Nine Tips to Stay Safe in Web3
Simple ways to protect your crypto and keep your tokens secure
If you’re reading this, you’ve probably already taken the leap down the Web3 rabbit hole. This is a fascinating place, filled with innovative technologies, incredible communities, and sometimes, money to be made.
However, there are risks. There is, unfortunately, no shortage of stories about hacks, exploits, and scams which prey on innocent people. As of September, more than $2.2 billion had been lost to crypto hacks in 2022, and that number has only grown since.
To protect yourself and your money, it’s important to make your safety a priority. Many of the techniques that protect you in Web3 are similar to standard Internet best practices you probably already follow. Here are a few simple tips to help you stay safe:
1. Secure Your Browser
The first line of defense against security risks is a good web browser. Firefox, Opera, and Brave are great options that prioritize security, and they offer a variety of security features to help keep you safe. In addition, you can install browser extensions like DuckDuckGo, uBlock Origin, or Privacy Badger. These extensions block malicious trackers and scripts, making it harder for potential attackers to target you. (A privacy-oriented browser will likely have these features already built-in.) Plus, you won’t have to see any annoying ads!
2. Use a VPN
A Virtual Private Network (VPN) encrypts your Internet traffic and routes it through a server in another location. This makes it much harder for others to monitor your web activity and target you. There are numerous VPNs on the market, both free and paid, available for desktop, mobile, or as browser extensions. Just make sure to pick one with a lot of downloads and good reviews.
3. Enable Two-Factor Authentication
Two-factor authentication (2FA) is a security measure that requires a second proof of identity when you log in, in addition to your username and password. Often, 2FA involves sending you an email or text with a code. It can also be provided by mobile apps like Microsoft Authenticator or Google Authenticator. Be sure to enable 2FA on all of your accounts, both Web2 and Web3, so that you are still protected if your login information is compromised.
4. Avoid Phishing
Phishing means using a fake website, link, or app, designed to look like a legitimate service, in order to scam someone. Sadly, phishing is quite common in crypto. Always check links carefully! Be sure that there are no sneaky misspellings, misplaced periods (like writing “yo.utube” instead of “youtube”), or tricks like substituting a lowercase “l” for a capital “I”. Make sure the URL ending (the domain suffix, such as .com or .io) is correct, too.
Do not click links from suspicious sources or people you do not know! Furthermore, it is common for hackers to take over someone’s account in order to send phishing links. If someone on Twitter, Discord, Telegram, or elsewhere is sending strange messages with links, do not click them!
If you absolutely must click a link, take measures to protect yourself. Do so in a secure browser where you have no crypto wallets installed and where you are not logged into any websites.
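The checks above can be turned into a small script you run on a link before opening it. This is an added example, not code from the original post: it parses the URL, compares the hostname against an allowlist of sites you actually use (the KNOWN_HOSTS list below is a constructed sample standing in for your own bookmarks), and reports the tricks the text describes: moved dots, a real brand name buried inside a different domain, one- or two-character lookalikes (including digit-for-letter swaps), a wrong domain ending, and internationalised (punycode) hostnames whose letters may not be the Latin ones they resemble.

```javascript
// Added example, not code from the original post: a pre-click hostname check
// for the lookalike tricks described above. KNOWN_HOSTS is a constructed
// allowlist standing in for the sites you actually use.

const KNOWN_HOSTS = ["youtube.com", "app.uniswap.org", "opensea.io"];

// Visual swaps that survive a quick glance. Hostnames arrive lowercased from the
// URL parser, so a capital I written in place of a lowercase l shows up as "i".
const SWAPS = [["0", "o"], ["1", "l"], ["i", "l"], ["rn", "m"], ["vv", "w"]];

// Standard edit distance (single-row Levenshtein).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Fold the swaps so that "g00gle" and "google" compare equal.
function fold(host) {
  let out = host;
  for (const [from, to] of SWAPS) out = out.split(from).join(to);
  return out;
}

// Returns { host, trusted, findings }. trusted means the hostname is an allowlisted
// site or one of its subdomains; findings lists reasons to stop and look again.
function checkUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { host: null, trusted: false, findings: ["not a valid URL"] };
  }
  const host = url.hostname; // already lowercased and IDNA-encoded by the parser
  const findings = [];

  if (url.protocol !== "https:") findings.push(`scheme is ${url.protocol}, not https:`);
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("internationalised (punycode) hostname: letters may be non-Latin lookalikes");
  }

  const trusted = KNOWN_HOSTS.some((k) => host === k || host.endsWith("." + k));
  if (!trusted) {
    for (const known of KNOWN_HOSTS) {
      if (host.replace(/\./g, "") === known.replace(/\./g, "")) {
        findings.push(`dots moved: "${host}" reads like "${known}"`);
      } else if (host.includes(known)) {
        findings.push(`"${known}" is embedded in "${host}" but is not the registered domain`);
      } else if (levenshtein(fold(host), fold(known)) <= 2) {
        findings.push(`"${host}" is one or two characters away from "${known}"`);
      }
    }
    if (findings.length === 0) findings.push("hostname is not on your allowlist");
  }
  return { host, trusted, findings };
}

// Constructed sample links, including the "yo.utube" trick from the text.
for (const link of ["https://youtube.com/watch", "https://yo.utube.com/", "https://app-uniswap.org/swap"]) {
  console.log(link, checkUrl(link));
}
```

The allowlist approach is deliberate: rather than trying to recognise every bad domain, the script only says "yes" to sites you have already vetted and explains why anything else looks wrong, which is the same habit the text asks you to build by hand.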
5. Not Your Keys, Not Your Crypto
This is a common phrase in the space, and it only becomes more prophetic as we see more and more big centralized exchanges like FTX and Celsius going down. Cryptocurrency wallets have keys, usually long strings of numbers and letters. There are two types:
- Public keys, which are used to transact between accounts and show holdings on the blockchain;
- Private keys, which protect custody of the wallet.
“Not your keys, not your crypto” refers to custodial wallets at centralized exchanges, where the user does not actually have control of their private key. These types of wallets are how customers lose funds when exchanges go under.
To protect your tokens, you must use a non-custodial wallet. Depending on the blockchains you’re using, you might need several non-custodial wallets. MetaMask and Rainbow are among the most popular for Ethereum, and our very own Pontem Wallet is the best choice for the Aptos blockchain.
For even more security, choose a hardware wallet (or “cold” wallet, as opposed to software-based “hot” wallets). These keep your keys disconnected from the Internet entirely for an additional layer of safety. Ledger is the most common example.
6. Connect Your Wallet Carefully
Your wallet is extremely sensitive; if compromised, you can quickly lose all of your holdings. Make sure to connect your wallet only to dApps which you trust. Only connect your wallet when necessary to minimize your potential exposure.
While we’re talking wallets, never share your wallet’s secret phrase! Sometimes called a mnemonic, this sequence of words controls access to your wallet. If someone gets it, they get your wallet and all its contents. Do not share your secret phrase with anyone — and anyone who asks for it is probably trying to scam you.
7. Read Transaction Messages
Many crypto webapps or decentralized applications (dApps) will connect to your crypto wallet in order to function. In doing so, they will ask you to sign transactions, which usually appear in a pop-up with an explanation and a button to click.
Read these transaction messages extremely carefully! Make sure the application is not asking for permission to do something other than what you expected. Malicious apps may say they are asking for one thing, then actually send a transaction for something more sinister. These transactions can be extremely damaging, including draining your entire wallet irrevocably in one swoop. And once a transaction is signed, it is virtually impossible to undo.
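What the wallet pop-up actually carries is the transaction's calldata: a 4-byte function selector followed by 32-byte arguments. The following is an added example, not code from the original post or from any wallet: it decodes that calldata for a few common token functions and states the permission a signature would grant, so the decoded call can be compared against what the app claims. The selectors are the standard ERC-20/ERC-721 ones; the spender and recipient addresses and the sample transactions at the bottom are constructed placeholders.

```javascript
// Added example, not code from the original post: decode the raw calldata a
// wallet asks you to sign for a few common token functions and spell out the
// permission the signature actually grants. Selectors are the standard
// ERC-20/ERC-721 ones; every sample transaction at the bottom is constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selector = first four bytes of keccak256 of the function signature.
const SELECTORS = {
  "0xa9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "0x095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "0x23b872dd": { name: "transferFrom", params: ["address", "address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },
};

// Each static ABI argument occupies one 32-byte word (64 hex chars), left-padded.
function decodeWord(type, hex) {
  switch (type) {
    case "address": return "0x" + hex.slice(24);
    case "uint256": return BigInt("0x" + hex);
    case "bool": return BigInt("0x" + hex) !== 0n;
    default: throw new Error(`unsupported type ${type}`);
  }
}

// Returns { known, name, args, warnings }. Unknown or malformed input is reported,
// never guessed at: an unreadable call is a reason not to sign.
function describeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || /[^0-9a-f]/.test(hex)) {
    return { known: false, name: null, args: [], warnings: ["calldata is not valid hex"] };
  }
  const selector = "0x" + hex.slice(0, 8);
  const abi = SELECTORS[selector];
  if (!abi) {
    return { known: false, name: null, args: [], warnings: [`unknown selector ${selector}: do not sign what you cannot read`] };
  }
  if (hex.length !== 8 + 64 * abi.params.length) {
    return { known: false, name: abi.name, args: [], warnings: ["argument length does not match the function signature"] };
  }
  const args = abi.params.map((t, i) => decodeWord(t, hex.slice(8 + 64 * i, 8 + 64 * (i + 1))));
  const warnings = [];
  if (abi.name === "approve") {
    if (args[1] === MAX_UINT256) warnings.push(`unlimited allowance for ${args[0]}: it can move your whole balance at any time`);
    else if (args[1] > 0n) warnings.push(`allowance of ${args[1]} raw token units for ${args[0]}`);
  }
  if (abi.name === "setApprovalForAll" && args[1] === true) {
    warnings.push(`operator ${args[0]} gets control of every token you hold in this collection`);
  }
  if (abi.name === "transferFrom") {
    warnings.push(`moves ${args[2]} raw token units out of ${args[0]}; check that is the account you meant`);
  }
  return { known: true, name: abi.name, args, warnings };
}

// Compare what the pop-up claims ("just a swap", "a small approval") with the
// decoded call: the claim and the calldata must name the same function.
function matchesClaim(data, claimedFunction) {
  const d = describeCalldata(data);
  return d.known && d.name === claimedFunction;
}

// Constructed samples; the addresses are placeholders, not real accounts.
const SPENDER = "1".repeat(40);
const RECIPIENT = "2".repeat(40);
const APPROVE_UNLIMITED = "0x095ea7b3" + "0".repeat(24) + SPENDER + "f".repeat(64);
const TRANSFER_1M = "0xa9059cbb" + "0".repeat(24) + RECIPIENT + (1000000n).toString(16).padStart(64, "0");

for (const tx of [APPROVE_UNLIMITED, TRANSFER_1M]) console.log(describeCalldata(tx));
```

The unlimited `approve` is the case the text warns about: the app may describe it as "enable token" or "one-time setup", but the decoded calldata shows a spender being granted the maximum possible allowance, which is exactly the permission that lets a malicious contract drain a wallet later without any further signature.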
8. Only Risk What You Can Lose
This one is pretty simple, but it is powerful advice. Simply put, don’t put money in crypto if you cannot afford to lose it. Cryptocurrencies, while exciting, groundbreaking, and useful, are still relatively new. They are also often volatile and should be treated as speculative assets. Even stablecoin or fiat deposits at crypto exchanges can be lost, as we’ve seen recently. Temper your FOMO, diversify your holdings, and don’t get in over your head.
Also, carefully consider your risk level and sophistication. What are your other investments? How diversified is your portfolio? What is your time horizon? Do you plan to invest for weeks, months, years, decades? What level of volatility are you willing to tolerate? At what levels of profit or loss would you exit your positions? How deep is your level of expertise in the things you’re investing in? Think carefully about these questions before making any investment decision.
9. Do Your Own Research
This one gets said a lot in crypto, but is so, so important. Do. Your. Own. Research.
Before putting your money into a token, dApp, NFT collection, or anything else, do a great deal of research. Here are some starters for your research, but this is far from an exhaustive list.
- Check out the project’s website. Is it well-made and well-written? This is a project’s public face, so if it arouses doubt, that is a big red flag to start.
- Read the project’s whitepaper and analyze it carefully. Does it make sense? Does it seem credible? Does the project have clear goals? Do they offer a roadmap, and does it seem viable?
- Look into the team. Who is behind this project? What have they done before? Are they “doxxed” (meaning their true identities are known) or are they pseudonymous?
- Check out the community. Take a look at the project’s community on Twitter, Discord, Telegram, or more. How big is it? Do they seem excited? Is there any suspicious activity or a lot of bots?
- Examine the statistics. Sites like DappRadar or CoinMarketCap are great for finding trustworthy data on crypto projects. How popular is this project at that moment, and how does that compare historically? How does it rank against similar projects? For a token or NFT, is there enough trading volume that you can exit your position?
- Look for audits. Audited projects have had a team of experts carefully examine their code for potential vulnerabilities and issues. Has the project been audited? Did it publish reports? Did they show how they fixed any issues which were found? At Pontem, we had our Liquidswap DEX audited three separate times (!) and we only partner with audited projects because we believe it is so important.
About Pontem
Pontem Network is a product studio building for Aptos and the wider Move ecosystem. We work in close collaboration with the Aptos Foundation to deliver secure, audited dApps, including Pontem Wallet and the Liquidswap DEX. We also offer groundbreaking tools for coders, including ByteBabel, the first EVM implementation for Aptos, and Move Code Playground, the first browser code editor for Move. Join us on Twitter, Discord, and Telegram to learn more.