Introduction | OKX Web3 Wallet has created the “Security Special Issue” column to answer different types of on-chain security questions. Through real-life cases that happen around users, together with experts and organizations in the security field, we share answers from different perspectives in order to systematically summarize the rules of secure transactions. The goal is to strengthen user security education and help users learn to protect their own private keys and wallet assets.
For frequent users of on-chain interactions, security is always the top priority.
Today, two on-chain “pitfall avoidance masters” will show you how to put security protection strategies into practice.
This issue is the third issue of the Security Special Issue. We have invited industry-renowned security expert 0xAA and the OKX Web3 Wallet security team to explain the common security risks and preventive measures for “frequent users” from the perspective of practical guidelines.
WTF Academy: Thank you very much for the invitation from OKX Web3. I am 0xAA from WTF Academy. WTF Academy is a Web3 open-source university that helps developers get started with Web3 development. This year, we have incubated a Web3 rescue project called RescuETH, which focuses on rescuing the remaining assets in stolen wallets for users. So far, we have successfully rescued over 3 million yuan worth of stolen assets on Ethereum, Solana, and Cosmos.
OKX Web3 Wallet Security Team: Hello everyone, we are very happy to participate in this sharing session. The OKX Web3 Wallet Security Team is mainly responsible for the construction of various security capabilities in the Web3 field, such as wallet security, smart contract security audits, on-chain project security monitoring, etc., providing users with multiple protection services for product security, fund security, and transaction security, and contributing to the maintenance of the entire blockchain security ecosystem.
Table of Contents
Q1: Please share some real-life risk cases encountered by frequent users.
Q2: What are the common types of security risks and protective measures for frequent users in on-chain interactions?
Q3: Summarize the classic phishing types and techniques, and how to identify and avoid them?
Q4: What are the security considerations for frequent users using various tools?
Q5: How can frequent users manage multiple wallets and accounts more securely compared to single wallets?
Q6: What are the protection recommendations for transaction slippage, MEV attacks, and other issues related to frequent users?
Q7: Can users use monitoring tools or professional methods to regularly monitor and detect abnormal wallet accounts?
Q8: How to protect on-chain privacy and security?
Q9: What should users do if their wallet account is stolen? Have any efforts been made or mechanisms established to help stolen users recover their assets and protect user assets?
Q10: Can you share some cutting-edge security technologies, such as using AI to enhance security protection?
Q1: Please share some real-life risk cases encountered by frequent users.
WTF Academy:
One of the major security risks faced by frequent users is the leakage of private keys. In essence, a private key is a string of characters used to control crypto assets, and anyone who possesses the private key can fully control the corresponding assets. Once the private key is leaked, attackers can access, transfer, and manage the user’s assets without authorization, resulting in economic losses for the user. Therefore, I will focus on sharing some cases of private key theft.
Alice (pseudonym) was induced by a hacker on social media to download malicious software, which led to the theft of her private key. Currently, malicious software comes in many forms, including but not limited to mining scripts, games, conferencing software, memecoin trading scripts, clipper bots, etc. Users need to raise their security awareness.
Bob (pseudonym) accidentally uploaded his private key to GitHub, which was obtained by others and led to the theft of his assets.
Carl (pseudonym) trusted a fake customer service who contacted him proactively in the official Telegram group of a project and disclosed his mnemonic phrase, resulting in the theft of his wallet assets.
OKX Web3 Wallet Security Team: There are many such risk cases, and we have selected several classic cases encountered by users during on-chain interactions.
The first type is fake airdrop announcements posted from impostor accounts. User A saw a notice of an airdrop activity at the bottom of a popular project’s Twitter page and clicked on the link to participate in the airdrop, which eventually led to phishing. Currently, many phishers use look-alike imitations of official accounts and post false announcements beneath official Twitter accounts’ posts to induce users to take the bait. Users should pay attention and not take it lightly.
The second type is the hijacking of official accounts. The official Twitter and Discord accounts of a project were attacked by hackers, and then the hackers posted a false airdrop activity link on the official accounts. Since the link was posted through official channels, User B did not doubt its authenticity and clicked on the link to participate in the airdrop, but was phished.
The third type is encountering malicious project teams. User C participated in a mining activity of a project and put all their USDT assets into the staking contract of the project in order to receive higher rewards. However, the smart contract did not undergo strict auditing and was not open-source. As a result, the project team stole all the assets deposited by user C through the backdoor reserved in the contract.
For frequent users who often have dozens or even hundreds of wallets, it is very important to protect wallet and asset security. They need to remain vigilant and increase their awareness of security precautions.
Q2: What are the common types of security risks and protective measures for frequent users in on-chain interactions?
WTF Academy: For frequent users and all Web3 users, the two most common security risks at present are phishing attacks and private key leakage.
The first type is phishing attacks. Hackers usually impersonate official websites or applications to deceive users into clicking on links, and then guide them to trade or sign on phishing websites in order to obtain token authorization and steal user assets.
Preventive measures: Firstly, we recommend that users only access official websites and applications through official channels (such as links in the official Twitter profile). Secondly, users can use security plugins to automatically block some phishing websites. Thirdly, when entering suspicious websites, users can consult professional security personnel to help determine if it is a phishing website.
The second type is private key leakage, which has been discussed in the previous question and will not be elaborated here.
Preventive measures: Firstly, if a user’s computer or mobile device has a wallet installed, try to avoid downloading suspicious software from unofficial channels. Secondly, users need to know that official customer service will not actively private message you, nor will they ask you to send or enter private keys and mnemonics on fake websites. Thirdly, if an open-source project requires the use of a private key, please configure the .gitignore file properly to ensure that the private key is not uploaded to GitHub.
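One way to enforce the .gitignore advice above (and to catch the mistake Bob made in Q1), as an added example rather than code from WTF Academy: a pre-commit hook that scans the staged versions of files for raw EVM private keys and PRIVATE_KEY / MNEMONIC assignments and refuses the commit. The secret-bearing file names it checks are assumptions; install it as .git/hooks/pre-commit.

```python
# Added example, not code from the interview: a pre-commit hook that blocks a
# commit when a raw EVM private key or key-bearing config is staged. The
# secret file names below are assumptions chosen for illustration.
import re
import subprocess
import sys

# 32-byte hex string, optionally 0x-prefixed, not embedded in a longer hex run
# (so 65-byte signatures do not match). NOTE: tx hashes and keccak digests have
# the same shape, so a hit is a prompt to review the line, not proof of a key.
HEX_KEY = re.compile(r"(?<![0-9a-fA-Fx])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
# PRIVATE_KEY=..., MNEMONIC=..., SEED_PHRASE=... with a non-empty value on the same line
ENV_SECRET = re.compile(
    r"^[ \t]*(?:export[ \t]+)?(?:PRIVATE_KEY|MNEMONIC|SEED_PHRASE)[ \t]*=[ \t]*\S",
    re.I | re.M)
# Files that belong in .gitignore and should never be staged at all.
SECRET_FILENAMES = (".env", ".secret", "mnemonic.txt")

def find_secrets(path: str, text: str) -> list:
    """Return (path, line_no, reason) for every suspicious spot in one staged file."""
    hits = []
    if path.rsplit("/", 1)[-1] in SECRET_FILENAMES or path.endswith(".key"):
        hits.append((path, 0, "secret-bearing file staged; add it to .gitignore"))
    for reason, rx in (("64-hex value, possible private key", HEX_KEY),
                       ("private key / mnemonic assignment", ENV_SECRET)):
        for m in rx.finditer(text):
            hits.append((path, text.count("\n", 0, m.start()) + 1, reason))
    return hits

def staged_files() -> list:
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=ACM"],
                         check=True, capture_output=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]

def staged_content(path: str) -> str:
    # ":path" addresses the index (staged) copy, not the working-tree file
    return subprocess.run(["git", "show", f":{path}"], check=True,
                          capture_output=True).stdout.decode("utf-8", "replace")

def main() -> int:
    hits = [h for p in staged_files() for h in find_secrets(p, staged_content(p))]
    for path, line, reason in hits:
        print(f"{path}:{line}: {reason}", file=sys.stderr)
    return 1 if hits else 0   # non-zero exit makes git abort the commit

if __name__ == "__main__":
    sys.exit(main())
```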
OKX Web3 Wallet Security Team: We have summarized five common types of security risks encountered by users in on-chain interactions and listed some protective measures for each type of risk.
1. Airdrop scams
Risk overview: Some users often find a large number of unknown tokens in their wallet addresses. These tokens usually cannot be traded on popular DEX platforms, and the page will prompt users to go to the token’s “official website” to redeem them. When users authorize transactions there, they often grant the smart contract permission to transfer the account’s assets, which ultimately leads to asset theft. For example, in the Zape airdrop scam, many users suddenly received a large number of Zape coins in their wallets, which seemed to be worth hundreds of thousands of dollars. This made many people mistakenly believe that they had accidentally made a fortune. However, this was actually a carefully designed trap. Since these tokens cannot be found on legitimate platforms, many eager users try to cash them out by searching for the token name and finding the so-called “official website”. After connecting the wallet according to the instructions, they think they can sell these tokens, but once authorized, all the assets in the wallet are immediately stolen.
Preventive measures: To avoid airdrop scams, users need to remain highly vigilant and verify the source of information, always obtain airdrop information from official channels such as the project’s official website, official social media accounts, and official announcements. Protect private keys and mnemonics, do not pay any fees, and use communities and tools for verification to identify potential scams.
2. Malicious smart contracts
Risk overview: Many unaudited or non-open-source smart contracts may contain vulnerabilities or backdoors, which cannot guarantee the security of user funds.
Preventive measures: Users should only interact with smart contracts that have been rigorously audited by reputable auditing companies or check the project’s security audit reports. Additionally, projects with bug bounties generally have better security guarantees.
3. Authorization management
Risk overview: Excessive authorization to interacting contracts may lead to fund theft. Here are two examples: 1) If the contract is an upgradable contract and the private key of a privileged account is leaked, attackers can use that private key to upgrade the contract to a malicious version and steal the authorized user’s assets. 2) If the contract has unidentified vulnerabilities, excessive authorization may enable attackers to steal funds using these vulnerabilities in the future.
Preventive measures: In principle, users should only grant necessary authorization to interacting contracts and regularly check and revoke unnecessary authorizations. When signing off-chain permit authorization, users must clearly understand the target contract/asset type/authorization amount and think twice before proceeding.
4. Phishing authorization
Risk overview: Clicking on malicious links and being induced to authorize malicious contracts or users.
Preventive measures: 1) Avoid blind signatures: Before signing any transaction, make sure you understand the content of the transaction to be signed and ensure that each step is clear and necessary. 2) Be cautious about the authorization target: If the authorization target is an EOA address (Externally Owned Account) or an unverified contract, be vigilant. Unverified contracts may contain malicious code. 3) Use wallet plugins with anti-phishing protection: Use wallet plugins that have anti-phishing protection, such as the OKX Web3 Wallet, which can help identify and block malicious links. 4) Protect mnemonics and private keys: All websites that require mnemonics or private keys are phishing links, so do not enter this sensitive information on any website or application.
5. Malicious script for interacting with contracts
Risk overview: Running malicious scripts can implant trojans into computers, leading to the theft of private keys.
Preventive measures: Be cautious when running unknown scripts or software for interacting with contracts.
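As an added example (not code from the OKX Web3 or WTF Academy teams) of the checks behind items 3 and 4 above: decoding an ERC-20 approve() transaction and an EIP-2612 Permit signing request before signing, flagging an unlimited allowance, and building the approve(spender, 0) calldata that revokes an existing allowance. The selectors are the standard ERC-20 ones; token and spender addresses are supplied by the caller and the values in the checks below are constructed placeholders.

```python
# Added example (not code from the OKX Web3 or WTF Academy teams): inspect an
# ERC-20 approve() transaction or an EIP-2612 Permit signing request before
# signing, flag unlimited allowances, and build the calldata that revokes one.
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1          # the "max uint256" allowance many dApps ask for

def _strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def decode_approve(calldata: str):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    data = _strip0x(calldata)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]   # address sits right-aligned in a 32-byte word
    amount = int(data[72:136], 16)
    return spender, amount

def _verdict(kind: str, token, spender: str, amount: int, **extra) -> dict:
    v = {"kind": kind, "token": token, "spender": spender, "amount": amount, **extra}
    if amount == UNLIMITED:
        v["warning"] = "unlimited allowance: spender can move the whole balance, now or later"
    else:
        v["warning"] = None
    return v

def assess_approve(calldata: str, token: str) -> dict:
    """Explain what an approve() transaction grants; refuse to guess for other selectors."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return {"kind": "unknown", "warning": "not approve(); decode it fully before signing"}
    spender, amount = decoded
    return _verdict("approve", token, spender, amount)

def assess_permit(typed_data: dict) -> dict:
    """Explain an off-chain Permit (EIP-712 typed data) that a dApp asks the wallet to sign."""
    if typed_data.get("primaryType") != "Permit":
        return {"kind": "unknown", "warning": "not a Permit; inspect the full typed data"}
    msg, domain = typed_data["message"], typed_data.get("domain", {})
    return _verdict("permit", domain.get("verifyingContract"), msg["spender"].lower(),
                    int(msg["value"]), deadline=int(msg["deadline"]))

def revoke_calldata(spender: str) -> str:
    """approve(spender, 0) is the on-chain way to revoke an existing allowance."""
    return "0x" + APPROVE_SELECTOR + _strip0x(spender).rjust(64, "0") + "0" * 64
```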
In summary, we hope that users will maintain high vigilance and increase their awareness of security precautions when conducting on-chain interactions.