Web3 has the potential to restructure our lives for the better, but it also requires us to take more responsibility for how we protect our Web3 assets. There are two reasons for this:
- Web3 transactions are irreversible: For the most part, you can’t get your money back.
- Web3 accounts are anonymous (pseudonymous to be exact): It’s hard for law enforcement to track down thieves.
If we choose the wrong service providers or products to hold our assets there is little to no recourse if something happens. Unfortunately the standard product reviewers like PC Magazine and Consumer Reports haven’t done a good job in this area so far, so we’re here to give some guidance.
The most common way to store assets is to keep them in a reputable crypto exchange like Binance, Coinbase, Crypto.com, FTX, etc. These exchanges are called “custodial solutions” because they create and store your Web3 account’s private key (the “password” that controls your account) on their infrastructure. You need these exchange custodial accounts to swap government-backed (“FIAT”) currency with crypto currency. These accounts are often insured by the exchange against theft.
However, the functionality of custodial accounts is limited. For example, you can’t create NFTs on OpenSea with an exchange custodial account because exchanges haven’t integrated their infrastructure with all the services (e.g.- OpenSea). These integrations are both time consuming and risky as hackers can target the integration. There are also many cases of exchange custodial accounts getting hacked for large amounts of money. In 2021 BitMart was hacked for $196 million and BHX was hacked for $139 million. Even Coinbase was hacked in 2021, although the total amount is unknown and users were eventually reimbursed. If you want to participate in everything Web3 has to offer, you need to expand beyond custodial accounts.
The other popular alternative is to create your own self-custody account, which is often called a “crypto wallet”. Wallets give you full functionality in Web3, but it means you are responsible for the security of the account (keeping the private key private). If you want insurance you have to get it yourself. There are different types of wallets with different levels of security and convenience, the most popular of which include (in order of increasing security and decreasing convenience):
- Browser wallet- creates and stores your private key in a web browser extension. MetaMask is the most common browser wallet that has this feature.
- Mobile wallet- creates and stores your private key on your phone using an app.
- Hardware wallet- creates and stores your private key on a purpose-built piece of hardware. You need to connect the hardware wallet to a computer or phone when you want to execute a transaction.
There are also new types of wallets called “social wallets” and “multisig wallets”, where you enlist trusted people to help secure your wallet.
The security of a wallet depends on how well you manage the wallet (how you create the backup, where you store the wallet, etc.) and the integrity of the wallet itself. You can control the first yourself, and if you choose your wallet wisely you can control the second as well. Here are a few things you can do to validate a wallet vendor’s security claims and marketing materials:
- Research the track record- if a wallet has been on the market for a while, do a search to see if it’s been hacked in the past and if so what the vendor’s response was. A successful hack doesn’t necessarily mean you should choose another wallet. The most popular wallets have been hacked because hackers spend the most time trying to compromise them. The important thing is to observe how they responded to the incident. Did they brush it off as “no big deal”? Were they slow to admit it? Did they wait too long to release a fix? If the answer to any of these questions is “yes,” it’s a red flag.
- Confirm cybersecurity testing- check if the wallet has been tested by an ethical hacker (also called a “white hat” hacker or “penetration tester”) who tries to find security holes for a fee. This is especially important for new wallets. It’s not enough for a vendor to claim the wallet successfully passed testing. You want to know who did the testing and what the conclusion was (often in the form of a report). Some wallets have cybersecurity certification, which means the wallet meets certain cybersecurity requirements as tested by a lab. Some examples of certifications include UL CAP and Intertek Cyber Assured. Unfortunately there are a multitude of certification programs with varying degrees of effectiveness and there doesn’t seem to be much consolidation yet. Ideally you want a wallet to have both- certifications as well as a report by an ethical hacker.
- Vet the team- look at the wallet vendor’s management team. Do at least some team members come from the cybersecurity industry? Cybersecurity veterans think differently than typical engineers. They know how to design secure products by crafting all the hacking scenarios and then designing products that address them. They realize there is no such thing as perfect security, but understand the level of security they want to meet and engineer accordingly. They also know how to create a culture of security that minimizes breaches and responds appropriately when there is one.
These are a few elements of the framework Wivity uses when we help creators choose the right wallet strategy for minting NFTs. You can use them to guide your wallet purchase decisions, and if you follow the process we designed to help individual NFT creators set up their wallets you’ll be well protected against most attacks. For creators that are organizations (e.g- corporations or DAOs) we use a few more elements to address the added threat of rogue employees. We are available to engage if you need guidance on setting up corporate crypto wallets.