Introduction
OKX Web3 Wallet has specially planned the “Security Special Issue” column to provide specialized answers to different types of on-chain security issues. Through real-life examples from users’ own experience, together with experts and organizations in the security field, we aim to provide insights and answers from different perspectives, in order to comprehensively summarize the rules of secure transactions. Our goal is to strengthen user security education and help users learn to protect their private keys and wallet assets themselves.
Is the Security Factor for Frequent Users Negative 5?
For frequent on-chain users, security is always the top priority.
Today, two veteran “pitfall avoiders” of on-chain interaction will show you how to protect yourself with a security protection strategy.
This is the third issue of the Security Special Issue. We have invited industry-renowned security expert 0xAA and the OKX Web3 Wallet security team to explain the common security risks and preventive measures for “frequent users” from the perspective of practical operation guides.
WTF Academy: Thank you very much to OKX Web3 for the invitation. I am 0xAA from WTF Academy. WTF Academy is a Web3 open-source university that helps developers get started with Web3 development. This year, we incubated a Web3 rescue project called RescuETH (On-Chain Rescue Team), which focuses on rescuing stolen assets from users’ wallets. So far, we have successfully rescued over 3 million RMB worth of stolen assets on Ethereum, Solana, and Cosmos.
OKX Web3 Wallet Security Team: Hello everyone, we are very happy to participate in this sharing session. The OKX Web3 Wallet Security Team is mainly responsible for the construction of various security capabilities of OKX in the Web3 field, such as wallet security, smart contract security audit, on-chain project security monitoring, etc. We provide users with multiple protection services such as product security, fund security, and transaction security, and contribute to maintaining the entire blockchain security ecosystem.
Q1: Please share some real-life risk cases encountered by frequent users.
WTF Academy: One of the major security risks that frequent users face is the leakage of private keys. Essentially, a private key is a string of characters used to control crypto assets. Anyone who possesses the private key has complete control over the corresponding crypto assets. Once the private key is leaked, attackers can access, transfer, and manage the user’s assets without authorization, resulting in financial losses. So, I will focus on sharing a few cases of private key theft.
Alice (alias) was induced by a hacker on social media to download malicious software, which led to the theft of her private key. Currently, malicious software takes many forms, including but not limited to mining scripts, games, conferencing software, phishing scripts, and clipper bots. Users need to increase their security awareness.
Bob (alias) accidentally uploaded his private key to GitHub, which was obtained by others, resulting in the theft of his assets.
Carl (alias) trusted a fake customer service agent who proactively contacted him in the official Telegram group of a project and disclosed his mnemonic phrase, resulting in the theft of his wallet assets.
OKX Web3 Wallet Security Team: There are many such risk cases, and we have selected several classic cases that users have encountered during on-chain interactions.
The first type is lookalike accounts publishing fake airdrops. User A was browsing a popular project’s Twitter and found a notice of an airdrop activity below the latest tweet. He clicked on the notice link to participate in the airdrop, which eventually led to phishing. Currently, many phishers use lookalike accounts that imitate official ones and repeatedly post false announcements under official tweets, thereby misleading users. Users should be vigilant and not take it lightly.
The second type is the hijacking of official accounts. The official Twitter and Discord accounts of a certain project were hacked, and the hacker posted a false airdrop activity link on the official account. Since the link was posted through official channels, user B did not doubt its authenticity and clicked on the link to participate in the airdrop, only to be phished.
The third type is encountering malicious project teams. User C participated in the mining activities of a certain project and invested all his USDT assets into the staking contract of the project in order to obtain higher rewards. However, the smart contract did not undergo strict auditing and was not open-source. As a result, the project team stole all the assets deposited by user C through the backdoor reserved in the contract.
For frequent users, who often have dozens or even hundreds of wallets, it is very important to protect wallet and asset security. They need to remain vigilant and increase their security awareness.
Q2: What are the common security risks and protective measures for frequent users in on-chain interactions?
WTF Academy: For frequent users and all Web3 users, the two common security risks are phishing attacks and private key leakage.
The first type is phishing attacks: Hackers usually impersonate official websites or applications and lure users to click on them through social media and search engines. Then, they induce users to trade or sign on phishing websites to obtain token authorization and steal users’ assets.
Protective measures: First, we recommend that users only access official websites and applications through official channels (such as links in the official Twitter bio). Second, users can use security plugins to automatically block some phishing websites. Third, when entering suspicious websites, users can consult professional security experts to help judge whether they are phishing websites.
The second type is private key leakage, which has been introduced in the previous question and will not be elaborated here.
Protective measures: First, if a user’s computer or mobile phone has a wallet installed, try not to download suspicious software from unofficial channels. Second, users need to know that official customer service will not proactively private message you, let alone ask you to send or enter private keys and mnemonic phrases on fake websites. Third, if a user’s open-source project needs to use a private key, please configure the .gitignore file first to ensure that the private key is not uploaded to GitHub.
OKX Web3 Wallet Security Team: We have summarized five common security risks that users face in on-chain interactions and listed some protective measures for each risk.
1. Airdrop scam
Risk overview: Some users often find a large number of unknown tokens in their wallet addresses. These tokens usually fail to be traded on popular DEX platforms, and the page will prompt users to go to their official website for redemption. When users make authorization transactions, they often grant the smart contract permission to transfer their account assets, which eventually leads to asset theft. For example, in the Zape airdrop scam, many users suddenly received a large amount of Zape coins in their wallets, with a value that appeared to be tens of thousands of dollars. This made many people think that they had accidentally struck it rich. However, this was actually a carefully designed trap. Since these tokens cannot be queried on legitimate platforms, many users who are eager to cash out will search for the so-called “official website” based on the token name. Following the instructions to connect their wallet, they think they can sell these tokens, but once authorized, all the assets in the wallet are immediately stolen.
Protective measures: To avoid airdrop scams, users need to remain highly vigilant, verify the source of information, and always obtain airdrop information from official channels such as the project’s official website, official social media accounts, and official announcements. Protect private keys and mnemonic phrases, do not pay any fees, and use communities and tools for verification and identification of potential scams.
2. Malicious smart contracts
Risk overview: Many unaudited or closed-source smart contracts may contain vulnerabilities or backdoors, and cannot guarantee the security of user funds.
Protective measures: Users should try to interact only with smart contracts that have been rigorously audited by reputable audit companies or check the project’s security audit report. In addition, projects with bug bounty programs usually have better security guarantees.
3. Authorization management
Risk overview: Excessive authorization to interacting contracts may result in fund theft. Here are a few examples: 1) If the contract is an upgradable contract and the privileged account’s private key is leaked, attackers can use that private key to upgrade the contract to a malicious version and steal the assets of authorized users. 2) If the contract has unidentified vulnerabilities, excessive authorization may allow attackers to exploit these vulnerabilities in the future and steal funds.
Protective measures: In principle, users should only grant necessary authorization to interacting contracts and regularly check and revoke unnecessary authorizations. When signing off-chain permit authorization, it is important to clearly understand the target contract/asset type/authorization amount and think twice before acting.
4. Phishing authorization
Risk overview: Clicking on malicious links and being induced to authorize malicious contracts or users.
Protective measures: 1) Avoid blind signatures: Before signing any transaction, make sure to understand the content of the transaction to be signed, and ensure that each operation is clear and necessary. 2) Be cautious about the authorization target: If the authorization target is an EOA address (Externally Owned Account) or an unverified contract, extra caution is required. Unverified contracts may contain malicious code. 3) Use phishing-proof wallet plugins: Use wallet plugins with anti-phishing protection, such as OKX Web3 Wallet, which can help identify and block malicious links. 4) Protect mnemonic phrases and private keys: All websites that require mnemonic phrases or private keys are phishing links. Do not enter this sensitive information on any website or application.
5. Malicious airdrop scripts
Risk overview: Running malicious airdrop scripts can result in the installation of Trojan horses on computers, leading to the theft of private keys.
Protective measures: Be cautious when running unknown airdrop scripts or airdrop software.
In conclusion, we hope that users can remain cautious and protect their wallet and asset security when interacting on-chain.
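The “Authorization management” and “Phishing authorization” points above both come down to reading an approval before signing it: who the spender is, how much is approved, and (for an off-chain permit) how long the signature stays valid. The following is an added example, not code from the article or from OKX/WTF Academy, that performs that review on an ERC-20 `approve(address,uint256)` calldata and on an EIP-2612 permit typed-data message; the function names, addresses and sample inputs are constructed for illustration.

```python
# Added example (not from the article): a pre-signing review of ERC-20 approvals,
# covering an on-chain approve(address,uint256) call and an off-chain EIP-2612
# permit message. Function names, addresses and sample inputs are constructed.
from typing import Any, Dict, List, Optional, Set

MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
ONE_YEAR = 365 * 24 * 3600

def decode_approve_calldata(calldata: str) -> Dict[str, Any]:
    """Split raw approve() calldata into its spender address and allowance."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 * 2 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    spender = "0x" + data[8 + 24:8 + 64]      # address is the low 20 bytes of the first word
    amount = int(data[8 + 64:8 + 128], 16)    # second word: allowance as uint256
    return {"spender": spender, "amount": amount}

def review_approval(spender: str, amount: int, trusted: Set[str], now: int,
                    deadline: Optional[int] = None) -> List[str]:
    """Return warnings for the points the article lists: target, amount, validity."""
    warnings = []
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance: cap it to what this interaction needs")
    if spender.lower() not in {t.lower() for t in trusted}:
        warnings.append(f"spender {spender} is not a contract you have verified on an explorer")
    if deadline is not None and deadline > now + ONE_YEAR:
        warnings.append("permit deadline is over a year away: a leaked signature stays valid that long")
    return warnings

def review_permit(typed_data: Dict[str, Any], trusted: Set[str], now: int) -> List[str]:
    """Review the EIP-712 payload a dApp asks the wallet to sign for a gasless permit."""
    if typed_data.get("primaryType") != "Permit":
        raise ValueError("not an EIP-2612 Permit message")
    msg = typed_data["message"]
    return review_approval(msg["spender"], int(msg["value"]), trusted, now, int(msg["deadline"]))

# Constructed samples: an unlimited approve() to an unknown address, and a permit to it.
UNKNOWN_SPENDER = "0x" + "11" * 20
SAMPLE_APPROVE_CALLDATA = "0x" + APPROVE_SELECTOR + "00" * 12 + "11" * 20 + "ff" * 32
SAMPLE_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "22" * 20},
    "message": {"owner": "0x" + "aa" * 20, "spender": UNKNOWN_SPENDER,
                "value": MAX_UINT256, "nonce": 0, "deadline": MAX_UINT256},
}
NOW = 1_700_000_000  # constructed "current time" (unix seconds)

if __name__ == "__main__":
    call = decode_approve_calldata(SAMPLE_APPROVE_CALLDATA)
    print(review_approval(call["spender"], call["amount"], set(), NOW), review_permit(SAMPLE_PERMIT, set(), NOW))
```

An empty list from `review_approval` means none of the three checks fired; a real wallet would additionally resolve the spender on-chain to tell an EOA from a verified contract, which this offline example leaves as a caller-supplied trusted set.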
Q3: Summarize the classic types and tactics of phishing attacks, and how to identify and avoid them?
WTF Academy: I would like to answer this question from a different perspective: once users find that their assets have been stolen, how to distinguish between phishing attacks and private key leakage? Users can usually distinguish them based on the characteristics of these two types of attacks:
1. Characteristics of phishing attacks: Hackers usually obtain authorization for one or more assets in a single wallet of the user through phishing websites, thereby stealing those assets. Generally speaking, the number of asset types stolen equals the number of times the user authorized on the phishing website.
2. Characteristics of private key/mnemonic phrase leakage: Hackers gain complete control over all assets in a user’s single or multiple wallets. Therefore, if the following characteristics occur