Security Special Issue 03 | OKX Web3 & WTF Academy: From Vigorous Online Activities to Being Hacked in an Instant?

Introduction | OKX Web3 Wallet has created the “Security Special Issue” column to give targeted answers to different types of on-chain security questions. Using real cases that have happened to users, we work with security experts and organizations to share and answer questions from different perspectives, helping users understand and build up rules for secure transactions step by step, with the aim of strengthening user security education and helping users learn to protect their own private keys and wallet assets.

For frequent users of on-chain interactions, security is always the top priority.

Today, the two major “Pitfall Avoiders” in the on-chain world will share their security protection strategies.

This issue is the 3rd edition of the Security Special Issue. We have invited renowned industry security expert 0xAA and the OKX Web3 Wallet security team to explain the common security risks and preventive measures for frequent users.

WTF Academy: Thank you very much for the invitation from OKX Web3. I am 0xAA from WTF Academy. WTF Academy is an open-source university for Web3 development. This year, we incubated a Web3 rescue project called RescuETH, which focuses on rescuing the remaining assets in users’ stolen wallets. So far, we have successfully rescued more than 3 million RMB worth of stolen assets on Ethereum, Solana, and Cosmos.

OKX Web3 Wallet Security Team: Hello everyone, we are very happy to participate in this sharing session. The OKX Web3 Wallet Security Team is mainly responsible for various security capabilities in the Web3 field, such as wallet security capability construction, smart contract security audits, on-chain project security monitoring, etc. We provide users with multiple protection services for product security, fund security, and transaction security, contributing to the maintenance of the entire blockchain security ecosystem.

Table of Contents
Q1: Please share some real-life risk cases encountered by frequent users.
Q2: What are the common security risks and protective measures for frequent users in on-chain interactions?
Q3: Summarize classic phishing types and techniques, and how to identify and avoid them?
Q4: What are the security considerations for professional users when using various tools?
Q5: How can frequent users securely manage multiple wallets and accounts compared to single wallets?
Q6: What are the protective recommendations for transaction slippage and MEV attacks related to frequent users?
Q7: Can users use monitoring tools or professional methods to regularly monitor and detect abnormal wallet accounts?
Q8: How to protect on-chain privacy security?
Q9: What should users do if their wallet accounts are stolen? Have efforts been made or mechanisms established to help stolen users recover assets and protect user assets?
Q10: Can you share some cutting-edge security technologies, such as using AI to enhance security protection?

Q1: Please share some real-life risk cases encountered by frequent users.

WTF Academy: One major security risk for frequent users is the leakage of private keys. Essentially, the private key is a string of characters used to control encrypted assets. Anyone who possesses the private key can fully control the corresponding encrypted assets. Once the private key is leaked, attackers can access, transfer, and manage users’ assets without authorization, resulting in economic losses for users. Therefore, I will focus on sharing several cases of private key theft.

Alice (alias) was induced by hackers to download malicious software on social media, which led to the theft of her private key. Currently, there are various forms of malicious software, including but not limited to mining scripts, games, meeting software, bot scripts, etc. Users need to increase their security awareness.

Bob (alias) accidentally uploaded his private key to GitHub, which was then obtained by others, leading to asset theft.

Carl (alias) trusted a fake customer service agent who proactively contacted him in the official Telegram group of a project, and disclosed his mnemonic phrase, resulting in the theft of his wallet assets.

OKX Web3 Wallet Security Team: There are many such risk cases, and we have selected several classic cases encountered by users during frequent interactions.

The first type is high-quality accounts publishing fake airdrops. User A saw an announcement of an airdrop activity when browsing a popular project’s Twitter. They clicked on the link in the announcement to participate in the airdrop, which turned out to be a phishing attempt. Currently, many phishers use high-quality official accounts and post false announcements below official tweets to lure users. Users should be careful and not take it lightly.

The second type is the hijacking of official accounts. The official Twitter and Discord accounts of a certain project were attacked by hackers, who then posted a false airdrop activity link on the official account. Since the link was posted through official channels, user B did not suspect its authenticity and clicked on it, only to be phished.

The third type is encountering malicious project teams. When user C participated in a mining activity of a certain project and wanted to earn higher rewards, they invested all their USDT assets into the project’s staking contract. However, the smart contract was not rigorously audited and not open source. As a result, the project team used the backdoor reserved in the contract to steal all the assets deposited by user C.

For frequent users who often have dozens or even hundreds of wallets, it is crucial to protect wallet and asset security. They need to remain vigilant and raise their security awareness.

Q2: What are the common security risks and protective measures for frequent users in on-chain interactions?

WTF Academy: For frequent users and all Web3 users, the two common security risks are phishing attacks and private key leakage.

The first type is phishing attacks: Hackers usually impersonate official websites or applications and lure users to click on them through social media and search engines. They then redirect users to phishing websites to induce them to trade or sign transactions, thereby obtaining token authorization and stealing user assets.

Preventive measures: First, we recommend that users only access official websites and applications through official channels, such as links in the official Twitter profile. Second, users can use security plugins to automatically block some phishing websites. Third, when entering suspicious websites, users can consult professional security personnel to help determine if they are phishing websites.

The second type is private key leakage, which has been covered in the previous question and will not be elaborated here.

Preventive measures: First, if a user’s computer or phone has a wallet installed, they should avoid downloading suspicious software from unofficial channels. Second, users need to know that official customer service will not proactively send them private messages, nor will they ask users to send or enter private keys and mnemonic phrases on fake websites. Third, if a user’s open-source project requires the use of a private key, they should configure the .gitignore file to ensure that the private key is not uploaded to GitHub.
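A commit-time guard for the case of Bob’s key ending up on GitHub, added here as an example and not code from the interview or from any OKX/WTF Academy tool. It complements the .gitignore advice by scanning the lines about to be committed for 32-byte hex values and secret-named assignments; the sample .env content, the key inside it and the variable names are constructed.

```python
"""Pre-commit guard: refuse commits whose added lines look like they carry a
wallet private key. Pure standard library; the sample input is constructed."""
import re
import subprocess
import sys

# A secp256k1 private key is 32 bytes = 64 hex chars, with or without 0x.
# Transaction and block hashes have the same shape, so treat hits as "review",
# not proof; the guard still blocks until a human looks.
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
SECRET_NAME = re.compile(r"(private_?key|mnemonic|seed_?phrase)\s*[=:]", re.I)

# Constructed .env contents: the key is a repeated byte, not a real key.
SAMPLE_ENV = (
    "RPC_URL=https://example.invalid\n"
    "PRIVATE_KEY=0x" + "ab" * 32 + "\n"
    "DEPLOYER=0x" + "11" * 20 + "\n"   # a 20-byte address must not trigger
)

def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted description) pairs.

    The secret itself is never echoed: only the first 6 characters survive,
    so the guard's own output cannot leak the key into CI logs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in HEX_KEY.finditer(line):
            findings.append((n, f"32-byte hex value {m.group()[:6]}..."))
        if SECRET_NAME.search(line):
            findings.append((n, "assignment to a secret-named variable"))
    return findings

def added_lines_of_staged_diff() -> str:
    """Only lines being added matter; context and removals are ignored."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

if __name__ == "__main__":
    # Install by calling this script from .git/hooks/pre-commit.
    hits = scan_text(added_lines_of_staged_diff())
    for n, what in hits:
        print(f"added line {n}: {what}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```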

OKX Web3 Wallet Security Team: We have summarized the five common security risks encountered by users in on-chain interactions and listed some protective measures for each risk.

1. Airdrop scams
Risk description: Some users often find a large number of unknown tokens in their wallet addresses. These tokens usually fail to trade on common DEX platforms, and the pages prompt users to exchange them on their official websites. When users authorize the transaction, they often grant the smart contract the permission to transfer their assets, which ultimately leads to asset theft. For example, in the Zape airdrop scam, many users suddenly received a large amount of Zape coins in their wallets, worth tens of thousands of dollars. This made many people mistakenly think that they had accidentally made a fortune. However, this was actually a carefully designed trap. Since these tokens cannot be queried on legitimate platforms, many users eager to cash out will find the so-called “official website” based on the token name. After connecting their wallet as instructed, they think they can sell these tokens, but once authorized, all the assets in their wallet will be immediately stolen.

Protective measures: To avoid airdrop scams, users need to remain highly vigilant, verify the source of information, and always obtain airdrop information from official channels such as the project’s official website, official social media accounts, and official announcements. Protect private keys and mnemonic phrases, do not pay any fees, and use communities and tools to verify and identify potential scams.

2. Malicious smart contracts
Risk description: Many unaudited or non-open-source smart contracts may contain vulnerabilities or backdoors, posing a risk to the safety of users’ funds.

Protective measures: Users should interact only with smart contracts that have been rigorously audited by reputable audit companies or check the project’s security audit report. Additionally, projects with bug bounty programs usually have better security guarantees.

3. Authorization management
Risk description: Over-authorizing contracts may result in fund theft. Here are two examples: 1) If a contract is upgradable, leaking the private key of privileged accounts allows attackers to upgrade the contract to a malicious version, stealing the authorized user’s assets. 2) If a contract has unidentified vulnerabilities, over-authorizing can allow attackers to exploit these vulnerabilities to steal funds in the future.

Protective measures: Users should only authorize the necessary amount to interact with contracts and regularly check and revoke unnecessary authorizations. When signing off-chain permit authorizations, users must clearly understand the target contract/asset type/authorization amount and think twice before proceeding.

4. Phishing authorizations
Risk description: Clicking on malicious links and being induced to authorize malicious contracts or users.

Protective measures: 1) Avoid blind signing: Before signing any transaction, make sure to understand the content of the transaction to be signed and ensure that each step of the operation is clear and necessary. 2) Be cautious with authorization targets: If the authorization target is an EOA address (Externally Owned Account) or an unverified contract, extra caution is necessary. Unverified contracts may contain malicious code. 3) Use wallet plugins with anti-phishing protection: Use wallet plugins that have anti-phishing protection, such as OKX Web3 Wallet, which can help identify and block malicious links. 4) Protect mnemonic phrases and private keys: All websites or applications that ask for mnemonic phrases or private keys are phishing links. Do not enter such sensitive information on any website or application.

5. Malicious faucet scripts
Risk description: Running malicious faucet scripts can lead to the insertion of trojans into computers, resulting in the theft of private keys.

Protective measures: Be cautious when running unknown faucet scripts or faucet software.

In summary, we hope that users maintain a high level of vigilance and raise their security awareness when engaging in on-chain interactions.
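The blind-signing and over-authorization advice in points 3 and 4 above, as a worked check added here (not code from the interview or from the OKX Web3 Wallet): decode the calldata of an ERC-20 approve or ERC-721 setApprovalForAll before it is signed, flag unlimited allowances and unverified spenders, and build the transaction that revokes the approval. The spender addresses and the allowlist of verified contracts are constructed placeholders for what a wallet would look up on a block explorer.

```python
"""Decode token-approval calldata before signing, warn on the risky patterns,
and produce the calldata that revokes the approval. Standard library only."""
import re

# First 4 bytes of keccak256(signature); hardcoded since hashlib lacks keccak.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool)
}
UNLIMITED = 2**128   # far above any real supply; treat anything larger as "all"

# Constructed samples: spender 0x11..11 gets an unlimited ERC-20 allowance,
# operator 0x22..22 gets control of a whole NFT collection.
SAMPLE_APPROVE = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
SAMPLE_SET_ALL = "0xa22cb465" + "0" * 24 + "22" * 20 + "0" * 63 + "1"

def decode_approval(calldata: str) -> dict:
    """Parse approve()/setApprovalForAll(); anything else is refused."""
    data = calldata.lower().removeprefix("0x")
    if not re.fullmatch(r"[0-9a-f]{136}", data):        # 4 + 32 + 32 bytes
        raise ValueError("not a two-argument call; refuse to blind-sign")
    sel, args = data[:8], data[8:]
    if sel not in SELECTORS:
        raise ValueError(f"unknown selector 0x{sel}; refuse to blind-sign")
    # An address occupies the low 20 bytes of its 32-byte ABI word.
    spender = "0x" + args[24:64]
    value = int(args[64:128], 16)
    if SELECTORS[sel] == "setApprovalForAll" and value > 1:
        raise ValueError("malformed bool argument")
    return {"function": SELECTORS[sel], "spender": spender, "value": value}

def assess_approval(calldata: str, verified: set[str]) -> list[str]:
    """Warnings a wallet should show. `verified` holds lowercase addresses of
    contracts with verified source; everything else is an EOA or unverified."""
    d = decode_approval(calldata)
    warns = []
    if d["function"] == "approve" and d["value"] >= UNLIMITED:
        warns.append("unlimited allowance: approve only the amount you need")
    if d["function"] == "setApprovalForAll" and d["value"] == 1:
        warns.append("grants transfer rights over the entire NFT collection")
    if d["spender"] not in verified:
        warns.append("spender is an EOA or unverified contract: extra caution")
    return warns

def revoke_calldata(calldata: str) -> str:
    """approve(spender, 0) or setApprovalForAll(operator, false), same target."""
    d = decode_approval(calldata)
    sel = next(s for s, name in SELECTORS.items() if name == d["function"])
    return "0x" + sel + d["spender"][2:].rjust(64, "0") + "0" * 64
```

Regularly running `assess_approval` over past approvals, and sending the `revoke_calldata` transaction for those no longer needed, is the "check and revoke unnecessary authorizations" step from point 3.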
