Safeguarding your assets and knowing how to avoid scams are crucial in the Web3 world. Here are some essential tips to navigate safely.
The Boring Security DAO exists to keep the NFT community safe. There you will find resources, classes, articles, tweet threads, smart contract reviews, and a community of friendly security experts from across the space ready to answer your questions. Make sure to visit them and take part in the classes.
Warm Wallet Setup
A warm wallet linked to your vault lets you prove you own an NFT without exposing the vault to the risk of accidentally signing a malicious transaction. See the below diagram for more details:
Warm.xyz and delegate.cash are both common services for attesting that one wallet is controlled by the owner of another. The difference is granularity: delegate.cash lets you delegate not only the entire contents of a wallet, but also just certain contracts or particular NFTs to another wallet. Learn more about wallet delegation, including an in-depth comparison between Warm and Delegate, here:
Wallet Delegation Explained
So how can you make sure your assets are safe but still experience Web3 and take part in your favorite projects?
YOU NEED TO UTILIZE TAP: Three Address Protocol
Three Address Protocol
How and why you should use multiple wallet addresses
Just like you wouldn’t leave your house carrying the entire contents of your bank account in your pocket, you shouldn’t connect the wallet address holding all your crypto to every random website and protocol you encounter in Web3! Mistakes happen. Whether you are tired, inebriated, or simply uninformed about the dangers of certain kinds of transactions or signatures, a single wrongly confirmed transaction can cost you most, if not all, of your funds!
By separating your wallets, you significantly reduce the risk of falling victim to scammers and limit your losses if you do: an attacker who compromises one wallet gets only what that wallet holds. It also makes it harder for them to target you in the first place. Additionally, avoid rushing transactions and keep the transaction history of your vault clean, meaning it interacts with as few contracts as possible. This approach ensures greater security and minimizes the chances of fraudulent activity.
Wallet separation will add a lot of security to your journey!
THE TAP APPROACH (THREE ADDRESS PROTOCOL) IS AMAZING.
BUT YOU WON'T BE ABLE TO USE MOST OF THE WEB3 TOOLS AND WEBSITES WITHOUT APPROVALS.
Web3 would hardly be possible without them.
Approvals give smart contracts the ability to interact with your tokens (ERC-20, NFTs, etc.). Once approved, a contract can pull them at will, within the parameters set in its code. This is what allows you to list one NFT on multiple marketplaces, or, as a buyer, make offers on dozens or hundreds of NFTs, with the tokens debited automatically from the seller’s and buyer’s accounts when a deal is made, without a further confirmation and without the platform holding your assets in escrow. Remember: when using a marketplace like OpenSea, your tokens and NFTs never leave your wallet until a deal is made!
OpenSea needs your approval so its contract can transfer your NFT when another person sends the matching amount of ETH to the contract.
Set approval for all (SAFA)
Approves every asset from an entire NFT collection held in a given wallet address to a single address (usually a contract, typically an NFT marketplace).
approve(): approves a single asset from an NFT collection held in a given wallet address to a single address (not used often for NFTs).
Although less commonly used for legitimate purposes, this is a standard method on many ERC-20 contracts that effectively operates identically to approve(), with some nuanced differences for programmers.
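Before confirming, it helps to see exactly what an approval transaction grants. The following is an added example (not code from the original page or from any marketplace): it decodes the calldata of the two approval calls described above and flags a grant to an operator that is not on your own allowlist. The allowlist address is a constructed placeholder.

```javascript
// Added example (not from the original page): wallet-side decoder for the two
// approval calls described above, so you can see what a "confirm" would grant.
// A selector is the first 4 bytes of keccak256 of the ABI signature; these two
// are the standard values from the ERC-721/ERC-20 interfaces.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
};

// Hypothetical allowlist of operators you actually use (constructed address,
// standing in for e.g. a marketplace's transfer contract).
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word (64 hex chars) of the calldata body.
function word(body, i) {
  const w = body.slice(i * 64, i * 64 + 64);
  if (w.length !== 64) throw new Error("calldata too short");
  return w;
}

// Inspect an eth_sendTransaction payload and report which approval it grants.
function triageApproval(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const selector = data.slice(0, 10);
  const name = SELECTORS[selector];
  if (!name) return { kind: "not-an-approval", selector };
  const body = data.slice(10);
  const operator = "0x" + word(body, 0).slice(24); // address is right-aligned in its word
  const trusted = TRUSTED_OPERATORS.has(operator);
  if (name.startsWith("setApprovalForAll")) {
    const approved = BigInt("0x" + word(body, 1)) !== 0n;
    // SAFA to an unknown operator lets it pull every token of the collection at will.
    return { kind: "SAFA", collection: tx.to, operator, approved, trusted,
             risk: approved && !trusted ? "high" : "low" };
  }
  // approve(): the second word is a tokenId for ERC-721 or an allowance for ERC-20.
  const value = BigInt("0x" + word(body, 1));
  const unlimited = value === MAX_UINT256; // ERC-20 "infinite" allowance
  return { kind: "approve", token: tx.to, operator, trusted, unlimited,
           value: value.toString(),
           risk: trusted ? "low" : unlimited ? "high" : "medium" };
}
```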
So now we have the warm wallet setup, we've added security with TAP by separating our wallets, and we know we need to grant approvals to contracts.
We're still missing one important part of the puzzle... Signatures!
The different types of gasless signatures
The Identity Proof
The most common signature. It's human readable and is mostly used to accept Terms of Service or to prove you control your wallet address, like the one below for example.
The Typed Signature
[Smart Contract Interaction]
Some smart contracts need off-chain signatures. In this example, you can read every input if you care to. However, where these signature requests come from matters: OpenSea or a trusted marketplace? Probably safe. Some “new trading site” or a link you found on Twitter? I’d think twice!
The Obfuscated Hex Signature
(Use Extreme Caution!)
Can you read this? No? Then your first thought should be: "What am I signing here?" Be very careful with this kind of signature, because you don't know what you're signing.
Outdated & Well, A Little Bit Scary
This is a very dangerous signature type, basically the “blank check” of Ethereum: the requester can use it to sign any transaction with your private key. Some services like OpenSea Pro require you to enable it, but for 99% of people, leave it disabled, which is the default in MetaMask and some other wallets!
Don't sign this!
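The four signature types above correspond to distinct JSON-RPC methods a dapp sends to your wallet, which is how a wallet can tell them apart before showing you the prompt. This is an added example, not code from the original page or from any wallet: it classifies a signing request into the categories above, treating a personal_sign payload as readable only if it decodes as clean UTF-8, and it uses a constructed placeholder allowlist of EIP-712 verifying contracts.

```javascript
// Added example (not from the original page): classify the gasless signature
// requests a dapp sends to a wallet, using the categories described above.
const utf8 = new TextDecoder("utf-8", { fatal: true });

// Hypothetical allowlist of EIP-712 verifying contracts you trust (constructed).
const TRUSTED_VERIFIERS = new Set(["0x1111111111111111111111111111111111111111"]);

// personal_sign messages usually arrive hex encoded; return the text only if it
// decodes as valid UTF-8 with no control characters (i.e. a human can read it).
function readableText(payload) {
  if (!/^0x([0-9a-f]{2})*$/i.test(payload)) return payload; // already plain text
  try {
    const text = utf8.decode(Buffer.from(payload.slice(2), "hex"));
    return /[\x00-\x08\x0b\x0c\x0e-\x1f]/.test(text) ? null : text;
  } catch {
    return null; // not UTF-8 at all, e.g. a raw 32-byte hash
  }
}

// Map one signing request { method, params } to a signature type and risk level.
function triageSignRequest(req) {
  switch (req.method) {
    case "personal_sign": {
      const text = readableText(req.params[0]);
      if (text === null) {
        return { type: "obfuscated-hex", risk: "high",
                 advice: "you cannot see what you are signing; reject unless verified" };
      }
      return { type: "identity-proof", risk: "low", preview: text.slice(0, 80) };
    }
    case "eth_signTypedData_v3":
    case "eth_signTypedData_v4": {
      const typed = typeof req.params[1] === "string" ? JSON.parse(req.params[1]) : req.params[1];
      const verifier = String(typed.domain.verifyingContract || "").toLowerCase();
      const trusted = TRUSTED_VERIFIERS.has(verifier);
      // Readable, but where it comes from matters: unknown verifier => caution.
      return { type: "typed", risk: trusted ? "low" : "medium", trusted,
               domain: typed.domain.name, primaryType: typed.primaryType, verifier };
    }
    case "eth_sign":
      // Signs an arbitrary 32-byte hash: the "blank check" described above.
      return { type: "blank-check", risk: "critical", advice: "never sign" };
    default:
      return { type: "not-a-signature", risk: null };
  }
}
```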
Signing the wrong transaction can end in losing your assets. So please stop degening with the wallet that holds all your valuables! Split your wallets, use warm.xyz and delegate to your vault to stay safe and enjoy the fun of Web3!
TAKE ACTION NOW!
One of the best places to ask and get help from an amazing community is the Boring Security DAO 😉
They've even got their own Ledger now! Get it here: Boring Security Ledger