Master It Monday: How to Optimize Your Security In DeFi
Wallet safety, best practices, and making sure all your bases are covered when it comes to your crypto holdings
DeFi Slate Fam:
Security is the most important aspect for all crypto users. Gains come after your security.
This sh*t honestly makes me paranoid.
You can never be secure enough in your practices and holdings of crypto, always try your best to keep moving up the ladder of security.
In today's piece we go over the best ways to create a secure, unfuckwithable system for your tokens.
NOT YOUR KEYS NOT YOUR COINS.
Happy Monday fam gg.
Guest Post by DeFi Slate DAO Contributor CryptoCato
First things first.
No one's coming to save you. You cannot call Bitcoin. You cannot email Ethereum support. Blockchains are immutable and decentralized.
So, if you send your money to the wrong address, or mess something else up, your money is gone.
Just bear that in mind.
Anyways, let’s start with the basics.
You should have some antivirus or antimalware software on your computer, and probably a VPN as well. Check out ExpressVPN or NordVPN. Leave it on all the time.
Now, probably the most important thing to note is to never give your seed phrase away, under any circumstances. To anyone. Ever. Period. If your grandma asks for it, she’s probably trying to steal your money.
Peep the photo for an example of a discord scam. That link there is trying to get your private key. Rule of thumb is that any unsolicited messages on telegram/discord are scammers, group admins will never ever DM you first. It’s fine to give your public address away (if registering for an airdrop for instance), but in case I’ve not made myself clear - DO NOT GIVE YOUR SEED PHRASE AWAY. If you ever need to enter it, make sure you are 100% confident that you absolutely need to (only the case to recover an account) and that you are not on any malicious website/platform.
Next, hardware wallets. If you have more than 4 figures in crypto, buy one.
Ledger or Trezor are the most popular ones.
Hardware wallets store your private keys on a physical device with specialized firmware that prevents your private keys from being accessed. Your private keys never exist on your computer.
Ledger had a breach last year in which a bunch of customer data was leaked: emails, physical addresses, passwords etc. So here is how you protect yourself properly…
Either buy one in person at a store with cash. Or, get a proton mail account (free) and order the wallet to a PO box or work address with fake information. The idea here is just that if your info gets leaked again, nothing can be traced back to you.
Each hardware wallet comes with a seed phrase which acts as a proxy for your private keys. Store this securely. Again, if you lose your Ledger/password and don’t have your backup seed phrase, your money is gone forever. It’s up to you how you want to store this, just don’t be a dumbass.
One idea is to write it down in UV ink in two books and store them in 2 different locations. You don’t need to take it that far, it’s just an example of how you can do it. Other options include fire-resistant metal plates, so if your house burns down you don’t lose your seed phrase. Hopefully it goes without saying that you should not store this digitally – especially not on something like Google Docs. Every so often you see someone get hacked and their MetaMask drained because they’ve been stupid enough to store all their passwords and seed phrases on a labeled Google Doc. Don’t even store it in an offline app on your computer.
Next, if you have more than 5/6 figures in crypto you should probably get a second computer which all your crypto-related activity goes through. A Chromebook ($200 or so) will suffice for this. Don’t use Windows because its security sucks. On this second computer don’t download anything, don’t visit any sus websites (like The Pirate Bay or BitTorrent). In fact, it's best if you literally only visit bookmarked (I’ll come back to this later) websites that you need for crypto-related activity. Don’t even use your emails.
Now, 2FA. You’ve probably used this, it’s pretty common nowadays and mandatory for most CEXs. Ideally, you buy a second cheap device (a cheap smartphone, not second hand) and only use it for 2FA. With this device, download the app, remove everything else from the device and turn flight mode on. This is probably only necessary if you leave large amounts of funds on CEXs, so basically if you’re a trader. If you’re not trading, move your funds off the CEX into cold storage. Again, remember to store your backup 2FA code securely. Offline. It's also important to note that 2FA can be bypassed via something called SIM swapping. It is merely an added layer of security. Good practice with any of this stuff is always to pretend that you’ve lost your password/phone/Ledger and go through the process of getting back into your account.
Also, don’t use crappy exchanges – stick to Coinbase, Binance, FTX, ByBit and Deribit for options. I may be missing a few which are good, but those five should basically have all the pairs you want to trade. There’s a phrase “not your keys, not your bitcoin”. CEXs are custodial, which means they own your bitcoin. You are trusting them. This is the antithesis of the crypto spirit. I understand that they're much cheaper, you need them for fiat on-ramps and to trade derivatives etc, but try and stay off them as much as possible. In any case, if you do use them: use the tips I’ve mentioned about emails, passwords and 2FA. Some additional security measures include setting withdrawal limits, a minimum wait time on settings changes and whitelisting withdrawal addresses.
A quick note on passwords and emails. Firstly, as I alluded to earlier – don’t be a dumbass and store all your passwords on your laptop. Especially not in an online account (Dropbox, Google Docs etc), but not even in an offline note app or anything. If you get hacked it's game over. Also, your passwords should be strong - use Passwordsgenerator.net and make one >15 characters long. You should also use a separate Protonmail account (free) for your sensitive accounts. I’d also recommend checking Haveibeenpwned.com to see if any of your previous accounts and passwords have been leaked before.
Bunch of rules of thumb here:
- Use your second laptop.
- Keep it locked when not in use.
- Connect it to your hardware wallet: run a “cold” wallet and a “hot” wallet. A hot wallet is one that you execute your swaps and stuff on, and then you send it all over to your cold wallet. Remember that when you connect your hardware wallet to MetaMask you will need to confirm each tx from the hardware wallet itself (super annoying if travelling). It's pretty easy to set up: just click “connect hardware wallet” at the bottom. If it doesn’t work you probably need to “allow contract data” on your ETH wallet on the Ledger. Sidenote: don’t worry if some tokens don’t show up in Ledger Live - check Etherscan if you’re unsure.
- You should bookmark all the protocols and websites you regularly interact with, just to prevent going to the wrong, malicious website. Scammers are getting more creative and sophisticated. For instance, I received a (scam) message the other day which said someone had logged into my Binance account from a new IP and linked me to a fake Binance website to log into my account from. I have no idea how they got my phone number. Just a reminder to always have your guard up.
- Also keep in mind that every website you visit can see your browser extensions – so they know you have MetaMask installed. I’ve never experienced or seen this, but I have heard that some websites will create popups over where your MetaMask is and try to get you to log in or enter your seed phrase.
Now, some of you ballers may have 7+ figs in crypto, or have crypto on your company’s balance sheet. If this is you – you may want to look into multi-sig solutions. Multi-sig is short for multi-signature. It just means that more than one signature is required for any transaction to be sent. A couple of options for you on this front are Gnosis Safe (I think a lot of DeFi protocol team/treasury wallets use this) for your ERC-20 tokens and Casa Keys for your bitcoin. Casa have numerous packages on offer ranging from $120 to $5k per year.
Finally, I’d like to circle back to what I said at the start.
Nobody is coming to save you.
This means you can’t just read this article, implement some of the stuff and be fine. I may have missed something. You need to go and DYOR and make sure you feel comfortable that your shit is on lock. I’d recommend reading a few accounts of people who have lost 6/7 figs to hacks and exploits – not only to learn from their mistakes but also because it gives you a kick up the ass.
DYOR! Find ppl who have been hacked and learn from their mistakes.
⚠️ DISCLAIMER: Investing into cryptocurrency and DeFi platforms comes with inherent risk including technical risk, human error, platform failure and more. At certain points throughout this post, we might get commission for promoting certain projects, if this is the case we will always make sure it is clear. We are strictly an educational content platform, nothing we offer is financial advice. We are not professionals or licensed advisors.