Web3 security is web2 security with higher stakes
When I started writing this, my goal was explaining how to have peace of mind about your crypto wallet(s). Bad news: you probably, uh… shouldn’t. We’re not there yet. You can minimize risks, but if you handle significant funds onchain, keeping them safe will be a bit stressful.
What you can have is stoic acceptance. Know the common threats, do what you can to reduce your exposure, and then live your life. Perfect invulnerability to any conceivable attack is impossible — and “nearly invulnerable to most attacks” is still pretty inconvenient.
Fortunately, security is not an all-or-nothing deal. Every additional layer adds some protection. Do as much as you can manage to properly maintain.
It’s achievable to protect your wallets from all but the most motivated thieves, and you’re probably not targeted by the most motivated thieves. If you’re a legit celebrity or a political dissident, the advice below may be insufficient. But if you’re a regular person who tweets about crypto occasionally, following these steps will get you close to peace of mind.
Here’s what you need to do.
General security hygiene
Web3 security is actually just web2 security with higher stakes and a few more bells and whistles. Start by doing the responsible things you already know you should be doing. The key principles:
- Your computer and phone should both be login-gated with biometric authentication and/or a password or passcode.
- Update your operating system and workhorse software applications on a regular basis.
- Be careful what you download, especially software, especially when requested by someone else.
- Use a password manager religiously, including the function to generate strong passwords.
- If you need to memorize a particular password for manual use (e.g. your computer password), follow the “correct horse battery staple” methodology.
- Enable multi-factor authentication on every platform that allows it.
- Always configure MFA with hardware keys (like YubiKeys) and/or an authenticator app, never with SMS.
- Set up redundant MFA whenever possible, in case you lose a hardware key or your phone gets stolen.
- If you’re on iOS and you have crypto on your phone, or just seem like you might, your iCloud account is a valuable target. Lock it down with a recovery key — Apple provides the ability to self-custody your iCloud account, so to speak.
- If you’re on Android… good luck?
Extra credit: Review this primer on “minimum viable security” and “16 Steps to Securing Your Data (and Life).”
Wallet best practices
Follow the Three Address Protocol, sequestering your most valuable assets away from the internet. Actually, if you’re not selling NFTs, two addresses is probably enough:
- Cold storage vault wallet, preferably multisig
- Hot wallet for everyday use, containing limited funds
This setup is also frequently described as “treasury and operating wallet.”
Extra credit: Read through “Best Practice Setup For Normal People (Ethereum edition).”
Not all wallets are created equal. You’re looking for some combination of “industry leader,” “community trusted,” “open source and audited” — ideally all of the above. You want a name brand run by a company with enough money to hire serious infosec people who are passionate about protecting users and have their own independent reputations to uphold. For example, Safe fits the bill, as does Coinbase Wallet (note: distinct from the exchange wallet).
Extra credit: Read “The ‘Non-Custodial Fallacy’” to understand why it’s crucial to choose a wallet that deserves the trust you place in it.
Seed storage
“When saving your seed phrase you need to protect against two things: other people and yourself,” Phil Mohun wrote in his excellent, straightforward guide to wallet security:
Protecting against other people means storing your seed phrase offline, typically written in pen on a piece of paper. This reduces the chance that malicious software or a phishing link can gain access to your seed phrase and associated wallet.
Protecting against yourself means actually remembering where you put the piece of paper. You would be shocked how often people forget this step. They write down their seed phrase and stick it into their wallet or purse. 6 months later they clean it out and it accidentally gets thrown away with a dozen receipts and old business cards. Don't do this.
Store your seed phrase somewhere safe and hidden at home or another secure location. To prevent the chance that you misplace it, send an email to yourself with a surreptitious reminder of where you stored it and include a keyword that you can easily find by searching.
Some wallets allow you to generate 24 word seed phrases for improved security. If you're using a 24 word seed phrase, consider writing down sections of it and storing them with trusted friends or family. You can do this by giving them each a shard on an index card like this:
In the event that you need to recover your wallet, you can contact two of the shard holders to recover the seed phrase. If you die, they will likely gather and recover the shards themselves, in which case your assets will be available as part of your estate planning.
Multisig wallets offer similar advantages to distributing seed shards. However: “Make sure that if you include other people on your multisig they cannot achieve quorum without you,” Phil cautions. “For example, don't have a 3-[of]-6 multisig where 3 of the wallets do not belong to you. A typical setup is a 3-of-5 multisig where 3 accounts belong to you and 2 belong to trusted friends or family.”
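The shard layout and the quorum rule above, worked through as an added example (not code from Phil Mohun's guide or from this post). The three-card layout, where each card omits a different third of the phrase, is an assumption about how the cards are divided; the function names and placeholder words are constructed.

```python
from itertools import combinations

BITS_PER_WORD = 11  # each BIP-39 word indexes a 2048-word list

def make_shards(words, holders=3):
    """Overlapping shards: each holder's card omits a different group of words."""
    if len(words) % holders:
        raise ValueError("phrase length must divide evenly among holders")
    size = len(words) // holders
    # Keep 1-based positions on each card so the order can be rebuilt later.
    return [{i + 1: w for i, w in enumerate(words) if i // size != skip}
            for skip in range(holders)]

def recover(shards, total):
    """Merge shards; fail loudly on a gap or a transcription mismatch."""
    merged = {}
    for shard in shards:
        for pos, word in shard.items():
            if merged.setdefault(pos, word) != word:
                raise ValueError(f"shards disagree at position {pos}")
    missing = [p for p in range(1, total + 1) if p not in merged]
    if missing:
        raise ValueError(f"missing positions {missing}")
    return [merged[p] for p in range(1, total + 1)]

def unknown_bits(shard, total):
    """Upper bound on what one holder still lacks (checksum bits ignored)."""
    return (total - len(shard)) * BITS_PER_WORD

def multisig_check(threshold, mine, others):
    """Rule quoted above: other signers must not reach quorum without you."""
    return {"others_alone": others >= threshold, "you_alone": mine >= threshold}

if __name__ == "__main__":
    # Constructed placeholder words, not a real seed phrase.
    phrase = [f"word{i:02d}" for i in range(1, 25)]
    cards = make_shards(phrase)
    for a, b in combinations(cards, 2):
        assert recover([a, b], 24) == phrase  # any two cards suffice
    print("bits one holder lacks, 24 words:", unknown_bits(cards[0], 24))
    print("bits one holder lacks, 12 words:",
          unknown_bits(make_shards(phrase[:12])[0], 12))
    print("3-of-6, 3 yours:", multisig_check(3, 3, 3))
    print("3-of-5, 3 yours:", multisig_check(3, 3, 2))
```

With this layout a single holder of a 24-word card is at most 88 bits short of the full phrase, but only 44 bits short with a 12-word phrase, so keep the scheme to 24-word phrases.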
Social recovery
This option is not available broadly, but it’s intriguing. In 2021 Vitalik advocated for social recovery:
A social recovery system works as follows:
1. There is a single "signing key" that can be used to approve transactions
2. There is a set of at least 3 (or a much higher number) of "guardians", of which a majority can cooperate to change the signing key of the account.
The signing key has the ability to add or remove guardians, though only after a delay (often 1-3 days).
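A small model of the rules just quoted, added here as an illustration (it is not code from Vitalik's post or from any wallet). The class and method names are hypothetical, and dropping queued guardian changes when the key is rotated is an assumption; the point is to show what the delay buys when a signing key is compromised.

```python
from dataclasses import dataclass, field

DAY = 86_400  # seconds

@dataclass
class SocialRecoveryWallet:
    signing_key: str
    guardians: set
    delay: int = 2 * DAY  # within the "often 1-3 days" range quoted above
    pending: list = field(default_factory=list)  # (ready_at, op, guardian)

    def queue_guardian_change(self, signer, op, guardian, now):
        """The signing key schedules an add/remove; nothing changes yet."""
        if signer != self.signing_key:
            raise PermissionError("only the signing key can manage guardians")
        if op not in ("add", "remove"):
            raise ValueError(f"unknown operation {op!r}")
        self.pending.append((now + self.delay, op, guardian))

    def apply_ready(self, now):
        """Apply queued changes whose delay has elapsed."""
        waiting = []
        for ready_at, op, guardian in self.pending:
            if ready_at > now:
                waiting.append((ready_at, op, guardian))
            elif op == "add":
                self.guardians.add(guardian)
            else:
                self.guardians.discard(guardian)
        self.pending = waiting

    def recover(self, approvals, new_key, now):
        """A strict majority of current guardians replaces the signing key."""
        self.apply_ready(now)
        valid = set(approvals) & self.guardians
        if 2 * len(valid) <= len(self.guardians):
            raise PermissionError("guardian majority not reached")
        self.signing_key = new_key
        self.pending.clear()  # assumption: changes queued by the old key are dropped

def demo():
    # Constructed scenario: the old key is compromised and queues its own guardian.
    w = SocialRecoveryWallet("key-old", {"alice", "bob", "carol"})
    w.queue_guardian_change("key-old", "add", "mallory", now=0)
    # Two of three guardians rotate the key before the delay expires.
    w.recover({"alice", "bob"}, "key-new", now=DAY)
    w.apply_ready(now=10 * DAY)
    return w.signing_key, sorted(w.guardians)
```

`demo()` returns the rotated key with the original three guardians intact: the queued change never takes effect because recovery happened inside the delay window.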
At the end of last year, Safe launched RecoveryHub:
Users can recover access to their accounts through designated recoverers, which can be personal backup devices, family members, friends, and collaborators, in a process known as ‘social recovery.’ In addition, trusted third-party service providers like Sygnum, a Swiss-regulated bank with over USD 4 billion assets held in institutional-grade custody, and CoinCover can also be designated as recoverers to facilitate recovery.
Importantly, even with a custodial recovery setup, Recoverers are given control by the user only in case of a recovery event and are trusted to recover access for users. In all other times, users retain full control through veto rights to cancel any recovery attempt.
Something to consider.
It doesn’t have to be like this (forever)
[T]he whole point of digital technology, blockchains included, is to make it easier for humans to engage in very complicated tasks without having to exert extreme mental effort or live in constant fear of making mistakes. An ecosystem whose only answer to losses and thefts is a combination of 12-step tutorials, not-very-secure half-measures and the not-so-occasional semi-sarcastic ‘sorry for your loss’ is going to have a hard time getting broad adoption.
Welp. Here we are anyway.
Thankfully this convoluted, cumbersome state of affairs is changing. Vitalik pointed out the solution: smart wallets, the development and adoption of which are underway. At Splits we’re creating a best-in-class smart accounts system for onchain teams. However, smart accounts writ large are not at the level where no one needs a “normal” wallet anymore, so it’s still important to secure your EOAs.
As for the future, Jesse Pollak of Base said it well: “we need to build wallets so smart that people can be dumb.”
In addition to the resources linked above, our thanks to Transient Labs for sharing their internal guide to web3 security with Splits.