The Quickest And Cheapest Way To Boost Security
Level 1 - NGMI
Welcome Avatar! It has been 1 year since the first security overview was published on BowTiedBull. The goal was to generate awareness of all the different types of potential security threats. But. Many people weren’t ready to prioritize security due to cost & time.
As we predicted, there has been a bull market in cyber crime. According to Chainalysis, $3.2 billion worth of cryptoassets were lost to hacks in 2021.
Security is at the forefront of everyone’s minds.
State sponsored hackers from North Korea (and elsewhere) have stolen hundreds of millions of dollars from DeFi in dozens of hacks
Your favorite protocol has probably been DNS hijacked / frontend attacked. This includes large DeFi protocols like BadgerDAO (lost $120 million) and Curve Finance
The irreversible nature of crypto transactions means that hacked funds are gone forever and there is no way to get that money back unless the hackers return them.
Protocols aren’t the only ones at risk. A few weeks ago, over 8,000 Solana hot wallets were attacked and drained.
In March 2022, DeFiance Capital founder Arthur_0x lost $1.6 million worth of cryptoassets to an attack that drained his hot wallet.
Security is easy to neglect. “That would never happen to me” most people think. But why risk your funds when there is a fairly simple solution?
Today, we’ll discuss the fastest and cheapest way to boost your security - hardware wallets.
What Is A Hardware Wallet And Why Do You Need One?
A wallet is a piece of software or hardware which has two functions
store your private key (seed phrase)
sign crypto transactions
If you only used a software wallet - a program on your computer or phone (example: MetaMask) then the private key (seed phrase) is stored on your device. This means if your device is hacked, the attacker can steal all your crypto!
Is this likely to happen?
A few weeks ago, Slope (a wallet for Solana) was exploited. Users lost $6 million. How was this possible? The wallet (mobile app) sent seed phrases to the cloud, and somebody broke into the cloud account and stole the seed phrases.
When you use a hardware wallet, your seed phrase is never shared with your computer or software wallet.
This means when you disconnect your hardware wallet from the computer after signing a transaction, your funds are safe. The seed phrase isn’t stored on your computer or smart phone, so it can’t be stolen by attackers or leaked by badly written software. Your funds are in your control.
Which Hardware Wallets Do We Recommend?
The first thing to do is get your first hardware wallet from a reputable provider. We prefer Trezor. There are some tradeoffs to both which we will cover here but either wallet should be sufficient for most people.
If you have a lot of crypto - let’s draw the line at half a million - then you’ll want to do some more research into different wallets, such as a Gnosis Multisig.
These wallets can also protect your online accounts. Trezor Model T and supports U2F standard, allowing you to use your hardware wallet as a 2 factor device to secure accounts such as Google and Dropbox. This feature alone is worth the money as using SMS for two factor isn’t secure.
Threat model: when considering physical attacks, your risk is different if you travel with your hardware wallet frequently (crossing borders) vs if you keep it in a discreet location safe from a “quick in and out” burglary. If your device is stolen, thieves might attack the hardware to get at your seed phrase (or sell the device to hackers who specialize in this).
Color touch screen allows you to view and sign transactions on the wallet, so you can see exactly what you are approving before funds are sent
Open Source software (including firmware)
STM32F427VI chip has no “secure element”- must use / remember a strong passphrase to protect against physical attacks
If you’re interested in a resilient distributed backup using Shamir Secret Sharing and 5 Cryptosteel Capsules, Trezor sells a bundle. You can recover your crypto with any 3 of the capsules. Ideas include giving one to next of kin, another to a lawyer, another in a safe deposit box, another buried in the back yard, etc.
Trezor devices have known issues which allow an attacker with physical access to obtain the seed phrase from your wallet. To defeat this attack you need to use a strong passphrase. As a precaution, you should not let your hardware wallet leave your possession / control. If the threat of physical attacks are of particular concern for your personal situation, don’t buy the Trezor.
Exploit History (Ledger)
Ledger suffered a data breach where hundreds of thousands of customer names, postal addresses, emails, and telephone numbers were copied by a hacker. Several years ago it was possible to hack a Monero private key from a Ledger wallet.
Ledger documentation for threat model.
Ledger now has issues with a “recover” product which allows you to retrieve your private keys. Naturally, this goes against the entire point of owning your keys since you could just buy BTC/ETH on a brokerage like fidelity instead. This is a big red flag since it implies there are ways to get the keys via an “update”. While you’re more than likely fine if you never use any software update and never use the recover product, the brand damage is high.
Any hardware wallet is better than not using one at all.
The best option for most people is going to be the Trezor Model One
Does A Hardware Wallet Protect Against Everything?
No. If someone tricks you into signing a transaction with your hardware wallet, you’ll still lose your funds. A hardware wallet protects against most attacks where the thieves steal your seed phrase from an insecure computer or mobile device. You still need to follow good security practices like checking transactions before you sign.
Why We Have More Than One
Your hardware wallet could be lost, damaged, or destroyed. If you’ve maintained your seed phrase securely you can still access your funds but you’d have to use a hot wallet since you have no backup. This introduces risk as you may end up downloading a malicious file.
Imagine the sinking feeling - your crypto gone for good!
Either buy a second hardware wallet and use the “restore” feature to make sure both wallets use the same seed phrase, or you can store the seed phrase on something indestructible like a CryptoSteel Capsule or a CryptoTag Zeus.
You can also have multiple hardware wallets using the same seed phrase in different locations in case you want one at home, one in the office, etc. This way you can keep one wallet in a location you are using it actively and a backup wallet to be accessed less frequently.
Finally, we like to diversify risk across multiple wallets. Note - it’s important that you manage your keys securely, otherwise having multiple wallets can introduce more risk.
Where Can I Buy A Hardware Wallet?
For your safety you should only ever buy a hardware wallet direct from the manufacturer to avoid risk of tampering. Supply chain attacks are real. You should not use a reseller like Amazon.
BTB readers can use our affiliate links to purchase their Trezor wallet. We make a small commission at no extra cost to you.
Buy a Trezor Model T
Buy a Shamir HODL Pack (Trezor Model T plus 5 Cryptosteel Capsules)
Buy a Cryptotag Zeus - indestructible titanium plate to store your seed
Other Security Resources
In the last year, our software security expert BowTiedIguana has contributed a book’s worth of information for people who want the best security for their computer coins.
Best practice is to either have a separate laptop for crypto, or if you are a more advanced user install QubesOS - see this guide.
Set up a VPN *properly* - be disciplined not to mix identities when using VPN
Privacy Tech: what is public key cryptography and zero knowledge proofs?
Security for larger Ethereum wallets - use Gnosis Safe multisig
We hope you enjoyed our overview.
Until next time..
Affiliate Disclaimer: The products recommended here are affiliate links and the proceeds of any income will be distributed as follows: 1) 70% to DeFi Ed team, 2) 15% BTB and 15% Community DAO/Treasury. The income received has *no* cost to you. Sicne we’ve recommended this for years collecting revenue for the DAO and getting the DeFi team extra revenue is the priority. Thank you and hopefully you didn’t leave your coins on CONbase!
Disclaimer: None of this is to be deemed legal or financial advice of any kind. These are *opinions* written by an anonymous group of Ex-Wall Street Tech Bankers and software engineers who moved into affiliate marketing and e-commerce. We’re an advisor for Synapse Protocol and on the JPEG team. Links for hardware/crypto products are Affiliate Links.
Paid subs receive our old book which can be found here