ian c rogers

@iancr

15 Tweets 4 reads Apr 28, 2023
1/ We were heartbroken last night over the attack on @kevinrose's wallet. Not only because we felt Kevin’s pain, but because of what it tells us about the state of security across the whole NFT ecosystem.
We would like to share some thoughts on staying safe in this thread 🧵👇
2/ This thread explains the basics of what blind-signing is, how @Ledger is trying to spread adoption of clear-signing as a more secure solution, and how you can help.
Additionally, it covers how to segregate your “vault” and "mint" wallets to avoid mistakes.
3/ First and foremost, what is “blind-signing”?
If a stranger came up to you on the street and asked you to sign a legal document, would you sign it without even reading it?
4/ When you bypass “⚠️ Blind Signing” on your Ledger, you are signing an IMMUTABLE consent without knowing what it is you are signing! This is how scammers trick you into consenting to something you don’t actually want to sign.
5/ But let’s be honest, blind-signing is a daily reality for those of us who are “early” in interacting with Wallet-connected Applications*. This article on Ledger Academy gives you a list of things to double-check when you enable blind-signing.
6/ Often Wallet-connected Applications require smart contract approvals enabling future interactions w/ your wallet. It’s a powerful mechanism to do complex interactions with the protocol. But it’s equally dangerous. Attackers often leverage these approvals when tricking victims.
7/ Use Revoke.cash to revoke access to any open contracts and approvals you no longer want/need. Revoke all smart contract approvals that you don’t need NOW, and never allow any approvals on your vault wallet.
8/ Also, put your most valuable assets in a "vault wallet" and use a different wallet, a “mint wallet”, when you interact with Wallet-connected Apps. Mint with your mint wallet and NEVER blind sign with your vault wallet!
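As an added illustration of what clear-signing shows and blind-signing hides (example code, not Ledger's): a small Python decoder for the calldata a dApp asks a wallet to sign, with the vault/mint rule from tweets 7 and 8 applied on top. The selector table holds the standard ERC-20/ERC-721 4-byte values; the wallet-role policy and the sample calldata are constructed for this example.

```python
UINT256_MAX = 2**256 - 1
# 4-byte selectors (first 4 bytes of keccak256 of the signature): standard ERC-20 / ERC-721 values.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
}

def decode_calldata(calldata_hex: str) -> dict:
    """Parse selector plus statically ABI-encoded args; unknown selectors stay undecoded."""
    h = calldata_hex.lower()
    data = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    if len(data) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match " + name)
    args = []
    for i, typ in enumerate(types):
        word = int.from_bytes(data[4 + 32 * i:36 + 32 * i], "big")
        if typ == "address":
            if word >> 160:
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word.to_bytes(20, "big").hex())
        elif typ == "bool":
            args.append(word == 1)
        else:
            args.append(word)
    return {"function": name, "selector": selector, "args": args}

def assess(calldata_hex: str, wallet_role: str) -> tuple:
    """Apply the thread's rules: no approvals from the vault; flag blanket approvals anywhere."""
    d = decode_calldata(calldata_hex)
    fn, args = d["function"], d["args"]
    if fn is None:
        reason = "unknown selector 0x" + d["selector"] + ": signing this would be a blind signature"
    elif fn == "setApprovalForAll" and args[1]:
        reason = "operator " + args[0] + " gets control of every token in the collection"
    elif fn == "approve":
        amount = "unlimited" if args[1] == UINT256_MAX else str(args[1])
        reason = "spender " + args[0] + " gets an allowance of " + amount
    else:
        return ("ok", fn + " " + str(args))
    if wallet_role == "vault":
        return ("block", "vault wallet must never grant approvals; " + reason)
    return ("review", reason)

# Constructed sample: setApprovalForAll(0xdead...beef, true), the blanket approval the thread warns about.
SAMPLE = "0xa22cb465" + "00" * 12 + "deadbeef" * 5 + "00" * 31 + "01"
```

Running `assess(SAMPLE, "vault")` returns a block verdict naming the operator address, which is exactly the information a blind signature would never show you.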
9/ Ledger & partners have started to build dedicated apps for your #Ledger to maximize security when interacting with smart contracts.
The @LIDOFinance, @Paraswap or @1inch applications are already available and many more (@OpenSea, @ArtBlocks_io!) are coming.
10/ We are actively working with App-builders and wallets to increase our clear-signing coverage and make these applications more easily accessible – please ask the apps you use to provide an app for clear-signing on Ledger!
11/ I recently sat down with @P3b7_ to double-click on Ledger’s approach to security. It’s an important discussion about exactly how digital asset security works, how and why no software will ever make your insecure cellphone secure, and much more.
12/ Finally, we’re working on finalizing the Ledger Browser Extension which adds "Web3 Check", a check for scams and suspicious transactions. #MakeWeb3easy
13/ Why do we make these mistakes? Why do we leave approvals on for our collections and why do we blind-sign with our vault wallets? The answer is, “Because we are human.” We all make mistakes. Our job at @Ledger is to make these mistakes much more difficult to make.
14/ Please turn blind-signing OFF on your vault wallet and encourage all apps you use to create a clear-signing plugin!
15/ I hope you found this thread helpful.
If so, Like/Retweet the first tweet below and help keep the community safe(r):