THIS IS THE UNOFFICIAL 10KTF HOW-TO GUIDE
v1.6

THE CONTENT OF THIS PAGE IS SUBJECT TO CHANGE

DONATE HERE IF YOU'RE USING THIS PAGE:

10KTF-OG.ETH

Things you need to know!

10KTF WEB3 GUARDIAN

powered by the Boring Security DAO

Learn the Web3 Security Fundamentals


Safeguarding your assets and knowing how to avoid scams are crucial in the Web3 world. Here are some essential tips to navigate safely.

The Boring Security DAO is designed to keep the NFT community safe. You will find resources, classes, articles, tweet threads, smart contract reviews, and a community of friendly security experts from all across the community to answer your questions. Make sure to visit them and take part in the classes.

Warm Wallet Setup

Prove you own an NFT without the risk of accidentally signing a malicious transaction. See the below diagram for more details:

[Diagram: Cold Wallet (Vault Wallet Address); Delegation Service (Warm.xyz lets you use your hot wallet as if it owned the assets in your cold wallet); Hot Wallet (Wallet Address for Battle.Town or other dApps)]

Warm.xyz and delegate.cash are both common services for attesting ownership of one wallet with another. However, delegate.cash lets you delegate not just the entire contents of a wallet, but also just certain contracts or particular NFTs, to another wallet. Learn more about Wallet Delegation as well as an in-depth comparison between Warm and Delegate here:
Wallet Delegation Explained

So how can you make sure your assets are safe but still experience Web3 and take part in your favorite projects?

YOU NEED TO UTILIZE TAP: Three Address Protocol

Three Address Protocol

How and why you should use multiple wallet addresses

Just like you wouldn’t leave your house with the entire contents of your bank account in your pocket, you shouldn’t be connecting the wallet address containing all your crypto to every random website and protocol you encounter in Web3! Mistakes happen. Whether you are tired, inebriated, or just uninformed about the dangers of certain kinds of transactions or signatures, one wrongly confirmed transaction could cost you most, if not all, of your funds!

Vault Wallet Address

This is to keep assets very safe. Only use it for transfers and gasless signatures.
Avoid smart contract interactions and DON'T make any approvals with this one.

Marketplace Wallet Address

Use this wallet to make approvals and signatures on TRUSTED websites only. Remember to revoke your approvals when not needed anymore.

Mint Wallet Address

Your 100% degen wallet. This is the "turn your brain off, connect to untrusted sites, and let your FOMO go wild" wallet. NEVER store valuable assets in it, and keep its ETH balance as low as possible.

By separating your wallets, you significantly reduce the risk of falling victim to scammers, and you limit your losses if you do. It becomes more challenging for them to launch attacks against you. Additionally, it is crucial to avoid rushing transactions and to maintain a clean transaction history. This approach ensures greater security and minimizes the chances of fraudulent activities.

Wallet separation will add a lot of security to your journey!

THE TAP APPROACH (THREE ADDRESS PROTOCOL) IS AMAZING.
BUT YOU WON'T BE ABLE TO USE MOST OF THE WEB3 TOOLS AND WEBSITES WITHOUT APPROVALS.

Approvals

Web3 would be hardly possible without them

Approvals give smart contracts the ability to interact with your tokens (ERC-20, NFTs, etc.). They can pull them at will, based on parameters set in the smart contract. This allows you to sell one NFT on multiple marketplaces, or as a buyer, make offers on dozens or hundreds of NFTs, and have the tokens debited automatically from the seller’s and buyer’s accounts without needing further confirmation or actual escrow from these platforms. Remember: when using a marketplace like OpenSea, the tokens and NFTs never leave your wallet until a deal is made!

OpenSea needs your approval to execute and transfer your NFT if another person sends the equivalent amount in ETH to the contract.

Set approval for all (SAFA)

Approves all assets in a given wallet address for an entire NFT collection to a single address (usually a contract/NFT marketplace)

Approval

Approves a single asset in a given wallet address from an NFT collection to a single address (not used often in NFTs).

Increase Allowance

Although less commonly used for legitimate purposes, this is a standard method on many ERC-20 contracts that effectively operates identically to approve(), with some nuanced differences for programmers.

Approvals are often necessary, but exercise caution and diligence when granting them.
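To make the three approval calls above concrete, here is an added example (not code from this guide or from Boring Security) that decodes a transaction's calldata and reports which approval it is, who receives it, and how broad it is. The function name, the `scope` labels and the sample address are assumptions made for illustration; the sample calldata is constructed.

```javascript
// Added example: decode approval calldata before confirming a transaction.
// A selector is the first 4 bytes of keccak256 of the function signature.
const APPROVAL_SELECTORS = {
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
  "095ea7b3": "approve",            // approve(address,uint256): ERC-20 and ERC-721
  "39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;

function decodeApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  // selector (8 hex chars) followed by two 32-byte ABI words (64 hex chars each)
  if (!/^[0-9a-f]{136,}$/.test(hex)) return null;
  const method = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!method) return null; // not one of the approval calls covered here
  const grantee = "0x" + hex.slice(8, 72).slice(24); // address = low 20 bytes of word 1
  const value = BigInt("0x" + hex.slice(72, 136));   // bool, amount or token id
  let scope;
  if (method === "setApprovalForAll") {
    scope = value !== 0n ? "collection-wide" : "revoke";
  } else {
    scope = value === MAX_UINT256 ? "unlimited" : "limited";
  }
  return { method, grantee, value, scope };
}

// Constructed sample calldata (the operator address is made up)
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const OPERATOR = "0x1111111111111111111111111111111111111111";
const SAMPLE_SAFA = "0xa22cb465" + word(OPERATOR) + word("1");
const SAMPLE_UNLIMITED = "0x095ea7b3" + word(OPERATOR) + "f".repeat(64);
const SAMPLE_REVOKE = "0xa22cb465" + word(OPERATOR) + word("0");

for (const tx of [SAMPLE_SAFA, SAMPLE_UNLIMITED, SAMPLE_REVOKE]) {
  const d = decodeApproval(tx);
  console.log(`${d.method} -> ${d.grantee} (${d.scope})`);
}
```

The `grantee` is the address to check against the marketplace's published contract address before confirming; `approve` shares one selector between ERC-20 amounts and ERC-721 token ids, so the second value has to be read in the context of the token contract.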

So now we've got the WARM setup, we've added additional security with TAP by separating our wallets. We know we need to give approvals to contracts.
We're still missing one important part of the puzzle... Signatures!

Signing Messages

The Different Types of Gasless Signatures

The Identity Proof

(safe)

The most common signature. It's human-readable and mostly used for Terms of Service or for proving your wallet address. Like the one below, for example.

The Typed Signature

[Smart Contract Interaction]
(Use Caution)

Some smart contracts need off-chain signatures. In this example, you can read all inputs if you care to. However, where you get these kinds of signature requests matters: OpenSea or a trusted marketplace? Probably safe. Some “new trading site” or link you found on Twitter? I’d think twice!

The Obfuscated Hex Signature

(Use Extreme Caution!)


Can you read this? No? So your first thought should be: "What am I signing here?" Be very careful with these kinds of signatures, as you don't know what you're signing.

ETH_Sign

Outdated & Well, A Little Bit Scary
(Dangerous!)

This is a very dangerous signature type, basically the “blank check” of Ethereum. The requester can use it to get any transaction signed with your private key. Some services like OpenSea Pro require you to enable it, but 99% of people should leave it disabled, which is the default in MetaMask and some other wallets!

Don't sign this!

Signing fraudulent transactions is causing many to lose their assets!
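The four signature types above, as an added example (not code from this guide or from any wallet) that sorts a wallet signing request into those categories. It assumes the request arrives as a JSON-RPC object using `personal_sign`, `eth_signTypedData_v4` or `eth_sign`, and treats a `personal_sign` payload that does not decode to printable text as the obfuscated hex case; all sample requests are constructed.

```javascript
// Added example: map a wallet signing request to the guide's four categories.
const PRINTABLE = /^[\x20-\x7E\r\n\t]+$/;

function decodeMessage(data) {
  // personal_sign payloads are normally 0x-prefixed hex of the UTF-8 message
  return /^0x([0-9a-fA-F]{2})*$/.test(data)
    ? Buffer.from(data.slice(2), "hex").toString("utf8")
    : data;
}

function classifySignatureRequest({ method, params = [] }) {
  if (method === "eth_sign") {
    return { category: "eth_sign", advice: "dangerous",
             detail: "raw hash, the wallet cannot show what it authorizes" };
  }
  if (method === "eth_signTypedData_v4") {
    let typed = null;
    try {
      typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    } catch { /* malformed JSON: falls through to the unreadable case */ }
    if (!typed || !typed.domain) {
      return { category: "obfuscated", advice: "use extreme caution",
               detail: "typed data could not be parsed" };
    }
    const { name, verifyingContract } = typed.domain;
    return { category: "typed", advice: "use caution",
             detail: `${typed.primaryType} for ${name} at ${verifyingContract}` };
  }
  if (method === "personal_sign") {
    const text = decodeMessage(String(params[0]));
    return text.length > 0 && PRINTABLE.test(text)
      ? { category: "identity-proof", advice: "safe", detail: text }
      : { category: "obfuscated", advice: "use extreme caution",
          detail: "payload is not readable text" };
  }
  return { category: "unknown", advice: "use extreme caution", detail: method };
}

// Constructed sample requests (addresses, names and messages are made up)
const ME = "0x3333333333333333333333333333333333333333";
const toHex = (s) => "0x" + Buffer.from(s, "utf8").toString("hex");
const SAMPLE_LOGIN = { method: "personal_sign", params: [toHex("I accept the Terms of Service"), ME] };
const SAMPLE_HEX = { method: "personal_sign", params: ["0x" + "ab".repeat(32), ME] };
const SAMPLE_TYPED = { method: "eth_signTypedData_v4", params: [ME, JSON.stringify({
  domain: { name: "ExampleMarket", verifyingContract: "0x2222222222222222222222222222222222222222" },
  primaryType: "Order", message: {} })] };
const SAMPLE_ETH_SIGN = { method: "eth_sign", params: [ME, "0x" + "cd".repeat(32)] };
```

For a typed request, the `detail` string surfaces the domain name and verifying contract, which are the fields to compare against the site you believe you are on.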

Signing the wrong transaction might result in losing your assets. So please stop degening with the wallet that holds all your valuables! Split your wallets, use warm.xyz and delegate to your vault to stay safe and enjoy the fun of Web3!

Still a little confused about all of this stuff? Consider using a wallet extension like Wallet Guard or Pocket Universe, as they can help “demystify”.

Boring Security offers live free classes every month with advanced classes as well!




TAKE ACTION NOW!


Checklist

TAP: Create at least 3 wallet addresses, and use them right!
Warm Setup: Connect your Vault Wallet via Warm
Don't rush: Be patient, check what you're doing and use wallet protection extensions!
Get a hardware wallet: Yes, buy one now, set it up and stay safe!
Ask questions: Ask people if you're not sure

One of the best places to ask and get help from an amazing community is the Boring Security DAO 😉
They even got their own Ledger now! Get it here: Boring Security Ledger