In the dark forest world of blockchain, please keep in mind two major security rules: zero trust and continuous verification.


This article is an introduction. For the full content, see GitHub.

Original title: (Produced by SlowMist | Yuxian: Blockchain Dark Forest Self-rescue Manual)

Written by: Yu Xian, Founder of SlowMist Technology

Originally published on April 12, 2022

Blockchain is a great invention. It has brought about changes in certain production relations and partially solved the precious problem of "trust". However, the reality is cruel. People have many misunderstandings about blockchain. These misunderstandings have led to bad guys easily taking advantage of loopholes and frequently reaching into people's wallets, causing a large amount of financial losses. This has long been a dark forest.

Based on this, Yu Xian, the founder of SlowMist Technology, devoted himself to producing the Blockchain Dark Forest Self-rescue Manual.

 

This manual (currently V1 Beta) is about 37,000 words. Due to space limitations, only the key directory structures in the manual are listed here, which can also be regarded as a guide. The full content can be seen on GitHub.

We chose GitHub as the primary publishing location for this manual because it is convenient for collaboration and to see historical update records. You can Watch, Fork and Star, and of course we hope you can contribute.

Okay, let’s start the introduction...

Introduction

If you hold cryptocurrency or are interested in this world and may hold cryptocurrency in the future, then this manual is worth reading repeatedly and practicing carefully. Reading this manual requires a certain knowledge background. I hope beginners do not need to be afraid of these knowledge barriers, because a lot of them can be "played out".

In the dark forest world of blockchain, first keep in mind the following two major security rules:

  • Zero Trust: Simply put, be skeptical, and always be skeptical.

  • Continuous verification: If you want to believe, you must have the ability to verify your doubts and make this ability a habit.

Key content

 

1. Create a wallet

Download

1. Find the correct official website

  • Google

  • Well-known industry indexes, such as CoinMarketCap

  • Ask some trusted people.

2. Download and install the app

  • PC wallet: It is recommended to verify whether it has been tampered with (file consistency check)

  • Browser extension wallet: Pay attention to the number of users and ratings on the target extension download page

  • Mobile wallet: The judgment method is similar to that of extended wallet

  • Hardware wallet: Purchase from the official website and pay attention to whether it has been tampered with.

  • Web wallet: It is not recommended to use this type of online wallet

Mnemonic Phrase

When creating a wallet, the appearance of the mnemonic is very sensitive. Please pay attention to whether there is no one around you, no cameras, and anything else that may cause peeping. Also pay attention to whether the mnemonic appears randomly enough.

Keyless

1. Keyless two major scenarios (the distinction here is for the convenience of explanation)

  • Custody is a custodial method. For example, in centralized exchanges and wallets, users only need to register an account and do not own private keys. Security is completely dependent on these centralized platforms.

  • Non-Custodial means non-custodial. The user only has the power similar to the private key, but it is not the direct cryptocurrency private key (or mnemonic)

2. Advantages and disadvantages of the MPC-based Keyless solution

2. Back up your wallet

Mnemonic / Private Key Type

1. Plain text: mainly 12 English words

2. With password: After adding the password to the mnemonic, you will get a different seed. This seed is used to derive a series of private keys, public keys and corresponding addresses.

3. Multi-signature: It can be understood that the target funds need multiple signatures to authorize them before they can be used. Multi-signature is very flexible and can set approval strategies

4. Shamir's Secret Sharing: Shamir's secret sharing scheme is used to split the seed into multiple shards. When restoring the wallet, a specified number of shards are required to restore the wallet.

Encryption

1. Multiple backups

  • Cloud: Google/Apple/Microsoft, combined with GPG/1Password, etc.

  • Paper: Write the mnemonic (plain text, SSS, etc.) on a paper card

  • Device: Computer/iPad/iPhone/Mobile hard disk/U disk, etc.

  • Brain: Be aware of brain risks (memory/accidents)

2. Encryption

  • Regular and irregular verification is necessary

  • Partial verification can also be used

  • Pay attention to the confidentiality and security of the verification process

3. Using a Wallet

AML

1. On-chain freeze

2. Choose a platform or individual with a good reputation as your trading counterparty

Cold Wallet

1. How to use cold wallet

  • Receive cryptocurrency: Cooperate with observation wallets, such as imToken, Trust Wallet, etc.

  • Send cryptocurrency: QRCode/USB/Bluetooth

2. Risks of cold wallets

  • Lack of user interaction security mechanism such as WYSIWYG

  • The user lacks relevant knowledge background

Hot Wallet

1. Interact with DApps (DeFi, NFT, GameFi, etc.)

2. Malicious code or backdoor methods

  • When the wallet is running, the malicious code directly packages the relevant mnemonics and uploads them to the server controlled by the hacker.

  • When the wallet is running, when the user initiates a transfer, the target address and amount and other information are secretly replaced in the wallet background, which is difficult for the user to detect.

  • Destroy the random number entropy value related to the generation of mnemonics, making these mnemonics easier to crack

What is DeFi security?

1. Smart Contract Security

  • Too much authority: add timelock/multi-sign admin, etc.

  • Learn to read security audit reports step by step

2. Basic blockchain security: consensus ledger security/virtual machine security, etc.

3. Front-end security

  • Internal malicious behavior: The target smart contract address in the front-end page is replaced/an authorized phishing script is implanted

  • Third-party malicious behavior: Supply chain malicious behavior / third-party remote JavaScript files introduced by the front-end page malicious behavior or hacking

4. Communications Security

  • HTTPS Security

  • Example: MyEtherWallet security incident

  • Security Solution: HSTS

5. Human safety: If the project owner commits evil acts

6. Financial security: currency price, annualized return, etc.

7. Compliance and Security

  • AML/KYC/ Sanctioned Area Restrictions/Securities Risk-Related Contents, etc.

  •  AOPP

NFT Security

1. Metadata Security

2. Signature security

Sign carefully / Sign against common sense

1. What you see is what you sign

2. OpenSea’s Several Well-Known NFT Thefts

  • User authorized NFT on OpenSea (order)

  • Hackers phished to obtain the user's relevant signature

3. Cancel authorization (approve)

  • Token Approvals

  • Revoke.cash

  • APPROVED.zone

  • Rabby Extended Wallet

4. Real cases that go against common sense

Some advanced attack methods

1. Targeted Phishing

2. Cast a wide net to fish

3. Combining XSS, CSRF, Reverse Proxy and other techniques (such as Cloudflare man-in-the-middle attack)

IV. Traditional Privacy Protection

operating system

1. Pay attention to system security updates and take immediate action when there are security updates

2. Don’t download programs randomly

3. Set up disk encryption protection

cell phone

1. Pay attention to system security updates and downloads

2. Don’t jailbreak or root your device. It’s not necessary unless you are into security research.

3. Don’t download apps from unofficial markets

4. The prerequisite for using the official cloud synchronization: you are sure that there is no problem with the account security

network

1. When it comes to the Internet, try to choose a safe one, such as not connecting to unfamiliar Wi-Fi networks

2. Choose routers and operators with good reputations. Do not try to get cheap prices. And pray that there will be no advanced malicious behaviors at the router and operator level.

Browser

1. Update in a timely manner

2. Don’t install extensions if they are not necessary

3. Multiple browsers can coexist

4. Use well-known privacy protection extensions

Password Manager

1. Don’t forget your master password

2. Ensure your email is secure

3. 1Password/Bitwarden etc

Two-factor authentication

Google Authenticator/Microsoft Authenticator 等

Scientific Internet Access

Surf the Internet scientifically and safely

Mail

1. Safe and well-known: Gmail/Outlook/QQ mailbox, etc.

2. Privacy: ProtonMail/Tutanota

SIM card

1. SIM card attack

2. Defense suggestions

  • Enable a well-known 2FA tool

  • Set a PIN

GPG

1. Differentiation

  • PGP is the abbreviation of Pretty Good Privacy, which is a commercial encryption software that has been released for more than 30 years and is now under the control of Symantec.

  • OpenPGP is an encryption standard derived from PGP

  • GPG, full name GnuPG, is an open source encryption software based on the OpenPGP standard

Isolation Environment

1. Have a zero-trust security mindset

2. Good isolation habits

3. Privacy is not something to be protected, it is something to be controlled

5. Human safety

  • Telegram

  • Discord

  • Fishing from the "official"

  • Web3 Privacy Issues

6. Blockchain’s Evil Ways

Coin theft, malicious mining, ransomware, dark web transactions, Trojan C2 transfer, money laundering, Ponzi schemes, gambling, etc.

SlowMist Hacked Blockchain Hack Archive

7. What to do if your account is stolen

  • Stop loss first

  • Protect the scene

  • Analyze the causes

  • Tracking

  • Case closed

8. Misconceptions

  • Code Is Law

  • Not Your Keys, Not Your Coins

  • In Blockchain We Trust

  • Cryptographic security is security

  • Being hacked is embarrassing

  • Update Now

Summarize

After you finish reading this manual, you must practice it, become proficient in it, and learn from it. If you have your own discoveries or experiences later, I hope you can contribute them. If you feel sensitive, you can desensitize it appropriately, or you can be anonymous. Secondly, I would like to thank the global maturity of legislation and law enforcement related to security and privacy; the efforts of all generations of well-deserved cryptographers, engineers, righteous hackers, and all those who participated in creating a better world, one of whom is Satoshi Nakamoto. Finally, thank the contributors. This list will be continuously updated. If you have any ideas, I hope you can contact us.