Protecting your NFTs: Best OPSEC practices

Reducing your exposure to risk on the blockchain

Wilson Oryema
6 min read · Jan 26, 2022

Technological advancements come with steep learning curves for new entrants and, often, growing pains from outsized demand. Early on there are many informational gaps that allow exploits and hackers to run rampant. This is, of course, also true of the crypto/web3 space, where much is asked of the end user. One fair comparison I’ve seen: instead of a customer depending on the bank to secure their assets, insure them, and take care of their needs, Web3/crypto requires users to become the bank themselves, managing their own OPSEC, that is, securing their own data and assets. That is a massive ask for many people without any straightforward guides or explainers, and it has resulted in massive losses for individuals who have had their NFTs and/or cryptocurrency taken. Getting these things back is difficult, if not impossible, but fortunately there is a lot you can do to reduce your risk. Most of it I will go over below:

What is OPSEC?

Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

In a more general sense, OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation). OPSEC is the protection of critical information deemed mission-essential from military commanders, senior leaders, management or other decision-making bodies.

Now that we have a basic understanding of OPSEC, let’s explore how you can secure your NFTs, as well as some of the reasons you may be at risk.

General Security Tips

Courtesy of Bharat Krymo, here is a list of security tips that will benefit any NFT user. Not all of them may apply to you, but they are useful to know nevertheless:

  • Mac over PC, as the modified Linux kernel is more secure/less prone to malware
  • Use 2FA (two-factor authentication), but primarily through an app like Authy or Google Authenticator (SMS can be SIM-swapped/spoofed)
  • Secure your email with a hardware YubiKey to prevent spoofing
  • Disable email as an authentication mechanism, if possible
  • Avoid clicking suspicious links on Discord, social media, etc., and always double-check that the person you’re speaking to is who they claim to be. If you’re unsure (a link provided without context), ask the person to describe what is at the link they shared; try to use a separate machine for clicking links
  • Store your NFTs and coins on a hardware wallet (Ledger or Trezor) where you can, and try to spread them across different wallets (software and hardware) so you won’t lose everything in a single attack
  • Check MetaMask (or other wallet) pop-ups before confirming transactions. Be wary of approving random sites’ access to your wallet
  • Use a VPN where possible
  • Use DeBank or dappstar.io to revoke permissions from apps you no longer use

Seed Phrases

Seed phrases are probably one of the more confusing aspects of crypto for new users. Coinbase describes them as follows:

A seed phrase is a series of words generated by your cryptocurrency wallet that give you access to the crypto associated with that wallet. Think of a wallet as being similar to a password manager for crypto, and the seed phrase as being like the master password. As long as you have your seed phrase, you’ll have access to all of the crypto associated with the wallet that generated the phrase — even if you delete or lose the wallet.

As described above, the seed phrase will be a 12- to 24-word string unique to you. The only advice here is…

DO. NOT. SHARE. YOUR. SEED. PHRASE. WITH. ANYONE.
UNDER ANY CIRCUMSTANCE!

Also, if you have no plans to access your wallet/storage for some time, your best bet is to give separate parts of your seed phrase to trusted people in your circle who don’t know each other, for additional obfuscation and risk reduction.

NFT Listings exploit

One way some collectors have been unexpectedly losing their NFTs is through misunderstanding the listings system on platforms such as OpenSea. One would assume the process is as follows: you list an item at your preferred price (for example, 8 ETH) and later take it down from the marketplace, assuming the 8 ETH listing is nullified. However, even if you take down your listing on the front end, it has not been removed from the backend, meaning that as soon as someone takes advantage of the previous listing, your NFT can disappear from your wallet. This exploit has led to the loss of several NFTs over the past month or so, most notably several Bored Apes.

Fortunately, one user on Twitter was able to add more detail about this particular exploit, as you can see below:

I’ve also pasted the thread below for brevity:

While I think it’s unfortunate for Carson (who has other apes and now 80+ ETH), people need to understand the mechanics of what happens when you list on Opensea. Opensea uses a fork of the Wyvern protocol which is a derivative of the 0x protocol. Both of these protocols and others allow for trading of assets between people using the concept of a relayer. What a relayer does (in essence) is it holds a partial order that is fully signed. This is key. It’s a fully signed part (in this case half) of an order. Opensea has a relayer and anybody, including Rarible, can use the fully signed partial orders from that relayer. It’s the entire point of the relayer system. Namely, that any DApp can provide the other part(s) of the order as long as those are fully signed.

So to walk through this, the flow goes like this. When you list on Opensea what happens is you have to sign something. But you don’t gas it (assuming away approvals). The reason you don’t gas it is you’ve just signed a transaction to transfer your NFT but that tx is sent to a relayer. So now Opensea’s relayer has a fully signed partial order. Anyone with the ETH can then fully sign the other part of the order, gas that transaction by sending it onto the chain, and voilà, the NFT and ETH move simultaneously and gas is only used once. The tricky thing though is that that is a fully signed partial order sitting in a sort of open API. So anyone on Rarible or other DApps can be shown that fully signed partial order and choose to complete the order. Which is what ACYC did here.

There is an Opensea hack of transferring out an NFT and back into a wallet to “cancel” orders. But the problem is that this doesn’t remove these from the relayer or tell the on-chain protocol that the order shouldn’t be filled (which is why you have to gas your cancels). So the ape was sitting in a wallet that had previously fully signed a partial order. On the human side this kinda is a bummer but it isn’t a hack or theft or an exploit.
It’s being your own bank level stuff. To be your own bank requires you to understand a lot of these nuances….

While that explanation is not required reading for everyone, what you should take note of is that to defend yourself from this listing exploit you will have to use a revoke permissions/access tool, such as revoke.cash or one of the others mentioned earlier in the General Security Tips section (DeBank or dappstar), to nullify the listing.

Or, even simpler, you can send it to another wallet of yours.
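The mechanics in the thread, and the two defences just mentioned, can be checked against a small model. The block below is an added example, not code from the post, from OpenSea or from the Wyvern/0x protocols: a listing is a signed half-order stored off chain, and only on-chain state decides whether a stranger holding a copy can still fill it. HMAC stands in for the ECDSA signature (a real chain recovers the signer from the signature instead of looking up a key), and every wallet name, token id, balance and price is constructed.

```python
"""Toy model of the off-chain signed order pattern the thread above describes (Wyvern/0x
relayers). Added example, not code from the post or from either protocol: HMAC stands in
for the ECDSA signature, and every wallet, token id and price is constructed."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Order:
    maker: str       # seller's wallet
    token_id: int    # NFT offered
    price_eth: int   # asking price
    salt: int        # makes each listing's hash unique

    def digest(self) -> bytes:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).digest()


class Wallet:
    def __init__(self, name: str) -> None:
        self.name, self._key = name, secrets.token_bytes(32)   # key never leaves the wallet

    def sign(self, order: Order) -> bytes:   # gas-free: signing happens locally
        return hmac.new(self._key, order.digest(), hashlib.sha256).digest()


class Chain:
    """The on-chain state the exchange contract checks before moving NFT and ETH."""
    def __init__(self, wallets, owners, balances, approved):
        self.wallets = {w.name: w for w in wallets}   # toy signer lookup (real chain: ecrecover)
        self.owners, self.balances = dict(owners), dict(balances)
        self.approved = set(approved)                 # makers who approved the exchange proxy
        self.cancelled, self.filled = set(), set()

    def transfer(self, token_id, frm, to):   # plain NFT transfer; touches no order state
        assert self.owners[token_id] == frm
        self.owners[token_id] = to

    def cancel(self, order):                 # on-chain cancel, the step that costs gas
        self.cancelled.add(order.digest())

    def revoke(self, maker):                 # what a revoke-permissions tool submits
        self.approved.discard(maker)

    def fill(self, order, sig, taker) -> bool:
        """Anyone holding the signed half may try; True means the assets moved."""
        h = order.digest()
        if h in self.cancelled or h in self.filled:
            return False
        if not hmac.compare_digest(self.wallets[order.maker].sign(order), sig):
            return False
        if order.maker not in self.approved or self.owners[order.token_id] != order.maker:
            return False
        if self.balances[taker] < order.price_eth:
            return False
        self.balances[taker] -= order.price_eth
        self.balances[order.maker] += order.price_eth
        self.owners[order.token_id] = taker
        self.filled.add(h)
        return True


class Relayer:
    """Off-chain order book. Anyone who fetched an order keeps their own copy."""
    def __init__(self):
        self.book = {}

    def list(self, order, sig):
        self.book[order.digest()] = (order, sig)

    def delist(self, order):   # the front-end "remove": nothing on chain changes
        self.book.pop(order.digest(), None)


def attempt(action) -> bool:
    """Fresh state: seller lists token 1 at 8 ETH, a third party grabs a copy of the
    signed order, `action` runs, then that third party tries to fill the old listing."""
    seller, buyer = Wallet("seller"), Wallet("buyer")
    chain = Chain([seller, buyer], {1: "seller"}, {"seller": 0, "buyer": 100}, {"seller"})
    order, relayer = Order("seller", 1, 8, salt=7), Relayer()
    relayer.list(order, seller.sign(order))
    copy = relayer.book[order.digest()]   # already indexed by another dapp
    action(chain, relayer, order)
    return chain.fill(*copy, taker="buyer")


def _out_and_back(chain, _relayer, _order):
    chain.transfer(1, "seller", "other-wallet")
    chain.transfer(1, "other-wallet", "seller")


def run_scenarios() -> dict:
    """Which defensive actions actually stop a stale 8 ETH listing from filling."""
    return {
        "frontend_delist": attempt(lambda c, r, o: r.delist(o)),                                  # True
        "moved_to_other_wallet": attempt(lambda c, r, o: c.transfer(1, "seller", "other-wallet")),  # False
        "moved_out_and_back": attempt(_out_and_back),                                             # True
        "onchain_cancel": attempt(lambda c, r, o: c.cancel(o)),                                   # False
        "approval_revoked": attempt(lambda c, r, o: c.revoke("seller")),                          # False
    }
```

The dictionary from run_scenarios() is the takeaway: removing the listing in a front end leaves the signed half-order fillable by anyone who saved a copy; moving the NFT to another wallet protects it only for as long as it stays there, which is the transfer-out-and-back trap the thread describes; an on-chain cancel, or revoking the exchange's approval with one of the tools named above, is what the contract actually checks and is what stops the fill.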

In Closing

For the everyday NFT collector, the above should suffice as suitable protection for your wallet. However, if and when that changes, I will endeavour to update you on how best to protect yourself in the future.
