Paper 6: NFT Security

Part 1: How to start and basic knowledge

Feb 06, 2022

We take security for granted IRL.

Government, legislature, institutions, and the insurance industry make us feel that our assets are safe (or that we would be made whole if our assets were compromised).

Web 3 is not yet developed in such a way.

We must take our own precautions and security measures. This is - at least in part - what it means to be a (digitally) sovereign individual.

As I have mentioned before, I am not a security expert, but I am an expert communicator.

In this article, I draw from those I believe to have more knowledge and experience with NFT security than me to express what best practice looks and feels like.

This week I’ll focus on getting set up; next week I’ll look more at staying safe whilst operating in Web 3.

My task here was to re-draft, re-organise and re-structure already-existing information.

Please remain alive to human error and further developments - things change quickly in this space, so always ask questions and stay alert to anything which might make any of this information incorrect.

NB. This is a guide, NOT a guarantee. No-one can guarantee your assets except you.

1. Before I even begin, what do I need?

a) Computer(s)

From what I have read, it seems that Macs are preferable to PCs (maybe Linux is better than PC too).

OSF @osf_nft

21. Use a Mac or Linux. They're way more secure than Windows. I've used Windows all my life and it's been fucking brutal switching to Mac but it's definitely worth the investment. Try not to use Metamask mobile if you can help it, or at least don't store a lot of value on it.

Without being a tech person myself, I think there is a prevailing opinion that Apple products are less prone to viruses.

Bharat Krymo @krybharat

2/ Starting with physical hardware, I would pick a Mac over a PC all day long. The modified Linux kernel is just more secure and less prone to viruses/malware.

b) Separate hardware

It seems wise to have more than one computer: one for crypto transactions + one for emails/discord and other activities.

Bharat Krymo @krybharat

10/ I know it gets expensive, but think about using separate systems for crypto transactions vs. emails/discord etc.

By doing this you can protect your assets because if you click on a malicious link on one computer, your wallet and assets will be on another - thus your assets are not exposed.

Bharat Krymo @krybharat

7/ Avoid clicking links on discord, DMs etc. Even if it's someone known to you. Also, check the ID of people you communicate with (name + ID in Discord).

(c) Hardware wallets

You must use a hardware wallet. Only ever buy these from the official websites.

richerd.eth ᵍᵐ @richerd

4/ USE A HARDWARE WALLET A hardware based wallet stores the keys off of your main device. Your device that could have malware, key loggers, screen capture devices, file inspectors, that could also be snooping for your keys. I recommend a Ledger Nano S shop.ledger.com/?r=1679b870be97

The general consensus seems to be that a Ledger or Trezor wallet should serve you well.

Bharat Krymo @krybharat

5/ Always use a hardware wallet (Ledger or Trezor) to store your crypto vs. purely Metamask. Spread your crypto across wallets, so a single hack or loss only affects a portion vs. all. Move crypto or NFT that you would like protected to a HW wallet vs. keeping it onchain.

2. Before I even begin, what do I need to know?

(a) What is your NFT and where is it?

Your NFT is a token stored on the Ethereum blockchain. The Ethereum blockchain is like a huge database, on which all activity on Ethereum is recorded.

The Ethereum blockchain is verified and secured by nodes around the globe. A copy of your token is held on all of the Ethereum nodes running globally.

So when you sell an NFT, nothing actually moves anywhere. What really happens is that the database that is the Ethereum blockchain updates to reflect the change of ownership.

Your NFT is NOT in your computer, your MetaMask wallet, or your hardware wallet.

6529 @punk6529

6/ OK, LFG Let’s start with “where are your NFTs?” No, actually let’s start with “where your NFTs are not”: ❎ Metamask ❎ Your computer ❎ Your Trezor ❎ Your Ledger

So where is the actual JPEG?

Usually, it is either on IPFS (InterPlanetary File System) or Arweave (a global permanent hard drive) which is “decentralized storage”. Or it might be on a centralised server.

Sometimes art can be completely “on-chain”. This means that the art itself is stored on the blockchain, and not elsewhere. This is not common, however, as it is usually an inefficient form of storage.

(b) What are public and private keys?

(i) Public key

A public key is an Ethereum “address” (the long string of numbers/letters that start with “0x….”).

You cannot control what is sent to your Ethereum address. Sort of like email in that respect.

It is not like email in that everyone can see everything that you do inside of your Ethereum address.

6529 @punk6529

14/ The best analogy for a public key is an email address. You can safely share it publicly and people can send things to it. Those things are most typically: - ETH - ERC20 Tokens (fungible tokens, like UNI or SUSHI) - ERC721 or ERC1155 tokens (non-fungible tokens aka NFTs)

(ii) Private key

This is your “password” for your public key. It gives you access to your assets.

NEVER give your private key to anyone.

The holder of your private key can access all of your assets.

(iii) Wallet

You can have a software wallet or a hardware wallet:

6529 @punk6529

33/ With the basics out of the way, let’s go to the main event, “wallets” “software wallet” = a software wallet on a general purpose device (computer or mobile phone) “hardware wallet” = a software wallet on a dedicated hardware device (Trezor or Ledger)

You need a wallet so that you can interact with Web 3 applications.

6529 @punk6529

35/ In order to interact with web 3.0 dapps like Uniswap or Opensea, you need a browser extension that interacts with them. The most popular is @MetaMask, but there are others. Metamask has a mobile app that is a pure software wallet

When using a computer, MetaMask often lives in the corner as a browser extension.

6529 @punk6529

36/ Metamask also has a browser extension that can either: a) operate as a pure software wallet or b) provide the browser interface for hardware wallets to interact with dapps

(iv) Seed phrase

The seed phrase is the list of words shown to you when you set up your keys.

6529 @punk6529

22/ There are a couple of more concepts we need to introduce. The first is the seed phrase. A seed phrase is a set of 12, 18, 24 (or more) words. If your private key is your password, your seed phrase is your password recovery method.

“If your private key is your password, your seed phrase is your password recovery method.”

@punk6529

If you lose your private keys, you can regenerate them from your seed phrase.

Again, NEVER give your seed phrase to anyone. If you do, they will be able to take all of your assets.

Richerd recommends the following to check and look after your seed phrase:

Test the seed phrase

richerd.eth ᵍᵐ @richerd

3) Test your recovery After setting up your wallet, do a transaction, reset the device to factory, then restore the wallet with your seed phrase. Make sure you get the same wallet back. Ensure you understand this process and are confident that you can recover your wallet.

Keep multiple copies of the seed phrase and do not store them in the same location

richerd.eth ᵍᵐ @richerd

4) Seed phrase redundancy and security Have multiple copies of your seed phrase, and do not store them in the same location (What happens if your house burns down?) Split your seed phrase into two, if you put one copy in a safety deposit box, what if that box gets compromised?

Do NOT keep your seed phrase on ANY electronic device in ANY form. (No, do not take a photo of it.)

Practically for you starting out, this probably means you will write it down on a piece of paper then consider some of the precautions above.

3. Now what do I do?

Follow the instructions on the official MetaMask website and the information which came with your hardware wallet.

Final thoughts

This is really important. I’ve spent hours and hours reading and learning about this.

Please spend the time to read and learn before diving in with significant amounts of capital.

Next week I’ll look into more of the practicalities of operating safely and avoiding scams day-to-day.

Have a great day,

The Snapshot

Discussion about this post