I’m constantly seeing posts about people getting hacked, and it really sucks. I wonder if there exists a comprehensive guide on security to help people be safe. A checklist would be great. Seed security, how to avoid phishing websites, etc.
If it doesn’t exist maybe we can collaborate on something. And pin it in this sub.
22 thoughts on “Is there a dedicated defi security guide / checklist?”
Oof man oh man. I did a small one on this in rtech, but this is what I know and do to avoid potential fuckery in crypto in general, not just defi:
– use Linux
– use a pc only, phones are easier to hack or steal.
– use a vpn
– do not use anything that you also use for your personal use. (The threat is key logs, where they see everything you type and steal your logins; anything else that you type through your keyboard is logged and saved for the hackers' fun)
– use a physical 2 factor authentication key like yubikey, DO NOT USE TEXT MESSAGE AS 2 FACTOR SECURITY
– avoid binance and any other exchanges with a bad reputation for fuckery.
– use a non-personal email for all your trading accounts
– try to verify using a Google voice cell number rather than your own if you absolutely must.
– try to keep large amounts of crypto in cold storage, keep that cold storage in a bank safe if you are dealing with amounts that might warrant a visit from men in ski masks to your house.
– do not give out your pass phrases, private keys.
– don’t take unsolicited offers/advice from anyone.
– don’t ever disclose what cryptos you hold and how much in a public forum. (People do this one a lot, looking at you redditors!)
– similar to the above point, do not keep spreadsheets/files with this info on the same device you trade from. Same for any copies of ID used for KYC.
(Someone mentioned they copy and paste their login information from a clipboard file, ANYTHING THAT IS ON YOUR TRADING COMPUTER IS VULNERABLE TO THEFT BY HACKING.)
– no webcams or microphones connected to your pc.
– don’t use your trading device for gaming, porno or anything but crypto trading really.
– get a password manager and only mouse click to enter usernames and passwords. (Back to my point on key logs)
– use a password generator with symbols/numbers/no words.
– for every email that you sign up to a new exchange, make a new email, or use gmail plus sign feature. For example “your email address”[email protected], that way if that email is hacked and starts sending emails to others or you start receiving weird emails, look at the recipients on the email and you can see who is selling your info/got hacked.
– use bookmarks to save the exchanges you use so key logs don’t reveal who you trade with when you type in the URL. THE MOUSE IS YOUR FRIEND, THE KEYBOARD IS YOUR ENEMY!
– don’t leave yourself signed into any accounts
– don’t leave your wallet open on your browser
– don’t leave your computer online or on.
Edit for Additions:
– don’t use telegram or discord on trading computer
Think that covers it for my current security measures, fire some more at me and I will add them to the list!
Edit to put everyone at ease:
– I go way overkill with my security precautions since I had some tokens worth around $2000 disappear mid transaction.
– I got all my opsec ideas from an early episode/episodes of crypto 101 podcast as well as my friend who used to work cybersecurity for the government. He also thinks I’m overkill and said that using Linux and a password manager is all that’s really needed, so it’s up to you and what fits your level of trading and paranoia.
Here’s what I do:
Generic Crypto Security:
1. Use a hardware wallet. Ledger Nano S is fairly cheap.
2. Never share your seed phrase, and use a 25th word
3. Install and run Malwarebytes and Windows Defender
4. Use a separate browser for your crypto activities
5. If you have the ability, use a separate physical machine for your crypto. Just make sure it stays up to date with patches
1. Someone else pointed out [www.defisafety.com](https://www.defisafety.com). That, and [https://rugdoc.io/](https://rugdoc.io/) are great places to start your research into protocols
2. Consider DeFi insurance. [https://insurace.io](https://insurace.io) and [https://nexusmutual.io/](https://nexusmutual.io/) are two places to start.
3. [https://www.debank.com](https://www.debank.com) to audit your addresses and revoke any smart contracts that you don’t know / don’t trust. You can also set limits.
4. When trying out smaller projects with really high APRs, remember that pulling out a week early is better than an hour late
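On the "use a 25th word" point above, here is an added example (not from the thread or any wallet vendor) showing what the 25th word does: BIP39 feeds the mnemonic plus the passphrase through PBKDF2-HMAC-SHA512, so every passphrase (a typo included) produces a different, equally valid wallet and nothing on the device can tell you it was wrong. The mnemonic is a constructed demo value.

```python
# Added example: BIP39 seed derivation with an optional passphrase ("25th word").
# Standard library only. DEMO_MNEMONIC is a constructed placeholder, never a real wallet.
import hashlib
import unicodedata

DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])  # constructed demo value


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = mnemonic, salt = "mnemonic" + passphrase.
    Both strings are NFKD-normalised as the spec requires, so a passphrase typed with
    composed vs. decomposed accents still yields the same seed. The mnemonic checksum
    is not validated here; that is a separate step a real wallet performs.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short hex tag for comparing seeds without printing key material."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:16]


def passphrase_matters(mnemonic: str, candidates) -> dict:
    """Map each candidate passphrase to its seed fingerprint.

    Every entry is distinct: there is no "wrong passphrase" error, only an empty
    wallet, which is why the 25th word needs its own backup, kept apart from the
    24 words.
    """
    return {p: seed_fingerprint(mnemonic, p) for p in candidates}


if __name__ == "__main__":
    demo = passphrase_matters(DEMO_MNEMONIC, ["", "correct horse", "Correct horse"])
    for passphrase, fp in demo.items():
        print(f"passphrase={passphrase!r:18} seed fingerprint={fp}")
```

Note that the capitalised and uncapitalised passphrases above land in completely different wallets; the hardware device cannot detect the difference for you.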
Never share your seed phrase
Always look at the farm/pool fees
Never invest in bad tokenomics, especially in DEX coins.
Very high apy is not sustainable
I’ll humbly suggest a few deep-dive posts I’ve written about this (each is listenable as a podcast as well):
* [Part 6](https://www.michaelcaloz.com/2021/05/12/cryptocurrency-part-6-overview-of-the-different-types-of-wallets-which-one-is-best-for-you-what-to-be-careful-of-and-why-a-hardware-wallet-might-be-worth-the-investment/), which includes an overview of wallet types and why hardware wallets are important
* [Part 18](https://www.michaelcaloz.com/2021/12/03/easing-into-crypto-part-18-more-preparing-to-invest-security-understanding-what-price-targets-are-realistic-and-using-expected-return-to-choose-between-opportunities/), which includes specific security practices to keep yourself safe (including seed phrase best practices, more info on hardware wallets, 2FA, browser extensions, specific scams I’ve been seeing lately, and one more important security risk that I just realized I’d been neglecting)
* [Part 25](https://www.michaelcaloz.com/2022/03/25/easing-into-crypto-part-25-staying-safe-preparing-your-taxes-avoiding-scams-upgrading-your-security-and-judging-new-projects/) (podcast version coming soon), which includes information on how my friend was scammed out of tens of thousands of dollars and how you can stay safe, what you should look for to evaluate if a new crypto project is legit, and how I decided recently to upgrade my overall crypto security
Hope that helps!
The mantra is “never share your seedphrase,” but this is an incomplete narrative for security.
You have to type in your seedphrase to authenticate new devices. Typing your seedphrase to authenticate a new device IS SHARING YOUR SEEDPHRASE. You hope you’re actually sharing it with the wallet app you intend to, but I don’t know of a way to guarantee that you aren’t being phished or spoofed.
“Be vigilant” is the current strategy for security for defi. 2fa is the solution, but 2fa doesn’t seem compatible with wallets like metamask.
I’ve never seen a comprehensive guide on how to not get phished. I looked on metamask and just see general stuff about being vigilant.
this link should be added to the list if so
Check out the project documentation pages. If there’s no third party audit records, stay away
A googlable term would be "crypto opsec"
Thanks, I would definitely be looking for this as well.
Aside from buying a ledger hardware wallet I’ve also revoked all my outstanding smart contracts using [tin.network](https://tin.network).
Later, I also stumbled upon this site that enables you to revoke outstanding smart contracts: [https://v2.unrekt.net/](https://v2.unrekt.net/)
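Added example (not from the thread, tin.network, unrekt or debank): what the "revoke" buttons on those sites actually send. ERC-20 has no revoke function; a revoke is just `approve(spender, 0)`, and the same decoder lets you read an approval a dapp asks you to sign and spot an unlimited allowance before confirming. It assumes only the ERC-20 `approve(address,uint256)` selector `0x095ea7b3`; the addresses are constructed placeholders.

```python
# Added example: encode/decode ERC-20 approve() calldata and classify the allowance.
# Standard library only; addresses used in tests are constructed placeholders.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1                        # the "infinite" allowance many dapps request by default


def _addr_bytes(address: str) -> bytes:
    hexpart = address[2:] if address.startswith("0x") else address
    raw = bytes.fromhex(hexpart)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): 4-byte selector + two 32-byte words."""
    if not 0 <= amount <= UNLIMITED:
        raise ValueError("amount out of uint256 range")
    spender_word = _addr_bytes(spender).rjust(32, b"\x00")  # address left-padded to 32 bytes
    return APPROVE_SELECTOR + spender_word + amount.to_bytes(32, "big")


def revoke_calldata(spender: str) -> bytes:
    """A 'revoke' is simply an approve() with the allowance set to zero."""
    return encode_approve(spender, 0)


def decode_approve(calldata: bytes):
    """Return (spender, amount) for an approve() call, or None for anything else."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()          # last 20 bytes of the first word
    amount = int.from_bytes(calldata[36:68], "big")  # second word
    return spender, amount


def classify_approve(calldata: bytes) -> str:
    """Human-readable verdict on what signing this calldata would grant."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not an approve() call"
    _, amount = decoded
    if amount == 0:
        return "revoke (allowance set to 0)"
    if amount == UNLIMITED:
        return "UNLIMITED allowance: spender could move your whole balance of this token"
    return f"limited allowance of {amount} base units"


if __name__ == "__main__":
    demo_spender = "0x" + "11" * 20  # constructed placeholder address
    print(classify_approve(encode_approve(demo_spender, UNLIMITED)))
    print(classify_approve(revoke_calldata(demo_spender)))
```

Sending the revoke still costs gas, and some tokens (USDT is the well-known case) reject changing a non-zero allowance to another non-zero value, so "set limits" in practice means revoke to zero first, then approve the smaller amount.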
You can insure your funds against hacks as well!
Here is what I would recommend if you are serious about getting into the sport:
– Ledger X
– Metal backup for 24-word seed phrase
– Buy 2k worth of Eth for transaction fees
– Open accounts with as many fiat solutions as you can
– Get going
Spray n’ pray
There’s a good one the Bankless guys put out
it also has some guides for teaching people how to stay safe
In terms of security I use the dapp of ebox when I’m transferring funds because they have safe-sending, reversible transactions that make it easier not to send to the wrong address, making it more secure imo.
get a hardware wallet. best return on investment you’re gonna get in defi, period
RAMP DeFi has actually set out some guidelines especially for newbies on DeFi. It’s very informative and it helped me avoid the risks on these projects. If you want a good read, here it is: https://www.rampdefi.com/blog/post/the-risks-and-rewards-of-defi
A wallet with multi-sig signing technology will be beneficial in preventing potential hacks because it distributes keys among users and ensures enterprise-grade security; Unido wallet has this, and I believe MetaMask does as well, but I’m not certain.
Have you checked on Ebox? It’s exactly what you’re looking for. An escrow service with a security feature. They have features like safe-sending and reversible transactions that will keep you safe from hackers and scammers.
This is the best checklist I’ve come across. It details every single category and way you could get your money stolen and what to do about it.