Author: day, Plain Blockchain
Recently, users of BN and OK have experienced asset theft issues, sparking a renewed discussion on asset security. Some users immediately withdrew their tokens from the trading platforms when news broke, as one should not stand under a tottering wall.
In this wave of market development, it is evident that the major opportunities in the industry are primarily focused on the chain. The trading platforms are highly competitive, and with the collapse of the value investment system, it has become extremely challenging for retail investors to make money on these platforms. As a result, users are gradually shifting towards on-chain transactions, where the most critical issue is the security of their wallets.
Next, we will comprehensively understand how to protect blockchain assets by exploring wallet-related knowledge, theft cases, and protecting private keys from various aspects.
01 Wallet-related Knowledge
Before ensuring the security of your assets, it is essential to have a basic understanding of some wallet-related concepts in the industry. Let’s briefly introduce a few related concepts.
1. Symmetric Encryption and Asymmetric Encryption
Before looking at public and private keys, let’s briefly review symmetric and asymmetric encryption in cryptography. Symmetric encryption means that A can be turned into B by a specific algorithm (and key), and conversely B can be decrypted back to A with that same algorithm and key. Asymmetric encryption also turns A into B, but B cannot be decrypted back to A with the same key: encryption and decryption use different keys, one of which is kept secret.
2. Public (Private) Key, Mnemonic Phrase, Address
Having understood symmetric and asymmetric encryption, we can better grasp some basic concepts related to wallets.
Key Pair: In asymmetric encryption, there is a key pair consisting of a public key and a private key. The public key is public, while the private key is kept private.
Public Key: Used to encrypt data, data encrypted with the public key can only be decrypted using the private key.
Private Key: Can generate a public key and decrypt data encrypted with the public key.
Address: Corresponds to the “public key.” Because the public key is lengthy, the “address” was created as a shorter form derived from it.
Mnemonic Phrase: Corresponds to the “private key.” Because private keys are randomly generated strings that are long and hard to remember, a set of human-readable words is used in place of the private key to help users remember it, typically 12 random words. (Private Key = Mnemonic Phrase)
Electronic (Digital) Signature: A piece of information (e.g., transferring 100 Ethereum to someone) must be signed with your private key before it is broadcast to the blockchain.
Signature Verification: The recipient can verify this message is indeed signed by your private key using your public key. Hence, whoever controls the private key has control over the wallet.
In simple terms, the public key (address) is like your account number, while the private key (mnemonic phrase) is like your account number and password (as the private key can generate the public key).
To draw a comparison with a bank card: public key = bank account; address = bank card number; password = bank card password; private key = bank card number + bank card password; mnemonic phrase = private key = bank card number + bank card password; Keystore + password = private key.
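To make the concepts above concrete (mnemonic phrase → private key → public key → address, and signing versus signature verification), here is an added worked example in Python. It is not code from the original article or from any wallet vendor. It implements textbook ECDSA over secp256k1 (the curve used by Bitcoin and Ethereum) with no third-party libraries, derives the seed from the words with the standard BIP39 PBKDF2 step and the master key with the BIP32 HMAC step, and uses a simplified address (last 20 bytes of SHA-256 over the public key) as a stand-in, since real chains use Keccak-256 or SHA-256+RIPEMD-160 which the Python standard library does not guarantee. The mnemonic string is constructed for illustration and must never be used for real funds.

```python
import hashlib
import hmac
import secrets

# secp256k1 curve parameters (the curve used by Bitcoin and Ethereum)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Add two affine points on secp256k1; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: words -> 64-byte seed via PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048)


def seed_to_master_private_key(seed):
    """BIP32: master private key is the left 32 bytes of HMAC-SHA512 keyed with 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    priv = int.from_bytes(digest[:32], "big")
    if priv == 0 or priv >= N:
        raise ValueError("invalid seed, derive again")  # astronomically unlikely
    return priv


def private_to_public(priv):
    """The public key is the private key multiplied onto the generator point."""
    return scalar_mult(priv, G)


def public_to_address(pub):
    """Simplified address stand-in (assumption for this example): last 20 bytes of
    SHA-256 over the uncompressed key. Ethereum uses Keccak-256 and Bitcoin
    SHA-256+RIPEMD-160, but the idea is the same: a short fingerprint of the public key."""
    raw = b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return hashlib.sha256(raw).digest()[-20:].hex()


def sign(priv, message):
    """ECDSA signature (r, s) over SHA-256(message). Only the private key holder can produce it."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # nonce must be fresh and secret for every signature
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s == 0:
            continue
        if s > N // 2:  # low-s normalisation, as Bitcoin requires
            s = N - s
        return (r, s)


def verify(pub, message, signature):
    """Anyone holding the public key can check the signature; no private key is needed."""
    r, s = signature
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


def demo():
    # Constructed example phrase: not a real wallet, never fund it.
    words = "plain blockchain example words only never use these"
    priv = seed_to_master_private_key(mnemonic_to_seed(words))
    pub = private_to_public(priv)
    message = b"transfer 100 ETH to Bob"
    sig = sign(priv, message)
    return {
        "address": public_to_address(pub),
        "valid": verify(pub, message, sig),
        "tampered_valid": verify(pub, b"transfer 100 ETH to Mallory", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the article's analogy: the same words always yield the same private key (so whoever reads your backup owns the wallet), the public key and address follow from it, and a signature verifies only for the exact message it was made for.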
3. Saving the Private Key (Mnemonic Phrase)
Your tokens do not exist within your wallet app but rather in the address corresponding to your private key on the blockchain network. As long as you possess the private key, you can access all wallets that support the chain where you have tokens. The wallet serves as a frontend only to display account funds and does not store your private key.
Losing your private key means losing your assets, which cannot be recovered through the wallet. When you register a wallet for the first time, the wallet page usually reminds you to be cautious about this. This is entirely different from platforms like QQ or WeChat, where a forgotten password can be recovered through mobile verification, security questions, or friend verification. This is the charm of blockchain decentralization: your assets belong entirely to you.
4. Types of Wallets
Based on whether the private key is connected to the internet, wallets can be categorized as hot wallets and cold wallets, as shown in the image.
Hot Wallets: Client wallets, plugin wallets, mobile apps.
Easy to use, suitable for beginners, high efficiency in transactions, low security, prone to theft.
Cold Wallets: Hardware wallets.
High security, suitable for storing large assets, complex setup, cumbersome transactions, hardware damage or private key loss can lead to asset loss.
From the above, we can understand that the private key is everything, and all measures taken to protect assets are actually aimed at safeguarding the private key: protect the private key, protect the private key, protect the private key (prevent it from being lost or stolen by others).
02 Theft Cases
Having understood the relevant concepts, let’s explore the major cases of losses currently prevalent. By studying these cases, we can better protect our wallets.
1. Private Key (Mnemonic Phrase) Leakage
In early 2021, the founder of Shengcaiyoushu, Yiren, stored his Bitcoin private key in a cloud note, resulting in the loss of eight-figure assets in BTC.
In November 2022, the founder of Distributed Capital, Shen Bo, had $42 million worth of digital assets stolen, including 38,233,180 USDC, 1607 ETH, 719,760 USDT, and 4.13 BTC. According to subsequent analysis by security firm SlowMist, the theft occurred due to leaked mnemonic phrases.
2. Private Key (Mnemonic Phrase) Loss
British IT engineer James Howells lost a computer hard drive in 2013 containing 8000 bitcoins. Nine years later, he plans to spend $74.3 million to search through a landfill to retrieve the computer hard drive.
3. Clicking on Virus Links
A user casually clicked on a link sent by someone, allowing hackers to read the local encrypted backups of MetaMask and steal all assets.
A Twitter KOL clicked on a privately sent link, leading to the hacking of the Twitter account. The hacker then posted virus-infected airdrop messages, exploiting the trust of fans in the KOL to click on the link and steal their assets.
4. Unauthorized Authorization, Application Vulnerabilities
On October 2, Token Pocket’s DEX Transit Swap announced that it had been hacked, resulting in a loss of over $15 million in assets, prompting users to revoke authorization.
On October 11, the DeBank team’s plugin wallet Rabby revealed a vulnerability in its Swap contract, advising users to revoke Rabby Swap authorization, ultimately resulting in hackers profiting over $190,000.
5. Downloading Fake Apps (with Malware)
Some hackers obtain user information from platforms and spread panic messages through SMS, claiming the platform is no longer secure and urging users to click on a link to reinstall the app or log in to their accounts. Upon login, the account funds are stolen.
A user downloaded a fake Binance app and mistakenly transferred assets to another address, resulting in the permanent loss of 5 ETH.
From the above cases, we can see that user asset theft mainly occurs in several scenarios: private key (mnemonic phrase) leakage, private key (mnemonic phrase) loss, clicking on virus links, unauthorized authorization, application vulnerabilities, and downloading fake apps (with malware).
Next, let’s organize some methods to prevent the occurrence of the above situations.
03 How to Avoid Financial Losses
1. Private Key Storage (Core: Not easily lost, not easily damaged, inaccessible to others or unusable if accessed)
Back up your wallet promptly after it is generated, with double backups, as losing it means it cannot be recovered.
Store the mnemonic phrase on an offline and secure medium, such as writing it on paper, encrypting it yourself (adding or removing specific characters for easy memory), storing it in a photo on a smartphone that is never connected to the internet, or using mnemonic phrase-related iron plates provided by some wallet providers.
Use a cold wallet (hardware wallet), opt for reputable cold wallets, purchase from official channels, avoid third-party purchases (which may contain viruses), set a strong password, and back up the private key to prevent loss or damage of the hardware wallet.
2. Preventing Private Key (Mnemonic Phrase) Leakage
Avoid copying and pasting the private key, as some software can read the user’s clipboard.
Do not store the private key in WeChat favorites, file transfers, Baidu Cloud, Evernote, or other online platforms.
Never disclose your private key to anyone, remember, not to anyone, as scammers may impersonate wallet officials to trick you into revealing your private key. Do not trust them, as wallet providers have no authority to obtain user private keys.
Avoid copying and pasting the private key when using public Wi-Fi.
Download applications only from official channels; even app stores (all of them) can sometimes be untrustworthy, as fake apps may be listed there.
Exercise caution when signing transactions with wallets, especially for DeFi protocols and NFT interactions, remember to revoke authorization promptly to prevent asset theft in case of application vulnerabilities.
Avoid clicking on links sent by others (via SMS), downloading shared files, or even clicking on links from KOLs, as they may contain viruses.
If you notice even a slight leakage of assets in your wallet, immediately abandon the wallet without any hope of recovery.
Do not use free VPNs.
Stay informed with the latest news to stay updated on new theft information.
For users heavily involved in on-chain activities, it is recommended to install the ScamSniffer browser plugin, which can intercept and alert you when visiting phishing sites and provide reminders when browsing fake official replies.
All these measures are aimed at protecting your private key from leaking. Remember, not your key, not your money!
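The advice above to sign carefully and revoke authorizations promptly refers to the ERC-20 `approve` call: a dApp asks you to sign a transaction that lets its contract spend your tokens, and revoking simply means signing a new `approve` for that spender with amount 0. Here is an added Python example (not from the article or any wallet) that decodes such calldata before you sign it, flags an unlimited approval (2^256-1, the common "infinite approval" that makes an application vulnerability costly), and builds the revoke calldata. The function selectors are the standard ERC-20 ones; the spender address is constructed for illustration.

```python
# Standard ERC-20 4-byte function selectors (first 4 bytes of keccak256 of the signature)
SELECTORS = {
    "095ea7b3": "approve",       # approve(address,uint256)
    "a9059cbb": "transfer",      # transfer(address,uint256)
    "23b872dd": "transferFrom",  # transferFrom(address,address,uint256)
}
APPROVE_SELECTOR = "095ea7b3"
UNLIMITED = 2**256 - 1  # "infinite approval": the spender may drain the whole balance


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    spender_word = int(spender, 16).to_bytes(32, "big").hex()  # address right-aligned in its word
    amount_word = amount.to_bytes(32, "big").hex()
    return "0x" + APPROVE_SELECTOR + spender_word + amount_word


def inspect_calldata(calldata):
    """Decode the calldata of a transaction before signing it and say what it really does."""
    data = calldata[2:] if calldata.lower().startswith("0x") else calldata
    selector = data[:8].lower()
    name = SELECTORS.get(selector, "unknown")
    if name != "approve":
        return {"function": name, "selector": selector}
    # approve takes exactly two 32-byte arguments; the address word has 12 leading zero bytes
    if len(data) != 8 + 64 * 2 or data[8:32] != "0" * 24:
        return {"function": "approve", "malformed": True}
    spender = "0x" + data[32:72]
    amount = int(data[72:136], 16)
    return {
        "function": "approve",
        "spender": spender,
        "amount": amount,
        "unlimited": amount == UNLIMITED,
    }


def build_revoke(spender):
    """Revoking an authorization is just approve(spender, 0)."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    # Constructed spender address for illustration only
    dapp_contract = "0x1111111111111111111111111111111111111111"
    risky = encode_approve(dapp_contract, UNLIMITED)
    print(inspect_calldata(risky))         # unlimited == True: think before signing
    print(inspect_calldata(build_revoke(dapp_contract)))  # amount 0 after revoking
```

The decoder only recognises the three basic ERC-20 functions; anything else is reported as unknown rather than guessed, which is the safe default when a wallet prompt shows data you cannot read.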
3. Diversify Asset Placement
You can diversify your funds by placing them in both wallets and trading platforms. Although the FTX incident has eroded trust in centralized trading platforms, for the vast majority of people, storing assets on a few top centralized platforms is relatively safer than holding them yourself. It is also more convenient, and as long as the losses are not significant, these top platforms should be able to compensate.
When using centralized trading platforms, pay attention to the following:
Enable two-factor authentication (phone, email, Google 2FA).
Enable token whitelisting.
Download the app from official channels.
When making transfers, verify that the address is correct.
Additionally, when logging into the official website of a trading platform using a browser, BN provides several security suggestions:
Isolation – Create a separate Chrome user to log in to DAPP, do not install plugins.
Clearance – When using financial APPs, remember to log out of the website after use.
Incognito – Open the website in incognito mode, disable any plugins.
Privacy – For financial operations, use a separate computer or Apple phone; the security level will be higher.
Permissions – For financial permissions, set to log out immediately after a few minutes.
04 Conclusion
Through the relevant knowledge mentioned above, novice users can gain a comprehensive understanding of blockchain asset security. With the increasing development of blockchain and on-chain interactions, wallet usage will gradually become an important foundational skill. While all these measures do not provide absolute security, they can help us avoid most pitfalls. As the blockchain continues to evolve, new issues will emerge, requiring us to continuously enhance our knowledge.
For small funds, it may not be necessary to follow all the above methods for storage. However, when safeguarding significant assets, one must be extremely cautious, as a single mistake could lead to being left behind by the blockchain train forever, unable to catch up.