NFT Self Defense: Staying Safe in Web3
John Ennis, Ecosystem Lead of Gnosis Safe, a multi-signature (multisig) wallet solution.
Rugs. Rugs everywhere
From BAYC to Cryptopunks and Meebits, NFT collections are gaining mainstream attention from brands, celebrities and everyday individuals, but not all of this attention has been positive. NFT hacks, phishing scams, and YOLO-signed rug pulls are plaguing the metaverse. The recent OpenSea phishing hack resulted in the theft of more than 250 NFTs worth USD 1.7m.
These NFT hacks are upsetting to see, but not entirely unpredictable given the security practices of many NFT collectors. Today, the NFT marketplace is not well equipped to deal with security threats, or as punk6529 explains: “... we have cars before seat belts”. There is much work to be done to improve security for NFT holders everywhere.
That said, people can still take preventative measures to mitigate security compromises. In response to punk6529: there are ‘seatbelts’ that can protect prized NFTs, but people have to take these matters into their own self-custodial hands.
Spotting a Rug
The first step of prevention for users is to keep their eyes peeled for potential signs of scams. Even the best can be fooled. Here’s how to recognize some common, dubious tactics:
- Malicious NFTs - Hackers sometimes airdrop NFTs to user accounts as a trojan horse. Interacting with one of these malicious airdrops prompts the user to sign a message that grants the attacker access to the account, which is then drained.
- The FOMO-inducing shady URL - A cool new project appears with a countdown timer on the purchase page, inducing serious FOMO. The second the user signs the transaction to make that purchase, the hackers have access to their wallet. Unknown to the user, the purchase page was linked to a scam URL.
- The classic email phishing scam - This is the oldest trick on the internet. Users get a legit-looking email, seemingly from a platform or exchange they use frequently, with a malicious link embedded that lures them into making a transaction. It may even install malware that scans the laptop for stored seed phrases. (Reminder: don’t store seed phrases on your laptop!)
- A centralized exchange or project gets ‘targeted’ - An NFT exchange or project that users engage with gets attacked, or even worse, pretends to be hacked. In this scenario, user-owned tokens/JPEGs that have previously interacted with the project’s platform are vulnerable to a rug.
Vaulting up your grail NFTs with that extra bit of safety
Before vaulting up your NFTs, a good clean-up practice is to “revoke” token approvals and permissions from any sketchy platforms you may have accidentally used. A blanket approval (setApprovalForAll) lets the approved operator move every token you hold in that collection, so any operator you no longer recognise or use should be revoked. You can do this through Etherscan’s token approval tool, following OpenSea’s accompanying tutorial.
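As an added example (not from the original article or from Gnosis Safe), here is how the same approval clean-up can be checked programmatically: it replays ERC-721 ApprovalForAll event logs for an owner address to list the operators that still hold blanket approval, and builds the calldata for the `setApprovalForAll(operator, false)` revoke call. The logs are assumed to be in the JSON-RPC eth_getLogs shape; the addresses and log entries are constructed for the example, not real chain data.

```python
"""Find ERC-721 blanket approvals (setApprovalForAll) still active for an owner
by replaying ApprovalForAll event logs, and encode the revoke call."""

# keccak256("ApprovalForAll(address,address,bool)"): topic0 of the event.
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# 4-byte function selector of setApprovalForAll(address,bool).
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"


def _topic_to_address(topic: str) -> str:
    # Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()


def active_operator_approvals(logs, owner):
    """Replay logs in chain order; the last ApprovalForAll seen per
    (contract, operator) pair decides whether the operator is still approved."""
    owner = owner.lower()
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # not an ApprovalForAll event
        if _topic_to_address(log["topics"][1]) != owner:
            continue  # approval granted by someone else
        operator = _topic_to_address(log["topics"][2])
        approved = int(log["data"], 16) != 0  # bool is ABI-encoded in data
        state[(log["address"].lower(), operator)] = approved
    return sorted(pair for pair, approved in state.items() if approved)


def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false) for the NFT contract."""
    addr = operator.lower()[2:] if operator.lower().startswith("0x") else operator.lower()
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed sample data (not real addresses or logs): approve marketplace A,
# approve an unknown operator B, then revoke A again.
OWNER, MARKET_A, UNKNOWN_B, NFT = ("0x" + b * 20 for b in ("11", "aa", "bb", "cc"))


def _log(block, idx, operator, approved):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": NFT, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(operator)],
            "data": "0x" + ("1" if approved else "0").rjust(64, "0")}


SAMPLE_LOGS = [_log(100, 3, MARKET_A, True), _log(120, 7, UNKNOWN_B, True),
               _log(130, 1, MARKET_A, False)]

if __name__ == "__main__":
    for contract, operator in active_operator_approvals(SAMPLE_LOGS, OWNER):
        print(f"{contract} still approves {operator}: revoke with {revoke_calldata(operator)}")
```

Only the unknown operator B is reported, since the later log revoked marketplace A; the printed calldata is what a wallet would send to the NFT contract to revoke B.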
Choosing an NFT Vault: Wallets for courses
Abstracting your precious assets away from your daily activities makes sense. You don’t go shopping with your entire bank account savings sitting in your pocket. In the same way, you shouldn’t go buying digital art with your entire art collection.
It is fine for NFT users to use a hot wallet like MetaMask or Rainbow for quick NFT flips and for interacting with contracts, but there should be a different level of safety for your high-value NFTs, i.e. your grail assets. That way, in the event of a rug, the only collections that could be vulnerable are the small ones sitting in your hot wallet.
Hardware wallets are a definite step up, but they still have the problem of one private key being a single point of failure. If that single private key (seed phrase) is compromised or lost, your assets are gone.
To really protect yourself, you should consider moving to a multisig. With hardware wallets, you’re only as safe as your single seed phrase.
Multisig wallets to the rescue
The biggest difference between hot or cold wallets and multi-signature (multisig) wallets is the number of private keys. With a multisig, multiple keys are needed to approve a transaction, so even if one key is compromised, a user’s digital assets will still be safe (provided the signing threshold is greater than one).
The beauty of open source and permissionless multisigs is that individuals can have the same level of security as core Web3 projects and companies.
Ape into security
In a recent tweet, the previously mentioned NFT collector punk6529 advocated securing NFTs with a multisig. Today, the Gnosis Safe and Argent multisig wallets that have been created store and secure, combined, over 450 Bored Apes and 1,240 Cryptopunks.
To go back to the ‘cars without seatbelts’ analogy, multisigs are seatbelts you need for self-defense. We just need every single car dealership to add support for them and every user to use them.