Security for the paranoid

In an evolving blockchain technology ecosystem, the number of bad actors and exploiters grow, one could experience some fear or paranoia around interacting with strangers on the terrifying internet.

In this short article, we will explore a few ways to equip yourself with the necessary tools to fend off any potential attacks and keep your keys/system secure. This handbook will encompass a few protective security measures, including:

• Key storage
• Wallet security
• Ephemeral execution environments
• Making smart decisions

Our exploration will dive into the Ethereum blockchain system and associated tools and technologies.

How to safeguard blockchain keys

One's key(s) is an essential component to interacting with the blockchain and an incredibly valuable piece of data that should be well guarded. Safeguarding these keys should be prioritized and those keys should always be used with caution.

A simple way to start is choosing how one's private keys are generated. Opt for offline generation to ensure that the process remains concealed from prying eyes and potential data breaches. An offline private key generator, such as this one, guarantees the confidentiality of your private key. You can also look into the SLIP-39 protocol. It is a mnemonic private key generator that uses Shamir Secret Sharing to split the seed phrase into parts.

These private keys, or mnemonic—a list of 12 or 24 words, must be safeguarded and should never be lost or stolen. You may wish to physically write down your private key/mnemonic on a piece of paper, which is called a "paper wallet". It is imperative to never lose this piece of paper and take precautionary security measures, such as buying a safe to store it in. The best way to protect your keys is to generate them offline on a dedicated computer/device. This computer/device will never connect to the internet and will be "air gapped", which will further shield your keys.

You can also trust a well-known crypto wallet app to manage your keys on a PC or your mobile devices. Be careful. Some crypto wallets are custodial. They own your keys and only let you access them through their platform. Choosing a non-custodial wallet gives you more control. You can fully manage your digital assets by exporting your private key. As the saying goes, "not your private key, not your coins".

Among various "non-custodial" crypto wallets, ZenGo, Torus, Argent and AlphaWallet stand out. ZenGo is the most tech-savvy option for protection. This is due to the its MPC (multi-party computation) as well as the "social recovery" feature.

There are also different types of crypto wallets such as hot wallets and cold wallets. Any keys used to continually connect to the internet and make frequent cryptocurrency transactions would be a "hot wallet". "Cold wallets", or "cold storage", would refer to stored keys that are not connected to the internet and are rarely used, such a Ledger and Trezor. For highest security, both should be used. Keep long-term assets in a cold wallet. You do not need to move these often. Keep only a small amount of money in a hot wallet. This should be the amount you are willing to lose.

To note, there is actually a vulnerability for the Terzor T. Additional information can be found

Strategies for ongoing wallet security

So now that you have a crypto wallet, does that mean it's secure forever? Most likely not... However, there are a few ways to make sure your wallets are protected. Let us explore some important strategies for proper and ongoing maintenance.

Asset monitoring

Employ monitoring tools like Tenderly and OZ Defender to track wallet addresses and associated digital assets. These will help you check wallet address(es), and you may optionally configure notifications for any activity on those address(es). Alternatively, a blockchain explorer can be used to view your address.

Approval management

When interacting with tokens, there is a process by which you allow "approval" for another address to transfer the corresponding token. This is a necessary step when minting/burning/transferring tokens. However, there are plenty of times a contract will request "indefinite approval" for any amount of tokens. These are especially dangerous if the contract has malicious intent. Utilize tools such as revoke, unrekt, or zapper to manage "approvals" for all of your addresses.

Key rotations

Regularly rotate your keys to enhance security. While there is no particularly fixed schedule for key rotations, the more frequently you do it, the more likely your keys will be secure - granted they are generated in a secure manner. Key rotation involves generating a new key and then transferring your previous assets to the new key. Though execution costs may be a deterring factor in the frequency of key rotations, it is still an important practice to exercise.

Adding canary tokens or accounts

For the ultra-cautious, there is a great tool to provide insight into potential breaches. Canary Tokens generates a dummy file and it can be given an obvious name, like "privatekeys.txt". The file will then keep track of who accessed the file, when it has been accessed, and from where. This is a great way to ascertain if your computer has been compromised and if there is anyone lurking that could potentially cause you harm. To get started, you can follow this quick guide.

Ephemeral execution environment

A great way to ensure that all web3 interactions are safe would be to setup a brand new environment. This will account for any potential malware or undetected bad-actors that could be present in your current system.

One way this could be done is by creating a VM (virtual machine) - ideally a dedicated machine. This will be used solely for any blockchain activity. This will guarantee a clean working environment and can foster some peace of mind. Another benefit to this type of setup is that if anything anomalous occurs, you can always tear down the VM and build a new one again!

A very useful article for quickly setting up and getting started is available here. Remember, this article does not explain every factor of crypto security in detail, like network security.

Making smart decisions

People are prone to making mistakes, but rarely do they make a royal one. When it comes to protecting your digital assets, however much, there is nothing more important. Minimizing errors is crucial, as actions within the blockchain are immutable.

A very common problem for blockchain users is phishing scams. Some are relatively easy to catch, and here are a couple of tips on how to avoid them. Firstly, never click any links (especially if they're phish-y) in emails or strange websites - supplemental information can be found here. Secondly, do not send tokens to any address(es) that are unknown or unverified. Along these lines, be aware of who you are interacting with online (whether username, email, etc.). If an email or DM was sent by a funny-looking email/username, one could deduce that it is most likely a scam.

Another tip is to go deeper into the code. If able, one should try to examine the protocol's codebase and make sure that it is public and verified. This will help with making informed decisions when interacting with a smart contract. Although this may be a far more difficult crypto security practice, there are other simpler ways such as ensuring a protocol has received an audit.

Summary of essential crypto security measures

While this article offers a succinct overview, I hope it goes through some useful tips to be more security-centric. As a now-informed reader, delve into further research and tread cautiously in the dark forest.

If this article was helpful, please let us know and make a request! There is a number of things that could be added or further expounded on and could possibly be in another article. Thanks for the read and stay (Chain)Safe.