Digital wallets such as MetaMask, xDeFi or Frame are essential for interacting with cryptocurrencies, and with decentralized finance (DeFi) in particular. But these browser extensions are also a prime target for theft. Here are the best practices to follow which, while they cannot eliminate the risk entirely, will go a long way toward protecting you from the theft of your assets.
Basic precautions to protect your cryptocurrency portfolio
Connect your digital wallet to a physical wallet
If you use a wallet like MetaMask, you own your private keys: this is what is called a non-custodial wallet. That has one major upside and one major downside:
- Advantage: you are solely responsible for your cryptocurrencies;
- Disadvantage: you are solely responsible for your cryptocurrencies.
The irony is deliberate: it is meant to make you think about everything this entails. You are accountable to no one, and that is one of the beauties of this ecosystem. But if you make the slightest mistake, there is no customer service to undo it.
The first tip, and certainly the most important, is to use a hardware wallet alongside your browser wallets. The simplest models cost around sixty euros, the most sophisticated several hundred.
Once your cryptocurrency holdings reach a certain size, do not skimp on this investment. Browser-extension wallets run inside the same browser as every other tab and extension, and recent incidents have shown yet again that they are not entirely secure.
Most browser wallets therefore offer a “Connect a hardware wallet” function, which lets you use them with a Ledger or Trezor device, to name a couple.
The strength of these devices is that even if someone takes remote control of your computer, they cannot sign transactions on their own: every transaction must be physically confirmed on the hardware wallet itself. The caveat is that the device only protects you if you actually read what it displays before confirming. A compromised computer can still present a malicious transaction for you to approve, so check the recipient, the amount and the contract on the device screen, not just in the browser.
Of course, under no circumstances should you save a private key, seed phrase or recovery file on your computer, for any address whatsoever, and that includes the recovery phrase of a hardware wallet. Doing so makes about as much sense as putting your credit card in your Facebook profile picture.
Retrieve a platform link from CoinGecko or CoinMarketCap
When you visit a protocol for the first time, go through its listing on CoinGecko or CoinMarketCap. That will get you the right address rather than a fraudulent link served by your search engine. Unless CoinGecko or CoinMarketCap have themselves been compromised, but that is another category of problem…
You can then bookmark that link for future use and/or rely on your browser’s autocomplete to get back to the right address.
A variant of this method is to go through the protocol’s official Twitter account. Make sure the account carries the “verified” badge so you are not tricked by a fake profile, and bear in mind that a badge alone is weak evidence: cross-check the handle against the one listed in the protocol’s own documentation.
This last recommendation also applies to browser wallets, as the illustration below shows. The first result of our search for “MetaMask Wallet” is an ad redirecting to a fake MetaMask site, which gives itself away by its URL: an extra “a” in the name and the wrong top-level domain (.co instead of .io). Enter your recovery phrase there and you can say goodbye to your cryptocurrencies.
MetaMask’s real address is metamask.io, not metamaask, not .com, nor any other variant. The same goes for xDeFi, Frame, Keplr or Phantom, to name a few, which are frequently impersonated in this way.
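To make the “extra letter, wrong domain” check mechanical, here is an added example (not part of the original guide and not MetaMask’s own code) that classifies a URL against a list of official domains. The allowlist only holds metamask.io, the one real address the guide gives; the sample URLs are constructed to mirror the fake ad described above. It assumes plain two-label domains (a public-suffix list would be needed for TLDs such as co.uk), which is enough for the wallets discussed here.

```python
"""Flag lookalike wallet domains before you type a seed phrase into them.

Added example for this guide; it is not MetaMask's code. The allowlist holds
only metamask.io, the one official address named in the text: extend it from
official documentation, never from search results or ads.
"""
from urllib.parse import urlsplit

# Official domains (from the guide). Assumes plain two-label domains; a
# public-suffix list would be needed for TLDs like co.uk.
OFFICIAL_DOMAINS = {"metamask.io"}
# Edit distance at or below which a second-level name counts as a typosquat
# ("metamaask" is 1 edit away from "metamask").
LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for the host in url.

    Only the hostname matters: a userinfo trick such as
    https://metamask.io@evil.example/ resolves to evil.example, which is
    also what the browser's address bar shows.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")

    # Exact match or a genuine subdomain of an official domain.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official"

    # Punycode labels hide homoglyph attacks (e.g. a Cyrillic letter in the name).
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"

    if len(labels) < 2:
        return "unknown"

    second_level = labels[-2]
    for domain in OFFICIAL_DOMAINS:
        name = domain.rpartition(".")[0]
        # Same brand with the wrong TLD (metamask.com), the brand buried inside
        # another domain (metamask.io.evil.example), or a near miss (metamaask.co).
        if name in labels or levenshtein(second_level, name) <= LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the fake ad described in the guide.
    for sample in ("https://metamask.io/download/",
                   "https://metamaask.co/",
                   "https://metamask.com/",
                   "https://metamask.io.evil.example/",
                   "https://coingecko.com/"):
        print(f"{classify_url(sample):9} {sample}")
```

The check runs on the hostname only, which is the part an ad or a phishing email cannot fake once the page has loaded: compare the address bar, not the link text. “unknown” is not a clean bill of health; it just means the host is neither on your allowlist nor an obvious imitation of it.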
Know how to detect phishing attempts
Here the mechanics are simple: the attacker plays on your emotions in order to trap you. Most often it is fear, as in this fraudulent email posing as an official message from MetaMask.
According to the message, urgent security actions are required. But if you look at the address behind the button (hover over it or copy the link rather than clicking it), it clearly does not point to the official MetaMask site. The goal, once again, is to steal your recovery phrase and private keys.
Assume that if there really is a security breach, the project team will not email you asking you to “verify” or re-enter your seed phrase; they will communicate on their official channels such as Twitter. No legitimate support request ever needs your recovery phrase.
More generally, and in the same spirit, stay particularly vigilant on Discord and even more so on Telegram. Fake project channels abound, and it is very easy to be redirected to a scam.
Do not touch tokens that come out of nowhere
If you look at your addresses on a blockchain explorer, almost all of us hold tokens we never asked for and whose origin we do not know.
The rule is simple: do not touch them. These tokens may or may not display a so-called value, but they usually share the same purpose: to drain your account.
In this type of scam, malicious actors send a token to a large number of addresses at random, hoping that someone will try to sell it.
The future victim will then try to swap the token into a more conventional asset such as ETH, either on a decentralized exchange or on the “project site” the token advertises. In both cases, she ends up signing an approval or a transaction designed by the attacker, which unknowingly gives a malicious smart contract permission to empty her account.
The token may even carry a name similar to a well-known cryptocurrency to sow confusion. Just keep in mind that if you did nothing to make a token land on your address, it is probably a scam.
To complement these precautions, avoid handling your cryptocurrencies when you are not in an optimal emotional state. Even the most experienced among us can fall into simple traps through fatigue, stress or inattention. Let us now look at more advanced precautions that will help you avoid as many risks as possible.
Manage your wallet permissions
When you interact with a smart contract, you must first authorize it to spend your tokens. To illustrate, imagine you want to add liquidity to the ETH-USDT pool on the decentralized exchange of your choice. You will need to grant 3 permissions:
- One for your ETH;
- One for your USDT;
- One for the resulting LP token, so that it can be staked to generate yield.
These authorizations usually appear as an “Unlock” or “Approve” button, as in the example below where TUSD must be unlocked before being swapped for MATIC:
In this example, clicking “Approve TUSD” means that 99% of people sign an unlimited approval, because that is the amount the application proposes by default.
The danger of this practice shows up if the protocol is hacked or runs into any other problem. If you give Balancer unlimited permission to spend your TUSD, a flaw in that smart contract puts ALL the TUSD in your wallet at risk on the network where it sits.
The following screenshot lists all the authorizations granted per asset for one address, together with the quantity of tokens exposed on the Polygon network.
The $31 in the example is the total value of the portfolio exposed through permissions. You can also see that the 16 USDC held at this address are approved on 4 different protocols.
Those permissions are unlimited, which means the potential consequences stay the same regardless of the amount in the account: all the USDC at this address on the Polygon network is exposed if any one of the 4 smart contracts fails. So if you send 1000 USDC to this address, it is 1016 USDC that could be stolen should, for example, the contract authorized on Curve be hacked.
You will find the details of your authorizations on the various Ethereum Virtual Machine (EVM) compatible networks by connecting your wallet to the DeBank site and opening the “Approval” tab. To withdraw an authorization, click “Decline”.
A variant is to go directly to the “Token Approvals” page of the blockchain explorer of the network in question, here PolygonScan:
The logic is the same on the other EVM-compatible blockchain explorers. Look up your address with the search bar, then connect using the “Connect to Web3” button. This will show you all the permissions you have granted.
The “Revoke” option on the right revokes an authorization. Be careful though: with this method as with DeBank, each revocation is an on-chain transaction (it sets the allowance back to zero) and costs gas. Negligible on Polygon, it is quite another matter on Ethereum. It is up to you to decide whether removing an authorization is worth it given the capital exposed.
The other option is simply not to grant unlimited authorizations in the first place, but only authorizations limited to the quantity of cryptocurrency you intend to use in the operation:
When you approve a smart contract, with MetaMask for example, click “Edit Permission” before confirming the transaction. You will see that the “Proposed Approval Limit” option is checked by default and that it represents an all-but-unlimited quantity of tokens. By choosing “Custom Spend Limit” instead, you can enter only the amount needed for the operation, keeping the rest of your capital out of reach.
Keep in mind, however, that managing permissions this way has its constraints. If you revoke an authorization, you will have to grant it again to put assets back on the contract, and the same goes for a limited authorization once it is used up.
As mentioned earlier, these methods can be impractical on the Ethereum network if your capital is modest, since every extra approval or revocation costs gas. There is no right or wrong answer; it is up to you to weigh flexibility, cost and risk, and to accept the consequences of whichever option you pick.
Note that a hardware wallet does not protect you from this risk. An allowance is recorded on-chain, and the approved contract can move your tokens with transferFrom without you signing anything further; the hardware wallet only controls who can sign new transactions. What is more, a contract that is safe at a given moment will not necessarily remain so, while your allowance persists until you revoke it, which is why you still have to keep an eye on it.
Also, if a protocol is hacked, your LP tokens may well remain safely on your address yet be worth nothing, because the underlying assets have been drained from the failing application’s liquidity pool. That is another reason to do your research upstream and rule out questionable protocols.
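As an added example (not code from MetaMask, DeBank or any explorer), here is how to look at an approval the way the “Edit Permission” dialog does, but from the raw transaction calldata: it decodes approve(spender, amount), flags the unlimited default, builds the capped alternative and the zero-allowance revocation, and computes the exposure from the 16 / 1016 USDC example above. The spender addresses and balances are constructed for illustration; the selector is hard-coded because the Python standard library has no keccak-256.

```python
"""Inspect an ERC-20 approve() before signing it, and size the exposure.

Added example for this guide; it is not MetaMask, DeBank or explorer code.
It works on raw transaction calldata, so it runs offline. The spender
addresses and balances below are constructed for illustration.
"""
from dataclasses import dataclass, field

# First 4 bytes of keccak256("approve(address,uint256)"): the ERC-20 selector
# behind every "Approve" / "Unlock" button.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1  # the "Proposed Approval Limit" most dapps request

# Hypothetical spender contracts, constructed for this example.
HYPOTHETICAL_ROUTER = "0x" + "11" * 20
HYPOTHETICAL_POOL = "0x" + "22" * 20
USDC_UNIT = 10**6  # USDC has 6 decimals; amounts below are in base units


def _address_bytes(address: str) -> bytes:
    raw = bytes.fromhex(address.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("an address is 20 bytes")
    return raw


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata exactly as a wallet would send it."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    words = _address_bytes(spender).rjust(32, b"\x00") + amount.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + words).hex()


def encode_revoke(spender: str) -> str:
    """Revoking on DeBank or an explorer is just approve(spender, 0): a transaction."""
    return encode_approve(spender, 0)


@dataclass
class Approval:
    spender: str
    amount: int
    unlimited: bool
    exposed: int                      # what this spender could move right now
    warnings: list = field(default_factory=list)


def inspect_approve(calldata: str, balance: int, needed: int) -> Approval:
    """Decode approve() calldata and compare the allowance with the balance held
    and the amount the operation actually requires (all in base units)."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) != 4 + 32 + 32 or data[:4] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    if any(data[4:16]):
        raise ValueError("address word has non-zero padding")
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    unlimited = amount == UINT256_MAX
    warnings = []
    if unlimited:
        warnings.append("unlimited allowance: every future deposit is exposed too")
    elif amount > needed:
        warnings.append("allowance exceeds what this operation needs")
    # transferFrom cannot move more than you hold, so exposure is capped by balance.
    return Approval(spender, amount, unlimited, min(amount, balance), warnings)


def worst_case_exposure(balance: int, allowances: dict) -> int:
    """Largest loss if a single approved contract is hacked: per spender it is
    min(allowance, balance). With unlimited allowances that is the whole balance,
    which is why 16 USDC exposed becomes 1016 after a 1000 USDC deposit."""
    return max((min(allowance, balance) for allowance in allowances.values()), default=0)


if __name__ == "__main__":
    dapp_default = encode_approve(HYPOTHETICAL_ROUTER, UINT256_MAX)
    capped = encode_approve(HYPOTHETICAL_ROUTER, 10 * USDC_UNIT)  # "Custom Spend Limit"
    for calldata in (dapp_default, capped):
        print(inspect_approve(calldata, balance=16 * USDC_UNIT, needed=10 * USDC_UNIT))
    allowances = {HYPOTHETICAL_ROUTER: UINT256_MAX, HYPOTHETICAL_POOL: UINT256_MAX}
    print(worst_case_exposure(16 * USDC_UNIT, allowances) // USDC_UNIT)
    print(worst_case_exposure(1016 * USDC_UNIT, allowances) // USDC_UNIT)
```

Compare the two Approval records it prints: the dapp default is exposed for the full 16 USDC today and for every deposit to come, the capped one stays at the 10 USDC the operation needs. If you feed it the data field of a real pending transaction, pass the hex string in unchanged; anything that is not a 68-byte approve() call is rejected rather than guessed at.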
Verify a smart contract with blockchain explorers
If you go back to the screenshot listing approved smart contracts on a blockchain explorer, you will notice a “Contract” column. Take USDC: by clicking on it you can make sure the smart contract’s source code is verified, indicated by the small green check mark in the relevant tab:
The small “Warning” icon also lets you see which issues have been flagged, though this part will only make sense to the more technical readers. It lists the potential flaws, their severity level and a summary of the consequences they could have:
You can also open a smart contract’s page directly before signing an authorization for it. Click once on the contract address shown in MetaMask, then a second time on the box to the right of the page you are redirected to. That brings you to the same point as in the USDC example to carry out the necessary checks:
It is exactly the kind of small habit that can shield you from certain types of attacks; the OpenSea phishing attack is a reminder of what happens when users sign without checking which contract they are dealing with and what they are actually signing.
View audits and potential history of hacks
The first thing to check before interacting with a DeFi protocol, for example, is whether it has already been hacked. The rekt.news site keeps a rather unflattering leaderboard for this, and its detailed articles (also available in French) explain the method used to exploit each flaw. Then find out whether the flaw has been fixed.
Secondly, look into the audits of the protocol’s smart contracts.
Generally, projects link to their GitBook from the home page of their “showcase” website (not their application); look for a “Doc” or “Documentation” tab. Take the Aave protocol: search for “Audit” in the documentation’s search bar and you get access to all the smart contract audits of the platform.
Clicking, for example, on the PeckShield audit redirects you to GitHub, where you will find that it raised two findings of the “Informational” category, i.e. they do not represent a particular hazard.
Findings are generally classified as follows, in decreasing order of severity:
- Critical;
- High;
- Medium;
- Low;
- Informational.
An audit can be hard to read for a novice. But if you read even just the summary of the findings, the dangers they entail and the remedial actions the team has taken, you will already have done more than 99% of people.
However, keep two things in mind. First, not all smart contract audit firms are created equal; for some, it is enough to “write the check” to obtain a certificate.
The purpose of this guide is not to point fingers, but without naming names, you can go on Twitter and search for “#” followed by the name of a given firm in the field. Look at which kinds of projects boast of being audited by it. When you see many shitcoins in a short time frame, that gives you an indication.
Second, however serious an audit firm is, it can only rely on past experience. You will never be safe from a talented attacker finding a loophole nobody had thought of.
That said, a project whose smart contract has been audited by several firms will still be a sign of seriousness, provided those firms are reputable themselves.
If you cannot find the information on the project’s site, you are free to ask its founders directly. If the team is serious, it will answer you frankly about the progress of the audits and will have no interest in muddying the waters with fine words.
Despite all these tips, keep in mind that no one is immune to a hack or any other scam. Anyone who claims otherwise is heading for ruin.
Beyond technical flaws, human credulity often remains the weak link. Zero risk does not exist, but by following a set of good practices like those set out in this guide, you can limit the risk considerably and navigate the complex ecosystem of cryptocurrencies and blockchain more serenely.