Author: INSIGHTFUL

Compiled by: TechFlow

Disclaimer

This guide does not guarantee anything and is not written from the perspective of a "crypto or cybersecurity expert", but is based on ongoing learning from multiple sources and personal experience.

For example, I myself was scammed due to fear of missing out (FOMO) and greed when I first entered this field (fake live broadcast scams and fake MEV robot scams), so I took the time to seriously learn, set up and understand security.

Don’t be that person who is forced to learn security because they lose everything or a significant amount of their assets.

Hacker attack or user error?

All types of wallet, token, or NFT “hacks” or compromises can be broadly divided into two categories:

  • Abuse of previously granted token approval.

  • Leakage of private keys or mnemonics (usually occurs on hot wallets).

Token Approval

Token approvals are essentially permissions that allow a smart contract to access and move a specific type or amount of tokens in your wallet.

For example:

  • Give OpenSea permission to move your NFT so you can sell it.

  • Give Uniswap permission to use your tokens for swaps.

As background information, essentially everything on the Ethereum network, except ETH, is an ERC-20 token.

One of the features of ERC-20 tokens is the ability to grant approval permissions to other smart contracts.

These approvals will be required at some point if you want to do core DeFi interactions like swapping or bridging tokens.

NFTs are ERC-721 and ERC-1155 tokens respectively; their approval mechanism is similar to ERC-20, but for the NFT market.

The initial token approval prompt for MetaMask (MM) provides several pieces of information, the most relevant of which are:

  • You are granting approved tokens

  • The website you are interacting with

  • The smart contract you are interacting with

  • Ability to edit token permission amounts

In the Full Details drop-down menu, we see an additional piece of information: Approval Features.

All ERC-20 tokens must have certain features and properties as outlined by the ERC-20 standard.

One of these is the ability for smart contracts to move tokens based on approved amounts.

The danger with these approvals is that if you grant token permissions to a malicious smart contract, your assets could be stolen or drained.

Unlimited and custom restricted approvals (ERC-20 tokens)

Many DeFi apps will prompt you for unlimited approval of ERC-20 tokens by default.

This is done to improve the user experience as it is more convenient and does not require possible additional approvals in the future, thus saving time and gas fees.

Why is this important?

Allowing approval for an unlimited number of tokens may put your funds at risk.

Manually setting token approvals to a specific amount limits the maximum amount of tokens that a dApp can move without signing a new approval for a larger amount.

This reduces your risk in the event that a smart contract is exploited. If you grant unlimited approval to a dApp and that dApp is vulnerable, you could lose all of your approved tokens from the wallet that holds those assets and granted that approval.

For example, Multichain WETH (WETH is an ERC-20 token wrapper for ETH) has suffered from such a vulnerability.

This commonly used bridge was hacked due to abuse of previously unrestricted token permissions, resulting in the theft of user funds.

Below is an example (using the Zerion wallet) showing how to change the default unlimited approvals to manual approvals.

NFT Approval

「setApprovalForAll」 for NFT

This is a commonly used but potentially dangerous approval that is usually granted to trusted NFT marketplaces when you want to sell your NFT.

This enables the marketplace’s smart contract to transfer your NFT. So when you sell your NFT to a buyer, the marketplace’s smart contract can automatically move the NFT to the buyer.

This approval grants access to all NFT tokens in a specific collection or contract address.

This could also be used by malicious sites or contracts to steal your NFTs.

Example of a malicious actor abusing setApprovalForAll

The classic “wallet shrinkage” in the case of FOMO free minting looks like this:

  • A user visits a malicious website that they think is legitimate.

  • When they connect their wallet to a website, the website can only view the contents of the wallet.

  • However, the malicious website scans the wallet for the highest value NFT and prompts the user to “set all approvals” for the contract address of that NFT from MetaMask (MM).

  • Users thought they were minting NFTs, but were actually granting a malicious contract permission to move those tokens.

  • The scammers then steal the tokens and liquidate them into bids on OpenSea or Blur before the items are marked as stolen.

Signature and Approval

Approvals require payment of gas fees as they are involved in transaction processing.

Signatures do not require gas and are typically used to log into dApps to prove your control over the wallet.

Signing is generally a low-risk operation, but could still potentially be used to exploit previously granted approval for a trusted site like OpenSea.

For ERC-20 tokens, you can also modify your approval via gas-free signatures, as the permissioning feature was recently introduced on Ethereum.

You can see this if you use a decentralized exchange (DEX) like 1inch.

Token Approval Points

Be cautious when giving any approvals, make sure you know which tokens you are approving and for which smart contract (use etherscan for this).

Limit your approval risk:

  • Use multiple wallets (approvals are wallet specific) — Don’t sign approvals for your vault or high value wallets.

  • Ideally, granting unrestricted approvals for ERC-20 tokens would be reduced or avoided altogether.

  • Regularly check and revoke approvals via etherscan or revoke.cash.

Hardware / Cold Wallet

Hot wallets are connected to the internet through your computer or mobile phone, and the keys and wallet credentials are stored online or locally in your browser.

Cold wallets are hardware devices where keys are generated and stored completely offline and physically close to you.

Considering that a Ledger costs around $120, if you have over $1000 in crypto, you should probably buy and set up a Ledger. You can connect your Ledger wallet to your MetaMask (MM) to enjoy the same functionality as other hot wallets while maintaining some security.

Ledger and Trezor are the most popular choices. I like Ledger because it has the best compatibility with browser wallets (similar to Rabby and MM).

Best Practices When Buying Ledger

Always buy from the official manufacturer’s website, never on Ebay or Amazon – it may be tampered with or pre-installed with malware.

Make sure the packaging is sealed when you receive the item.

When you first set up your Ledger, it generates a mnemonic phrase.

Only write your mnemonic phrase on physical paper, or in the future write it on a steel plate to ensure your mnemonic phrase is fireproof and waterproof.

Never take a picture of your recovery phrase or enter it on any keyboard (including your phone) - this will digitize the recovery phrase and your cold wallet will become an insecure hot wallet.

Crypto assets are not stored on a hardware wallet, but rather in a wallet generated by a mnemonic phrase.

The mnemonic phrase (12-24 words) is the be-all and end-all and must be protected and kept safe at all costs.

It provides full control and access to all wallets generated under that mnemonic phrase.

The mnemonic phrase is not device-specific and you can “import” it into another hardware wallet as a backup if needed.

If your recovery phrase is lost or damaged, and your original hardware wallet is also lost, damaged, or locked, you will permanently lose access to all your assets.

There are various ways to store a mnemonic, such as dividing it into multiple parts, increasing the physical distance between parts, storing it in an inconspicuous place (e.g., a soup can at the bottom of the refrigerator, somewhere under your property, etc.).

At a minimum you should have 2-3 copies, one of which should be made of steel to protect against water and fire.

A "private key" is similar to a mnemonic phrase, but specific to one wallet. It is often used to import a hot wallet into a new MetaMask (MM) account or to use in automated tools such as trading bots.

Word 25 - Ledger

In addition to the original 24-word mnemonic, Ledger also offers an optional additional security feature.

Passphrase is a premium feature that adds a 25th word of your choice up to 100 characters to your recovery phrase.

Using a passphrase generates a completely different set of addresses that cannot be accessed with just the 24-word recovery phrase.

In addition to adding a layer of security, a passphrase provides plausible deniability if you are compromised.

If you use a passphrase, be sure to store it securely or remember it exactly, character by character and case sensitive.

This is the only and final defense against physically threatening situations like the $5 wrench attack.

Why go through all the trouble of setting up a hardware wallet?

Hot wallets store your private keys in a location connected to the internet.

It is extremely easy to be deceived, misled and manipulated into revealing these credentials via the internet.

Having a cold wallet means that a scammer would need to physically find and obtain your Ledger or recovery phrase to access these wallets and the assets inside.

Once the mnemonic is leaked, all hot wallets and the assets in them are at risk, even those that have not interacted with malicious websites or contracts.

Common ways people were “hackered” in the past

Common ways people have been “hacked” (mnemonic phrase leaked) through hot wallets in the past include:

  • Being tricked into downloading malware, such as through job opportunity PDFs, beta games, running macros through Google Sheets, or imitating legitimate websites and services.

  • Interacting with malicious contracts: FOMO minting on parody sites, or interacting with unknown airdropped or received NFT contracts.

  • Insert or send the key and mnemonic phrase to Customer Support or related program/form.