimate reasons, but a professional team should for the most part stick to the time frames it set itself. Delaying a mint can indicate the team doesn't think it will make enough from the rug yet, so it tries to hype the project up before the mint date.
- Check for missing posts - If you see people being removed from the Discord, or lots of replies reading "this content no longer exists", comments have been removed by the team, basically purging anything negative or anyone suggesting the project may be a rug. Legitimate teams allow criticism.
- Short timelines - This creates a sense of urgency. A very short period between the start of the project and the mint can indicate a team that just wants to get in and out.
- Team avoiding questions - Question the team on their roadmap and see how they answer. Legitimate teams will be happy, even excited, to answer. Rug teams will be brief or just say they are "concentrating on the mint".
There are websites dedicated to helping spot rug pulls. A notable one is RugDoc. Search for a project and it gives you information to consider before investing. There is a wealth of other information on the site too.
Wallet/Blockchain Notifications
Register on 'scan' sites (see Scan Sites) and add your address to a watchlist, and you will receive an email any time a transaction involves any wallet you list. If you use one wallet on multiple chains you need to register it on each chain's scan site to get notifications for that network.
This can be an early warning that something is happening you are not aware of and need to act on. You may also get a pleasant notification of an airdrop you weren't expecting.
Contract Addresses
Just a quick note on contract addresses. When you add a token to your wallet, or interact with a contract either through a web interface or directly, always be certain you have the correct contract address. Go direct to the source if you have been sent a link: use the links channel of the official Discord server. Most project websites or Discord servers publish the contract addresses they use.
One interaction with a bad contract can result in your wallet being compromised and potentially losing its contents.
Spam tokens / NFT's
Unfortunately, you have to get used to junk in your wallets, both tokens and NFTs. One day you will see your first one and may get excited that you have a free NFT. DON'T! While some airdrops may well be legitimate, they always need checking out first. Interacting with a malicious token or NFT on the blockchain in any way can result in your wallet being compromised; this includes trying to send it to a burn address or burn wallet, because that transfer is still a call into the token's own contract code.
You may also receive tokens and NFTs airdropped to your wallet that impersonate a legitimate one. These often have similar or copied artwork and are airdropped around the same time as the official drop. You can check on marketplaces whether the collection has a blue verification tick (this should never be your only check; OpenSea has got this wrong in the past). The more reliable way is to find the contract address of the asset and compare it against the known good contract address for the project.
It's worth noting you can 'hide' these NFTs on marketplaces such as OpenSea. As long as no wallet prompt appears asking you to approve a transaction, you should be OK. If in doubt, live with it. The only safe way to 'rid' yourself of these tokens/NFTs is to transfer all the assets you know to be good to a clean wallet, at your own expense, and in time that wallet will get spammed too.
Wallet Permissions
When you connect your wallet to a website you approve the connection (and often sign a message) once. MetaMask then remembers the site, so you don't have to reconnect each time you visit; you just need to unlock your wallet. This is by design. The issue is that if the site is later compromised and you auto-connect to it, your wallet is exposed too. You can disconnect sites from MetaMask and should get into the habit of doing this regularly to purge any sites you no longer use.
A worse scenario is when you give a contract permission to access certain assets. This is required when staking, for instance. You can set the amount the contract has access to, or it will be set as unlimited, meaning that contract could in theory empty your wallet of that token/NFT. Disconnecting the site in MetaMask will not revoke these permissions: they live on the blockchain, not in your wallet. You will need to use a third party application/site to revoke them and pay the associated gas fee. One site is ....
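The three points above (triple-check every transaction prompt, make sure the contract address is the right one, and understand which permissions an approval grants) all come down to reading what the wallet is about to send. The following is an added example written for this page, not code from hereisweb3.com or from MetaMask: it decodes the raw `to` and `data` fields a wallet shows in its hex/data tab, flags unlimited ERC-20 allowances and blanket NFT operator approvals, and builds the revoke transaction (an allowance of zero) that a revocation site submits on your behalf. The known-good contract list, the spender address and the sample transactions are constructed for illustration.

```javascript
// Added example, not from hereisweb3.com: decode what a wallet prompt is really
// asking you to sign. Works on the raw {to, data} fields a wallet shows under
// its hex/data tab and needs no library, only BigInt. The known-good list,
// sample addresses and sample transactions are constructed for this example.

// Function selectors are the first 4 bytes of keccak256(signature). These are
// the standard ERC-20/ERC-721 ones, fixed by the signature, not per contract.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 and ERC-721
  "39509351": "increaseAllowance(address,uint256)", // ERC-20 (OpenZeppelin)
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721/1155 operator
  "a9059cbb": "transfer(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
};
const UINT256_MAX = (1n << 256n) - 1n;

// Constructed allowlist of contract addresses you have verified from the
// project's official site/Discord. Lowercased: EIP-55 mixed case is optional.
const KNOWN_GOOD_CONTRACTS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Splits calldata into the 4-byte selector and 32-byte argument words.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: hex.slice(0, 8), words };
}
const asAddress = (word) => "0x" + word.slice(24); // address = low 20 bytes
const asUint = (word) => BigInt("0x" + word);

// Returns warnings for a {to, data} transaction. An empty list means nothing
// stood out, which is not the same as "safe".
function reviewTransaction(tx) {
  const warnings = [];
  const to = tx.to.toLowerCase();
  if (!KNOWN_GOOD_CONTRACTS.has(to)) {
    warnings.push(`contract ${to} is not on your known-good list`);
  }
  const { selector, words } = decodeCalldata(tx.data);
  const fn = SELECTORS[selector];
  if (!fn) {
    warnings.push(`unrecognised selector 0x${selector}; read the contract before signing`);
    return warnings;
  }
  switch (fn) {
    case "approve(address,uint256)":
    case "increaseAllowance(address,uint256)": {
      const spender = asAddress(words[0]);
      const amount = asUint(words[1]);
      if (amount === UINT256_MAX) warnings.push(`UNLIMITED allowance granted to ${spender}`);
      else if (amount > 0n) warnings.push(`allowance of ${amount} granted to ${spender}`);
      break;
    }
    case "setApprovalForAll(address,bool)":
      if (asUint(words[1]) === 1n) {
        warnings.push(`operator ${asAddress(words[0])} gains control of EVERY token in the collection`);
      }
      break;
    default: {
      // transfer(to, ...) vs transferFrom(from, to, ...): recipient position differs.
      const recipient = asAddress(fn.startsWith("transfer(") ? words[0] : words[1]);
      warnings.push(`${fn} moves assets out of your wallet; confirm recipient ${recipient}`);
    }
  }
  return warnings;
}

// Builds the revoke transaction mentioned above: approve(spender, 0) for an
// ERC-20 allowance, setApprovalForAll(operator, false) for an NFT operator.
// It is sent to the token contract itself and costs gas like any transaction.
function buildRevoke(tokenContract, spender, kind) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const zeroWord = "0".repeat(64);
  const selector = kind === "erc20" ? "0x095ea7b3" : "0xa22cb465";
  return { to: tokenContract, data: selector + addrWord + zeroWord };
}

// Constructed sample: an unlimited ERC-20 approval to a made-up spender.
const SAMPLE_SPENDER = "0x00000000000000000000000000000000deadbeef";
const sampleTx = {
  to: "0x1111111111111111111111111111111111111111",
  data: "0x095ea7b3" + SAMPLE_SPENDER.slice(2).padStart(64, "0") + "f".repeat(64),
};
console.log(reviewTransaction(sampleTx));
console.log(reviewTransaction(buildRevoke(sampleTx.to, SAMPLE_SPENDER, "erc20")));
```

The useful habit this builds is recognising the two dangerous shapes by eye: an `approve` whose amount word is all `f`s is an unlimited allowance, and a `setApprovalForAll` whose last word ends in `1` hands an operator every token in the collection. Either should only ever go to a contract you have verified against the project's published address, and both stay in force until you send the zero-value revoke to the token contract.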