Citizen's Guide: Operational Security in Web3

Any Citizen joining Neo Tokyo will commit to securing their crypto assets and looking out for their fellow Citizens.

Web3, the decentralized web, presents unique opportunities and challenges for crypto users. As the value of assets and the Neo Tokyo ecosystem grows, our Citizens will be increasingly targeted. Ensuring security and privacy becomes paramount. This article aims to guide intermediate crypto users on how to operate safely in Web3, focusing on wallet management, smart contract permissions, and general security practices.

A MintDefense tweet directing Web3 users to revoke wallet permissions after a smart contract exploit was discovered.

Before going any further, make sure to enable notifications for MintDefense via their X account and their discord server. MintDefense is the premiere Web3 security company created by Neo Tokyo Citizens.

• MintDefense on X: https://twitter.com/MintDefense
• MintDefense discord server: https://discord.gg/mintdefense
• MintDefense website: https://mintdefense.com/

Hot Wallets

Hot wallets are connected to the internet and provide ease of access for day-to-day transactions. Examples include MetaMask, Trust Wallet, and other browser or mobile wallets. A hot wallet should not be used to store high-value assets, unless the wallet is being used as the intermediary to purchase or sell the valuable asset via an exchange or swap.

Pros: Easy access, user-friendly interfaces, and quick transactions.
Cons: Higher risk of online attacks and vulnerabilities.

Cold Wallets

Cold wallets are offline storage solutions like hardware wallets (e.g., Ledger, Trezor) or paper wallets. Your cold wallet should function more like a bank vault, where your high value assets are stored long-term. Avoid signing transactions or granting contract permissions to your cold wallets.

Pros: Enhanced security, reduced risk of online hacks. Cons: Less convenient for frequent transactions.

Best Practices

• Use hot wallets for small, daily transactions and cold wallets for the bulk of your assets.
• Regularly backup your wallet information securely.

Digital signatures are a key tool for verifying identity and authorizing transactions, distinguished by their efficiency and lack of associated gas fees. Always remain vigilant and question any requests for fees associated with simple signing activities.

Typical Uses of Signatures

• Identity Verification: Confirming ownership of a blockchain address without executing a network transaction.
• Authorization in DApps: Granting permissions or agreeing to terms in decentralized applications, again without on-chain transactions.

Emphasis on No Gas Fees

• No Gas Fees for Signing: Crucially, signing a message or a transaction with your digital signature does not require any gas fees. This process is conducted off-chain and does not interact with the blockchain directly.
• Scam Alert: If you are prompted to pay a gas fee for merely signing a message or transaction, be cautious. This is a common red flag indicating a potential scam or attack, as legitimate signing processes do not incur blockchain network fees.

Importance of Revoking Permissions

Over time, your wallet may accumulate numerous permissions granted to various DApps and smart contracts, increasing vulnerability.

How to Revoke Permissions

Use tools like Etherscan or BscScan to view and revoke permissions:

• Connect your wallet.
• Navigate to the “Token Approvals” section.
• Review and revoke unnecessary permissions.

Alternatively, use https://revoke.cash

Verifying Smart Contracts

Always verify the authenticity of smart contracts:

• Check contract addresses against official sources.
• Use blockchain explorers to review contract code and audit reports.

Being Cautious with DApps

• Research DApps before use.
• Be wary of granting high-level permissions.

Common Scams in Web3

• Fake ICOs, airdrops, and giveaways.
• Pump-and-dump schemes.
• Impersonation scams.
• In Neo Tokyo, Citizens are often targeted to install early game demos which are actually malicious software.

Preventing Phishing Attacks

• Never share private keys or recovery phrases.
• Double-check URLs and email addresses.
• Use hardware wallets for an additional layer of security.

Perform regular audits of your wallet and transactions. Keep track of permissions granted and assets held. Utilize security services and tools available in the crypto ecosystem for ongoing monitoring.

Web3 users should strive for anonymity because it protects against exploitation, targeted attacks, and unwanted attention that could result from the public disclosure of their cryptocurrency assets and transaction histories tied to real-world identities.

Tying your cryptocurrency assets directly to your real-world identity represents a threat for a few key reasons:

1. It eliminates pseudonymity and privacy. Cryptocurrencies like Bitcoin were originally designed to allow more privacy and pseudonymity of transactions. Associating wallet addresses to real identities diminishes this privacy.
2. It exposes you to targeted attacks. If malicious actors can tie your identity to your cryptocurrency holdings, you become vulnerable to attacks like phishing attempts, SIM swapping to steal assets, or physical threats to reveal access keys. Criminals may target wealthier individuals.
3. It reveals transaction history. On public blockchains like Bitcoin and Ethereum, your full transaction history can be viewed. Linking this to a real identity means everyone can see what you've purchased and who you've transacted with, losing financial privacy.
4. It can lead to unwanted attention. Public knowledge of cryptocurrency wealth may lead many people, including media, friends, family and scammers to pepper you with requests for money or investment opportunities. This loss of privacy enables unwanted attention.

Revealing your real-world identity alongside cryptocurrency holdings effectively nullifies many of the privacy benefits of cryptocurrencies. It opens up attack vectors and encourages unwanted attention on current wealth and transaction histories.

Navigating Web3 safely requires vigilance, knowledge, and the right tools. By understanding the intricacies of hot and cold wallets, managing smart contract permissions, conducting secure transactions, and staying alert to scams, you can significantly reduce risks and enhance your Web3 experience. Remember, the crypto world is constantly evolving, and staying informed is key to operating safely in this dynamic environment.

Note: Links on a publicly-editable Web3 wiki are a possible attack vector. This is not a comprehensive guide. It is intended to provide a general understanding of Web3 security. Do your own research.