12 OpSec Things You Want To Know
One day I woke up to one of my wallets drained – over $1,000 in crypto gone. Poof. I suppose it’s a rite of passage in web3 to be “rug pulled” or scammed at least once. But it doesn’t have to be.
In this article, I’ll go over some tips to up your OpSec. OpSec is short for operations security, a term that originated in the military but is popular in the blockchain community. In this context, it refers to the strategies you can use to protect your assets and transact safely.
Why does OpSec Matter?
First, bad actors exist in this space. Fortunately, the overwhelming majority of folks are awesome people working on amazing technology. But it is imperative to maintain a high level of caution because of those with malicious intent.
Second, with so many people generating life-changing wealth, it is easy to see this space as a get rich quick scheme, making it tempting to fall for some of these scams. After all, who doesn’t like making money?
Third, the onus is on you. This is because crypto allows for self-custody, in which you can possess your coins in your own wallet that nobody else can access. This is unlike traditional finance where your assets are custodied by an institution like a bank or brokerage. This is great to be truly self-sovereign, but it is also the digital analogue of walking around with all your money in your back pocket. Even some of the best solutions are only as good as keeping your life savings under your mattress. As a result, if your keys are compromised, there is no recourse; Ethereum has no customer support team to freeze your account or refund unauthorized transactions. With great power comes great responsibility.
1. Use a password manager
Password managers generate secure passwords for any of your accounts and safely store them. It’s imperative to make difficult passwords with many letters, numbers, and symbols so that they are hard for a hacker to brute-force or socially engineer out of you. It’s also imperative to have a different password for each account; otherwise, if one password is exposed, all your accounts are compromised. Security breaches are common, and there are even sites that allow you to see if your password for a particular site has been compromised.
2. Employ Multifactor Authentication
Multifactor authentication involves verifying that it is really you logging in by entering a code from a different device, typically your cell phone. This adds another layer of security because even if your password is compromised, someone would also need access to your phone.
3. Utilize Biometrics
Personally, I’m also a fan of biometrics such as fingerprint or facial recognition as an additional layer of defense, as it is difficult to spoof someone’s face or thumb.
Nine More Things To Be Aware Of…
4. Celebrity shills !== reputable projects
While you might be tempted to buy an NFT that your favorite athlete or musician is promoting, I see it as a red flag. Oftentimes, influencers will use their following to promote scammy projects to make a quick buck. They’re usually being paid a lot to post about these projects and are not posting in good faith with due diligence. A notorious example was Ethereum Max, which was shilled by folks such as Kim Kardashian and Floyd Mayweather. Ultimately, it was a rug pull, and they are facing lawsuits for deceiving people into buying this token.
5. Social Media Messages
On Twitter, there are more and more scam accounts popping up, tagging and DM-ing millions of people on posts to mint an NFT or buy a particular coin. You should not trust these. Sometimes it is easy to see if the account is a scammer: telltale signs are low follower count, no profile picture, no mutual followers, recent account creation date, and only posting about the project they are shilling. However, some scammers are getting smart, making their profile pictures Bored Apes, buying followers, and copying reputable people’s bios and posts. Double check the handle, as oftentimes they will have one that is similar to the account they are impersonating. For example, my Twitter is @thedanhepworth, so a scammer might make an account called @lhedanhepworth, which at a quick glance looks the same but is not.
Similarly, Discord is a common vector of attack. My advice here is to turn off direct messages. 99.999% are scams; I’ve never had a valuable interaction happen through DM. If you really need to reach someone from a Discord, friend request them or move the conversation to another platform.
Moreover, on Telegram I have noticed I have been added to a bunch of scammy and spammy chats. Be leery of who has access to your Telegram username. It’s best to immediately leave these and report sketchy group chats.
6. Gone Phishing…
Phishing is when a scammer creates a deceptive website or email to get you to log in, at which point they obtain your account information. OpenSea faced a recent phishing scam where people were emailed about having to migrate their NFTs, for which they had to sign a transaction. This transaction was malicious and resulted in over a million dollars in NFTs being stolen. Double check that the sender of an email is trustworthy. Even then, it is possible to spoof someone’s email address, so look for any inconsistencies in the body of the message.
It’s common for attackers to spin up sites of popular dApps with incorrect URLs. For example, opensea.io is OpenSea’s URL, but a scammer can buy the domain for opensea.com or openseaa.io, as those are common typos. They can then spin up a fake landing page, on which you can sign in via MetaMask. However, once you transact on this imposter app, your wallet will likely be compromised.
There have even been cases of scammers buying Google Ads so their fake URLs rank above the real ones. For safety, you can find the real URL through the official Twitter or CoinGecko listing of a project.
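The lookalike-name checks described in sections 5 and 6, as an added example that is not part of the original article: it compares a Twitter handle or a URL’s hostname against a short list of names you already trust and flags near misses. The trusted lists, the two-edit threshold and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: names you already trust, taken from the article's own examples.
TRUSTED_DOMAINS = {"opensea.io"}
TRUSTED_HANDLES = {"thedanhepworth"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, trusted: set, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of X', or 'unknown'."""
    name = name.lower().strip().rstrip(".")
    if name in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Close to a trusted name but not equal: typo or impersonation.
        if 0 < edit_distance(name, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"

def check_url(url: str) -> str:
    """Classify the hostname of a URL (scheme required, e.g. https://)."""
    host = (urlsplit(url).hostname or "").removeprefix("www.")
    # Punycode labels can render as Unicode letters that mimic ASCII ones.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode host"
    return classify(host, TRUSTED_DOMAINS)

def check_handle(handle: str) -> str:
    """Classify a social media handle, with or without the leading @."""
    return classify(handle.lstrip("@"), TRUSTED_HANDLES)
```

A result of "unknown" only means the name is not close to anything on the list; it says nothing about whether the site or account is safe.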
7. Suspicious Airdrops
These are common on cheaper blockchains like Polygon where it is not expensive to send tokens to millions of wallets en masse. Generally speaking, do not touch any tokens or NFTs that have been sent to you from someone you do not know.
When you try to transfer or sell, the consequences could be deleterious. This is counterintuitive, as you might want to “clean up” your wallet and get rid of those tokens, but there is no harm in them being in your wallet.
They may also have manipulated price feeds so your airdrop looks valuable, egging you on through FOMO to visit their website. The attacker wants you to transact with their malicious smart contracts to drain tokens from your wallet. Don’t ever sign a transaction inside a dApp you haven’t verified as legitimate.
8. Be Alert To Social Engineering
Fraud in crypto is coming from all angles. One common scam, beyond crypto even, is for someone to impersonate a person you know and ask for help. It’s unfortunate that this is the world we live in; but if your friend, relative, or colleague is asking for financial information, please verify that it is really them. If it’s someone you know only from online, beware of trusting them also, because some criminals are really good at what they do.
9. Pay Attention To Wallet Hygiene
The most popular browser wallet is MetaMask. Under the hood, your private keys are stored locally in your browser’s data. While browser wallets are convenient for interacting with web3 sites, it isn’t recommended to keep large sums of money in one. In addition to the fact that it is connecting to a lot of different sites, there is also the chance that your private key could be breached. There was recently a vulnerability discovered in an old version of Google Chrome that potentially exposed your private keys. Scammers have also impersonated Apple to retrieve your AppleID password, which gives them access to your iCloud, which can contain private key backups as well.
The most popular hardware wallets are Ledger and Trezor. Each is a small device, like a USB drive, that contains your private keys. When you transact, the data to sign is sent to the device, where it is signed; the signed transaction is then sent back to your computer and broadcast to the blockchain. These are recommended for dealing with larger amounts of money. Make sure to buy a hardware wallet from the manufacturer’s official site.
Hot vs. Cold Wallets
Another method of separating concerns is designating a wallet as the “hot” wallet and another as the “cold” wallet. The hot wallet is the one you use to transact regularly on the blockchain for activities such as staking, DeFi, buying NFTs, swapping tokens. The cold wallet is one that funds are sent to, and it never interacts with smart contracts. This is analogous to having a checking and savings account. It’s convenience vs. security, like having a WiFi smart lock on a rental property, but only a physical “cold” key for your home.
Multisignature wallets, or “multisigs” for short, are actually smart contracts. They’re an abstraction, in which the smart contract can do all the things a regular wallet can. However, for a transaction to be executed it must be approved by a certain number of signers. They’re great for families, friends, and DAOs. The most popular one is Gnosis Safe, which is available on EVM blockchains (Ethereum, Polygon, etc.). You can also use a multisig for your own funds by having multiple of your wallets as the signers. It’s effectively multifactor authentication for the blockchain! Even better if one of the signers is a hardware wallet.
10. Keep Exchange API Keys Secure
We’ve all used centralized exchanges to buy and sell crypto – think Coinbase, Binance, etc. Most of the time you do so from their website or mobile app. But they also offer API keys; an API key is a string of letters and numbers that lets you use the exchange without going through their site. These are mainly used by serious traders who are using bots or third-party platforms to implement complex strategies. If that isn’t you, then don’t worry about making API keys. Sometimes they’re needed for connecting crypto tax accounting software.
If this is you, you should do a few things to keep your API keys secure:
- Never give transfer/withdrawal permissions. Otherwise, if your key is exposed the hacker can not only trade on your behalf but send all your assets to their wallet.
- Whitelist IPs. If your bot is running on a server in California, but the attacker is in New York, then they cannot use your account.
11. Understand how Crypto Wallets Actually Work
It’s important to understand this to fully grasp how high the stakes are. At the core of crypto wallets is public-key cryptography. Your wallet is a private key that corresponds to a public key. Think of your home: the lock is public, and everyone in your neighborhood can see it, but the house key in your pocket is private. It is easy to generate a public key from a private one, but the underlying math makes it nearly impossible to go in the other direction.
The difference between a public-private key pair and a “web2” username and password is that the latter is stored on a centralized database and the two have no intrinsic relation. However, your public and private keys are generated algorithmically and deterministically. In other words, you cannot change your private key or generate a specific public key.
Your seed phrase, or mnemonic, is a set of 12-24 words that is used to generate private keys. So on MetaMask, you have one seed phrase, but you can make an infinite number of wallets with it. As a result, your seed phrase is just as important as your private key.
You never want to give either out. Ever! Nobody in a good faith attempt to help you will ask for it, only scammers. I also recommend keeping a copy on pen & paper or some offline medium. This is for two reasons. First, if your computer breaks, then you do not have access to your funds. Second, if your computer is compromised, then all your funds are also compromised. If a large amount of funds are secured, you may want to store the phrase in something indestructible like a fireproof case. In the event of your passing, family may also need to be aware of it, or they have no access to your funds.
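An added example (not from the original article or from any wallet’s code base) of the determinism described above: the same words always yield the same seed, master private key and public key, using the published BIP-39 and BIP-32 constructions over secp256k1. It stops at the master key and does not implement the per-account child derivation real wallets perform; SAMPLE_MNEMONIC and wallet_from_mnemonic are names chosen for this sketch.

```python
import hashlib, hmac, unicodedata

# secp256k1 parameters (the curve Ethereum and Bitcoin keys live on).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Publicly known test mnemonic (all-zero entropy); never send funds to it.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

def point_add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def public_key(private_key: int):
    """Easy direction: private -> public by double-and-add (not constant time)."""
    result, addend = None, G
    while private_key:
        if private_key & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        private_key >>= 1
    return result

def seed_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048)

def master_private_key(seed: bytes) -> int:
    """BIP-32 master key: first 32 bytes of HMAC-SHA512 keyed 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big")

def wallet_from_mnemonic(mnemonic: str):
    """Anyone holding the words can recompute both keys, every time."""
    priv = master_private_key(seed_from_mnemonic(mnemonic))
    return priv, public_key(priv)
```

Nothing in this code reads a device, an account or a password: the words alone are enough, which is why a leaked seed phrase cannot be revoked or reset.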
12. Only Interact With Smart Contracts that are Verified and Audited…
Smart contracts are self-executing programs that run on the blockchain. For the most part, anything you interact with is a smart contract – an NFT, an ERC-20, a DEX, a cross-chain bridge, etc. You should only interact with smart contracts that are verified and audited.
Think of this as like the blue checkmark on Twitter. The creator of a smart contract typically uploads their Solidity source code to a block explorer like Etherscan after it is deployed. This is then compared to the non-human-readable bytecode/opcode that lives on the blockchain, and if the two match then that code can be posted. The Solidity code is human readable and allows one to understand the logic of the code.
Audits of smart contracts are done by security firms. They are paid a large sum of money to poke and prod at the code for weeks to discover vulnerabilities. Then, they compile their findings into a report along with recommendations. If the team follows their recommendations, then that is reported by the audit team.
However, these conditions are necessary but insufficient. In other words, you can have a smart contract that is both verified and audited and still malicious. As a result, I also recommend the following:
- Make sure the smart contract is used by a lot of other people. This is observable on block explorers.
- Make sure the smart contract is the correct one. Popularly used smart contracts, such as the Uniswap Router, are labeled for convenience.
- Ask a technical friend or family member to read through the code.
The smart contract could also be verified, audited, and non-malicious, but still susceptible to an exploit that drains its funds. As the saying goes, don’t put all your eggs in one basket, and understand that the overall security of the crypto industry is still in its infancy.
However, don’t let all of the security concerns prevent you from joining this innovative space, and getting yield far beyond what traditional finance offers. There are some smart contracts that are so well-verified that third parties will insure them. Smart contracts and hacking-event insurance is a new industry that will mature along with the rest of the field.
Blockchain technology has the ability to empower people and create more equitable systems of finance, culture, and many other aspects of our lives. However, it is important to maintain a high level of security given the additional responsibility of custodying your own assets. If something is too good to be true, chances are it is. Fear-of-missing-out (FOMO) is deceptive. Have a healthy level of paranoia: don’t trust, verify.