CRYPTO SECURITY: How To Stay Safe When Minting New Projects
The nonfungible token space moves fast.
Every day a new project pops up, and apes and non-apes alike quickly top off their wallets and begin minting without much due diligence or research.
This is a high risk, high reward game that nearly everyone in the space is participating in.
But in order to mint these new projects, users typically have to sign an agreement before processing their order.
Everyone just hits accept and never thinks about it again. But this raises the question: what did you just sign?
The Bored Ape Gazette sat down with Twitter User RMD_41 AKA Bored Ape #9449 to discuss the minting process and how to stay safe when ape-ing into a new project.
RMD_41 has been deep into ETH for about a year and purchased his first cryptocurrency in 2017. RMD_41 has never personally had an issue with any scams, and he credits that to the safety measures he has taken to protect himself.
Check out our interview with RMD_41 below:
Question 1. Is it safe to mint off project websites?
RMD_41: When you mint a project off of a website or connect to a DAPP in defi it’s possible you are giving that smart contract full rights and unlimited access to your wallet, unless the developers of that project have written the contract to only grant the access needed.
There are often ease of use reasons that developers grant themselves full access to your wallet. This will make much more sense when you read & understand bonus tip #2, but by giving unlimited allowances you are taking on smart contract risk for sure.
Just to be clear, there are multiple different standards for a token on Ethereum. ERC 20, ERC 721, etc. Every token type has different rules and works differently. Most NFTs are ERC 721, but some are other token types. The type of token matters to determine the rules around what can and can’t be done with that token & the authorizations that can be granted from your wallet to their smart contract.
Question 2. What are we agreeing to when we connect our Metamask to random sites?
RMD_41: When you connect your wallet to a random site without reading the smart contract, you kind of don’t have a clue what you are agreeing to. (not to mention I’m pretty sure all of us just click the metamask stuff way too fast without reading)
It’s very possible for an “NFT company” to build a website & hide some unlimited ERC-20 token allowance in their contract & then a bunch of people “ape in” to the NFT & then all get rugged from the unlimited token allowance. In fact that has already happened in defi once. Just google the Unicats incident.
Question 3. What information do you give the website when you mint? What can they do with it?
RMD_41: When you mint you are giving the website access to interact with your wallet. You are giving the contract permission to do business with your wallet & whatever stuff is in that code, whatever kind of allowances they have. You are accepting them. Having an ERC 20 unlimited token allowance section of code in an NFT project would be abnormal, but this is crypto. Crazier things have happened.
Question 4. How can apes stay safe when minting new projects?
RMD_41: The best way to stay safe is to use a Metamask wallet to buy and interact and then transfer and hold your NFTs long term in a cold storage wallet that is not connected to any applications, as well as continually clean up the permissions of your wallet.
Due diligence can avoid a lot of heartache. Reading the website, checking activity on Twitter and joining the Discord are all things that one may want to consider before jumping into a new project. After you have done your due diligence and are ready to make the purchase, think about connecting your hardware wallet to your Metamask.
This will allow you to interact via Metamask as a front end to your hardware wallet. Another added layer of security is having a browser dedicated to crypto transactions. Do your internet browsing, Google searching, and email from another browser. Copy and paste only known websites into your ‘crypto browser’. It doesn’t take much to click on a site with JavaScript that can wreak major havoc.
Question 5. How can apes tell which sites are safe to connect to their Metamask and which aren’t?
RMD_41: Unfortunately you can’t really tell unless you can read smart contracts. The absolute best thing to do would be to start educating yourself now & study daily to continue to learn. This is a fast moving space & you are your own bank. You have to take your security very seriously.
Question 6. Do you have any tips or advice for apes prior to giving sites permission to connect to Metamask?
RMD_41: The best advice I can give is to use two different wallets: a hot wallet and a cold wallet. This is the absolute safest method to ensure your NFTs and tokens stay safe. Other good tips can be found below.
If one were to hold two hardware wallets, they could have a transacting hardware wallet connected to Metamask but also a cold storage wallet that *does not* transact but only sends and receives. By connecting your hardware wallet to your Metamask you will be required to approve transactions; without approval there is no transaction.
Question 7. Do you have any other bonus tips for apes to stay safe when minting new projects?
RMD_41: Bonus Tip 1: Removing connected sites from Metamask
Bonus Tip 2: Removing old token allowances
Another important thing to do on a regular basis is to remove old token allowances using a service like ethallowance. You will need to connect your hot wallet to this service & it will query the blockchain and see what allowances you have granted. (Be prepared to be mortified.) You will likely have contracts that have unlimited token allowances to your wallet.
Protecting your seed phrase is great and all, but if you are giving contracts unlimited allowances to your wallet, you are basically handing over your seed phrase to them. Be careful out there. Crypto is a dangerous world and understanding token allowances & wallet security will put you in the top 10% of users in the space.
Bonus Tip 3: Cold storage
Having a hard wallet to stash your crypto and NFTs is one of the most secure ways to custody your assets. However, you can also leverage tools like Gnosis to set up multi-signature wallets to add additional layers of security by requiring multiple signatures to move assets.
Another option, if cold storage seems too complex for you, is a multi-sig smartphone smart contract wallet like Argent.
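The “what did you just sign?” question at the top and the allowance clean-up in Bonus Tip 2 both come down to reading the transaction data Metamask shows before you confirm. The following is an added example, not from the interview or from any of the tools it mentions: a small Python decoder for the two approval calls that give a contract standing access to a wallet (ERC-20 approve and ERC-721/1155 setApprovalForAll), which flags an unlimited allowance, together with the approve(spender, 0) calldata that a revocation sends. The spender addresses used below are constructed placeholders.

```python
# Added example: decode the calldata behind a MetaMask "Confirm" prompt for the
# common token-approval calls, and build the calldata that revokes an allowance.
# Pure Python, no node or RPC needed. Spender/operator addresses are constructed.

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance value wallets warn about

# Well-known 4-byte selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 / ERC-1155 operator
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h

def _word(data: bytes, i: int) -> int:
    """i-th 32-byte ABI word after the selector, as an int; errors if truncated."""
    chunk = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return int.from_bytes(chunk, "big")

def _addr(word: int) -> str:
    """Low 20 bytes of an ABI word, rendered as a 0x address."""
    return "0x" + format(word, "064x")[-40:]

def decode_calldata(hexdata: str) -> dict:
    """Return what the call grants, and a plain-English risk note."""
    data = bytes.fromhex(_strip0x(hexdata))
    sig = SELECTORS.get(data[:4].hex(), "unknown")
    out = {"function": sig, "risk": "unknown selector: inspect the contract manually"}
    if sig.startswith("approve("):
        spender, amount = _addr(_word(data, 0)), _word(data, 1)
        unlimited = amount == UINT256_MAX
        out.update(spender=spender, amount=amount, unlimited=unlimited,
                   risk=("UNLIMITED allowance: spender can move the whole token balance"
                         if unlimited else "bounded allowance of %d base units" % amount))
    elif sig.startswith("setApprovalForAll("):
        operator, approved = _addr(_word(data, 0)), bool(_word(data, 1))
        out.update(operator=operator, approved=approved,
                   risk=("operator may transfer EVERY NFT of this collection"
                         if approved else "revokes operator approval"))
    return out

def revoke_allowance_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): what an allowance clean-up transaction sends."""
    return "0x095ea7b3" + _strip0x(spender).lower().rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    sample = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32   # constructed unlimited approve
    print(decode_calldata(sample)["risk"])
```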