DeFi Chads Ultimate Guide to: Staying Safu in DeFi
There’s a reason they call it the “Wild West” of crypto.
Not a day goes by without hearing of a Bored Ape being lost to a fake airdrop, or a famous CT persona having their hard-earned shill cash drained from their wallet.
It’s all too easy to see these errors and think “stupid apes, that would never happen to me”.
If you have ever thought along these lines then this guide is a must read.
Unfortunately, scams and exploits come in all shapes and sizes and — crucially — are constantly evolving to remain as deceptive and effective as possible. What is considered safe today may well cause you to lose your life savings tomorrow.
Some of these tips may already be familiar to you. Others will not be. Whatever your level of experience, you might just learn something that saves you from losing generational wealth.
So, without further ado, let’s get started.
The Myth of Perfect Security
I bet you will have come across countless threads from Twitter accounts with names like “0xdevlord69.eth” preaching about the need for everyone to build a custom PC, install an obscure operating system, meticulously air gap the system and exclusively use the machine for crypto transactions.
This is absolutely the best means of securing your system, so what is the issue?
Well — fundamentally — you are not going to do it.
You see, we are Chads and our schedules are already cluttered with routine Chad matters such as deadlifting 1000 lbs for reps before taking our third Ferrari to the garage.
Fortunately, there are far more straightforward steps that you can take to significantly reduce your exposure to bad actors in crypto.
We are going to break these down into three broad categories:
- OpSec 101
- Cold Wallet Management
- Hot Wallet Management
1. OpSec 101
Say No To ENS
Choosing not to link your primary wallets to a public ENS is one of the easiest ways of reducing your vulnerability to malicious actors.
The issues with ENS link back to the most common attack vector — social engineering. If a malicious actor can link a wallet to a particular social media profile, such as your Twitter account, they can start to target you by, for example, sending phishing links or impersonating a close contact to extract information which can be used to gain control of your account, or to lure you into sending funds to the bad actor.
As such — whilst ENS domains come with a vast swathe of benefits — they should always be avoided for wallets on which you conduct significant trading activity or hold any substantial funds.
Keep Your Tracks Fresh
As noted above, it is always a good idea to avoid people tracking your activity and using your routines to identify and target you. We therefore recommend securely moving wallet addresses from time to time to keep your privacy secure.
There are various ways of moving funds from one wallet to another without revealing the original source of funds, though they vary in complexity, effectiveness and perceived legitimacy. Let’s imagine we are trying to move funds from one wallet on Ethereum to another, clean wallet that we have just created:
- Direct bridge — Bridge from Wallet 1 on Ethereum to Wallet 2 on another chain (e.g. Terra). We then bridge the funds from Wallet 2 to a fresh Wallet 3 on the original chain. Note, however, that these transfers can typically be reverse engineered with sufficient effort.
- Batch bridge — Bridge from Wallet 1 on Ethereum to Wallet 2 on another chain, but this time using a bridge that transfers funds in batches (such as Anyswap). After some time, bridge the funds back to a fresh Wallet 3 on Ethereum. For added security, transfer the funds to the new wallet in multiple transactions to make this harder to reverse engineer.
- Mixing service — Use a mixing service to directly send funds from Wallet 1 to Wallet 2. The most famous example of this service is Tornado Cash. This route is likely to be the hardest to reverse engineer, but flags the wallet as suspicious and may draw negative attention from the community and regulators (whether this is justifiable in the circumstances or not).
The perks of routinely moving your trading activity are not limited to OpSec. If you are a prolific trader, NFT collector or just passively follow DeFi Chads S tier tips and tricks, then you will undoubtedly have a number of individuals tracking your wallet.
This can be detrimental if you want to keep an edge over the competition, as copytraders or botters can target your movements and use advance notice of your trades to front run or sandwich you. Help to mitigate these risks by keeping your tracks fresh.
2. Cold Wallet Management
The Pros and Cons
Let’s now turn to cold wallet management.
A cold wallet in the purest sense is one that is generated offline and spends its lifespan entirely disconnected from the internet — often termed a “paper wallet”.
As we explained earlier, this is impractical for most people, particularly if you need to access funds on a semi-regular basis. You also risk entirely losing your funds if anything happens to your seed phrase, whereas the method we are going to set out gives you a secure hardware fallback.
If you do want to investigate a true “cold storage” option using a paper wallet, then we recommend this guide from Gemini.
For now, let’s move on to how to create your cold bank wallet the Chads way.
The Cold Wallet — Chads Style
The most important security measure you can take in DeFi is to create a clean “bank” wallet.
Fortunately, the Chads method is straightforward — you simply need to follow these two simple steps:
(i) create a hardware-secured wallet;
The most common hardware wallet providers are Ledger and Trezor.
Always order your hardware wallet directly from the company’s own website (verified by checking the address against that shown in the profile of their official Twitter account). Do not order your wallet from Amazon (or, worse, a third party marketplace such as eBay).
If the packaging (including the external delivery box) appears to have been tampered with in any way, do not use the wallet and immediately contact the provider’s customer support to investigate.
(ii) do not approve ANY contracts;
Yes, this includes “trusted” contracts such as the Uniswap or OpenSea router.
If you need to swap stables from USDC to USDT, for example, you should transfer the funds to your hot wallet, complete the swap, then send the funds back to the bank wallet.
Is this mildly inconvenient? Yes.
You know what else is mildly inconvenient? Losing all your money.
Just do it, degen.
There are many websites you can use to confirm whether your wallet has any active approvals (including Etherscan’s own in-built solution) but the Chads recommend https://revoke.cash/ which we have found to be the most comprehensive. Credit to Bgan Chad https://twitter.com/RoscoKalis for building this excellent tool!
Set A Maximum Value Threshold
Having good security procedures in place will only work if you have equally good practices in place to ensure that you utilize their benefits. It doesn’t matter if you have a clean, hardware-secured wallet if you’re too lazy to use it.
Our advice? Think of a dollar value in your head. Now imagine this amount has just instantly vanished from your wallet. If you could not cope with such a scenario unfolding, then this amount should not be held on your hot wallet.
Get into the practice of transferring assets over to your cold wallet each time your hot wallet value rises to this figure. This sounds straightforward, but is very easy to forget about when an altcoin is skyrocketing, or the floor on an NFT you minted for free is rapidly rising.
“Thanks, Chads — I’ve set up my bank wallet and routinely transfer funds to it — I’m safe!”
If your wallet is set up according to the two simple steps above then you cannot lose funds due to smart contract risk alone. This does not mean you are totally immune to attacks.
For example, this does not make you immune from:
- phishing/social engineering;
- malware (e.g. if you enter your seed phrase on a keylogged device); and
- a $5 wrench attack (though as a Chad we trust you will be able to outmuscle and vanquish any potential foe).
It is therefore essential that you continue to be vigilant and employ all the other tips and advice set out in this article.
However, there is another often overlooked method that can add a final layer of security to your hard earned funds…
Often when people speak of “cashing out” what they really mean is that they have swapped their favorite dog coin for their centralized stablecoin of choice — namely USDT or USDC.
Whilst the dollar value of your portfolio may now be secured, the fact remains that those funds remain at risk.
As we mentioned above, there are still avenues for attack. Perhaps a family member or close contact is not as trustworthy as you thought. Perhaps your device is compromised and you need to re-enter your seed phrase onto your PC for a seemingly legitimate reason.
The (depressing) fact is that centralized fiat custodians are — at this stage in DeFi’s development — safer for storing large sums of wealth. Cash a responsible percentage of your total portfolio out to fiat and get those hard-earned profits to work in real estate, boomer stonks and other assets that won’t be easily stolen by the North Korean Crypto Hacking Division.
3. Hot Wallet Management
Finally, let’s turn to common pitfalls with “hot” wallets.
Your hot wallet is your primary trading wallet, set up for ease of use and therefore more vulnerable to attacks by design. However, even in this context, you can still massively reduce your exposure to malicious actors by adhering to the following tips.
Engaging With New Contracts
When engaging with newly created contracts — which will often take the form of some “token claim” or “airdrop” — always wait a minimum of 24 hours before interacting with the contract.
Never be amongst the first people to interact with a new contract. Any project worth its salt is not going to time-limit its token to a single day’s claim window.
Waiting a day from release will allow time for the airdrop claim to be tested by others in the crypto community, allowing others to bear the risk of engaging with the new contract.
It also gives time for crypto nerds to investigate the contract code and identify any malicious funny business, which you will then inevitably see exposed in lengthy (read: boring) Twitter threads.
As an aside, by waiting a day or two you will also likely get a better return when you do claim and sell the airdrop, as the majority of paper-handed dumping occurs during the day of launch.
Bookmark Regular Websites
It is becoming increasingly common for phishing links to feature in search engine results for CEXs, DEXs and NFT websites.
Always bookmark the websites of your exchanges of choice and any other Web3 platforms that you interact with on a regular basis.
If you are in doubt as to whether you are on the official website, you can use a link in the profile section of the project’s verified Twitter page as confirmation.
Revoke Or Limit Your Approvals
It is essential that you periodically review contracts that are approved on your hot wallet and ensure that any obscure or aged contracts are revoked or limited to a lower threshold of tokens (e.g. not set to “unlimited”).
Contracts are often exploited months or even years after they were initially deployed, meaning you could currently be sitting on an unexploded landmine capable of crippling your entire portfolio. Our old friend, https://revoke.cash/, is perfect for the job.
Depending on how many contracts you have to revoke, it may be more cost efficient to simply transfer your assets to a new wallet without the unnecessary approvals (following our steps above!).
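To show what the approval check in the bank-wallet section and the revoke/limit advice above actually looks like on-chain, here is an added example (not the Chads’ code, and not revoke.cash’s): it replays a wallet’s ERC-20 Approval event logs to find the allowances that are still live, flags the ones that are unlimited or old, and builds the `approve(spender, 0)` calldata a revoke transaction carries. The logs and every address are constructed placeholders in the shape `eth_getLogs` returns, so it runs offline.

```python
# Added example (not DeFi Chads' code): rebuild a wallet's live ERC-20 allowances from
# Approval logs, flag the ones worth revoking, and build approve(spender, 0) calldata.
UNLIMITED = 2**256 - 1  # the value an "unlimited" approval stores on-chain
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

def word(n):
    """Encode an int as a 32-byte hex word, the layout of event data and topics."""
    return "0x" + format(n, "064x")

def addr_of(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def rebuild_allowances(logs, owner):
    """Replay Approval(owner, spender, value) in chain order; the last value wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or addr_of(log["topics"][1]) != owner.lower():
            continue
        key = (log["address"].lower(), addr_of(log["topics"][2]))
        state[key] = {"value": int(log["data"], 16), "block": log["blockNumber"]}
    return state

def risky_approvals(state, current_block, max_age_blocks):
    """Return (token, spender, reasons) for live allowances that are unlimited or stale."""
    flagged = []
    for (token, spender), info in sorted(state.items()):
        if info["value"] == 0:
            continue  # already revoked, nothing to do
        reasons = ["unlimited"] if info["value"] == UNLIMITED else []
        if current_block - info["block"] > max_age_blocks:
            reasons.append("stale")
        if reasons:
            flagged.append((token, spender, reasons))
    return flagged

def approve_calldata(spender, amount=0):
    """ABI-encode approve(spender, amount); amount=0 is the standard revoke."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + word(amount)[2:]

# Constructed sample (placeholder addresses); OWNER's DEX approval is later revoked to 0.
OWNER, ROUTER, CLAIM, DEX = ("0x" + c * 40 for c in "abcd")
TOKEN_A, TOKEN_B = "0x" + "1" * 40, "0x" + "2" * 40
def approval(token, block, idx, spender, value):
    """Shape of one Approval log as returned by eth_getLogs (fields trimmed)."""
    return {"address": token, "blockNumber": block, "logIndex": idx, "data": word(value),
            "topics": [APPROVAL_TOPIC, word(int(OWNER, 16)), word(int(spender, 16))]}
SAMPLE_LOGS = [approval(TOKEN_A, 100, 0, ROUTER, UNLIMITED), approval(TOKEN_B, 50, 3, CLAIM, 500 * 10**18),
               approval(TOKEN_B, 30, 1, DEX, 10**18), approval(TOKEN_B, 190, 0, DEX, 0)]
```

Passing a non-zero `amount` to `approve_calldata` gives the “limit to a lower threshold” variant; the transaction is sent to the token contract, not the spender.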
Follow The Chads
We know the markets are rough right now, so we truly appreciate you all for sticking around and continuing to learn and improve your skillsets with the rest of our amazing Chads’ community.
Let us know if there are any tips we’ve missed and we will include them in an update to this guide!
Chat channel: t.me/chadsverify