Nothing is more interesting than earning +40% APY on your stablecoin with DeFi. Imagine doubling your cash in almost 2 years! But you can lose everything in a matter of minutes. Because of this asymmetry, everyone should spend a non-negligible amount of time researching how to stay safe in DeFi. But that’s boring compared to finding the next best protocols/schemes to earn some passive income with your stablecoin. Luckily for you, here is my take on how to protect oneself in DeFi.
What are my best practices/tricks to protect myself?
In general, there are simple concepts to protect your coins. Most of them rely on being discreet, pessimistic and on your guard. Ok, practically speaking, here is what I am doing:
- Have an external cold wallet like Ledger or Trezor. I have a Trezor, but to be honest, it’s nearly impossible to find a real difference between the two. Geeks have been arguing for years about which one is the best. For normal people, the only thing to remember is this: it’s better to have a cold wallet, even if it’s not the best one, than to have none. Your cold wallet will hold your private keys (see here to understand the concept of public/private keys). If you don’t have one yet, I highly encourage you to buy one. Better safe than sorry. If I convinced you, you can help my blog by using these referral links: Ledger & Trezor.
- Rarely seen anywhere else: have a vault at your place to hold your cold wallet in case you get robbed. This could be highly impractical, BUT I actually found the perfect solution for me: a house keys vault! Just keep your Ledger or Trezor inside it when you are not using it. To turn this into a habit, the vault should be close to your computer, but hidden and fixed to a support (for example, inside the drawer of your office desk).
- Only interact with Metamask through your cold wallet. Your private keys will no longer be held on your computer by the Metamask wallet, but will stay within your cold wallet. You will thus have to approve every transaction on your cold wallet, with a push on its buttons, instead of a click in the Metamask extension. Since normally no one else has access to your cold wallet, this greatly reduces the risk of hacks.
- Have a special computer for crypto. This is highly impractical, and most people can’t afford it. An alternative could be to have a virtual desktop. Linux.
- Don’t go degen, downloading stuff from unknown sources, or giving your Metamask authorization to every DeFi website you walk into.
- Don’t tell anyone you are into crypto (I may have failed this point with this blog…).
Recently we have seen a wave of Metamask hacks. Broadly speaking, I have seen 3 general patterns for these Metamask attacks, which I will summarize here:
.scr file hacking of Metamask
What are .scr attacks on Metamask?
This attack relies on the use of .scr files. These files are sent by scammers by email, bundled with other files, or inserted in files that you could download with BitTorrent, etc.
How to protect against .scr file hacking of Metamask?
It is extremely hard to notice this type of file. But protecting yourself against this type of attack is simple: it’s the same as with Trojan countermeasures. Do not open/download files from unknown sources. If you want to keep downloading your video games with BitTorrent, or your pron from shady websites, don’t do it on your crypto computer. Having a cold wallet is also a good protection against this type of attack.
Free token airdrop: the dust attack
What is the dust attack in Metamask?
It’s simple: you may have noticed on your different wallet addresses that you have received free token airdrops that you never asked for. Well, these free tokens are the core of the dust attack. If you try to interact with these tokens, like swapping them for some other token (because you could earn some free money), you actually have to interact with the free token’s contract. That contract could contain malicious code that could potentially steal other coins that you have in your wallet. It’s what happened with the UniH tokens dust attack, and the RUNE token stealing.
How to protect oneself against the token airdrop, dust attack with Metamask?
It’s the simplest one: don’t do anything with free tokens you received on your wallet.
Metamask phishing attempt
This is probably the oldest type of attack, but it still exists and is getting more subtle. Recently someone with 16 cryptopunks NFTs (over $1m!) fell for a phishing scam as described in this video:
So never ever write your seed phrase anywhere other than on Metamask.io.
Metamask: advice, tricks to protect yourself and best resources
It is very important to keep some good practices, hygiene, while using Metamask:
- You should have a browser dedicated only to the Metamask extension. For example, use the Chrome browser for your daily activities, and the Firefox browser with the Metamask extension for your crypto activities. Again, as a bonus, connect it to your Trezor or Ledger wallet!
- Once you are done using your Metamask wallet you should log out.
- Don’t use Metamask with several tabs open. If you are on a non-scammy website but have a tab open on a malicious one, then while you are approving requests from the legit website, the scammy one could slip a request in between the legit ones, and you would accept the scam request simply by not being careful.
- Revoke approvals: As you may know, when you do an approval in Metamask for a protocol, you basically grant an “infinite approval” by default. It’s convenient because it saves you time and fees, as you no longer have to approve every single transaction. Different hacks have been related to this infinite allowance, just like this one. So please, do yourself a favor, and revoke the approval of platforms that you are not actively using. It can be done easily here.
- Never type your Metamask password. Instead use KeePass, which can fill in the password with its “Auto-Type” feature. It’s not perfect, but it’s better than typing your password.
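To make the “infinite approval” from the Revoke approvals tip concrete, here is an added JavaScript example (not part of the original post, and not Metamask code) that decodes the calldata of an ERC-20 `approve(spender, amount)` call and flags an unlimited amount or an unknown spender. The sample address, the `knownSpenders` set and the 2^255 threshold are assumptions made for the example.

```javascript
// Added example: inspect ERC-20 approve(spender, amount) calldata before signing.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
// Assumption of this example: any amount >= 2^255 is treated as "infinite".
const UNLIMITED_THRESHOLD = 1n << 255n;

function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null; // some other call
  if (hex.length !== 8 + 64 + 64) throw new Error("malformed approve calldata");
  const spenderWord = hex.slice(8, 72);
  // An address is right-aligned in its 32-byte word: the top 12 bytes must be zero.
  if (!spenderWord.startsWith("0".repeat(24))) throw new Error("bad address padding");
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// knownSpenders: Set of lowercase contract addresses the user actively uses.
function reviewApproval(calldata, knownSpenders) {
  const call = decodeApprove(calldata);
  if (call === null) return { kind: "not-approve", warnings: [] };
  if (call.amount === 0n) return { kind: "revoke", spender: call.spender, warnings: [] };
  const warnings = [];
  if (call.amount >= UNLIMITED_THRESHOLD) warnings.push("unlimited allowance");
  if (!knownSpenders.has(call.spender)) warnings.push("unknown spender");
  return { kind: "approve", spender: call.spender, amount: call.amount, warnings };
}

// Constructed sample data (not real contracts).
const SPENDER = "0x" + "11".repeat(20);
const pad = (h) => h.padStart(64, "0");
const buildApprove = (spender, amount) =>
  "0x" + APPROVE_SELECTOR + pad(spender.slice(2)) + pad(amount.toString(16));

const INFINITE = buildApprove(SPENDER, (1n << 256n) - 1n);
const LIMITED = buildApprove(SPENDER, 500n * 10n ** 18n);
const REVOKE = buildApprove(SPENDER, 0n);

for (const [label, data] of [["infinite", INFINITE], ["limited", LIMITED], ["revoke", REVOKE]]) {
  const r = reviewApproval(data, new Set());
  console.log(label, r.kind, r.warnings.join(", ") || "no warnings");
}
```

A revoke is the same `approve` call with an amount of 0, which is why the example reports it as its own kind instead of as a warning.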
Here are the best resources concerning DeFi hacks and safety:
- Rekt: The best resource to check the latest scam hacks and failures in DeFi
- Defisafety: the best resource to assess the security of a DeFi protocol
So, as you may have understood, being on the safe side is actually easy. However, even if it’s easy, we are lazy. And laziness could ruin any of us: because we didn’t revoke some access, because we were tired and did not check the contract addresses or the website URLs, and so forth. There are countless reasons why wngmi! You should see your safety routine, your hygiene, as the sport routine that we are all supposed to do. It’s a pain, but if well structured, it will become a healthy habit.