After the large-scale theft of DEXX, re-reading the Blockchain Dark Forest Self-Help Manual.

CN
Foresight News
Follow
5 hours ago

In the dark forest world of blockchain, please remember two major security principles: Zero Trust and Continuous Verification.

This article serves as a guide, with the complete content available on GitHub.

Original Title: "SlowMist Production | Yuxian: A Self-Rescue Manual for the Blockchain Dark Forest"

Author: Yuxian, Founder of SlowMist Technology

Originally published on April 12, 2022

Blockchain is a great invention that has brought about changes in certain production relationships, partially addressing the precious issue of "trust." However, the reality is harsh; there are many misconceptions about blockchain. These misconceptions have allowed bad actors to easily exploit loopholes, frequently reaching into people's wallets and causing significant financial losses. This has long been a dark forest.

Based on this, Yuxian, the founder of SlowMist Technology, has passionately produced the "Self-Rescue Manual for the Blockchain Dark Forest."

This manual (current V1 Beta) contains approximately 37,000 words. Due to space limitations, only the key directory structure of the manual is listed here as a form of guidance. The complete content can be found on GitHub.

We chose GitHub as the primary platform for releasing this manual because it facilitates collaboration and allows for viewing historical updates. You can Watch, Fork, and Star it; of course, we hope you will also contribute.

Alright, let's begin the guide…

Introduction

If you hold cryptocurrency or are interested in this world, and may hold cryptocurrency in the future, this manual is worth reading repeatedly and practicing with caution. Reading this manual requires a certain knowledge background, and we hope beginners need not fear these knowledge barriers, as much of it can be "played" out.

In the dark forest world of blockchain, always remember these two major security principles:

  • Zero Trust: Simply put, it means to remain skeptical, and to always remain skeptical.
  • Continuous Verification: If you believe, you must have the ability to verify your points of suspicion and make this ability a habit.

Key Content

1. Creating a Wallet

Download

  1. Find the correct official website
  • Google
  • Industry-recognized listings, such as CoinMarketCap
  • Ask some trusted individuals
  1. Download and install the application
  • PC Wallet: It is recommended to perform a tampering check (file consistency check)
  • Browser Extension Wallet: Pay attention to the number of users and ratings on the target extension download page
  • Mobile Wallet: The judgment method is similar to that of extension wallets
  • Hardware Wallet: Purchase under the guidance of the official website, and be aware of any signs of tampering
  • Web Wallet: It is not recommended to use this type of online wallet

Mnemonic Phrase

When creating a wallet, the appearance of the mnemonic phrase is very sensitive. Please ensure that no one is around you, including cameras or anything that could lead to peeping. Also, check if the mnemonic phrase appears random enough.

Keyless

  1. Two main scenarios of Keyless (this distinction is made for ease of explanation)
  • Custody, i.e., custodial method. For example, centralized exchanges and wallets, where users only need to register an account and do not own private keys; security relies entirely on these centralized platforms.
  • Non-Custodial, i.e., non-custodial method. Users uniquely hold the power similar to private keys, but it is not the direct cryptocurrency private key (or mnemonic phrase).
  1. Advantages and disadvantages of MPC-based Keyless solutions.

2. Backing Up Your Wallet

Mnemonic Phrase / Private Key Types

  1. Plain text: Primarily 12 English words.

  2. With password: Adding a password to the mnemonic phrase will yield a different seed, which will then be used to derive a series of private keys, public keys, and corresponding addresses.

  3. Multi-signature: Can be understood as requiring multiple signatures from different individuals to authorize the use of target funds; multi-signature is very flexible and can set approval strategies.

  4. Shamir's Secret Sharing: The Shamir secret sharing scheme, which splits the seed into multiple shares; to recover the wallet, a specified number of shares must be used.

Encryption

  1. Multiple backups
  • Cloud: Google/Apple/Microsoft, combined with GPG/1Password, etc.
  • Paper: Write down the mnemonic phrase (in plain text, SSS, etc.) on paper cards.
  • Device: Computer/iPad/iPhone/external hard drive/USB drive, etc.
  • Brain: Be aware of the risks of memorization (memory/unexpected events).
  1. Encryption
  • Regularly verify backups.
  • Partial verification is also acceptable.
  • Ensure the confidentiality and security of the verification process.

3. Using Your Wallet

AML

  1. On-chain freezing.

  2. Choose reputable platforms, individuals, etc., as your trading counterpart.

Cold Wallet

  1. How to use a cold wallet
  • Receiving cryptocurrency: Use alongside wallet observation tools, such as imToken, Trust Wallet, etc.
  • Sending cryptocurrency: QR Code/USB/Bluetooth.
  1. Risks of cold wallets
  • Lack of user interaction security mechanisms like "what you see is what you sign."
  • Users may lack relevant knowledge background.

Hot Wallet

  1. Interacting with DApps (DeFi, NFT, GameFi, etc.)

  2. Malicious code or backdoor exploitation methods

  • While the wallet is running, malicious code may directly upload relevant mnemonic phrases to a hacker-controlled server.
  • While the wallet is running, when a user initiates a transfer, the wallet backend may secretly replace the target address and amount, making it difficult for the user to notice.
  • Compromising the entropy of random numbers related to mnemonic phrase generation, making these phrases easier to crack.

What is DeFi Security?

  1. Smart contract security
  • Excessive permissions: Add time locks (Timelock)/use multi-signature for admin, etc.
  • Gradually learn to read security audit reports.

  1. Basic blockchain security: consensus ledger security/virtual machine security, etc.

  2. Frontend security

  • Internal malfeasance: The target smart contract address in the frontend page is replaced/injected with authorization phishing scripts.
  • Third-party malfeasance: Supply chain attacks/frontend pages introducing malicious or hacked third-party remote JavaScript files.
  1. Communication security
  • HTTPS security.
  • Example: MyEtherWallet security incident.
  • Security solutions: HSTS.

  1. Human security: such as internal malfeasance by project parties.

  2. Financial security: cryptocurrency prices, annualized returns, etc.

  3. Compliance security

  • AML/KYC/sanctioned area restrictions/securities risk-related content, etc.
  • AOPP.

NFT Security

  1. Metadata security.

  2. Signature security.

Be Cautious with Signatures / Counterintuitive Signatures

  1. What you see is what you sign.

  2. Several well-known NFT theft incidents on OpenSea.

  • Users authorized NFTs (listed) on OpenSea.
  • Hackers phished to obtain relevant user signatures.
  1. Revoke authorization (approve).
  • Token Approvals.
  • Revoke.cash.
  • APPROVED.zone.
  • Rabby extension wallet.
  1. Counterintuitive real cases.

Some Advanced Attack Methods

  1. Targeted phishing.

  2. Broad-spectrum phishing.

  3. Combining techniques like XSS, CSRF, Reverse Proxy, etc. (e.g., Cloudflare man-in-the-middle attacks).

4. Traditional Privacy Protection

Operating System

  1. Pay attention to system security updates; act immediately when there are security updates.

  2. Avoid downloading random programs.

  3. Set up disk encryption protection.

Mobile Phones

  1. Pay attention to system security updates and downloads.

  2. Do not jailbreak or root unless you are doing security research; otherwise, it is unnecessary.

  3. Do not download apps from unofficial markets.

  4. The premise for using official cloud synchronization: you are confident that your account security is not an issue.

Network

  1. In terms of networking, try to choose secure options, such as avoiding connecting to unknown Wi-Fi.

  2. Choose reputable routers and service providers; do not be tempted by cheap options, and hope that there will be no advanced malicious behavior at the router or service provider level.

Browser

  1. Update promptly.

  2. Do not install extensions unless necessary.

  3. Multiple browsers can coexist.

  4. Use well-known privacy protection extensions.

Password Manager

  1. Do not forget your master password.

  2. Ensure your email security.

  3. 1Password/Bitwarden, etc.

Two-Factor Authentication

Google Authenticator/Microsoft Authenticator, etc.

Scientific Internet Access

Scientific internet access, secure internet access.

Email

  1. Secure and well-known: Gmail/Outlook/QQ Mail, etc.

  2. Privacy-focused: ProtonMail/Tutanota.

SIM Card

  1. SIM card attacks.

  2. Defense suggestions.

  • Enable well-known 2FA tools.
  • Set a PIN code.

GPG

  1. Distinctions.
  • PGP stands for Pretty Good Privacy, a commercial encryption software that has been around for over 30 years and is now under Symantec.
  • OpenPGP is an encryption standard derived from PGP.
  • GPG, short for GnuPG, is open-source encryption software based on the OpenPGP standard.

Isolated Environment

  1. Adopt a zero-trust security mindset.

  2. Maintain good isolation habits.

  3. Privacy is not something to be protected; privacy is something to be controlled.

5. Human Security

  • Telegram.
  • Discord.
  • Phishing from "official" sources.
  • Web3 privacy issues.

6. Blockchain Malicious Behaviors

Theft, malicious mining, ransomware, dark web trading, C2 relay of Trojans, money laundering, Ponzi schemes, gambling, etc.

SlowMist Hacked Blockchain Hacking Archive.

7. What to Do If You Are Hacked

  • Stop losses first.
  • Protect the scene.
  • Analyze the cause.
  • Trace the source.
  • Close the case.

8. Misconceptions

  • Code Is Law.
  • Not Your Keys, Not Your Coins.
  • In Blockchain We Trust.
  • Cryptographic security equals security.
  • Being hacked is embarrassing.
  • Update immediately.

Conclusion

After reading this manual, you must practice, become proficient, and apply what you've learned. If you have your own discoveries or experiences later, we hope you can contribute them. If you feel sensitive, you can appropriately desensitize or remain anonymous. Additionally, thanks to the maturity of legislation and law enforcement related to security and privacy worldwide; to all deserving cryptographers, engineers, ethical hackers, and everyone who contributes to making this world a better place, including Satoshi Nakamoto. Finally, thanks to the contributors; this list will continue to be updated, and if you have any thoughts, we hope you will contact us.

免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。

Share To

Related Articles

avatar
avatarOdaily星球日报
3 hours ago
Founder of DeFiance Capital: It may be his integrity that has led to his success today.
avatar
avatarPANews
3 hours ago
PA Daily | On-chain trading terminal DEXX was attacked and over 100 million yuan was stolen; Gary Gensler may announce his resignation in early January after Thanksgiving.
avatar
avatar深潮TechFlow
4 hours ago
TONX API joins hands with 20 major partners in the ecosystem, co-building the TON developer ecosystem with Blum, Catizen, CoinGecko, and Google Cloud.
avatar
avatarPANews
4 hours ago
The Ethereum ecosystem gathers in Bangkok, reviewing the latest developments of mainstream projects during the Devcon conference.
avatar
avatarPANews
4 hours ago
Opinion: How to solve the liquidity problem of BGT?
APP

X

Telegram

Facebook

Reddit

CopyLink