The Smart User's Essential Web3 Security Guide


Many users are drawn to the promise of Web3, but may not know all the security best practices in this emerging space. It’s important to keep your information and assets safe when using cryptocurrency, so you don’t suffer identity theft or financial losses. Here at Dragonscale, we’ve found that even experienced Web3 adopters may not be taking all the steps they should to protect themselves.

To help bridge that gap, this guide provides an overview of essential Web3 security practices that are broadly applicable across blockchain technologies.

Note that blockchains vary in their technical details, and it’s not feasible to cover all variations in a single, short guide. The discussion here applies primarily to Ethereum and similar blockchains.

To understand Web3 security and how to protect yourself, let’s start by reviewing the fundamental concepts you need to know:

Basic concepts in Web3 security

Tokens

The assets in crypto are primarily tokens on a blockchain. There are two types of tokens: fungible and non-fungible.

Cryptocurrencies are fungible tokens–identical and divisible units of value. Unique digital assets such as art, music, games, and memes can be marketed and sold online as non-fungible tokens (NFTs), an increasingly popular way for creators to profit from their digital creations.

In most blockchains, every node in the network holds a copy of the record of every token. In other words, each node contains a complete copy of all the network’s data.

When you buy or sell an NFT, the change of ownership is recorded in the blockchain. Sometimes the content of an NFT is code that is stored on-chain; this is often the case for generative or algorithmically created art. If the content is another file such as a JPG, it is pointed to by a uniform resource identifier (URI) field. For example, it may point to a decentralized store or peer-to-peer sharing storage network such as The InterPlanetary File System (IPFS).

Public keys

A public key is a blockchain address. It’s analogous to an email address, in that you may share it with others, allowing them to send tokens to it.

You can’t control what people send to your public key, so you may get the blockchain equivalent of spam.

Unlike an email address, your public key is public in another sense: every transaction it participates in and every token stored with it is also visible. It’s public because the blockchain as a whole is public.

Private keys

A private key acts as the password for the public key. A public key and private key come in pairs. The private key allows you to move tokens out of the public key, and to sign messages.

Your private key is the main thing that needs to be guarded, from a security perspective. Never share it.

Wallets

A wallet is software that contains a set of private keys. Wallets come in a variety of configurations. For example, some run on devices you own (e.g., a laptop or smartphone), while others run on special-purpose devices (e.g., a Trezor or Ledger).

There are three distinctions commonly applied to wallets. They are either:

  • hosted (by some web service) or non-hosted (on a device you own)
  • hot (on an internet-connected device) or cold (on a non-internet connected device)
  • custodial (with a service controlling the private keys) or non-custodial (with you controlling the private keys)

Seed phrase

A seed phrase is a set of words (usually 12, 18, or 24) provided when setting up a wallet. It can be used to recover the wallet.

Your seed phrase must be recorded and stored in a safe and secure place; see the guidelines below under MetaMask.

Passphrase

A passphrase is a set of characters, chosen when setting up a wallet, that’s combined with your seed phrase for wallet recovery. The passphrase is optional–an empty set of characters is the default.
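As an added illustration of the seed phrase and passphrase sections above (this code is not from the original guide), here is the recovery step a BIP39-compatible wallet performs: the words and the optional passphrase are stretched into the wallet seed, so a different or forgotten passphrase silently opens a different, empty wallet rather than producing an error. Only the Python standard library is used; the mnemonic is the public BIP39 test vector and the function names are assumptions of this example.

```python
import hashlib
import unicodedata

# Constructed input: the published BIP39 English test mnemonic (all-zero
# entropy). It is public knowledge, so it must never be used for a real wallet.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from a seed phrase plus optional passphrase.

    This is the BIP39 recovery step behind the 12/18/24-word phrases the guide
    describes: both strings are NFKD-normalised, the passphrase is appended to
    the fixed salt prefix "mnemonic", and PBKDF2-HMAC-SHA512 runs for 2048
    rounds. The default passphrase is the empty string, as the guide notes.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def recovery_comparison(mnemonic: str, passphrase: str) -> dict:
    """Show why the passphrase must be backed up together with the seed phrase:
    the same words with a different (or forgotten) passphrase derive a
    completely different wallet, and no error is raised."""
    default_seed = bip39_seed(mnemonic)
    custom_seed = bip39_seed(mnemonic, passphrase)
    return {
        "default_seed": default_seed.hex(),
        "passphrase_seed": custom_seed.hex(),
        "same_wallet": default_seed == custom_seed,
    }
```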

Security imperatives

The three items that must be secured and never shared are private keys, seed phrases, and passphrases. Any request for your private key, seed phrase, or passphrase is a security threat.

One challenge is that the goal of security is in tension with resilience, that is, the measures that make it less likely that you’ll lose access to your private keys. Security requires keeping your private keys away from others, while resilience requires keeping access to your private keys yourself. Unfortunately, measures that increase security may impair resilience, and vice versa. Every user must find a balance between these two poles in their Web3 activities.

Types of wallets

Different types of wallets offer different levels of security and serve different uses. There are many different wallet offerings available. Here, we will only mention the major categories of wallets and a few prominent options. Note that these are merely examples and not endorsements.

Popular exchanges often offer hosted wallets. For example, Coinbase offers hosted, custodial accounts as well as hosted, non-custodial wallets.

Many decentralized apps (dApps) require a compatible wallet–typically a non-hosted, hot wallet. In the Ethereum ecosystem, the most popular of these is MetaMask, which supports both a browser extension and mobile app.

Always remember that hot wallets store your private keys on your phone or laptop and are therefore vulnerable to viruses.

Hardware wallets, in contrast, are dedicated hardware devices that run wallet software. The most popular of these are Trezor and Ledger.

Security concerns by transaction size

Most users will employ more than one wallet to cover different uses. We can consider three scenarios based on whether the monetary value of the assets involved are small, medium, or large. The exact monetary value for each category will depend on the individual, so let’s think about them qualitatively.

Small amounts are amounts you’re willing to expose to higher risk of loss for the sake of convenience. Medium amounts are ones that you don’t wish to expose to risk of loss and for which you’re willing to undertake the inconvenience of stronger security. High amounts are those for which you’re willing to arrange the highest possible security.

For small amounts, it’s OK to use hot wallets, whether it’s a hosted service such as a Coinbase account or a non-hosted wallet such as MetaMask.

For medium amounts, you should set up a non-hosted, cold, non-custodial wallet.

For high amounts, you should investigate multisignature (multisig) services, which are beyond the scope of this guide.

MetaMask

When setting up a MetaMask wallet, you will be given a seed phrase that allows you to recover your wallet. You will use this seed phrase if you lose access to your installed instance of MetaMask.

You should record the seed phrase on paper outside of your computer and store it in a safe location. Some people store the seed phrase on engraved, fire-resistant steel devices. For large transactions, some people split up their seed phrase into multiple parts and store them in separate, secure locations as protection against physical theft.

Don’t copy or store your seed phrase on your computer or any connected electronic system. This includes copy-pasting the data into another app, taking a screenshot of it, or taking a photograph of it with your phone. All of these make the seed phrase vulnerable to malware.

MetaMask will have you create a password. This is the password for your installed instance of MetaMask–it has nothing to do with the underlying wallet.

As mentioned above, most people use more than one wallet. Hardware wallets should be used for medium or high amounts of assets. If you plan to invest in this range, you should set up a hardware wallet from the beginning to avoid the sometimes tricky process of moving assets later.

Hardware wallets should be purchased only directly from the manufacturer's own website. Follow the manufacturer's setup instructions.

Once a hardware wallet is set up, it can be connected to MetaMask, allowing you to transfer tokens to the hardware wallet.

General online security

There are two relevant online security practices that aren’t specific to crypto, but they’re still important to follow.

Two-Factor Authentication (2FA)

2FA should be used on any crypto platform where it’s available. The most common form of 2FA uses a 6-digit temporary token generated by a third-party app, such as Google Authenticator or Authy.

Choose authenticator apps over SMS authentication to avoid SIM swapping.

Practice good password hygiene

It’s important to create passwords that are complex, hard to guess, and unique across sites and apps that you use.

Use a strong, unique password for each crypto wallet, platform, and account.

Use a password manager, such as 1Password, to manage these passwords.

Crypto threats

Transactions involving crypto are irreversible. Once you send a token to another party, there is no way to get it back without the receiving party’s authorization. This means the burden is on you to verify a party’s identity before sending anything to them, whether tokens or security information.

Test by sending a small amount first. For large transactions, you should send a small test amount that you verify before sending the full amount.

Crypto security threats almost always involve tricking you into sending tokens or supplying security information. These threats usually come in the form of messages via popular apps or media such as Discord, WhatsApp, Facebook, Twitter, text messages, or email.

Detecting common security threats

Identity- and asset-theft scams are sadly common when it comes to using cryptocurrency and operating in a Web3 environment. To protect yourself, be sure to watch out for these popular gambits:

Impersonation scams

Messages that falsely claim to be from a platform you use (such as Amazon’s technical support) are known as impersonation scams. The message will ask for passwords, private keys, 2FA codes, or similar information.

Reputable companies never initiate contact asking for sensitive information.

Giveaway scams

Giveaway scams are invitations posted on social media platforms–sometimes appearing to come from a celebrity–to deposit crypto to an address, with the promise of receiving a greater amount.

Always assume that giveaway invitations are fake.

Investment scams

Investment scams are platforms that promise very high rates of return, but which in fact operate as Ponzi schemes.

Carefully research any crypto platform before choosing to invest in it.

Ransom scams

In a ransom scam, you’ll get a message claiming that the sender has infected your machine with malware. They will threaten some harmful action unless you send payment in crypto.

Unless you have independently detected a malware infection, assume that such messages are fake.

Pump-and-dump scams

Pump-and-dump operators offer tokens whose price has been inflated by false or misleading information. These often come in the form of a social media campaign employing the “fear of missing out” (FOMO). As investors flock to purchase the token and drive its price up, its creator(s) sell off their own tokens at the elevated price, causing the price to plunge. This is also known as a “rug pull.” Investors are left with less-valuable or worthless tokens.

Don’t invest in any token without taking the time to research and understand it.

Phishing scams

Phishing scams attempt to harvest personal information from you. These messages, which usually claim to be from legitimate companies, request that you click on a link or enter information.

Don’t click on links in messages. They may infect your device with malware. Do not follow any request to enter a password, private key, seed phrase, or to send assets. If you think a message may actually be legitimate, navigate directly to the company’s website in a separate tab, rather than clicking on any link in the message.

Gift tokens

People will sometimes send tokens to your wallet without your knowledge. These tokens can be lures to phishing sites.

Don’t interact with unknown tokens that appear in your wallet.

App or browser extension scams

Scammers will sometimes place fake versions of familiar apps on Google Play. Another variant is to advertise fake versions of familiar browser extensions, such as MetaMask, via Google ads.

Only use apps or browser extensions acquired through a trusted vendor.

Stay cautious to protect your assets in Web3

For all its great promise, Web3 is currently a challenging environment. There are thefts, scams, and hacks reported in the news every day. By following the security practices outlined in this guide, you can operate in Web3 with a high level of confidence that your identity and assets are protected.
