Recently, OK users have had their assets stolen, and issues related to asset security have once again aroused heated discussions. Some users withdrew their tokens from the trading platform as soon as the news came out. After all, a gentleman does not stand under a dangerous wall.
From the development of this wave of market conditions, it can be clearly felt that the industry's major opportunities are mainly concentrated on the chain. The trading platforms are seriously involuted. With the collapse of the value investment system, it is extremely difficult for retail investors to make money on the trading platforms. The number of users turning to the chain is also gradually increasing. On the chain, the most important issue is the security of their own wallets.
Next, we will comprehensively understand how to protect the security of blockchain assets from several aspects, including wallet-related knowledge, theft cases, and knowledge on protecting private keys.
01 Wallet-related knowledge
Before ensuring the safety of your assets, you need to have a certain understanding of some basic knowledge about wallets in the industry, so that you can better understand how to protect your assets. The following is a brief introduction to several related concepts.
1. Symmetric encryption and asymmetric encryption
Before understanding the public (private) key, let's first briefly understand symmetric encryption and asymmetric encryption in cryptography. Symmetric encryption means that A can get B through a certain algorithm, and conversely, B can also be reversely decrypted to get A through the same algorithm. Here, the same algorithm is used for encryption and decryption; while asymmetric encryption means that A can get B through a certain algorithm, but B cannot be reversely decrypted to get B through the same algorithm. Here, different algorithms are required for encryption and decryption.
As shown in the figure, the difference between symmetric encryption and asymmetric encryption lies in whether the public key of the message recipient and the private key of the message recipient are the same key.
2. Public (private) key, mnemonic, address
Understanding symmetric encryption and asymmetric encryption can help you better understand some basic concepts related to wallets.
Key pair: In asymmetric encryption, there is a pair of key pairs, namely public key and private key. The public key is public and the private key is not public.
Public key: used to encrypt data. Data encrypted with the public key can only be decrypted using the private key.
Private key: The private key can generate the public key, which is used to decrypt data encrypted by the public key.
Address: Corresponding to the "public key". Since the public key is too long, there is an "address", which is generated by the public key.
Mnemonics: Corresponding to the "private key", because the private key is a randomly generated string, which is too long and difficult to remember, a set of human-readable words was born to replace the private key to help users remember the private key, usually 12 irregular phrases. (Private key = mnemonic)
Image source: On-chain transaction process
Electronic signature: A piece of information (you transfer 100 Ethereum to someone) needs to be signed by your private key and broadcast to the blockchain.
Signature verification: The receiver can verify through your public key that the message is indeed signed by your private key, that is, it was published by you, and the transaction record is on the chain. Therefore, whoever controls the private key controls the wallet.
To put it simply, the public key (address) is equivalent to your account, and the private key (mnemonic) is equivalent to your account + password (private key can generate public key).
Using a bank card as an analogy, public key = bank account, address = bank card number, password = bank card password, private key = bank card number + bank card password, mnemonic = private key = bank card number + bank card password, Keystore + password = private key
3. Storage of private key (mnemonic)
Your token is not stored in your wallet APP, but in the address corresponding to the private key in the blockchain network. As long as you have the private key, you can log in to all wallets through the private key (the wallet supports the chain where you have the token). The wallet is only a front-end for displaying account funds and does not save your private key.
If the private key is lost, it means that your assets will also be lost and cannot be retrieved through the wallet. When registering a wallet for the first time, the wallet page will generally remind users to pay attention to this. This is completely different from the QQ and WeChat we used before. If the password is lost, it can be retrieved through mobile phone verification, questions and friend verification. Of course, this is also the charm of blockchain decentralization. Your assets belong completely to you.
4. Wallet Types
Depending on whether the private key is exposed to the Internet, wallets can be divided into hot wallets and cold wallets, as shown in the figure above.
Hot wallet: client wallet, plug-in wallet, mobile APP.
It is easy to use and easy for novices to operate. The transaction transfer efficiency is relatively high, but the security is poor and it is easy to be stolen.
Cold wallet: hardware wallet.
It is highly secure and suitable for storing large amounts of assets. Complex creation and troublesome transfers, hardware damage or loss of private keys may result in the loss of digital assets.
From the above, we can know that the private key is everything, and all our measures to protect assets are actually to protect the private key, protect the private key, and protect the private key. (To prevent the private key from being lost and obtained by others)
02 Theft Case
Now that we understand the relevant concepts, let’s take a look at the main cases of loss that exist at present. Through these cases, we can better protect our own wallets.
1. Private key (mnemonic) leakage
At the beginning of 2021, Yiren, the founder of Shengcaiyoushu, saved his Bitcoin private key in a cloud notebook, resulting in the loss of eight-digit BTC assets.
In November 2022, Fenbushi Capital founder Shen Bo’s digital assets worth $42 million were stolen. The stolen assets included: 38,233,180 USDC, 1,607 ETH, 719,760 USDT, and 4.13 BTC. According to subsequent analysis by the security agency Slow Mist, the theft was caused by the leakage of the mnemonic phrase.
2. Private key (mnemonic) is lost
British IT engineer James Howells lost his computer hard drive in 2013, which contained 8,000 bitcoins. Nine years later, he planned to spend $74.3 million to search through the garbage dump to retrieve the computer hard drive.
3. Click on the virus link
A user randomly clicked on a link sent by someone else, causing hackers to read the metamask local encrypted backup and all assets were stolen.
A Twitter KOL clicked on a private link sent by someone else, causing his Twitter account to be stolen. He then released poisonous airdrop information and took advantage of fans' trust in the KOL to click on the link and steal fans' assets.
4. Random authorization leads to application vulnerabilities
On October 2, Token Pocket's flash exchange DEX Transit Swap officially announced that it had been hacked and its asset losses exceeded 15 million U.S. dollars, and reminded users to cancel their authorization.
On October 11, the plug-in wallet Rabby developed by the DeBank team claimed that there was a vulnerability in its Swap contract and recommended users to cancel the Rabby Swap authorization. In the end, the hacker made a profit of more than US$190,000.
5. Download fake apps (with virus software)
After obtaining the platform user information, some hackers spread panic information to users through text messages, saying that the platform is no longer safe and they need to click a link to reinstall the app or log in to their account. After logging in, the account funds are stolen.
A user downloaded a fake Binance app and transferred money to another person's address, and his assets of 5 ETH were completely lost.
We can see from the above cases that user assets are stolen mainly in the following situations: private key (mnemonic) leakage, private key (mnemonic) loss, clicking on virus links, arbitrary authorization, application vulnerabilities, downloading fake APP (with virus software), etc.
Next, let’s sort out some ways to avoid the above situation.
03 How to avoid property loss
1. Storage of private keys (core: not easy to lose, not easy to damage, and not accessible to others or cannot be used if they are accessible)
Back up the wallet in time after it is generated, double backup, because once lost, it will be impossible to recover
The mnemonic phrase should be stored on a medium that is not connected to the Internet and is not easily lost or damaged. For example, you can copy it on paper and encrypt it yourself (add or subtract specific characters for easy memorization); find a camera storage on a mobile phone that is never connected to the Internet; some wallet providers will sell mnemonic phrase related iron plates.
Use a cold wallet (hardware wallet) and choose a well-known cold wallet; purchase it from official channels, not through third-party channels (third-party channels may contain viruses); set a strong password and back up the private key to prevent the hardware wallet from being lost or damaged.
2. Prevent private key (mnemonic) leakage
Do not copy and paste the private key, some software can read the user's clipboard
Do not save the private key in WeChat collections, file transfers, Baidu Cloud, Evernote and other online platforms
Never tell anyone your private key. Remember, no matter who you are, some scammers may impersonate the official wallet person to get your private key. Don’t believe them. The wallet party has no right to obtain the user’s private key.
When using public Wi-Fi, do not copy and paste your private key
When downloading various applications, you should go to official channels. All application stores are sometimes unreliable (remember, all), and there are fake applications.
Be cautious when signing with your wallet. Heavy users of DeFi protocols and NFT interactions should remember to revoke authorization in a timely manner to prevent asset theft due to application vulnerabilities.
Do not click on links sent by others (text messages), download files shared by others, or even click on links from KOLs, as they may contain viruses.
Once you find that your wallet has a little asset leakage, you should abandon the wallet immediately and don’t take any chances.
Don’t use a free VPN
Keep up with the news and learn about new stolen information in real time
If you are a user who plays a lot on the chain, it is recommended to install the ScamSniffer browser plug-in, which can intercept and prompt you when you visit phishing websites. When you browse fake official tweets, reminders will also appear.
All of the above measures are actually to protect your private key from being leaked. Not your key, not your money!
3. Assets are dispersed
You can disperse your own funds among wallets and trading platforms. Although the FTX incident has led to a lack of trust in centralized trading platforms, for most people, it is much safer to keep their assets on several centralized leading trading platforms than to hold them in their own hands. It is also more convenient than a wallet. As long as the losses are not particularly large, several leading platforms can generally afford the compensation.
There are a few things to note when using a centralized trading platform:
Enable triple verification (mobile phone, email, Google two-factor verification)
Enable Token whitelist
Download the app from official channels
When transferring money, confirm that the address is correct
