December 16, 2024

How you are being scammed in DeFi

Not messing up in DeFi — Level 1, Basics

6 out of 10 scams in DeFi, and in crypto in general, take advantage of your inattentiveness. Protocol hacks are not as rare as simple phishing attacks on personal email accounts. Sometimes it gets very close to home: attackers can hit you from a public network, or even from your home WiFi if it's poorly protected.

Common wisdom in DeFi and Web3 is «seed phrase = access to a wallet». It grants access to an address on the blockchain where all your funds are kept: memecoins, stablecoins, NFTs, LP tokens, coins, tokens, or any new token standard chain devs come up with. The wallet is the door to your funds, and the seed phrase is a skeleton key that opens every other door to that exact address. Keep it safe.

You know how bad an issue cybersecurity is in crypto? People lose $5M to phishing and lose rare NFTs in the blink of an eye. It happens in crypto, but not often. Strictly sticking to the basics will save you billions of dollars in every bull or bear DeFi cycle ahead.

Some of the ways attackers mine your data to hack crypto wallets in DeFi include:

Active data mining. Some take it straight off a live Twitch stream, so if you're streaming anything, common wisdom is never to show the seed phrase. The same goes for Discord video calls, or any group video chat for that matter.

Grabbing the seed phrase off your device. For example, hackers can grab EXIF metadata off image files on your drive with ML bots that recognize it by the «smell». It's rare, but it happens.

Network sniffing. You pick this up on public WiFi networks. Don't use public WiFi for DeFi unless it's critically necessary: McDonalds is unsafe 99% of the time, and the same goes for KFC. Should you open a wallet from the office WiFi? No. If the office has a cybersec department? ~Maybe~, if you trust them.

Physical access. Yes, people do just pick up unlocked phones and look through the apps at times; they might see you're using crypto and get too curious.

Pig Butchering is back on the crypto crime scene. First rule of crypto: don't talk about crypto, in person or online, around people you're not sure about. Second rule of crypto: don't talk about the crypto club. If someone from the group chat slides into your DMs asking about your crypto, the answer is no. All talk with strangers is done in group chats to avoid scams. No exceptions: admins will never message you first.

Start small: set up biometrics on your own phone if you can:

  1. Turn biometrics on: use Touch ID, Face ID, Face Unlock, or Fingerprint. Enable a separate Face ID for the mobile wallet app too, just for the added double face-scan at that beefy Web3 backstage party.
  2. Set a beefy local passcode for your phone: 8 characters or more. You can use words, numbers or graphical patterns. True chads use mnemonic phrases of 32+ characters.
  3. Avoid simple graphical key patterns, such as U, N, M, E, T, and so on. A 6 by 6 grid is good; if you want to git gud, 9 by 9 is considered relatively strong, but to get on a bruteforcer's nerves you'd need around 16 by 16.

Not messing up in DeFi — Level 2, Advanced 

If you are using Windows, set up an alphanumeric password. To look like Hackerman and enter a 32+ character password with ease, use a combination of logically unrelated words. Good news: the human mind is good at generating randomness if you want it to. Come up with 4 to 18 words separated by dashes and that's it. Then enable password-only access for every change on the PC. Turn off the printer service in Task Manager if you're not using it to print.

Mac laptop? Biometrics, Face ID, Touch ID. Remove every bit of remote access service, secure the device, and make sure it can't be leased out via an MSM exploit. Turn on 2FA and pair it with physical security keys.

Here's advice from the FCC (the Federal Communications Commission of the USA) for Android users:

  1. Don't jailbreak. Even if it may be a convenient way to get rid of pre-installed apps, you still risk compromising access to your phone.
  2. Avoid overusing free public WiFi. Some WiFi networks are deliberate honeypots that ask you to enter login credentials and spam you with “just like real” push requests.
  3. Set yourself a good PIN or a long, 8+ character, alphanumeric password: «Settings» —> «Security» —> «Passcode».

Always turn 2FA on:

  1. Set up 2FA for your Google or iCloud account. On iOS you can do this via «Settings» —> «Apple ID» —> «Security». On Android, open «Settings», navigate to your Google Account, open «Security» and tap «2-Step Verification»; from there you can choose your preferred authentication app.
  2. Be sure to have a backup mail account for the main one, in case you lose access to your main account.

Check who's accessing your Google Account or iCloud every 2 weeks. Just look up the devices and terminate old sessions; if it was your friend, remove that too. No one but you should have access to your digital accounts.

On email safety: 

  • Check the email sender's address. Make sure there are no character swaps, like N0n8ank, 0KX, or Binanse.
  • Use an anti-phishing code if possible, e.g. when you sell crypto off OKX.
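The sender check above, as an added example that is not part of the original post: it undoes the digit-for-letter swaps the post names (N0n8ank, 0KX, Binanse) and compares the result against a trusted-domain list, which here is a constructed placeholder.

```javascript
// Added example (not from the original post): a sender check for the look-alike
// addresses named above (N0n8ank, 0KX, Binanse). The trusted-domain list is a
// constructed placeholder; fill it with the exchanges and services you use.
const TRUSTED_DOMAINS = ["nonbank.io", "okx.com", "binance.com"];

// Digit/letter swaps commonly used to imitate a real brand in a sender address.
const HOMOGLYPHS = {
  rn: "m", vv: "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
};

// Undo the swaps so "n0n8ank" compares equal to "nonbank".
function normalize(domain) {
  let d = domain.toLowerCase();
  for (const [fake, real] of Object.entries(HOMOGLYPHS)) d = d.split(fake).join(real);
  return d;
}

// Plain Levenshtein distance, enough to catch one or two changed letters (Binanse).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function classifySender(address) {
  const at = address.lastIndexOf("@");
  if (at < 0) return { verdict: "invalid", domain: null };
  const domain = address.slice(at + 1).toLowerCase();
  if (TRUSTED_DOMAINS.includes(domain)) return { verdict: "trusted", domain };
  const norm = normalize(domain);
  for (const trusted of TRUSTED_DOMAINS) {
    // Same brand after de-obfuscation, or within two edits of it: treat as phishing.
    if (norm === trusted || editDistance(norm, trusted) <= 2) {
      return { verdict: "lookalike", domain, imitates: trusted };
    }
  }
  return { verdict: "unknown", domain };
}

// Constructed samples mirroring the post's examples.
console.log(["support@n0n8ank.io", "noreply@0kx.com", "security@binanse.com"].map(classifySender));
```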

Edge case protection. If you're on an iPhone, turn on «Quarantine Mode», but only if you feel specifically targeted or don't trust the environment you're in. This renders most web-based attacks on your phone useless. Android users: use trusted anti-malware apps.

Not messing up in DeFi — Level 3, Pro 

Memorize your seed phrase by heart. That's how you evade digital hacks; social hacks take a few psychology books, like «Games People Play», or even some reading on game theory.

Keep devices clean. Data parsing, remember? If someone can read your seed phrase through the hardware, then you need to be sure it's clean of any compromising data.

Don't talk about the crypto club in any way that can be traced to your real DOB, name, surname or residence.

Encrypt. Everything: every little bit of data, every HDD and SSD, every PC, every home appliance in your apartment that can use the network, every IoT device. Your toaster goes online? Turn that off. Do business talk via PGP (Kleopatra) or people won't take you seriously.

Your passwords are >64 characters or you're out. Self-explanatory.

Learn how to read smart contracts, with and without AI. Analyze what they're saying, make sense of it, and try to understand whether the devs can lock «SELL», manipulate the total coin supply, unlock liquidity pools, change NFT ownership, drain a random coin off your wallet on a trigger, or place a separate wallet address in signature allowances next to yours.

Don't sign smart-contract transactions that:

  • Ask for unlimited spending;
  • Ask to add one more user to get approval from;
  • Ask for unlimited allowance;
  • Ask to spend anything but the crypto you're working with at the moment.

Avoid smart contracts that:

  • Allow a third party to manipulate the contents of your wallet without your consent;
  • Allow the «Sell» function to be locked in the contract;
  • Allow the token to be manipulated after it's deployed to your wallet;
  • Can manipulate liquidity during transaction approval;
  • Can manipulate LP tokens without your or a trusted dApp's permission;
  • Can move coins out of a liquidity pool without your consent;
  • Promise too high an APY for no particular reason.
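The "unlimited spending" and "unlimited allowance" items in the two lists above, as an added example that is not the post's or NonBank's own code: it decodes the raw calldata a wallet asks you to sign and flags an approve() for the maximum uint256 (what wallets label "unlimited"), an increaseAllowance() of the same size, and setApprovalForAll(true) on an NFT collection. The spender address in the sample is a constructed placeholder, and the 10^15-token threshold is an assumption.

```javascript
// Added example (not from the original post): a pre-signature check for the
// "unlimited allowance" / "approve everything" patterns in the lists above.
// Plain BigInt decoding of ERC-20 / ERC-721 calldata, no libraries, runs offline.
// The spender address in the sample is a constructed placeholder.
const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors: first 4 bytes of keccak256(signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 / ERC-721
  "39509351": "increaseAllowance(address,uint256)", // OpenZeppelin ERC-20
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155 operator
};

// Return the i-th 32-byte ABI word of the argument area as a hex string.
function word(hex, i) {
  const w = hex.slice(8 + i * 64, 8 + (i + 1) * 64);
  if (w.length !== 64) throw new Error("calldata too short");
  return w;
}

function inspectCalldata(data, tokenDecimals = 18) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const kind = SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "other", flags: [] };

  // An address is right-aligned in its 32-byte word: keep the last 20 bytes.
  const spender = "0x" + word(hex, 0).slice(24);
  const flags = [];

  if (kind.startsWith("setApprovalForAll")) {
    const approved = BigInt("0x" + word(hex, 1)) !== 0n;
    if (approved) flags.push("operator gains control of every NFT in this collection");
    return { kind, spender, approved, flags };
  }

  const amount = BigInt("0x" + word(hex, 1));
  // Wallets label exactly 2^256-1 as "unlimited"; anything far beyond any
  // plausible balance (assumed here: > 10^15 whole tokens) carries the same risk.
  const unlimited = amount === MAX_UINT256 || amount > 10n ** BigInt(tokenDecimals + 15);
  if (unlimited) flags.push("unlimited spending allowance for " + spender);
  return { kind, spender, amount, unlimited, flags };
}

// Constructed sample: approve(spender, 2^256-1), the classic "unlimited" prompt.
const SAMPLE = "0x095ea7b3" + "0".repeat(24) +
  "1111111111111111111111111111111111111111" + "f".repeat(64);
console.log(inspectCalldata(SAMPLE));
```

Real wallets render this decoding for you in the confirmation screen; the point is to read the amount and spender there before signing, not to trust the dApp's own description of the transaction.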

Want to try the NonBank Wallet, made specifically to address every issue a DeFi explorer like you would have? -> https://link.nonbank.io/download
