How To Avoid Web3 Security Pitfalls

{VIDEO} Experts Share Best Practices, SheFi Summit Tickets Live, & Get Funded

financial freedom is feminine

TL;DR: Security is Sexy ~ Buy SheFi Summit Tickets ~ PayPal Crypto Tutorial ~ SheFi NYC Event 10/15/23 ~ Nailwal Fellowship

On September 9, Vitalik Buterin's X (Twitter) account, with 4.9M followers, was hacked through a SIM-swap attack. Exploiting Vitalik’s account, the hacker shared a post for a "celebratory NFT" in collaboration with ConsenSys. His audience, unaware that his account was compromised, eagerly clicked the link to mint the NFT. Yet, instead of minting an NFT, malicious code drained their wallets. The total losses from this scam were estimated at $691,000.

What happened? The hacker disguised a malicious link as an NFT minting opportunity. Since it was shared from Vitalik's real Twitter account and directed users to a seemingly genuine NFT mint page, the scam was hard to discern. Those deceived by this phishing attack suffered irrecoverable asset losses, highlighting a pervasive issue in Web3.

The reality is that Web3 is rife with scams that target users’ wallets. To help you recognize common Web3 attack vectors and how to best protect yourself against them, SheFi hosted a livestream with three security experts:

Below are some of the highlights from this timely and important conversation. Whether you are new to the Web3 space or a veteran, security is paramount.

We encourage you to watch the conversation on YouTube:

Maggie: What are the common security risks Web3 users face?

Britt: The main risk is inadvertently relinquishing your assets. Most of the time, losses stem from individuals being tricked rather than from sophisticated targeted attacks. These usually manifest as broad phishing schemes. The most significant threat is deception, which underscores the importance of proactive security.

Maika: A lot of people see clicking links as a risk, and therefore, they give advice to not click any links. I don’t think that's a really smart way to use the Internet because you actually need to use links, right? So I think more than clicking links, it's the speed and the intensity that people play upon, especially with phishing links and hacks like that. To combat moving fast and clicking a potentially malicious link, one can practice having the discipline to take a step back and evaluate the request.

Maggie: What is a phishing attack?

Britt: When you're being tricked, you're being fished. It’s kind of like catfish in the dating world. You're being phished or tricked into giving away your assets. It might be through a website that is highly convincing or it might be through an email you get that looks like it's coming from OpenSea.

Maggie: How can someone identify if they are being phished?

Maika: Most of the time phishing happens when people click on links from people or companies that they think they trust. If people are trustworthy, they're not going to ask you for money. They're not asking you to click on anything. These are like mental checks that we can all add to our toolbox to make sure to do so we don't fall victim to these kinds of things.

Britt: One of the best ways to identify a phishing attack is triangulating your information. So, typically not interacting with something based on the first time you see it. If you get a link to your email from a company, go check their company Twitter account to see if they’ve shared the same link. If you're in a Discord channel, go and check for an official announcement. Any of those places can get compromised, but it's less likely they'll all be compromised.

Maggie: What are some security best practices and strategies?

Britt: I'd always start with using multiple wallets designated for different purposes. If you are acquiring large amounts of tokens for saving and investing, those should be in a very secure wallet. Sharding your secrets is another strategy, which means placing parts of your seed phrase in different locations, like a relative’s house, to ensure access in case of any unforeseen events. We are responsible for our assets in the crypto space, unlike traditional banking where you can report any discrepancies.

Karina: Think about things before you do them because a lot of mistakes happen just because we're rushing or jumping into something you see might be an exciting opportunity. You want to like FOMO in like right away. And that's when you see like problems arise because it's basically like you're caught up in the moment, and you're missing all of those red flags.

Maggie: Why should people prioritize security?

Maika: There's this fallacy that security is boring or unsexy, but that's so untrue. Everyone wants to be that baddie, who's got it locked down and is unbreakable. We all have the tools and capabilities to do that. Security is actually super sexy, and it allows you to be free and worry less. It brings the peace of mind that was mentioned before and aligns with safety first in all aspects of our lives.


SheFi Summit Tickets Are Live 🎟️:

Join us for a transformative day of learning, networking, and discovery in Istanbul at Devconnect! Whether you're a seasoned expert or a curious newcomer, the SheFi Summit is the place to be to explore the limitless possibilities of onchain technology. The SheFi Summit takes place on November 12, 2023. Secure your spot below.

Thank you to our sponsors: PayPal, Zerion, WalletConnect, Lens, Rarible and ensō.

If you are a SheFi member, and you cannot access the member ticket, please fill out this form. There will be scholarship tickets and giveaways.

SheFi Tutorials: PayPal

SheFi is launching a new tutorial series to get more people onchain called “Onchain is the New Online”. Check out our first tutorial that covers purchasing crypto on PayPal.

Femme Funding Fall: SheFi x Nailwal Fellowship

SheFi is partnering with the Nailwal Fellowship to get more female founders into the program. Founded by Sandeep Nailwal, co-founder of Polygon and Symbolic Capital, the Nailwal Fellowship is a program providing capital to the brightest minds in web3. Every year, 10 selected Nailwal Fellows will receive $50k in grant money, a dedicated mentor from Symbolic Capital, and access to Symbolic's founder resources and internal directory in order to spend six months entirely focused on trying new ideas and building products in web3. Email [email protected] if you are a female founder in SheFi that is interested in this opportunity.

Community Happenings:

540 new SheFi members have joined us for Season 9, bringing our total community to 2,200 members from 50+ countries! Congrats to our new membership class on their journey to master frontier technologies.

10/15 NYC - Come hang with the SheFi NYC Crew. Pitch your ideas, foster connections, bring good vibes. RSVP here.

10/02 - SheFi Member Grace Guan, the founder of Unlonely App launches a dating show: "Love on Leverage". Register to view the show on Unlonely App here: https://lu.ma/loveonleverage

If you enjoyed this newsletter, please share with your colleagues and networks!
