Your Web3 Wallet Could Rob You! How To Protect Yourself

By Michael @ CryptoEQ | CryptoEQ | 29 May 2024


Intro to Smart Contract Wallets

Smart contract wallets hold assets in a smart contract (most commonly on Ethereum) rather than in an externally owned account (EOA) controlled by a single private key. Because the wallet's logic is code, it can enforce rules an EOA cannot: transfer limits, batching several calls into one transaction, and letting a third party sponsor or reduce gas fees. The wallet provider decides which of these features to implement and how, so the room for innovation is large. Two popular implementations are Argent and Safe.

Argent

Argent is a mobile smart contract wallet built around key recovery. According to a report by Chainalysis, roughly 20% of the bitcoin in circulation in 2021 was effectively lost because the owners no longer had access to their private keys. Lost keys are a problem on every blockchain, not just Bitcoin. Argent's answer is a feature called "social recovery."

With social recovery, users register one or more "Guardians" (trusted public addresses) when creating an Argent account. Guardians are parties the wallet owner designates to help regain control of the wallet. A user who is not comfortable being the sole custodian of their private key can appoint Guardians as a backup, much like giving a family member or partner a spare password in case you forget yours. Guardians give the wallet owner an additional layer of safety and trust for their digital assets.

If a user loses their private key, they request recovery from the app, which notifies the Guardians. Each Guardian can accept or reject the request. Once at least half of the Guardians approve, the wallet is unlocked in the mobile app and the user receives a code by phone or email to complete the process. Note that social recovery in Argent requires a mobile phone number and email address, which weakens decentralization and anonymity compared with other wallet options. Note also that the Guardian set is the trust boundary: any group of Guardians large enough to approve a recovery can, by the same mechanism, hand the wallet to an address of their choosing, so Guardians should be chosen and counted with that in mind.
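As an added illustration (not Argent's code, and not part of this report), here is a small Python model of the approval rule just described. It assumes two details the report does not spell out: every recovery request carries its own id so that a Guardian's approval of an earlier request cannot be reused against a later one, and "at least half" is rounded up.

```python
"""Toy model of guardian-based social recovery.

Added example, not Argent's code. Two assumptions not spelled out in the
article: each recovery request gets its own id so approvals for an earlier
request cannot be replayed against a later one, and the threshold is the
article's "at least half" of the guardians, rounded up.
"""
from __future__ import annotations
from dataclasses import dataclass, field


class RecoveryError(Exception):
    pass


@dataclass
class SocialRecoveryWallet:
    owner: str
    guardians: set[str]
    recovery_id: int = 0                                 # incremented per request
    pending_owner: str | None = None
    approvals: set[str] = field(default_factory=set)     # guardians who approved the current id

    def threshold(self) -> int:
        # at least half, rounded up: 1->1, 2->1, 3->2, 4->2, 5->3
        return (len(self.guardians) + 1) // 2

    def request_recovery(self, new_owner: str) -> int:
        """Started from a new device; the lost key is not needed."""
        if not self.guardians:
            raise RecoveryError("no guardians configured")
        self.recovery_id += 1
        self.pending_owner = new_owner
        self.approvals = set()          # approvals for the previous request are void
        return self.recovery_id

    def approve(self, guardian: str, recovery_id: int) -> int:
        if guardian not in self.guardians:
            raise RecoveryError(f"{guardian} is not a guardian")
        if self.pending_owner is None or recovery_id != self.recovery_id:
            raise RecoveryError("approval does not match the active request")
        self.approvals.add(guardian)    # a repeat approval does not count twice
        return len(self.approvals)

    def finalize(self) -> str:
        if self.pending_owner is None:
            raise RecoveryError("no recovery in progress")
        if len(self.approvals) < self.threshold():
            raise RecoveryError(f"{len(self.approvals)} of {self.threshold()} approvals")
        self.owner, self.pending_owner = self.pending_owner, None
        self.approvals = set()
        return self.owner

    def cancel(self, caller: str) -> None:
        """The current owner (if they still hold the key) can veto a recovery."""
        if caller != self.owner:
            raise RecoveryError("only the current owner may cancel")
        self.pending_owner, self.approvals = None, set()


def demo() -> dict:
    """Three guardians: one approval is not enough, two are; stale approvals are rejected."""
    w = SocialRecoveryWallet(owner="old-key", guardians={"alice", "bob", "carol"})
    out = {"threshold": w.threshold()}
    first = w.request_recovery("new-key")
    w.approve("alice", first)
    out["after_one"] = w.approve("alice", first)         # still 1: idempotent
    try:
        w.finalize()
        out["one_is_enough"] = True
    except RecoveryError:
        out["one_is_enough"] = False
    w.request_recovery("attacker-key")                   # a new request voids alice's vote
    try:
        w.approve("alice", first)
        out["stale_accepted"] = True
    except RecoveryError:
        out["stale_accepted"] = False
    w.cancel("old-key")                                  # owner vetoes the attacker's attempt
    third = w.request_recovery("new-key")
    w.approve("alice", third)
    w.approve("bob", third)
    out["owner"] = w.finalize()
    return out
```

Running demo() shows that one of three Guardians cannot finalize, a second approval can, and an approval left over from an earlier request is rejected. A production design also needs a waiting period between reaching the threshold and finalizing, so that an owner who still holds the key can veto a recovery started by colluding Guardians; the model shows only the counting.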

Early on, Argent was the most popular smart contract wallet, with more users than Safe, until Ethereum gas fees became prohibitively expensive for its model. The difference lies in who pays for gas. A Safe user signs and submits their own transactions and pays the gas themselves. Argent instead runs a relayer service: the user signs a message off-chain, the relayer wraps that signed message in an on-chain transaction and pays the gas, and the wallet contract verifies the user's signature before executing. When L1 gas prices rose, Argent stopped paying for gas on behalf of its wallet users.

Figure: Safe wallet users in 2022. Source: Delphi Digital

Safe

Safe (previously known as Gnosis Safe) is another widely used smart contract wallet on Ethereum. Rather than targeting retail and mobile users as Argent does, it focuses on teams, companies, DAOs, and multisig setups. It currently holds over $30 billion in assets and is regarded as the leading multisig on Ethereum.

Over time the number of active Safes on mainnet has grown significantly, and with the growth of Layer 2 networks it keeps growing. The biggest disadvantage of smart contract wallets on Ethereum is gas: every transaction must still originate from an EOA, and the wallet contract's own execution adds gas on top of the base transaction, which makes daily use costly, especially on Layer 1. The lower transaction costs of an L2 make Safes viable for most users again.

Coinbase Smart Wallet

Coinbase unveiled its Smart Wallet in February 2024. The product follows the ERC-4337 account abstraction standard for smart contract wallets and introduces a set of features aimed at improving both user experience and security.

One of the Smart Wallet's hallmark features is passkey support. Passkeys are intended to replace usernames and passwords: the device generates a key pair, the public key is stored by the application or domain to identify the user, and the private key is generated and kept on the user's device (often backed by its secure hardware) and never leaves it. A passkey is bound to the domain that registered it, so it cannot be used to sign in to a lookalike site, which removes the classic phishing path. The scheme pairs naturally with biometric unlock such as Apple's Face ID, so users can authorize transactions quickly with a biometric check.

Figure: Coinbase Smart Wallet

Another feature is cross-chain support. Traditionally, updating a smart contract wallet's configuration across several networks means executing the same transaction separately on each one. The Smart Wallet lets a single signed update be replayed on every network where the user's wallet is deployed, which streamlines multi-chain asset management and reduces the time and complexity involved.

Perhaps the most distinctive feature is Magic Spend. It addresses a common pain point for smart wallet users: getting funds into the wallet before any on-chain transaction can be made. With Magic Spend, users can pay on-chain transaction costs directly from their regular Coinbase account balance, bridging the gap between a Coinbase balance and on-chain activity without pre-funding or topping up the smart wallet.

Magic Spend is notable for the user base it can reach. As of 2022, Coinbase reported 9 million monthly active users. Letting those users transact on-chain straight from their Coinbase accounts opens a large population of crypto-holding retail users to the on-chain ecosystem, and could meaningfully increase adoption and engagement.


Additional Safety Measures Beyond Simply Using a Smart Contract Wallet

Locating the Official Website

To avoid downloading a fake wallet, you first need to identify the project's real website. Here are the steps:

  1. Twitter Verification

    Twitter can help, but be cautious. Search for the project on Twitter and judge the account by follower count, account age, and verification badge; all three can be faked or bought, so treat them as hints rather than proof. Checking which account security companies, industry experts, and reputable media follow and link to is a stronger signal.

  2. Cross-Verification

    Once you have identified the official Twitter account, verify further, since even official accounts get compromised. Compare the website link in the Twitter profile with the links listed by reputable aggregators such as DefiLlama, CoinGecko, or CoinMarketCap.

  3. Bookmarking

    Once the official website is confirmed, save the link to your bookmarks. This practice reduces the risk of accessing a fake site in the future.
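One way to do the cross-check in steps 2 and 3, as an added Python example that is not part of this report: the links are constructed samples on a made-up domain (example-wallet.xyz), and the function names are this example's own. The point it adds to the steps above is that a lookalike domain can be visually identical to the real one; encoding hosts as IDNA/punycode makes the difference mechanical.

```python
"""Cross-check a project's website link across several independent sources.

Added example, not from the article. The links are constructed samples built
on a made-up domain (example-wallet.xyz); the last one is a homoglyph
lookalike in which the first letter is Cyrillic, not Latin.
"""
from __future__ import annotations
import unicodedata
from urllib.parse import urlsplit


def normalize_host(url: str) -> str:
    """Lowercase ASCII host of an HTTPS URL: 'https://www.X.xyz/a' -> 'x.xyz'."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS link: {url!r}")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    host = unicodedata.normalize("NFKC", host)
    # IDNA encoding turns any non-ASCII label into punycode ('xn--...'), which
    # makes a lookalike domain visibly different from the real one.
    host = host.encode("idna").decode("ascii")
    return host[4:] if host.startswith("www.") else host


def has_punycode_label(host: str) -> bool:
    return any(label.startswith("xn--") for label in host.split("."))


def cross_verify(sources: dict[str, str]) -> dict:
    """sources maps a source name (e.g. 'twitter') to the link it publishes."""
    hosts = {name: normalize_host(link) for name, link in sources.items()}
    distinct = sorted(set(hosts.values()))
    return {
        "hosts": hosts,
        "agree": len(distinct) == 1,
        "suspicious": [h for h in distinct if has_punycode_label(h)],
        "official": distinct[0] if len(distinct) == 1 else None,  # safe to bookmark
    }


def demo() -> dict:
    """Constructed sample links: three agree, one is a Cyrillic homoglyph."""
    sources = {
        "twitter": "https://www.example-wallet.xyz/",
        "defillama": "https://example-wallet.xyz",
        "coingecko": "https://EXAMPLE-WALLET.xyz/app",
        "dm_link": "https://\u0435xample-wallet.xyz/claim",   # Cyrillic 'е' (U+0435)
    }
    return cross_verify(sources)
```

Only when every source resolves to the same host is there something worth bookmarking; any host that comes back with an "xn--" label is a lookalike and should be treated as hostile.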

Using Official App Stores

Downloading wallets from official app stores, such as the Apple App Store and Google Play Store, reduces the risk of installing a fake application, but fakes do occasionally reach the stores. Before downloading, check that the developer name matches the wallet's official developer identity (the project's website should name it), and look at the app's ratings and download counts for further assurance.

Verifying the Official Version

To confirm that a downloaded wallet is authentic, compare the file's hash with the one the project publishes. Generate the hash with a file hash tool (preferably SHA-256; MD5 is no longer collision-resistant and should not be relied on) and compare it with the official value. Obtain the official hash from a source you already trust, such as the project's verified website or signed release notes, never from the same page or mirror you downloaded the file from, since an attacker who replaced the file can replace the hash next to it as well. If the values match, the file is the one the project published; if not, do not install it.
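The check just described, as an added Python example (not from this report or any wallet project). It assumes the project publishes checksums in the format sha256sum prints, one "<hex digest>  <filename>" per line, and it refuses MD5 outright rather than comparing a weaker hash.

```python
"""Verify a downloaded wallet installer against a published SHA-256 checksum.

Added example, not from the article or any wallet project. It expects the
checksum in the format `sha256sum` prints ("<64 hex chars>  <filename>") and
deliberately refuses anything that is not a SHA-256 digest, MD5 included.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")
CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer is not read into memory


def is_sha256_digest(s: str) -> bool:
    s = s.lower()
    return len(s) == 64 and set(s) <= HEX


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text: str) -> dict[str, str]:
    """Map filename -> expected digest from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")   # '*' marks binary mode in sha256sum output
        if not is_sha256_digest(digest):
            raise ValueError(f"not a SHA-256 digest: {digest!r}")
        expected[name] = digest.lower()
    return expected


def verify_file(path: str, expected_hex: str) -> bool:
    """Compare the file's digest with the published one in constant time."""
    if not is_sha256_digest(expected_hex):
        raise ValueError("expected a 64-hex-character SHA-256 digest")
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo() -> dict[str, bool]:
    """Constructed installer bytes: a genuine copy and one with its last byte changed."""
    genuine = b"example-wallet-installer-1.0.0\x00" * 4096
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "wallet.dmg"), os.path.join(d, "wallet-copy.dmg")
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(genuine[:-1] + b"\x01")
        published = parse_checksums(f"{sha256_hex(genuine)}  wallet.dmg\n")
        return {
            "genuine": verify_file(good, published["wallet.dmg"]),
            "tampered": verify_file(bad, published["wallet.dmg"]),
        }
```

The installer bytes in demo() are constructed for the example. A matching hash only proves the file is the one whose hash you were given; it does not prove who published it, which is what a code-signing signature on the release is for.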

Actions to Take if You Download a Fake Wallet

  1. Assess the Extent of the Leak

    If you downloaded a fake wallet but never entered your private key or mnemonic phrase into it, delete the app immediately and install the official version from the verified website.

  2. Compromised Private Key/Mnemonic Phrase

    If you entered your private key or mnemonic phrase into the fake wallet, assume it is compromised. Install the official wallet from the verified website and generate a brand-new wallet with a new seed phrase; do not import the old key or seed, because every address derived from it is exposed as well. Then move your assets to the new address as quickly as possible, since attackers typically sweep stolen seeds automatically.

  3. Stolen Cryptocurrency

    If cryptocurrency has been stolen, seek community assistance with evaluating the case. Submit a form matching the incident type (funds stolen, scam, ransom) and report the attacker's address to the InMist Threat Intelligence Network so it can be flagged for risk control.

Most of the measures below, along with many more, can be found here.

  • Use 2FA (not SMS-based): two-factor authentication (2FA) protects an account with more than a password by also requiring a randomly generated code or a physical device. SMS codes can be intercepted through SIM swapping, so prefer an authenticator app or a hardware key.
    1. How to Set Up Google Authenticator
    2. How to restore access to your accounts if you lose/destroy your device w/ Google Authenticator (2FA)
  • Address whitelisting (allowlisting), commonly used by businesses, ensures funds can only be sent to previously approved addresses. An attacker then needs access to both the wallet and the mechanism that manages the list.
  • Bookmark your favorite/most frequented sites
  • Use a password manager
  • Use burner wallets/addresses holding only what you can afford to lose, especially when interacting with a new protocol for the first time
  • Geographical distribution of multisig keys and/or signers, so that a physical attack on one location cannot reach the threshold
  • Cold storage
  • A crypto vault enforces a built-in, predetermined delay (a timelock) when you try to move funds: the withdrawal cannot complete until the delay has passed, which gives the owner time to notice and cancel an unauthorized request.
  • YubiKeys or other hardware security keys
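Address whitelisting and the vault timelock from the list above, combined in one added Python model (not code from any wallet or from this report). Beyond what the list says, it assumes that adding a new payee is delayed just like a withdrawal; without that, a thief holding the key could allowlist their own address and drain the vault in one step.

```python
"""Toy model of an address allowlist combined with a timelocked vault.

Added example, not from the article or any wallet vendor. Time is an integer
number of seconds supplied by the caller so the model runs offline. Assumed
design choice (not stated in the article): adding a payee is delayed just like
a withdrawal, so a thief holding the key cannot allowlist themselves and drain.
"""
from __future__ import annotations
from dataclasses import dataclass, field

DAY = 86_400


class VaultError(Exception):
    pass


@dataclass
class TimelockVault:
    owner: str
    balance: int
    delay: int = DAY                                        # hold time for every request
    payees: set[str] = field(default_factory=set)           # confirmed allowlist
    pending_payees: dict[str, int] = field(default_factory=dict)          # addr -> ready_at
    queue: dict[int, tuple[str, int, int]] = field(default_factory=dict)  # id -> (to, amount, ready_at)
    next_id: int = 1

    def _only_owner(self, caller: str) -> None:
        if caller != self.owner:
            raise VaultError("not the owner")

    def propose_payee(self, caller: str, addr: str, now: int) -> int:
        self._only_owner(caller)
        self.pending_payees[addr] = now + self.delay
        return self.pending_payees[addr]

    def reject_payee(self, caller: str, addr: str) -> None:
        self._only_owner(caller)
        self.pending_payees.pop(addr, None)

    def confirm_payee(self, caller: str, addr: str, now: int) -> None:
        self._only_owner(caller)
        ready = self.pending_payees.get(addr)
        if ready is None or now < ready:
            raise VaultError(f"{addr} cannot be confirmed yet")
        del self.pending_payees[addr]
        self.payees.add(addr)

    def request_withdrawal(self, caller: str, to: str, amount: int, now: int) -> int:
        self._only_owner(caller)
        if to not in self.payees:
            raise VaultError(f"{to} is not an allowlisted payee")
        if not 0 < amount <= self.balance:
            raise VaultError("bad amount")
        wid, self.next_id = self.next_id, self.next_id + 1
        self.queue[wid] = (to, amount, now + self.delay)
        return wid

    def cancel_withdrawal(self, caller: str, wid: int) -> None:
        self._only_owner(caller)
        if self.queue.pop(wid, None) is None:
            raise VaultError("unknown withdrawal")

    def execute(self, wid: int, now: int) -> tuple[str, int]:
        """Anyone may execute once the delay has passed; funds only ever reach a payee."""
        if wid not in self.queue:
            raise VaultError("unknown withdrawal")
        to, amount, ready_at = self.queue[wid]
        if now < ready_at:
            raise VaultError(f"locked for {ready_at - now} more seconds")
        del self.queue[wid]
        self.balance -= amount
        return to, amount


def demo() -> dict:
    """Owner sets up one payee; a thief who stole the same key then tries to drain."""
    v = TimelockVault(owner="owner-key", balance=100)
    v.propose_payee("owner-key", "exchange", now=0)
    v.confirm_payee("owner-key", "exchange", now=DAY)
    legit = v.request_withdrawal("owner-key", "exchange", 40, now=DAY)
    out = {}
    try:                                   # thief: unknown destination is refused outright
        v.request_withdrawal("owner-key", "thief", 60, now=DAY + 1)
        out["thief_direct"] = "allowed"
    except VaultError:
        out["thief_direct"] = "blocked"
    v.propose_payee("owner-key", "thief", now=DAY + 1)   # thief must start a visible clock
    out["thief_visible"] = "thief" in v.pending_payees    # monitoring can alert the owner
    v.reject_payee("owner-key", "thief")                  # owner reacts inside the window
    try:                                   # the legitimate withdrawal is still locked
        v.execute(legit, now=DAY + 10)
        out["early"] = "executed"
    except VaultError:
        out["early"] = "locked"
    out["on_time"] = v.execute(legit, now=2 * DAY)
    out["balance"] = v.balance
    return out
```

The delay only helps if someone is watching: the owner has to learn about the pending payee or withdrawal during the window and react. And because the thief holds the same key, they can also cancel the owner's actions, so a serious setup keeps the cancel/veto power on a separate key (a hardware key or a second signer) rather than the everyday one.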

By following these steps, users can significantly reduce the risk of downloading fake wallets and protect their digital assets from malicious actors.

Michael @ CryptoEQ

I am a Co-Founder and Lead Analyst at CryptoEQ. Gain the market insights you need to grow your cryptocurrency portfolio. Our team's supportive and interactive approach helps you refine your crypto investing and trading strategies.

