Security Special Issue 03 | OKX Web3 & WTF Academy: One second you're farming airdrops, the next your wallet is hacked? (Part 1)

This article is machine translated

This is the third security special issue. We have invited industry-renowned security expert 0xAA and the OKX Web3 Wallet Security Team to explain, from the perspective of practical guidelines, the common security risks faced by airdrop farmers ("LuMao" users) and how to prevent them.

WTF Academy: Thank you very much for the invitation from OKX Web3. I am 0xAA from WTF Academy. WTF Academy is a Web3 open-source university that helps developers get started with Web3 development. This year we incubated a Web3 rescue project, RescuETH (the on-chain rescue team), which focuses on rescuing the remaining assets in users' compromised wallets. So far we have successfully rescued more than 3 million RMB worth of assets on Ethereum, Solana and Cosmos.

OKX Web3 Wallet Security Team: Hello everyone, I am very happy to share here. The OKX Web3 Wallet Security Team is mainly responsible for building OKX's security capabilities in the Web3 field, such as wallet security, smart contract security audits and on-chain project security monitoring, providing users with multiple layers of protection covering product security, fund security and transaction security, and contributing to the security of the whole blockchain ecosystem.

Q1: Please share some real-life examples of risks encountered by airdrop farmers.

WTF Academy: Private key leakage is one of the major security risks faced by crypto users. In essence, a private key is a string of characters used to control crypto assets, and anyone who possesses it has full control of the corresponding assets. Once a private key is leaked, an attacker can access, transfer and manage the user's assets without authorization, causing financial loss. Therefore I will focus on several cases of private key theft.

Alice (pseudonym) was induced by hackers on social media to download malware, and her private key was stolen after she ran it. Malware currently comes in many forms, including but not limited to mining scripts, games, meeting software, bot scripts and sandwich bots. Users need to raise their security awareness.

Bob (pseudonym) accidentally uploaded his private key to GitHub, where it was obtained by someone else, leading to the theft of his assets.

When Carl (pseudonym) asked a question in the project's official Telegram group, he trusted a fake customer-service account that contacted him and leaked his mnemonic phrase; his wallet assets were subsequently stolen.

OKX Web3 Wallet Security Team: There are many risk cases of this type. We have selected several classic cases that users ran into while farming airdrops.

The first type is fake airdrops posted by high-imitation accounts. While user A was browsing the Twitter account of a popular project, he found an airdrop announcement under the project's latest tweet, clicked the link to participate, and was phished. Many phishers currently use high-imitation official accounts to post false announcements under official tweets to lure users into the trap. Users should be careful to distinguish them and not take them lightly.

The second type is the hijacking of official accounts. The official Twitter and Discord accounts of a certain project were hacked, and the hacker then posted a fake airdrop link from the project's official account. Since the link came from the official channel, user B did not doubt its authenticity; after clicking the link to participate in the airdrop, he was phished.

The third type is running into a malicious project team. When user C took part in a mining activity of a certain project, he deposited all of his USDT into the project's staking contract in order to earn higher rewards. However, the smart contract had not been rigorously audited and was not open source, and the project team stole all the assets user C had deposited through a backdoor reserved in the contract.

For LuMao users, who may have dozens or hundreds of wallets, protecting wallets and assets is a very important topic. They need to stay vigilant at all times and improve their security awareness.

Q2: As high-frequency users, what common security risks do LuMao users face in on-chain interactions, and what are the protective measures?

WTF Academy: For LuMao users, and indeed all Web3 users, the two most common security risks are phishing attacks and private key leaks.

The first type is phishing attacks: hackers usually impersonate official websites or applications, trick users into clicking through from social media and search engines, and then induce them to transact or sign on the phishing website to obtain token approvals and steal the user's assets.

Preventive measures: First, it is recommended that users access official websites and applications only through official channels (such as the link in the official Twitter profile). Second, users can use security plug-ins to automatically block some phishing websites. Third, when accessing a suspicious website, users can consult professional security personnel to help determine whether it is a phishing site.

The second type is private key leakage: this was introduced in the previous question and will not be expanded on here.

Preventive measures: First, if you have a wallet installed on your computer or mobile phone, try not to download suspicious software from unofficial channels. Second, users need to know that official customer service usually will not send you private messages proactively, let alone ask you to send private keys and mnemonics or enter them on fake websites. Third, if your open-source project needs to use a private key, configure the .gitignore file first to make sure the private key is not uploaded to GitHub.
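The .gitignore advice above stops the usual secret-bearing files from being staged, but it does not catch a key pasted into a script. The following Python is an added example, written for this page and not code from WTF Academy or RescuETH: it combines a .gitignore-style exclusion list with a pre-commit scan for two shapes of secret, a 32-byte hex private key and a 12- or 24-word mnemonic. The ignore patterns, the sample files and the placeholder key and phrase in them are constructed for the example.

```python
import fnmatch
import re

# Patterns that would normally live in the repository's .gitignore. Constructed for
# this example: they keep the usual secret-bearing files out of git entirely.
GITIGNORE_PATTERNS = [".env", "*.key", "secrets/*"]

# A 32-byte hex private key, with or without the 0x prefix. Any 64-hex string
# (for instance a SHA-256 digest) also matches, so treat hits as review prompts.
HEX_KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# A run of 12 to 24 short lowercase words on one line; BIP-39 phrases are
# 12 or 24 words, so only runs of exactly those lengths are reported.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11,23}[a-z]{3,8}\b")

# Constructed sample of staged files; the key and phrase are placeholders, not real secrets.
SAMPLE_FILES = {
    ".env": "RPC_URL=https://rpc.example.invalid\nPRIVATE_KEY=0x" + "ab" * 32 + "\n",
    "deploy.py": 'MNEMONIC = "abandon ability able about above absent absorb abstract absurd abuse access accident"\n',
    "README.md": "Copy .env.example to .env and fill in your own values before deploying.\n",
}


def is_ignored(path, patterns=GITIGNORE_PATTERNS):
    """True if the .gitignore patterns would keep this path out of the commit."""
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def find_secrets(files):
    """Return (path, kind) for every file whose content looks like a key or mnemonic."""
    findings = []
    for path, text in files.items():
        if HEX_KEY_RE.search(text):
            findings.append((path, "hex-private-key"))
        for m in MNEMONIC_RE.finditer(text):
            if len(m.group(0).split()) in (12, 24):
                findings.append((path, "mnemonic-phrase"))
                break
    return findings


def precommit_findings(files, patterns=GITIGNORE_PATTERNS):
    """What a pre-commit hook should block: secrets in files .gitignore does not already exclude."""
    staged = {p: t for p, t in files.items() if not is_ignored(p, patterns)}
    return find_secrets(staged)


if __name__ == "__main__":
    for path, kind in precommit_findings(SAMPLE_FILES):
        print(f"BLOCKED: {path} contains a {kind}")
```

In the sample, .env is excluded by the ignore list, so the hook's only blocking finding is the mnemonic in deploy.py, which is exactly the case the .gitignore alone would have missed. Hooked into git as a pre-commit script, the same check runs over the staged files before every commit; a key that is already pushed should be treated as compromised and the funds moved, since GitHub history is scraped continuously.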

OKX Web3 Wallet Security Team: We have summarized five common security risks that users encounter in on-chain interactions and listed some protective measures for each.

1. Airdrop Scam

Risk profile: Some users often find a large number of unknown tokens in their wallet addresses. These tokens usually cannot be traded on common DEXs, and the page prompts users to exchange them on the token's "official website". Then, when users authorize the transaction, they often grant the smart contract the right to transfer the account's assets, which eventually leads to asset theft. For example, in the Zape airdrop scam, many users suddenly received a large number of Zape tokens in their wallets that appeared to be worth hundreds of thousands of dollars, which made many people mistakenly believe they had struck it rich. In fact, it was a carefully designed trap. Since these tokens could not be looked up on regular platforms, many users eager to cash out searched for the so-called "official website" by the token name. After connecting their wallet as prompted, they thought they could sell the tokens, but once the approval was granted, all assets in the wallet were stolen immediately.

Protective measures: Avoiding airdrop scams requires users to stay highly vigilant, verify the source of information, and always obtain airdrop information from official channels (such as the project's official website, official social media accounts and official announcements). Protect private keys and mnemonics, never pay any fees, and use communities and tools to verify and identify potential scams.

2. Malicious Smart Contracts

Risk profile: Many unaudited or closed-source smart contracts may contain vulnerabilities or backdoors and cannot guarantee the safety of user funds.

Protective measures: Users should try to interact only with smart contracts that have been rigorously audited by formal audit companies, or at least check the project's security audit report. In addition, projects that run bug bounties are usually more secure.

3. Authorization Management

Risk profile: Over-authorizing a contract you interact with may lead to theft of funds. Some examples: 1) The contract is upgradeable. If the private key of the privileged account is leaked, an attacker can use it to upgrade the contract to a malicious version and steal the assets of users who approved it. 2) If the contract contains undiscovered vulnerabilities, over-authorization may allow attackers to exploit them in the future to steal funds.

Protective measures: In principle, grant only the necessary approvals to the contracts you interact with, and check and revoke unnecessary approvals regularly. When signing off-chain permit authorizations, make sure you clearly understand the target contract, asset type and authorization amount, and think twice before acting.

4. Phishing Authorization

Risk profile: Clicking a malicious link and being induced to grant an approval to a malicious contract or user.

Protective measures: 1) Avoid blind signing: before signing any transaction, make sure you understand its content and that each step is clear and necessary. 2) Be cautious about the approval target: if the target is an EOA address (Externally Owned Account) or an unverified contract, you must be vigilant; unverified contracts may contain malicious code. 3) Use a plug-in wallet with anti-phishing protection, such as the OKX Web3 wallet, which can help identify and block malicious links. 4) Protect mnemonics and private keys: any website that asks for a mnemonic or private key is a phishing site. Do not enter this sensitive information on any website or application.

5. Malicious Scripts

Risk profile: Running malicious scripts can implant Trojans in your computer, leading to the theft of your private keys.

Protective measures: Be cautious when running unknown LuMao scripts or LuMao software.

In short, we hope users will be cautious and protect their wallets and assets when interacting on-chain.
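Points 3 (authorization management) and 4 (phishing authorization) in the answer above both come down to reading what an approval transaction actually grants before signing it. The Python below is an added example written for this page, not code from the OKX Web3 wallet: it decodes the two approval calls phishing sites most often ask for, ERC-20 approve(address,uint256) and the NFT operator call setApprovalForAll(address,bool), and raises the warnings the answer lists, an unlimited allowance, an allowance larger than the dapp needs, a blanket operator approval, and a spender that is not a verified contract. The set of "known contracts" is a constructed stand-in for the on-chain code and verification checks a real wallet would perform, and the sample addresses are placeholders.

```python
APPROVE_SELECTOR = "095ea7b3"               # keccak256("approve(address,uint256)")[:4]
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # keccak256("setApprovalForAll(address,bool)")[:4]
UNLIMITED = 2**256 - 1                      # the "infinite approval" most dapps request by default

# Constructed: addresses the wallet treats as verified contracts (a DEX router here).
# A real wallet would check for on-chain code and a verification source; this is an assumption.
KNOWN_CONTRACTS = {"0x" + "11" * 20}


def _strip0x(h):
    return h[2:] if h.lower().startswith("0x") else h


def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata; amount 0 is how an allowance is revoked."""
    return "0x" + APPROVE_SELECTOR + _strip0x(spender).lower().rjust(64, "0") + format(amount, "064x")


def encode_set_approval_for_all(operator, approved):
    """Build setApprovalForAll(operator, approved) calldata (ERC-721/ERC-1155)."""
    return ("0x" + SET_APPROVAL_FOR_ALL_SELECTOR + _strip0x(operator).lower().rjust(64, "0")
            + format(int(approved), "064x"))


def analyze_calldata(calldata, known_contracts=KNOWN_CONTRACTS, needed=None):
    """Decode an approval and list what the signer should worry about.

    needed: the allowance the dapp really requires, if known; anything above it is over-authorization.
    """
    data = _strip0x(calldata).lower()
    selector, body = data[:8], data[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]   # ABI words are 32 bytes
    if selector not in (APPROVE_SELECTOR, SET_APPROVAL_FOR_ALL_SELECTOR) or len(words) < 2:
        return {"kind": "not-an-approval", "warnings": []}

    spender = "0x" + words[0][-40:]      # address is right-aligned in its 32-byte word
    value = int(words[1], 16)            # uint256 amount, or 0/1 for the bool
    warnings = []
    if selector == APPROVE_SELECTOR:
        kind = "approve"
        if value == UNLIMITED:
            warnings.append("unlimited allowance")
        elif needed is not None and value > needed:
            warnings.append("allowance exceeds what the dapp needs")
    else:
        kind = "setApprovalForAll"
        if value == 1:
            warnings.append("operator approval for every token in the collection")
    # A revocation (value 0) to an unknown address is harmless; anything else to an
    # unverified spender is the classic "approve to EOA" phishing pattern.
    if value != 0 and spender not in known_contracts:
        warnings.append("spender is not a verified contract (may be an EOA or unverified code)")
    return {"kind": kind, "spender": spender, "value": value, "warnings": warnings}


if __name__ == "__main__":
    for name, tx in [("phishing", encode_approve("0x" + "22" * 20, UNLIMITED)),
                     ("dex swap", encode_approve("0x" + "11" * 20, 100 * 10**6)),
                     ("revoke", encode_approve("0x" + "22" * 20, 0))]:
        print(name, analyze_calldata(tx)["warnings"])
```

The same decoder doubles as the "check and revoke regularly" step: a revocation is simply approve(spender, 0), and setApprovalForAll(operator, false) for NFTs, so a wallet that can decode these calls can also show the user exactly which allowance a revoke transaction clears. Off-chain permit signatures carry the same spender and value fields in their typed data, which is why the answer asks you to read all three before signing.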

Q3: What are the classic phishing types and techniques, and how can they be identified and avoided?

WTF Academy: I would like to answer this from another angle: once a user discovers that their assets have been stolen, how can they tell whether it was a phishing attack or a private key leak? The two types of attack can usually be distinguished by the following characteristics:

1. Characteristics of phishing attacks: hackers usually obtain approval for one or more assets in a single wallet through a phishing website and steal those assets. Generally speaking, the number of asset types stolen equals the number of approvals the user signed on the phishing website.

2. Characteristics of private key/mnemonic phrase leakage: hackers gain complete control of all assets on all chains under one or more of the user's wallets. Therefore, if one or more of the following characteristics appear, it is highly likely that the private key has been leaked:

1) The native token is stolen (such as ETH on Ethereum), because the native token cannot be approved.

2) Multi-chain assets were stolen.

3) Assets from multiple wallets were stolen.

4) Multiple assets from a single wallet are stolen, and the user clearly remembers not having approved them.

5) There is no approval (Approval event) before, or in the same transaction as, the theft of the tokens.

6) Gas transferred into the wallet is immediately swept away by the hackers.

If none of the above characteristics apply, it is likely a phishing attack.
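The six indicators above are easy to apply by hand to one wallet, but a rescue team triaging many victims wants them as a checklist run over the transfer records. The Python below is an added example written for this page, not WTF Academy's or RescuETH's tooling: it encodes the six indicators as a function over constructed theft records of the shape one would build from a block-explorer export (chain, wallet, asset, whether it is the native gas token, whether the user remembers approving it, and whether an Approval event precedes the drain) and returns the verdict with the indicators that fired. The two sample cases and the field names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed theft records. Fields: chain, wallet, asset, native (gas token?),
# user_approved (the user remembers approving this asset to a site),
# approval_before (an Approval event to the thief exists before or in the draining tx).
PHISHING_CASE = [
    {"chain": "ethereum", "wallet": "0xA", "asset": "USDT", "native": False, "user_approved": True, "approval_before": True},
    {"chain": "ethereum", "wallet": "0xA", "asset": "USDC", "native": False, "user_approved": True, "approval_before": True},
]

KEY_LEAK_CASE = [
    {"chain": "ethereum", "wallet": "0xA", "asset": "ETH", "native": True, "user_approved": False, "approval_before": False},
    {"chain": "ethereum", "wallet": "0xA", "asset": "USDT", "native": False, "user_approved": False, "approval_before": False},
    {"chain": "bsc", "wallet": "0xB", "asset": "BNB", "native": True, "user_approved": False, "approval_before": False},
]


def key_leak_indicators(transfers, gas_topup_swept=False):
    """Return the private-key-leak indicators (numbered as in the answer) that the records exhibit."""
    reasons = []
    # 1) native token moved: there is no approve() for ETH/BNB, so only the key holder can send it
    if any(t["native"] for t in transfers):
        reasons.append("1) native token stolen (it cannot be approved)")
    # 2) and 3) a phishing approval is per chain and per wallet; a key works everywhere
    if len({t["chain"] for t in transfers}) > 1:
        reasons.append("2) assets stolen on multiple chains")
    if len({t["wallet"] for t in transfers}) > 1:
        reasons.append("3) assets stolen from multiple wallets")
    # 4) several token types from one wallet that the user never approved anywhere
    unapproved_per_wallet = defaultdict(set)
    for t in transfers:
        if not t["native"] and not t["user_approved"]:
            unapproved_per_wallet[t["wallet"]].add(t["asset"])
    if any(len(assets) > 1 for assets in unapproved_per_wallet.values()):
        reasons.append("4) several assets taken from one wallet that the user never approved")
    # 5) a transferFrom by a thief needs a prior Approval event; a direct transfer does not
    if any(not t["native"] and not t["approval_before"] for t in transfers):
        reasons.append("5) token drained with no Approval event before or in the same tx")
    # 6) a sweeper bot watching the key drains gas the moment it arrives
    if gas_topup_swept:
        reasons.append("6) gas sent to the wallet was swept immediately")
    return reasons


def classify_theft(transfers, gas_topup_swept=False):
    """Heuristic verdict: any leak indicator means treat the key as compromised."""
    reasons = key_leak_indicators(transfers, gas_topup_swept)
    if reasons:
        return "private key leak", reasons
    return "phishing", ["only approved tokens taken from one wallet on one chain"]


if __name__ == "__main__":
    for name, case in [("phishing case", PHISHING_CASE), ("key leak case", KEY_LEAK_CASE)]:
        verdict, reasons = classify_theft(case, gas_topup_swept=(name == "key leak case"))
        print(name, "->", verdict, reasons)
```

The verdict decides the response: for a phishing result the remaining funds are safe once the approvals are revoked, while any leak indicator means the address must be abandoned and whatever is left moved out, typically in the same block as any gas top-up, because indicator 6 is a sweeper bot racing the owner for it.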

OKX Web3 Wallet Security Team: To avoid being phished, you need to pay attention to two points: 1) Remember not to fill in the mnemonic / p

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.