Entering the world of cryptocurrency for the first time can be a daunting experience. For some, it's a way to get to grips with an exciting new technology, whilst others are enticed by the promise of huge returns (ignoring the warnings of equally huge losses). Yet whilst cryptocurrency can be an exciting and rewarding investment, it is vital to have an understanding of web3 security and the measures needed to protect yourself and your fund. All too often excited but naive investors rush into crypto investment and fall into the traps set by scammers.
Given these risks, all security-minded crypto investors will first do their own research into both the security of the projects they are eyeing and their own security as they move through web3. Security is not a one-time check but an end-to-end process, and those who don’t take it seriously will only have themselves to blame.
With this in mind, we have put together a checklist of some best practices for any new crypto investor looking to step into the exciting world of web3.
One of the primary ways that investors are defrauded of their funds is through rugpulls and exit scams, and new investors are typically more susceptible to bad faith projects than their more seasoned counterparts. Evidence of this is seen in the current bear market, where the amount of funds lost to rugpulls has fallen largely due to the lack of new money entering the space.
To avoid falling prey to these scams, investors should check for teams that cultivate transparency and accountability around themselves and their projects. All too often founders are able to execute exit scams by hiding behind pseudonyms and concealing malicious code. From the perspective of web3 security, this lack of transparency is a major pain point as it allows malicious founders and teams to act without accountability. In working to ensure web3 security, CertiK recently introduced CertiK KYC - which provides identity verification for project teams- to help investors make shrewder decisions based on an awareness of web3 security.
In attempting to avoid exit scams, investors should also be wary of projects making wild promises of astronomical returns. Projects pursuing "too good to be true" marketing strategies are a sign that there could be malicious intent at play. Whilst huge yields from crypto investments aren’t unheard of, they are very rare, and investors should stay sober and keep their heads when deciding on what to invest in. If it sounds too good to be true, it probably is.
Web3 security for investors is bound up with web3 security for projects; just as you would not put your money in a bank that doesn’t have a strong vault, crypto investors should not put their money in projects that do not have secure smart contracts. This is why wise investors will check to see that the projects they invest in take an end-to-end approach to their web3 security.
Of course, the average investor does not have the time or knowledge to meticulously analyze every line of a project’s code. What they can do is check for the signs that the project has taken a proactive approach to its security through smart contract audits and on-chain monitoring with tools such as CertiK’s Skynet. Ultimately, good faith projects want their communities to know that they are serious about web3 security, so investors should be wary of projects that are unclear about theirs. For a useful comparison between projects and their security, you can check out the CertiK Security Leaderboard, which rates and ranks all onboarded projects in terms of their security.
Once you have done your research and decided on some interesting and secure projects you would like to invest in, the next step is to ensure that your wallets and authorizations are secure. First off, it is wise to make a new email address before opening an account with a cryptocurrency exchange. Having just the one email address for all your online activity is very high risk. If that address is hacked or compromised, the consequences are far more severe than if your sensitive information is distributed across multiple emails.
Next, ensure that your login credentials are unique. Using the same password to access all your online accounts is like having the same key to open all of your locks. In short, it is one of the clearest examples of centralization risk imaginable, if the key is compromised then so is everything else it secures. This process can then be streamlined through the use of password managers which provide an easy and secure way to conveniently access multiple passwords.
Lastly, in securing your accounts you should set up 2FA (2 Factor) authentication. 2FA authentication is a tool that generates a random passcode every 60 seconds directly on your device. When logging in to an account with 2FA authentication, you will be asked to retrieve and enter the code to gain access. This means that a hacker would need to have both your password and the device with 2FA authentication to be able to access your account. 2FA authenticators come in a number of forms, with useful apps such as Google Authenticator, and even hardware-based security keys that are plugged into your computer.
These practical and simple measures are vital for ensuring your web3 security as you begin investing in crypto. Attackers will often attempt to use scams and phishing attacks in an attempt to trick investors into handing over their login credentials and other sensitive information. Typically, phishing attacks will approach a user with a seemingly urgent matter that they have to respond to immediately. This urgency is just a ploy to make you forget to do your due diligence and check the sender's reliability. Don’t be fooled! Always make sure to check the authenticity of the person contacting you, and be extremely cautious when sharing personal information about yourself online.
NFTs in particular are prone to social media attacks, with one notable example being the recent OpenSea phishing attack, after scammers sent phishing emails impersonating OpenSea which asked them to sign a malicious transaction disguised as a legitimate request.
One clear lesson from this example is to never validate a transaction that you didn’t author yourself. Scammers will often approach you with links that prompt you to authorize transactions. These transactions must always be refused.
If approached by an organization you recognize, always verify the legitimacy of the source through independent means. Most companies will have information on the ways that they will and won’t get in touch with you, and you can always get in touch with them via their official contact asking whether the email is legitimate.
Once you have bought some cryptocurrency, the next step is deciding where to store it. Cryptocurrency ‘wallets’ are either ‘hot’ or ‘cold. A ‘hot wallet’ refers to any wallet that is connected to the internet, whilst a ‘cold wallet’ is a piece of hardware that stores cryptocurrency and is not connected to the internet. As a general rule, hot wallets are more convenient as they allow for a streamlined transfer of funds, and cold Wallets are more secure as an attacker would need physical access to the hardware to access your funds. The choice between a hot and cold wallet is not an either/or situation. Many people will hold some of their funds on a cold wallet for security, and some on a hot wallet to allow for a smoother flow of funds.
Ultimately, the two wallets reflect two different kinds of crypto investors. For investors looking to hold on to one token for the long term, they can afford to sacrifice convenience for security. For investors looking to make frequent trades, a hot wallet is necessary for their ease of access. Yet both cases require an awareness of web3 security: cold wallets require setting up a recovery phrase in the event that the wallet becomes inaccessible; hot wallets require decisions around entrusting a third party with the funds (as in the case of custodial wallets provided by centralized exchanges), and non-custodial wallets where the user has exclusive control and responsibility of their own wallet and private keys.
Whilst the above measures are essential to the security of any new crypto investor, it is important to reiterate that web3 security is not a one-time check, but an ongoing process. Just checking your security at the start and never again is like watering a plant once and expecting it to thrive. This goes both for projects themselves who fail to continually audit and monitor their protocols, and individual investors who fail to stay vigilant and implement web3 security best practices. The world of crypto investment is a dynamic yet high-risk place, and whilst there is no measure that can completely ensure immunity from attack, moving forward on a foundation of security is essential to prosperity.