Wallet Security 2023
Crypto Wallet Security Notes
Terms
Cryptocurrency Wallet: A wallet is a digital means of storing cryptocurrency. It works in a similar way to a bank account, allowing users to send or receive cryptocurrencies, view their balance, and conduct other operations.
Public Key: The public key is akin to your bank account number. This is the address where others can send cryptocurrencies.
Private Key: The private key is like your ATM PIN. It’s a secret piece of data that proves your right to spend cryptocurrencies from your wallet. It is important to keep this secure.
Seed Phrase/Mnemonic Phrase: A seed phrase, mnemonic recovery phrase or backup seed phrase is a list of words which store all the information needed to recover a cryptocurrency wallet. This must be kept secret and secure.
Hot Wallet: A hot wallet is a wallet that is connected to the internet. It provides user-friendly interfaces and is perfect for storing small amounts and performing daily transactions.
Cold Wallet: Cold wallets are not connected to the internet. These are used for storing large amounts of cryptocurrencies and are considered more secure than hot wallets.
Hardware Wallet: A type of cold wallet that stores a user’s private keys on a hardware device. They are immune to computer viruses and have been considered very secure.
Paper Wallet: This is a type of cold wallet where public and private keys are printed on a piece of paper. Paper wallets are not commonly used these days due to their susceptibilities to various risks such as loss, theft, and damage.
Software Wallet: A software wallet is an application that can be installed on a device (desktop, mobile) or accessed through the web. These wallets could be hot or cold depending on their internet connectivity.
Deterministic Wallet (HD Wallet): These wallets generate a hierarchy of keys from a single starting point known as a seed. The seed is typically a phrase that will generate all future keys for the wallet. This makes wallet backups easy because they only involve the seed phrase.
Non-deterministic Wallet (Random Wallet): Each key is randomly generated on its own accord, and they are not derived from a common key or seed. These wallets require the backup of every individual key.
Multi-signature Wallet (Multisig): Multisig refers to requiring more than one key to authorize a transaction. It is generally used to divide up responsibility for possession of cryptocurrency.
Brain Wallet: This is a cryptocurrency key created from a password or passphrase chosen by the user and it’s stored in the user’s brain (by memorization). This method is generally not recommended due to human tendency to pick weak and easily guessable passwords.
Custodial Wallet: This type of wallet is provided by third-party services where the private keys are owned and controlled by the service provider.
Non-custodial Wallet: In a non-custodial wallet, the user has complete control of their private keys and hence their assets.
Watch-only Address: This is a feature of some cryptocurrency wallets that allows you to view the balance and transactions of any public address without having the private key.
Address Reuse: This term refers to the use of the same address for multiple transactions. This is generally considered a bad practice as it can compromise privacy.
Change Address: In the context of Bitcoin and similar cryptocurrencies, when the output of a transaction is used as the input of another transaction, it must be spent in its entirety. The new transaction will send the unspent amount of funds to a change address in the sender’s wallet.
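The Deterministic Wallet (HD Wallet) entry above, worked through as an added example that is not part of the original notes. It assumes the BIP-39 and BIP-32 standards (not named on this page) that most HD wallets follow, and uses a public BIP-39 test-vector phrase as sample input.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: a valid private key is an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Sample input: public BIP-39 test-vector phrase, known to everyone, never fund it.
TEST_PHRASE = "abandon " * 11 + "about"

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the phrase into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP-32: master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if not 0 < key < N:
        raise ValueError("invalid master key, use a different seed")
    return key, digest[32:]

def hardened_child(parent_key: int, chain_code: bytes, index: int) -> tuple[int, bytes]:
    """BIP-32 hardened child: HMAC-SHA512(chain_code, 0x00 || key || index + 2^31)."""
    data = (b"\x00" + parent_key.to_bytes(32, "big")
            + (index + 0x80000000).to_bytes(4, "big"))
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + parent_key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child, skip this index")
    return child, digest[32:]

if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_PHRASE, "TREZOR")
    key, chain = master_key(seed)
    # Every key below is reproducible from the phrase alone, which is why
    # backing up (and protecting) the phrase covers the whole wallet.
    for i in range(3):
        child, _ = hardened_child(key, chain, i)
        print(f"m/{i}' -> {child:064x}")
```

Anyone who obtains the phrase can rerun the same derivation, so a leaked seed phrase exposes every current and future key in the wallet.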
Events
- Between 2011 and 2021, an estimated $12.1 billion in cryptocurrency was stolen. The most common tactics included exploiting vulnerabilities in crypto exchange security systems ($3.18bn lost), Decentralized Finance (DeFi) hacks ($1.76bn stolen), and crypto scams ($7.12bn lost). The number of crypto scams increased by 850 percent from 2011 to 2021.
- Some of the biggest cryptocurrency security breaches include:
- Mt. Gox Hack (2014): The 2014 hack of the Japanese crypto exchange Mt. Gox is still the biggest in history. Mt. Gox lost almost 850,000 bitcoins (equivalent to $615m) after hackers flooded the exchange with a huge amount of fake Bitcoin. The exchange had previously fallen victim to a similar attack in 2011 when $8.75 million worth of Bitcoin was lost.
- DAO Hack (2016): The DAO (Decentralized Autonomous Organization) was a venture capital fund built on the Ethereum blockchain, where investment decisions were made by token holders. An attacker exploited a vulnerability in the DAO smart contract, draining about 3.6 million Ether (around $70 million at the time) into a “child DAO”. This led to a controversial hard fork in the Ethereum network to return the stolen funds, creating Ethereum (ETH) and Ethereum Classic (ETC).
- NiceHash Hack (2017): NiceHash, a cryptocurrency mining marketplace, reported a theft of more than 4,700 Bitcoins from its wallet. The stolen amount was valued at more than $60 million at the time.
- Bitfinex Hack (2016): Bitfinex, one of the largest Bitcoin exchanges, was hacked and nearly 120,000 BTC (around $72 million at the time) was stolen. The company proposed a socialized loss scenario, spreading the losses across all users and issuing BFX tokens in proportion to their losses.
- Coincheck Hack (2018): In January 2018, hackers infiltrated the exchange Coincheck and stole $534m in cryptocurrency. The attackers accessed hot wallets in a phishing attack before spreading malware to extract the funds.
- Parity Multisig Wallet Bug (2017): A user of the Ethereum network accidentally exploited a bug in the Parity Multisig Wallet library contract, which allowed them to become the owner of the library contract. The user suicided the contract, resulting in over 513,774.16 Ether (over $150 million at the time) being frozen and inaccessible to the owners.
- DeFi Exploits: The emerging DeFi (Decentralized Finance) space on Ethereum has seen a series of smart contract exploits. These include the bZx flash loan attacks (2020), the dForce hack (2020), and the Harvest Finance attack (2020), among others.
- Poly Network (2023): The second biggest cryptocurrency security breach occurred in August 2023, when the blockchain-based platform Poly Network had more than $600m in cryptocurrency stolen from it. However, most of these funds were eventually returned.
- Ledger Data Breach (2020): Ledger, a company that manufactures hardware cryptocurrency wallets, faced a significant data breach in June 2020 that compromised the personal information of many of its users. The breach involved the leaking of email addresses of over a million individuals subscribed to the Ledger newsletter, as well as the names and addresses of about 273,000 people who purchased a Ledger device. While the breach was serious, it did not compromise the cryptocurrencies stored in the users’ Ledger wallets. However, it did increase the risk of phishing attacks and physical security threats for the affected customers.
- Regarding wallet security, keeping your coins in a private wallet, where you have full control over the private keys, is the best way to protect them. A case in point is a data breach suffered by Ledger, a hardware wallet manufacturer, in June 2020. Email addresses of over one million Ledger newsletter subscribers and names and addresses of about 272,000 Ledger device owners were leaked online. This incident highlighted the importance of having a private wallet with full control over the keys, as the leaked information put Ledger customers at greater physical and digital security risks.
Recent events
TL;DR Ledger 2023: basically there’s a new feature that allows you to pull your seed out of the device, which has never been possible before.
This requires physical interaction from the user, but it means that firmware can be pushed that exposes the private key (PK).
A recent controversy has arisen from a feature Ledger added to their devices, which allows the recovery of the seed phrase from the device itself. This feature, intended as a safety measure, has been met with significant backlash from the Ledger community. The concern is that, despite the fact that the feature requires physical approval from the device owner to function, it introduces a potential vulnerability that could be exploited by hackers. The negative reaction to this feature has led to a loss of trust among many in the Ledger community, and many users have reportedly been moving to other hardware wallet providers as a result.
Tips
- Use a hardware wallet: Hardware wallets are the most secure way to store your cryptocurrencies because they keep your private keys offline and immune from hacking attacks. Examples of hardware wallets include Ledger, Trezor, and KeepKey.
- Keep your software up to date: Ensure your wallet software is up to date. This includes not only your hardware wallet software but also the software on the devices you use to manage your cryptocurrencies.
- Use strong and unique passwords: A strong, unique password can be the first line of defense in securing your wallet. Avoid using common phrases or easily guessable passwords.
- Enable two-factor authentication (2FA): 2FA adds an additional layer of security. It requires you to confirm your identity using two different methods, usually something you know (like a password) and something you have (like a mobile device to receive a verification code).
- Never share your private keys: Your private keys are the most important piece of information because they control access to your cryptocurrencies. Never share them with anyone, and avoid storing them online where they could be susceptible to hacking.
- Beware of phishing attempts: Be cautious of emails, messages, or websites asking for your personal or financial information. Always verify that you’re on a legitimate site before entering any sensitive information.
- Backup your wallet: In case something happens to your device, it’s important to have a backup of your wallet. The exact process for this will depend on the wallet you’re using, but it usually involves writing down a series of words (your recovery phrase) and storing them in a safe place.
- Secure your computer: Use antivirus software, keep your system up to date, and avoid downloading or clicking on suspicious links.
- Consider a multisig wallet: Multisig (short for multi-signature) wallets require more than one private key to authorize a transaction, adding an additional layer of security.
- Educate yourself: The world of cryptocurrency is always changing, and new threats can emerge. Stay informed about the latest security practices and issues in the industry.
Social Recovery Wallets
Social recovery wallets are a type of crypto wallet that uses a network of trusted contacts to help recover access to the wallet in the event that the private key is lost or stolen. The way it works is that when the wallet is set up, a group of trusted friends or family members are chosen to be part of the recovery network. These individuals don’t have access to the wallet or its funds, but if the owner of the wallet loses access, these trusted contacts can help them recover the wallet.
Each trusted contact is given a “piece” of the recovery key during the wallet setup process. If recovery is necessary, a certain number of these pieces (say, 3 out of 5) can be combined to recreate the recovery key and regain access to the wallet. The idea is that even if one or two of these contacts are unavailable or uncooperative, the owner can still recover their wallet using the remaining contacts.
This system provides a more user-friendly way of managing private keys, as it doesn’t rely on the owner remembering a complex key or keeping a physical copy of it safe. However, it also introduces new potential points of failure, as the contacts now have to securely manage their pieces of the recovery key.
Smart Contract Wallets
Smart contract wallets, sometimes referred to as “contract-based accounts” or “smart contract accounts,” are a newer type of crypto wallet that are built with smart contracts on a blockchain network. This means they have programmable functionality beyond just sending and receiving tokens.
For example, a smart contract wallet might have built-in rules about transaction limits, or it could require multiple signatures for large transactions. It could also implement a social recovery system, as described above.
Smart contract wallets can also interact directly with other smart contracts on the blockchain, which is particularly useful in the context of decentralized finance (DeFi) applications. For example, a smart contract wallet could be used to directly interact with a lending protocol to borrow or lend tokens.
One of the best known examples of a smart contract wallet is Argent, which provides features like recovery options, spending limits, and the ability to interact with DeFi protocols, all without transaction fees.
The drawback of smart contract wallets is that they are more complex than regular wallets, which introduces more potential for bugs or security vulnerabilities. They can also be more expensive to use due to the gas fees associated with executing smart contract functions on the blockchain.