Ziyu: Today's topic officially begins. I am Ziyu, and I am also an old investor. Today we invited Wang Yishi, a core contributor of OneKey, and Chaoyue, the owner of the Benmo Community. You should all be very familiar with these two friends. To be honest, today's theme is a bit heartbreaking: Not Your Keys, Not Your Coins. The main thing I want to talk about with you is how many times CeFi has to blow up before holders are willing to use their own wallets. This is also a very painful lesson from this round of market turmoil.
In fact, regarding hardware wallets and the use of wallets in general, wallet platform entrepreneurs have spent years educating users, but it has been far less profound than the education the market itself delivers. Everyone suddenly realized how important security is to us, which is why hardware wallets have recently been selling out. Today, we would like to ask the two guests to briefly share the CeFi blow-ups over the years and the pitfalls you have stepped on.
Super Jun: Hello everyone, I am Super Jun. The biggest crash I have encountered since I entered the industry was Mt.Gox. At that time, Mt.Gox taught everyone a lesson. Everyone realized that decentralization is the right way, and that storing coins on exchanges is a very risky thing. This incident triggered the coin withdrawal movement that year, and Sihai is now the main advocate of the coin withdrawal movement. But once a year or two has passed, the pain is gradually forgotten by everyone, and the market begins to think that exchanges are safe again. Until this time, when FTX instantly reawakened people's awareness of asset security.
Unfortunately, I have been on Twitter for quite a long time. I was active on Weibo before. I think the users on Twitter are still relatively young and have not experienced a CeFi crash. They don't know the dangers. So every time I see some KOLs on Twitter, they advise users to put their coins on the top exchanges, and then it is hard to avoid an incident like FTX. But how far are we from cold wallets, and how difficult is it? In fact, it is very simple. My mother only graduated from elementary school, and she can do it. She doesn't know what the words mean, but she knows to copy them down. It's that simple. Why do coin holders find it difficult?
It is strange that some KOLs always say that hardware wallets are difficult and suggest that novices should not touch or use them. They probably do not understand the significance of hardware wallets and have not used them themselves, so they think that no one needs to use them. Many people even regard Little Fox (MetaMask) as a great security guarantee, which is a big misunderstanding and a big security risk.
In fact, it is not only big CeFi like Mt.Gox, but also many small CeFis. Some of them had their bosses arrested, some had their websites shut down for various reasons, and some people had their life savings in them. It is very painful for me to see this, but some people do not care, since after all it is others who suffer the great pain of seeing their wealth reduced to zero. Therefore, the only person who really cares about the safety of your property is you; don't easily believe advice that asks you to hand over your private key to CeFi.
Wang Yishi: Super Jun is indeed very OG. FTX is not the first crash, it is one of countless. Super Jun just said it: telling everyone to put their coins in their own wallets is useless, even if he says it 100 times, until one day they get cut. This lesson is not an awakening, but repentance.
People seem to have a natural resistance to the threshold of cold wallets, thinking that they can't get the hang of them, and then they choose to hand over their coins to a platform they think is reliable for safekeeping. Even after so many exchanges have collapsed, there are still users who think: this one has collapsed, can I just switch to another one? When we keep our assets, we must have this psychological preparation. If you choose to hand your assets to others for safekeeping, then you must be prepared for the worst result, that is, they may be gone for various reasons, such as regulation, hacking, or self-theft, or they may be insolvent.
You have to be prepared. Can you accept this result? If you can't, you shouldn't do it. No matter how reliable and trustworthy they look, when they fall, all your assumptions about them are invalid. A week ago, before FTX got into trouble, how many people thought that FTX was second only to Binance? Many people, including me, thought so, because it really grew too fast, but who could have guessed what happened today?
Therefore, you really need to make a little effort in handling your own assets. This effort is like taking a step forward, and you will be able to put yourself in a relatively safe area.
There is no difference between most hardware wallets and the wallets you already use. You just need to copy down these 12 words. It is nothing more than copying them from the app for a hot wallet, or from the device for a hardware wallet. They are all copied down; there is no difference. So some KOLs have never used one and don't understand it, and then they tell everyone that it is very dangerous, that you should not use it and should put your coins on the exchange instead. This behavior is really misleading.
There is also a saying that mnemonics are easy to lose, so you should put them in Evernote. You are afraid that the Evernote server will scan them, so you encrypt and compress them. But this kind of encryption is useless and can be easily cracked. Don't do this. There is still a long way to go to popularize security.
We need to be clear that hardware wallets are the only way for you. No matter how much or how little in assets you have, you cannot use their current value to measure how you should keep them. For example, you think these coins are only worth 100,000 yuan now, so you can just put them in Little Fox. But if the computer with your Little Fox is hacked, or the hard drive is stolen, or a Trojan copies your mnemonic phrase, you will completely lose the 100-fold opportunity.
You can compare hardware wallets, because there really are many on the market, and choose according to your own preferences. A hardware wallet can be bought for only a few hundred yuan, which is just the price of a hot pot meal.
Super Jun: It’s actually just a DeFi transaction fee.
Wang Yishi: The use of hardware wallets is a one-way door. Once you step through this door, there is no way you can accept a world without hardware wallets.
DeFi big players can easily mine millions or even tens of millions of U, but they dare not operate through Little Fox. What if something goes wrong?
Risk control: the core of risk control is to avoid risks that you cannot afford, so a hardware wallet is a good solution. It is physically isolated and is the most thorough.
Ziyu: Wang Yishi just said that there are many hardware wallets on the market, and everyone can choose according to their own preferences. But one issue that users are very concerned about is that many of us are blank in this area. We don't know how to screen for safe wallets. First of all, if they want to trust a wallet, they need to overcome certain psychological barriers. So how to screen for safe wallets and how to use wallets safely are questions that many people want answered.
Super Jun: Yishi has written a great article; you can just read his article. (See the link at the end of the article.)
Wang Yishi: Let me briefly tell you how to choose a wallet. Generally speaking, wallets are divided into two categories, software and hardware. I think every user who comes into Web3 is basically a user of Little Fox. Little Fox is indeed the ceiling of software wallets. It now has about 30 million monthly active users worldwide, 30 million users. There are many hardware wallets, such as Ledger, Trezor, and OneKey. When you choose a wallet, I think the first thing to look at is whether the wallet is open source. Why? Because the cost of doing evil with an open source wallet is much greater than with a non-open source wallet. If the several wallets A, B and C in front of you look similar and have similar functions, you may not be able to tell good from bad. At this time, you just need to see which one is more open source.
Open source is a very important indicator. If the wallet has something to hide, it will not dare to open source. If it is not open source, it can be upgraded at will and some private goods can be slipped in. I don't know if you remember the Slope wallet that had an accident before. At that time, a very good investor friend of ours asked us how the Slope wallet was made. I tried it then and thought the UI interaction was not bad. But who knew that within two months it was exposed that it directly transmitted the user's private key to its server. Can you imagine this?
Therefore, if a wallet is not open source, it actually gives many companies or teams the opportunity to do evil, and we cannot see them doing it, which is very scary.
So which wallets are open source, and thoroughly so? Software wallets: Trust Wallet and MetaMask. Hardware wallets: OneKey and Trezor. For example, although Ledger is one of the most mainstream hardware wallets in the world, its hardware part is indeed not open source. I am not lying to you. You can go and see its code repository yourself. It is indeed not open source. Of course, Ledger has its own reasons for not being open source, and I will not comment on them.
So back to what I just said about how to choose a wallet: the first thing to see is whether it is open source, and the second is a matter of personal preference. Generally speaking, it must support the currency you want to use, so the number of public chains it supports is also a very necessary factor.
In addition, there are aspects of user experience, including support for multiple platforms. Some wallets are only browser plug-ins, some are only on mobile phones, and some are only hardware. OneKey has the whole family of products, so if you like convenience, you can choose OneKey. As an in-depth user, I find it very good to use.
Super Jun: Let me interject here. Some people may like to use an old Apple phone, download wallet software, and then disconnect from the Internet to generate mnemonics and store them. Generally speaking, this is also a good way. The only thing to note is that you must download wallet software made by a good team and without loopholes. This is a prerequisite. It does not mean that mnemonics generated while disconnected from the Internet are completely risk-free. In fact, if the wallet does something malicious, it can record your mnemonics in advance and then calculate the order of your mnemonics. This is a risk point.
Daxiong wrote an article, which I personally think is quite well written. That is to say, we hope to go one step further: not only to convince you to buy a hardware wallet, but also to give everyone a concept that lets them truly and safely protect their assets, so that even CeFi crashes or other events can be avoided.
I have also taught courses before, teaching people how to use hardware wallets. I feel that it is really difficult to convince someone, and many times it depends on one's own sudden realization. Evangelists may be more idealistic, because in the past, cold wallets meant Bitcoin wallets: Bitcoin offline wallets, or Bitcoin wallets that never touch the Internet. But now that we have Ethereum, this system is developing better and better and becoming more and more prosperous, so you will often interact on the chain. Many people subconsciously think that on-chain wallets must be more convenient than hardware wallets or cold wallets, but more convenience means greater risk. So I require the Benmo community to use hardware wallets for DeFi, and I can only try my best to convince others, although it is difficult.
Ziyu: DeFi users have all experienced or witnessed assets being stolen through signatures or authorizations. Can hardware wallets prevent this?
Wang Yishi: No, let me clarify a concept with you. The only thing a hardware wallet does is store your private key in the hardware and prevent it from being leaked in any form. Can on-chain interaction authorizations be stolen? No wallet, whether hardware or software, can protect against that. Why? This is a flaw in Ethereum's design mechanism. How can we prevent it? For example, you can use some tools to cancel the authorization. OneKey has made a website called Revoke.gg, which detects all your authorizations, all authorizations on EVM chains, and then directly revokes them, revoking the authorization with one click. Sometimes you can't remember what you authorized, and then you can cancel them all with one click. In fact, it helps users avoid risks. This is actually a very good feature.
Another thing is, some users asked me: if I import my Little Fox mnemonic into a hardware wallet, does my wallet become a cold wallet? I would like to answer everyone: No. Why? Because your Little Fox mnemonic was generated on the software side. A wallet generated on the software side is actually a hot wallet. The generation process only counts as a cold wallet if it is guaranteed to be offline and completed independently inside the hardware.
If you complete it on the hot side, it is like cooking a meal at home and then taking it to a restaurant to sell. The environment in which a hot wallet is generated, including its random number generation method, is actually somewhat different from a cold wallet, especially in an environment like a browser plug-in, where there are many uncontrollable factors.
Many people install a plug-in, create a wallet, copy the mnemonic phrase, paste it into a local document or into a note-taking app, and think that it is done. At this point, your mnemonic phrase is actually already in your computer's operating environment, and you can't be sure of anything. For example, if you have installed the Sogou or Baidu input method, then congratulations, you are done. As long as the Sogou and Baidu input methods have Internet access permission, they will upload everything on your clipboard. Even if the company doesn't do it intentionally, can you guarantee that the people working at these companies who can read the backend service logs will not do it? You can't guarantee it.
So there are two points. The first point is whether hardware wallets can prevent this kind of Ethereum authorization attack. The answer is no: not only can hardware wallets not prevent it, no wallet can, but you can use tools such as Revoke.gg or Revoke.cash to clean up your authorizations in time.
The second question is, if the mnemonic I created in a hot wallet is imported into a hardware wallet, is it still cold? No.
Super Jun: Let me add that the first point is that the wallet for storing coins and the DeFi wallet should be separated. This is the first principle.
The second principle is that it is best to use one address for one mine. When you mine one mine, use one address for it. Here, you have a great advantage if you use a hardware wallet. You can add an address at will in one second, because it can all be the same set of mnemonics. Even if one address is at risk, it will not be passed on to other addresses, and it will not be passed on to other chains.
The third principle is that it is best to change your address. However, if your address does have some long-term on-chain relationships, such as lending relationships, which cannot be removed in a short period of time, then you can clean up the authorization status regularly. As for cleaning up authorizations, as Daxiong said just now, OneKey also has a URL that can automatically detect and clear them, which is quite convenient.
Another important thing is to try not to mine a mine where you don't understand the interest. That is, you should know where the interest comes from for each mine you mine. There are always some high returns, but you don't know where they come from. No one can explain clearly where FTX's 5% comes from. Generally, when it is not clear, you yourself are the source of the interest. If you can do this, you can avoid more than 95% of the pitfalls.
Wang Yishi: I want to add something, based on what Super Jun just said: don't think this wallet is so complicated to use, that you have to isolate addresses and cancel authorizations, and ask, can't I just put the coins there in a fool-proof way and never have any problems in normal interaction? I tell you, there is no such thing. If there is, where is it? It is in FTX. You have seen FTX's results.
There are many things in this world where people say we need to solve the pain points: it is too difficult for users to keep their own accounts, we want to make NPC wallets, we want to do this and that. I tell you, in order to avoid this pain, all the shortcuts you take will be returned to you one day.
You say: I don't want to go into DeFi, it's too complicated; I don't want to hold my own private key, it's too complicated; but I want to earn interest, so I deposit my coins in FTX because FTX looks good. Then congratulations, now you have lost everything. If one day you truly learn that the private key or mnemonic is in your own hand and this wallet is yours, then congratulations, you have truly entered Web3 from Web2.
Wang Yishi: For large amounts of assets, I only trust hardware wallets. Offline mobile phones cannot replace hardware wallets. Hardware wallets can be friends with time. The top exchanges change too quickly over time.
Super Jun: In this industry, there is no such thing as a big company that cannot fail.
Ziyu: After all, a hardware wallet is an electronic product. What if it is damaged? And even if it is not damaged, what if the company that makes the hardware wallet goes bankrupt?
Wang Yishi: It doesn't matter if the company goes bankrupt. If the wallet is broken, it's broken. You can restore it by transferring to another wallet. It's normal for a company to go bankrupt. A 10% chance of success in starting a business is already good, right? There is a statistic that says the average survival time of startups around the world is two and a half years. Just think about how many companies go bankrupt in one or two years. This goes back to what we said at the beginning: why do you put your assets in a hardware wallet where you control your private key? It's because the form of mnemonics or private keys is universal.
For example, you think that Ledger is very good and will not go bankrupt. The actual result is that even if it goes bankrupt, it doesn't matter. You can import its private key into OneKey. It doesn't matter if OneKey has problems, because there will be TwoKey and ThreeKey later. There is still a way. It is not like an exchange: if it goes bankrupt, it really goes bankrupt, and your coins will be gone and you can't get them back.
Ziyu: That is our theme today, Not Your Keys, Not Your Coins.
Super Jun: Because I thought of one thing in particular, I think it should be emphasized that mnemonics cannot be put on the Internet, because as far as I know, there are now several companies that specialize in this business. They may be like the Indiana Jones of the past, looking for treasure maps. They are a professional combat team, and they specifically look through the mnemonics on the Internet and the mnemonic information stored on personal computers. Their search ability is quite strong. They search for anything resembling mnemonics everywhere on the Internet every day, and they can identify them automatically. Your personal computer is also frequently hacked to obtain your mnemonics.
Wang Yishi: I tell everyone to be careful when using network storage. On GitHub repositories, there are countless machines scanning for private keys every day. I know many people who accidentally uploaded their private keys to GitHub, and the funds disappeared the next second. It's very fast, and it is not manual, but automated.
Therefore, you must be careful when using those online storage services. Don't be clever and save the mnemonic phrase to a local TXT file or some other file, encrypt it with compression software, and then set a password such as your birthday.
Super Jun: I still recommend the mnemonic phrase. OneKey has recently released a titanium plate for the mnemonic phrase.
I think it is a relatively good way, but it involves a lot of content to talk about, such as what happens when you go through a security check, where to put the plate, and how to back it up; there are many things to talk about.
Ziyu: We can discuss mnemonics in another episode.
Wang Yishi: Don't put the mnemonic phrase online. We will talk about the issue of mnemonic phrase preservation next time.
Ziyu: Today's discussion was originally expected to take 30 minutes, but we talked for 70 minutes. Thank you very much to Mr. Wang Yishi and Mr. Chaoyue for sharing, and thank you OneKey for providing such a good product to everyone. I hope that none of the audience here today will get caught up in some CeFi blow-up in the future, so that we can all live in the currency circle for a long time and safely. Remember the key point we talked about today: Not Your Keys, Not Your Coins.
Wang Yishi: Guide to Safe Internet Access https://yishi.io/guide-to-safe-access-internet/