Secure Crypto Wallets | NFT Investors Share Three-Layer Wallet Structure, 6529 Demonstrates Minting, Snapshot Standard Operations


Recently, the founder of DeFiance Capital fell victim to a phishing attack, resulting in a large amount of NFTs and cryptocurrencies being stolen from their wallet. NFT investor ycxc expressed his dismay over the incident and shared personal security measures as a reference for investors looking to enhance their security levels. Renowned NFT collector 6529 also provided some recommendations.

ycxc: https://twitter.com/ycxc_6senseth/status/1506300739232190471?s=21

6529: https://twitter.com/punk6529/status/1506626244284231681?s=21


1. Multi-Wallet Structure

ycxc believes that having a hardware cold wallet is a good choice, but using the cold wallet as the main wallet is not advisable. He personally implements a three-tier wallet system:

  • First Tier: Hot wallet MetaMask
  • Second Tier: Hardware wallet between cold and hot
  • Third Tier: Hardware wallet as a vault

First Tier: Hot wallet MetaMask

This is the wallet used for all daily activities, including interacting with websites, buying/selling, and minting. Make sure the total value held in MetaMask, in USD and NFTs, never exceeds what you can afford to lose. Whenever possible, transfer USD and NFTs out. This wallet operates under the assumption that you could lose everything at any time.

Third Tier: Hardware Wallet Vault

Connecting to the first tier, this is the wallet where users hold USD and high-value NFTs. Other than receiving/sending assets from trusted wallets, no other interactions are made. For higher security, ycxc also refrains from using the third-tier wallet to interact with public addresses. It is recommended to have multiple third-tier wallets, and he recommends the Ledger hardware wallet.

Second Tier: Hardware Wallet Between Cold and Hot

This is used because certain projects/websites may require users to hold specific NFTs for minting, snapshots, etc. ycxc does not want to hold high-value NFTs in the first-tier hot wallet but also does not want to use the third-tier vault wallet. Hence, the need for this second-tier wallet. However, this is limited to trusted websites/projects, and NFTs should be transferred to the vault wallet when idle.

2. Exercise Caution in Contract Interactions

When using the first and second-tier wallets, interacting with a project's smart contracts requires authorizing the platform to operate tokens on behalf of the user. For example, when bidding with WETH on OpenSea, the signed contract authorizes the platform to transfer tokens. OpenSea follows proper procedures, but investors should not assume that every website operates the same way.

Scam teams and hackers are adept at this; seemingly normal contracts may grant hackers permission to transfer all assets. Consequently, malicious links are common in phishing attempts, messages, and emails.
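To make the authorization described above concrete, here is an added example (not from ycxc, 6529 or the original article) that decodes the raw calldata of a pending transaction and reports what it would grant. The selectors are those of the standard `approve(address,uint256)` and `setApprovalForAll(address,bool)` functions; the function name, risk labels and sample inputs are hypothetical and constructed for illustration.

```python
# Added example: classify approval calldata before signing. Names are hypothetical.
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def classify_calldata(data_hex, trusted_operators=()):
    """Describe what an approval-style call would grant, and to whom."""
    raw = data_hex[2:] if data_hex.startswith("0x") else data_hex
    data = bytes.fromhex(raw)
    selector, args = data[:4], data[4:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other", "risk": "unknown"}
    # Both calls take two 32-byte words; an address is left-padded with 12 zero bytes.
    if len(args) != 64 or any(args[:12]):
        return {"kind": "malformed", "risk": "high"}
    operator = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    trusted = operator in {t.lower() for t in trusted_operators}
    result = {"operator": operator, "trusted": trusted}
    if selector == SET_APPROVAL_FOR_ALL:
        if value == 0:
            return {**result, "kind": "revoke_all", "risk": "low"}
        # The operator may move every NFT of this collection held by the wallet.
        return {**result, "kind": "approve_all_nfts",
                "risk": "medium" if trusted else "high"}
    # approve(): the second word is an ERC-20 amount or an ERC-721 token id;
    # calldata alone cannot tell which, so check the target contract as well.
    unlimited = value == MAX_UINT256
    if not trusted:
        risk = "high"
    else:
        risk = "medium" if unlimited else "low"
    return {**result, "kind": "approve", "value": value,
            "unlimited": unlimited, "risk": risk}

# Constructed sample inputs (not real transactions); the operator is a dummy address.
OPERATOR = "0x" + "11" * 20
PAD = "00" * 12
UNLIMITED_ERC20 = "0x095ea7b3" + PAD + "11" * 20 + "ff" * 32
ALL_NFTS = "0xa22cb465" + PAD + "11" * 20 + "00" * 31 + "01"
REVOKE_NFTS = "0xa22cb465" + PAD + "11" * 20 + "00" * 32

if __name__ == "__main__":
    for name, tx in [("erc20", UNLIMITED_ERC20), ("nft", ALL_NFTS), ("revoke", REVOKE_NFTS)]:
        print(name, classify_calldata(tx))
```

An unlimited `approve` or any `setApprovalForAll` to an operator that is not on your own trusted list is the case the tiered structure is meant to contain: sign it only from a wallet that holds nothing you cannot lose.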

3. Cryptocurrency Security Guidelines

Mnemonic Phrase

Do not store mnemonic phrases on any internet-connected devices, whether typed or photographed. Malware lurking on connected devices actively searches for mnemonic phrases. Once detected, it can immediately access wallets and assets.

Also, avoid entering the mnemonic phrase of a hardware cold wallet into a computer, as this would turn the cold wallet into a hot wallet.

Avoid Using MetaMask Mobile Version

ycxc is unsure about the security of this. Mobile phones frequently connect to various random public Wi-Fi networks, websites, and documents, potentially exposing wallets to hacking.

Revoke Authorization

Operations signed with malicious contracts are still recorded on the blockchain. Users can review authorized contracts and revoke them. ycxc mentions that he does this daily or whenever he feels he has signed a suspicious contract. He recommends two websites for revoking authorization:

Note that if the second- and third-tier wallets are created on a Ledger from the same mnemonic phrase and the second-tier wallet one day signs a malicious contract, only the second-tier wallet is compromised. If the mnemonic phrase itself is exposed, however, hackers can access the second- and third-tier wallets simultaneously.
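The review step described under "Revoke Authorization" amounts to replaying a wallet's approval events and keeping only the grants that were never cancelled. The following added example (not from the original article or the people it quotes) does that over already-decoded logs; it assumes `Approval` events come from ERC-20 tokens and leaves single-token ERC-721 approvals out, and all names, addresses and records are constructed placeholders.

```python
# Added example: rebuild a wallet's outstanding approvals from decoded event logs.
def outstanding_approvals(events):
    """Fold Approval / ApprovalForAll events (oldest first) into current grants.

    Returns {(token, owner, spender): description}. ERC-20 figures are an upper
    bound: spending via transferFrom lowers the allowance and need not emit an
    Approval event, so confirm with the token's allowance() before relying on it.
    """
    grants = {}
    for ev in events:
        # "spender" also stands for the operator field of ApprovalForAll here.
        key = (ev["token"], ev["owner"], ev["spender"])
        if ev["event"] == "ApprovalForAll":      # ERC-721 / ERC-1155 operator grant
            active, what = bool(ev["approved"]), "all NFTs in collection"
        elif ev["event"] == "Approval":          # treated as an ERC-20 allowance
            active = ev["value"] > 0
            what = "unlimited" if ev["value"] == 2**256 - 1 else f"up to {ev['value']}"
        else:
            continue
        if active:
            grants[key] = what     # a later event overwrites an earlier one
        else:
            grants.pop(key, None)  # value 0 / approved=False is a revocation
    return grants

def revoke_candidates(events, wallet, trusted_spenders):
    """Grants still open for `wallet` whose spender is not on the trusted list."""
    trusted = {s.lower() for s in trusted_spenders}
    return sorted((token, spender, what)
                  for (token, owner, spender), what in outstanding_approvals(events).items()
                  if owner == wallet and spender.lower() not in trusted)

# Constructed sample history; every address and token name is a placeholder.
HOT, MARKET, UNKNOWN = "0xhot", "0xmarket", "0xunknown"
SAMPLE_EVENTS = [
    {"event": "Approval", "token": "WETH", "owner": HOT, "spender": MARKET, "value": 2**256 - 1},
    {"event": "Approval", "token": "USDC", "owner": HOT, "spender": UNKNOWN, "value": 500},
    {"event": "ApprovalForAll", "token": "NFT-A", "owner": HOT, "spender": UNKNOWN, "approved": True},
    {"event": "Approval", "token": "USDC", "owner": HOT, "spender": UNKNOWN, "value": 0},
]

if __name__ == "__main__":
    print(revoke_candidates(SAMPLE_EVENTS, HOT, [MARKET]))
```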

6529: You Need a Cold Wallet

6529 laments:

Every time I post saying, "Get a cold wallet," ten people reply saying, "This won't protect you from signing malicious contract authorizations." That's right, but the purpose of a cold wallet is to protect you from malicious software running on your computer, not your own mistakes.

To avoid mistakes, 6529 suggests:

  • Avoid signing contracts from unknown websites found on Discord.
  • If you must sign, use a wallet with fewer NFTs for operations.

He mentions that he initially moved the Mutant Ape mintpass NFT to an empty address before minting and did the same when minting Quantum NFTs.

Additionally, he believes that practices like snapshots, airdrops, mintpass are insecure, and major projects should avoid such operations. For added security, he holds several cold wallets along with dozens of hot wallets.