Introduction
OKX Web3 Wallet has created the “Security Special” section to address different types of on-chain security issues. By sharing and analyzing real cases that have happened to users, together with security experts and institutions and from different perspectives, we aim to gradually sort out and summarize the rules of secure transactions. The goal is to strengthen user security education and help users learn to protect their own private keys and wallet assets.
Protecting Wallet and Asset Security: The Ultimate Guide for Frequent Users
For frequent users of on-chain interactions, security is always the top priority. Today, two “pitfall kings” explain how to protect yourself with a layered security defense strategy.
WTF Academy: Thank you very much for the invitation from OKX Web3. I am 0xAA from WTF Academy. WTF Academy is an open-source university for Web3, helping developers get started with Web3 development. This year, we incubated a Web3 rescue project called RescuETH (On-chain Rescue Team), which focuses on rescuing stolen assets from users’ wallets. We have successfully rescued over 3 million RMB worth of stolen assets on Ethereum, Solana, and Cosmos.
OKX Web3 Wallet Security Team: Hello everyone, we are very happy to be able to share with you today. The OKX Web3 Wallet Security Team is mainly responsible for the construction of various security capabilities in the Web3 field, such as wallet security capability building, smart contract security auditing, and on-chain project security monitoring. We provide users with multiple protective services for product security, fund security, and transaction security, contributing to the maintenance of the entire blockchain security ecosystem.
Q1: Please share some real-life risk cases encountered by frequent users.
WTF Academy: One of the major security risks faced by frequent users is the leakage of private keys. Essentially, the private key is a string of characters used to control encrypted assets. Anyone who possesses the private key can fully control the corresponding encrypted assets. Once the private key is leaked, attackers can access, transfer, and manage the user’s assets without authorization, resulting in financial loss. So, I will focus on sharing a few cases of private key theft.
Alice (alias) was lured on social media into downloading malicious software and had her private key stolen after running it. Malicious software currently takes many forms, including but not limited to mining scripts, games, conferencing software, phishing scripts, clipboard-hijacking (“clipper”) bots, etc. Users need to raise their security awareness.
Bob (alias) accidentally uploaded his private key to GitHub, allowing others to access it, resulting in his assets being stolen.
Carl (alias) trusted a fake customer service representative who proactively contacted him in the official Telegram group of a project and disclosed his mnemonic phrase, resulting in the theft of his wallet assets.
OKX Web3 Wallet Security Team: There are quite a few risk cases like this, and we have selected some classic cases that frequent users have encountered.
The first type is high-quality accounts publishing fake airdrops. User A was browsing a popular project’s Twitter and found a notice of an airdrop activity below the latest Twitter post. He immediately clicked on the link in the notice to participate in the airdrop, which eventually led to him being phished. Currently, many phishers imitate official accounts and continuously post false announcements under official tweets to lure users. Users should stay alert and not take these at face value.
The second type is the hijacking of official accounts. The official Twitter and Discord accounts of a certain project were attacked by hackers, who then posted a false airdrop activity link on the official account. As the link was posted through official channels, User B did not suspect its authenticity and clicked on the link to participate in the airdrop, only to be phished.
The third type is encountering malicious project teams. User C participated in a mining activity of a certain project and, in order to obtain higher rewards, invested all his USDT assets into the project’s staking contract. However, this smart contract had not undergone rigorous auditing and was not open-source, resulting in the project team siphoning off all the assets user C had deposited.
For frequent users, who often have dozens or even hundreds of wallets, it is very important to protect the security of wallets and assets. They need to remain vigilant and increase their security awareness.
Q2: What are the common security risks and protective measures for frequent users in on-chain interactions?
WTF Academy: For frequent users, as well as all Web3 users, the two common security risks are phishing attacks and private key leaks.
The first type is phishing attacks. Hackers usually impersonate official websites or applications and deceive users into clicking on them through social media and search engines. They then induce users to make transactions or sign on phishing websites, thereby obtaining token authorization and stealing users’ assets.
Protective measures: First, we recommend that users only enter official websites and applications through official channels (such as links in the official Twitter bio). Second, users can use security plugins to automatically block some phishing websites. Third, when entering suspicious websites, users can consult professional security experts to help determine if they are phishing websites.
The second type is private key leaks, which has already been discussed in the previous question.
Protective measures: First, if the user’s computer or mobile phone has a wallet installed, try not to download suspicious software from unofficial channels. Second, users need to know that official customer service will not actively private message them, nor will they ask users to send or enter private keys and mnemonic phrases on fake websites. Third, if a user’s open-source project requires the use of a private key, configure the .gitignore file first to ensure that the private key is not uploaded to GitHub.
OKX Web3 Wallet Security Team: We have summarized the five common security risks that users face in on-chain interactions and listed some protective measures for each risk.
1. Airdrop scams:
Risk overview: Some users often find a large number of unknown tokens in their wallet addresses. These tokens usually cannot be traded on popular DEX platforms, and the page prompts users to go to the token’s “official website” to redeem them. When users perform the authorization transactions as instructed, they often grant smart contracts permission to transfer their assets, resulting in asset theft. For example, in the Zape airdrop scam, many users suddenly received a large number of Zape coins in their wallets, seemingly worth hundreds of thousands of dollars. This led many people to believe they had unexpectedly made a fortune. In fact, it was a carefully designed trap. Since these tokens cannot be found on legitimate platforms, many users eager to cash out search for the so-called “official website” by token name. As instructed, they connect their wallets, thinking they can sell the tokens. However, once the authorization is granted, all the assets in the wallet are immediately stolen.
Protective measures: To avoid airdrop scams, users need to remain highly vigilant, verify the source of information, and always obtain airdrop information from official channels such as the project’s official website, official social media accounts, and official announcements. Protect your private keys and mnemonic phrases, do not pay any fees, and use communities and tools to verify and identify potential scams.
2. Malicious smart contracts:
Risk overview: Many unaudited or non-open-source smart contracts may contain vulnerabilities or backdoors, which cannot guarantee the security of user funds.
Protective measures: Users should try to interact only with smart contracts that have been audited by reputable auditing companies or check the project’s security audit report. Additionally, projects that offer bug bounties usually have better security.
3. Authorization management:
Risk overview: Over-authorization to interacting contracts can result in funds being stolen. Here are two examples to illustrate: 1) If the contract is an upgradable contract and the privileged account’s private key is leaked, the attacker can use that private key to upgrade the contract to a malicious version and steal the authorized user’s assets. 2) If the contract has unidentified vulnerabilities, over-authorization may allow attackers to exploit these vulnerabilities in the future to steal funds.
Protective measures: In principle, only authorize the interacting contracts with necessary limits and regularly check and revoke unnecessary authorizations. When signing off-chain permit authorizations, it is essential to clearly understand the target contract, asset type, and authorization limit before proceeding.
4. Phishing authorization:
Risk overview: Clicking on malicious links and being induced to authorize malicious contracts or users.
Protective measures: 1) Avoid blind signing: Before signing any transaction, make sure you understand the content of what you are about to sign, ensuring that each step is clear and necessary. 2) Be cautious about the authorization target: If the authorization target is an EOA address (Externally Owned Account) or an unverified contract, extra caution is required. Unverified contracts may contain malicious code. 3) Use wallet plugins with phishing protection: Use wallet plugins with anti-phishing protection, such as the OKX Web3 Wallet. These wallets can help identify and block malicious links. 4) Protect mnemonic phrases and private keys: Any website that asks for a mnemonic phrase or private key is a phishing site. Do not enter this sensitive information on any website or application.
5. Malicious rug-pull scripts:
Risk overview: Running malicious rug-pull scripts can implant trojans into your computer, resulting in the theft of private keys.
Protective measures: Be cautious when running unknown rug-pull scripts or rug-pull software.
In conclusion, we hope that users can be extremely cautious and protect their wallets and asset security when interacting on-chain.
Q3: Summarize classic phishing types and techniques, as well as how to identify and avoid them?
WTF Academy: I would like to answer this question from a different perspective, which is how to distinguish between phishing attacks and private key leaks once users discover that their assets have been stolen. Users can usually distinguish between the two types of attacks based on the following characteristics:
1. Characteristics of phishing attacks: Hackers usually obtain authorization for a single or multiple assets under a user’s single wallet through phishing websites, thereby stealing assets. Generally, the types of stolen assets are equal to the number of authorizations made by the user on the phishing website.
2. Characteristics of private key/mnemonic phrase leaks: Hackers gain complete control over all the assets in a user’s single or multiple wallets. Therefore, if the following characteristics appear, it is likely a case of private key/mnemonic phrase leak.
In conclusion, users can distinguish between phishing attacks and private key leaks based on the characteristics mentioned above. By understanding these risks and protective measures, users can better protect their wallets and assets in on-chain interactions.