Original source: @BenWAGMI, Co-Founder of GoPlus Security
BlockBeats Note: On November 12, FTX reported in its Telegram community that its wallets had changed, and later said it had been hacked. The theft of FTX's assets has raised concerns in the crypto community about asset security, and users need to rethink how to manage their assets and use crypto wallets more safely. To that end, BlockBeats asked GoPlus Security co-founder @BenWAGMI to put together an explainer thread on Web3 wallets on Twitter. The content follows:
Since the FTX blowup, news about the reserves of the major trading platforms has been spreading wildly, the wave of withdrawals has intensified, and several small exchanges have collapsed in its wake. This must be the largest withdrawal movement in the history of the crypto space. I had never withdrawn my funds from BitMEX (the safest trading platform in my mind), but recently I moved even those to a cold wallet. In a nuclear winter like this, you can only hide in the basement and avoid touching any risk.
Many newcomers to crypto have never used a wallet and don't know how wallets work. This post explains in detail, from both usage and underlying principles, how to use a wallet to store assets safely. As long as you read it and strictly follow the security practices, your assets will be in a relatively secure state.
Public-key cryptography is the cornerstone of crypto. A public key and a private key are, in essence, a pair of natural numbers. The private key is generated randomly and secretly by you and is never revealed to anyone. The public key is computed from the private key by a specific cryptographic algorithm and can be shown to others; the private key cannot be recovered from the public key. In cryptocurrencies, the public key is then put through a further computation to become the address used for transfers.
How do the public and private keys keep a cryptocurrency running? Through digital signatures. Take a message (for example, "I want to transfer 1000 coins to someone"). Signing this message with your private key produces a signature, which is broadcast to the blockchain; anyone can use your public key to verify that the message was indeed signed by your private key, that is, that you published it. Therefore, whoever holds the private key holds the wallet.
Because a private key is a very long string of digits, it is essentially unreadable and unmemorable for humans. The Bitcoin community proposed several BIPs that replace the private key with a set of human-readable words. In essence, these words are ultimately converted into a natural-number private key, but they are much friendlier to the human eye. The mnemonic has further functions that are not covered here.
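To make "the words are really a number" concrete, here is an added example (not from the original thread) of the BIP39 scheme the Bitcoin community standardised: entropy plus a checksum is cut into 11-bit word indices, the checksum lets a wallet catch a mistyped word, and the words are stretched into the seed that the wallet derives its keys from. The 2048-word list is not embedded, so words are handled as list indices; the known facts assumed here are that "abandon" is index 0 and "about" is index 3.

```python
import hashlib
import unicodedata

def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 step 1: append a checksum (first ENT/32 bits of SHA-256) to the
    entropy, then cut the bit string into 11-bit word-list indices.
    16 bytes of entropy -> 12 words, 32 bytes -> 24 words."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = len(entropy) * 8 + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_valid(indices: list) -> bool:
    """Recompute the checksum from the words: catches most typos when a
    hand-written backup is typed back in (a corrupted backup is as bad as none)."""
    n = len(indices)
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    cs_bits = n // 3                                 # 12 words -> 4, 24 words -> 8
    try:
        entropy = (bits >> cs_bits).to_bytes((n * 11 - cs_bits) // 8, "big")
        return entropy_to_indices(entropy) == indices
    except (ValueError, OverflowError):              # wrong word count or bad index
        return False

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step 2: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase,
    both NFKD-normalised. The 64-byte seed is what the wallet derives the actual
    private keys from; the words are only a human-friendly encoding of it."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)
```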
The first thing to understand is that your coins are not inside the shell of your wallet software or app, but at the address corresponding to your private key on the blockchain network you use. Your money is on the blockchain; you can import the private key into another device or another wallet app and use the same account.
Next, distinguish two concepts: cold and hot wallets. A cold wallet is one whose private key has never been connected to the Internet since it was generated. Because signing is a mathematical operation, the message to be signed can be passed to the cold wallet by non-network means (such as a QR code or Bluetooth), sent back after signing, and then published on the Internet. The other kind is the hot wallet, such as a mobile app wallet or MetaMask, where the private key is stored on a networked device after it is generated.
Let's look at the problems that come up when using these two kinds of wallet.
No backup after the wallet is generated. Many novice users simply ignore the wallet after generating it and never back it up. Once your phone or computer has a problem or is lost, the money can never be recovered, which is completely different from a trading platform. So be sure to back up your private key or mnemonic. Most wallets today provide a mnemonic by default, and many also expose the private key, but that is not necessary: just back up the mnemonic (it is easy to read, write and remember).
Back up the mnemonic safely. The safest way to store it is on a medium that is not connected to the Internet and is not easily lost or damaged, such as copying it onto paper, or using a phone that you do not use and never connect to the network to take a picture, and so on. There are all sorts of methods, even special metal plates that resist corrosion, fire and flooding. I myself use BitpieWallet's Frozen Armor to store my mnemonic, and I also keep a backup in my head.
This kind of mental laziness also brings risks. For example, some people choose strong encryption and put the fragments on a cloud drive. That looks like it is connected to the Internet, but it is actually safer than the way many people handle paper; after all, some pieces of paper end up nobody knows where. Among the existing solutions others have provided, use whichever you consider best. If you don't yet know how to evaluate them, write it on paper and put it in an iron box. Remember that this is a question you will always need to keep thinking about as circumstances change.
Be sure to download the wallet from the official website. Random searches on Baidu mostly return fake wallets, and even searching in an app store can turn up counterfeit or malicious wallets. The Apple App Store is the most strictly reviewed store and even it cannot eliminate them, let alone the others.
Whether it is a desktop extension, an Android APK or an iOS app, the official website either offers the download directly or redirects you to the store to download it.
There are a great many hot wallets to choose from. As long as one has a certain reputation and is open source, it can be used. In terms of security there is generally not much difference; you only need to consider whether you like it.
The hot wallets I commonly use: MetaMask, rainbow.me, Go Pocket.
Many friends like to import by copy-and-paste when trying out different hot wallets, but the clipboard is itself a very serious channel for leaking private keys and mnemonics, and doing this is basically a fatal move. This is why I am firmly opposed to wallets exposing private keys (a private key, unlike a mnemonic, cannot practically be transcribed by hand, so users basically can only copy and paste it).
The correct way is to take out your mnemonic paper (or recall it from memory) and type it in accordingly (for the input method, use the system keyboard as far as possible).
Below is a report on clipboard monitoring for each platform; anyone can achieve this with a few lines of code. Don't copy and paste just because you're lazy.
Users of desktop extension wallets can install security extensions to further improve transaction safety (on mobile this is currently hard to achieve because of the technical architecture, and can only be provided by the wallet itself).
A security extension does not make fund storage itself more secure; it provides protection for interactions with DeFi and Web3, such as blocking phishing websites, malicious contracts and malicious tokens. The security extension has no permission to access your other information; it only checks your transaction before it is sent and warns you if there is a problem.
I use FoxEye.
Cold wallets never let the private key touch the network; the signature is transmitted to the networked terminal by non-Internet means, so they are safer to use than hot wallets. But that does not mean they are absolutely safe, and there are some pitfalls to point out. There are also many cold wallets; I personally use iSafePal and Ledger.
Back up the mnemonic. You have to think about what to do if your cold wallet breaks; both hot and cold wallets need backups. Also beware of supply chain attacks: buy from the order link given on the official website. Don't search directly on Taobao or JD.com, where you cannot know whether the wallet you bought is genuine or whether someone has flashed tampered firmware into it. It is best to flash the latest firmware from the official website after buying.
Another kind of supply chain attack is tampering with key hardware components (such as the chip that manages the random number generator). Since users have no way to screen out such attacks, all one can do is point out that there is no absolute security.
The screen is very important: don't buy a cold wallet without a screen. The final signature of the cold wallet should be based on the information shown on the wallet hardware's screen, because what the networked terminal displays may have been tampered with.
On chains with smart contracts such as Ethereum, many signatures are not simple transfers. Human-readable parsing of the transaction information by the cold wallet's app (and ideally on the hardware screen itself) is very important; otherwise everything becomes blind signing, and gritting your teeth and signing anyway is very dangerous.
Check the firmware: when updating, check the hash of the firmware file against the one published by the vendor.
Set a strong password. Some cold wallets require a password for each transaction, others once per session. Some people find a long password troublesome to type and set something like 123abc, but you need to consider what happens if you lose the device and someone gets in with a couple of taps. If you are really lazy and need a cold wallet for high-frequency trading, a product with biometric authentication is recommended.
Dark wallet (hidden wallet) function: some cold wallets have a hidden wallet feature. On the surface there is one wallet, but entering a special secondary password behind the scenes opens a new wallet; different passwords even open different wallets, so there is no such thing as a wrong password because every password is correct, it is just that all the wallets except the one you set up are empty, which makes it hard for others to tell them apart. Friends who follow the "cunning rabbit has three burrows" approach can use this to further improve safety.
There is also a special type of smart-contract-based wallet that is semi-custodial: part of the rights to manage and store your assets is guaranteed by someone else, which removes the need for you to record a mnemonic (keyless). Two examples: one is an MPC or SSS wallet that splits your private key into two pieces, one encrypted and placed on your Google Drive, the other placed on your own server; the second is the social recovery wallet, where you designate several guardians, and if your local EOA private key is lost you can ask the guardians to designate a new EOA on the smart contract. I commonly use wallets of this type: ZenGo, argentHQ.
This sounds cool: you don't need to record a mnemonic, it is friendly to novices, and it fits the keyless vision for blockchain mass adoption. But new problems follow one after another: what if the hosting service provider runs away? What if your guardian partners trick you?
If you want to try this kind of wallet, go ahead, but as with the hot and cold wallets above, you must understand the principles behind it and the various tradeoffs before you can use it with confidence, otherwise you will fall into a pit. At this stage I generally do not recommend that novices use such wallets directly; I think they are still immature, though they may become the first choice in the future.
Okay, that's enough for now. This basic knowledge of wallet asset storage is enough to arm a novice user, though in fact there are still many problems and details that cannot be expanded on here for lack of space. I believe everyone's first feeling after reading is: "The blockchain is too scary, I don't want to use it anymore."
Yes, keeping your funds on a crypto trading platform is the easiest and least troublesome option, but recently it has also proven very unsafe, so we have to find the optimal solution. When it comes to money, I think it is worth spending a little more effort. I have a small amount of funds that I forgot to take out of FTX and cannot withdraw now; fortunately the amount is small. Some friends put millions of dollars straight into FTX, and who can they turn to?