A few months ago I got a panicky DM on Twitter from the main developer behind an interesting project that I’d played around with months earlier and hadn’t thought much about since. The developer was apologizing profusely for funds lost in a hack – from my wallet.
Now it was my turn to panic. I quickly opened up my wallet to check. None of my major holdings had been drained. But my mind was racing.
It turned out that the project from months ago had a bug. The bug allowed attackers to grab funds from user wallets, assuming users had granted permission to the project’s smart contract to access the funds in the first place. I was an early user, and I’d granted the smart contract access to an unlimited amount of funds, though luckily only for a fun token I’d spun up as a project. Still, the attacker had managed to grab all of those tokens from my wallet, something I missed in my initial panic.
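The permission described above is an ERC-20 allowance: a token holder calls `approve` to let a contract spend up to some amount on their behalf, and wallets typically fill in an "unlimited" amount so the user is never prompted again. The following Python model is an added example, not code from the article or from the project it describes; the `Token`, `BuggyVault`, `exposure` and `simulate_drain` names are hypothetical, and the vault's missing ownership check is a deliberate stand-in for the kind of bug the author ran into. It shows how the size of an approval, not the size of a deposit, bounds what a buggy contract can move.

```python
"""Constructed model of ERC-20 allowances, showing why an "unlimited" approval
granted to a buggy contract puts a user's entire balance at risk.

Hypothetical names (not from the article): Token, BuggyVault, exposure(), simulate_drain().
"""

UINT256_MAX = 2**256 - 1  # the value wallets typically send for an "unlimited" approval


class Token:
    """Minimal in-memory ERC-20: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # Matches ERC-20 semantics: approve overwrites the allowance, it does not add to it.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """spender moves `amount` of owner's tokens to `to`, bounded by the allowance."""
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        if allowed != UINT256_MAX:  # unlimited allowances are conventionally not decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount


class BuggyVault:
    """Stand-in for a buggy project contract: its withdraw path never checks that
    the caller owns the deposit being moved, so anyone can pull tokens from any
    user who has approved the vault."""

    address = "vault"

    def __init__(self, token):
        self.token = token

    def withdraw(self, caller, victim, to, amount):
        # BUG (deliberate, for illustration): no `caller == victim` check before spending.
        self.token.transfer_from(self.address, victim, to, amount)


def exposure(token, owner):
    """Tokens an owner can lose per spender: min(allowance, current balance)."""
    balance = token.balances.get(owner, 0)
    return {
        spender: min(amount, balance)
        for (holder, spender), amount in token.allowances.items()
        if holder == owner and amount > 0
    }


def simulate_drain(approval, balance=1000):
    """Return how many of `balance` tokens an attacker moves out after the user
    grants `approval` to the buggy vault."""
    token = Token({"user": balance, "attacker": 0})
    vault = BuggyVault(token)
    token.approve("user", vault.address, approval)
    at_risk = exposure(token, "user").get(vault.address, 0)
    if at_risk:
        vault.withdraw(caller="attacker", victim="user", to="attacker", amount=at_risk)
    return token.balances["attacker"]


if __name__ == "__main__":
    print("unlimited approval, tokens lost:", simulate_drain(UINT256_MAX))  # 1000
    print("approval of 100, tokens lost:", simulate_drain(100))             # 100
    print("revoked approval, tokens lost:", simulate_drain(0))              # 0
```

The `exposure` helper is the check worth running against a real wallet: for each outstanding allowance, the amount at risk is the smaller of the allowance and the balance, so an unlimited approval left behind from months ago is exactly as dangerous as the balance that later accumulates. Setting the allowance back to zero with `approve` is what "revoking" means in ERC-20 terms.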
That experience was the first time I had been hacked and suffered losses in my nine years in crypto. It was unnerving, and it served as a reminder that crypto can be a daunting space for new and experienced users alike.
Since crypto security in DeFi and beyond is quite outside my limited technical knowledge, to learn how to keep this from happening again, I turned to one of the most experienced experts in the world on the topic. That expert is Shayan Eskandari, someone whose job once included auditing untested smart contracts before they were released into the wild.
Eskandari is now the chief technology officer at Ether Capital, a fund listed on the Canadian markets that buys and holds cryptocurrencies, but before that, he spent three years as a smart-contract auditor at Consensys Diligence, a unit of the sprawling Ethereum empire. His job at Consensys Diligence was similar to that of a forensic auditor at an accounting firm, but instead of reading financial reports, he read GitHub repositories containing smart-contract code from new crypto projects. Then he compared what the code actually did with what was promised in the projects’ plain-English “white papers.”
Here are Eskandari’s top tips for staying safe in crypto-land.
1. Know what kind of danger is lurking
There are lots of ways that things can go wrong. So, what’s the difference between a hack, an exploit and a rugpull? A hack is simply any unauthorized entry into a system. Smart contracts are made of code, and code can have bugs. If a bug is abused, meaning the code is made to do something it wasn’t meant to do, then that’s an exploit. An exploit can be combined with other measures to hack a system.
A rugpull, meanwhile, is straight-up fraud. It’s when someone is induced to invest capital under false premises. As an example, Eskandari points to a farcical NFT experiment where investors were indeed rugged – and had all their NFT images changed to a picture of a rug.
With that in mind, I asked Eskandari whether DeFi is more dangerous than a centralized exchange. He said they’re both potentially dangerous – but for different reasons. “There’s a different paradigm,” says Eskandari.
A centralized exchange might have lots of safeguards and a security team to look after your funds, but the downside is you don’t really know what they’re doing. You might not even know if they’ve been hacked, if they don’t choose to tell you.
With DeFi, the moment a project is hacked, the community takes notice and rapidly mobilizes. It’s very difficult to cover up a hack on DeFi.
Exchanges can be like “a black box,” Eskandari says, whereas with DeFi “when the hack happens the community knows within seconds.” He points to the recent massive Wormhole hack as an example: a document with details of the complicated hack appeared within hours of its taking place.
2. Get a hardware wallet
When your crypto wallet is on your computer, that’s also where your private keys live. Your private keys unlock your wallet.
To make things more secure, Eskandari says you should get a hardware wallet and have your private keys live there.
“It’s a hardware secure module that keeps your keys separate from any online device, so it won’t ever leave the hardware wallet,” Eskandari explains. “That’s why it’s more secure.”
3. Watch out for big token holdings in a new project
The great thing about blockchains is that all the information is public. Before buying into a project, check out how the tokens are distributed using a block explorer (Etherscan is the most popular one on Ethereum).
If you see tokens concentrated in one or two wallets, it’s probably a red flag unless there’s some explanation why.
“If it’s just one random person holding 50% of the tokens, just ask, why is that the case? Because that person can just dump everything in the market,” Eskandari says.
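The holder check in this section can be turned into a small screening routine. The script below is an added example, not code from the article or from Eskandari; the holder snapshot, the labels and the thresholds are all constructed, and in practice the snapshot would come from a block explorer's token-holders view. It generalizes the "one wallet with 50%" case slightly: it flags any unlabelled wallet above a single-holder limit, and separately flags when the unlabelled wallets among the top holders together control most of the supply, while treating labelled addresses (a liquidity pool, a disclosed vesting contract) as the "some explanation" case the section allows for.

```python
"""Added example (not from the article): screen a token-holder snapshot for the
concentration red flag described above. Holder list, labels and thresholds are
constructed; a real snapshot would come from a block explorer's token-holders view.
"""
from fractions import Fraction

# Constructed snapshot: (address, balance, explorer label). An empty label means an
# unexplained private wallet; labelled entries stand for holdings with a public
# explanation, such as a liquidity pool or a vesting contract disclosed by the project.
SAMPLE_HOLDERS = [
    ("0xA001", 500_000, "DEX liquidity pool"),
    ("0xB002", 300_000, ""),
    ("0xC003", 120_000, "Team vesting contract"),
    ("0xD004", 40_000, ""),
    ("0xE005", 25_000, ""),
    ("0xF006", 15_000, ""),
]


def holder_shares(holders):
    """[(address, share_of_supply, label)] sorted largest first, shares as exact Fractions."""
    supply = sum(balance for _, balance, _ in holders)
    if supply <= 0:  # empty or malformed snapshot: nothing to rank
        return []
    shares = [(addr, Fraction(balance, supply), label) for addr, balance, label in holders]
    return sorted(shares, key=lambda entry: entry[1], reverse=True)


def concentration_report(holders, top_n=10,
                         single_limit=Fraction(1, 5), topn_limit=Fraction(4, 5)):
    """Flag any unlabelled wallet at or above single_limit, and flag when the
    unlabelled wallets among the top_n together hold topn_limit or more.
    Thresholds are illustrative defaults, not figures from the article."""
    shares = holder_shares(holders)
    flags = []
    for addr, share, label in shares:
        if not label and share >= single_limit:
            flags.append(f"{addr} holds {float(share):.0%} of supply with no public explanation")
    unexplained_topn = sum((s for _, s, label in shares[:top_n] if not label), Fraction(0))
    if unexplained_topn >= topn_limit:
        flags.append(f"unexplained wallets in the top {top_n} hold {float(unexplained_topn):.0%}")
    return {
        "top1_share": shares[0][1] if shares else Fraction(0),
        "unexplained_topn": unexplained_topn,
        "flags": flags,
    }


if __name__ == "__main__":
    report = concentration_report(SAMPLE_HOLDERS)
    for line in report["flags"] or ["no concentration flags"]:
        print(line)
```

On the constructed snapshot the largest holder is the labelled liquidity pool, which is not flagged, while the 30% held by the unlabelled wallet is. A label is only as good as its source, so a "team vesting" tag is worth cross-checking against the project's own documents before treating it as an explanation.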
4. Don’t despair
If you do run into trouble, know that you’re not alone. Even the most conscientious user can lose their funds—just ask Eskandari. He lost several bitcoin when Mt. Gox, the granddaddy of bitcoin exchanges, went offline in the early days of the industry. He also got scammed once: He got an email on Black Friday offering him 20% off a hardware wallet. It was Black Friday, so he clicked the link and completed the order, paying in bitcoin.
“Right after that I was like, something is off,” he said. “I looked at the email again and I saw that it was a fake phishing email. I had paid in bitcoin. I couldn’t get it back.”
If I’ve learned anything from my own experience being hacked, and from talking to Eskandari, it’s that crypto certainly isn’t for everyone. But, maybe one day keeping your private keys safe will feel as natural as safeguarding your passwords or bank accounts: not entirely risk-free, but not impossible either.