Beginner’s Guide to Web3 Security: Navigating Wallet Types and Risks
Background
As the cryptocurrency market heats up, Web3 projects are rapidly evolving, and the excitement among users is constantly growing. Along with this surge comes the risk of users inadvertently falling victim to hacks or scams when learning about various new projects. In light of this, and based on the information we’ve gathered both on-chain and off-chain, we aim to create a series of educational articles directly related to user asset security, thus giving rise to the “Beginner’s Guide to Web3 Security Series”.
In this series, we plan to go into details regarding the risks in the Web3 space. We will be using real-life examples to help readers better identify and mitigate risks. The guide primarily covers, but is not limited to: risks involved in downloading and using wallets; pitfalls that might be encountered while participating in various Web3 ecosystems; how to better discern whether signature authorizations are dangerous; and what to do if unfortunately hacked. (Note: The content is subject to change based on new developments and editorial decisions, so the final version may differ slightly in detail and length.)
Whether you’re a Web3 newcomer overwhelmed by industry jargon and unknown risks, or an experienced enthusiast facing challenges in the blockchain space, this guide is for you. Our aim is to help every users effectively safeguard their assets and confidently navigate the dark forest of blockchain.
Wallet category
It is well-known that wallets serve as both the gateway to the crypto world and a fundamental component of Web3 infrastructure. So, without further ado, let us introduce the first topic: Wallet Types and Risks.
Browser wallets
Browser wallets such as MetaMask, Rabby, etc. are installed as browser plug-ins in the user’s browser (such as Google Chrome, Firefox, etc.). They are typically easier to access and use, not requiring the download or installation of additional software.
Web wallets ( not recommended)
Web wallets allow users to access and manage their crypto assets through a web browser. While convenient, the risks associated with web wallets are significant. Typically, web wallets encrypt mnemonic phrases and store them in the browser’s local storage, making them vulnerable to malware and cyber attacks.
Mobile wallets
Similar to web wallets, mobile wallets operate as apps that users can download and install on their smartphones.
Desktop wallets
Desktop wallets were more common in the early days of cryptocurrency, with well-known ones such as Electrum, Sparrow, etc. These wallets are installed as applications on a computer, with private keys and transaction data stored locally on the user’s device, giving users full control over their crypto keys.
Hardware wallets
Hardware wallets, such as Trezor, imKey, Ledger, Keystone, and OneKey, are physical devices used to store cryptocurrencies and digital assets. They offer offline storage of private keys, meaning private keys are not exposed online during interactions with DApps.
Paper wallets ( not recommended)
Paper wallets involve printing a cryptocurrency’s address and its private key on paper as a QR code, which is then used to conduct transactions by scanning the code.
Common wallet risks
Downloading Fake wallets
Due to a person’s geographical locations, limitations like the absence of Google Play support or network issues, many users are forced to download wallets from third-party sites or randomly through browser searches, often leading to the installation of fake wallets. This is especially dangerous since ad space and search rankings can be bought, allowing scammers to lure users with fake wallet websites. The picture below shows the results of searching for TP wallet using Baidu:
Buying Fake Wallets
Supply chain attacks pose a significant threat to the security of hardware wallets. If not purchased from official stores or authorized dealers, there’s uncertainty about how many hands the wallet has passed through before reaching the user, and whether its components have been tampered with. In the picture below, the hardware wallet on the right has been tampered with.
Trojans on Computers
Wallets can be compromised by malware if a computer is infected. The SlowMist security team once wrote an article: How Scammers Are Stealing Your Crypto With RedLine Malware , highlighting the process and impact of such risks. It’s advised to install antivirus software like Kaspersky, AVG, or 360, keep real-time protection active, and regularly update the virus database.
Inherent Wallet Vulnerabilities
Even if you download an authentic wallet and are cautious in its use, vulnerabilities in the wallet’s design could still expose it to hacker attacks. This underscores the importance of choosing wallets not just for their convenience, but also for the openness of their source code. External developers and auditors can identify potential vulnerabilities through open-source code, reducing the likelihood of attacks. Should a breach occur due to a vulnerability, security personnel can quickly locate and address the issue.
Summary
In this issue, we’ve introduced different types of wallets and highlighted common risks to help our readers develop a fundamental understanding of wallet security. Regardless of the type or brand of wallet you choose, always keep your mnemonic phrases and private keys confidential and secure. Consider combining the strengths of different types of wallets, such as using a combination of well-known hardware and software.
In our next issue, we’ll delve into the pitfalls of downloading and purchasing wallets, offering detailed insights to guide you safely. Stay tuned! (Note: The wallet brands and images mentioned are solely for educational purposes and should not be considered endorsements or guarantees.)
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.