Session #1: Wallets & Interaction with DeFi
Presented by 0xKB [8 September 2022]
Summary, organization and additional detail by DigitalSoul.x
Part 1: What are crypto wallets?
A normal wallet in your pocket holds your credit cards, ID, cash, etc. Your crypto wallet is not exactly the same; it doesn’t actually hold anything. Instead, it grants access to a personalized experience. However, your wallet does contain information in the form of public and private keys. These are cryptographic terms that allow one to buy and trade cryptocurrencies or NFTs. It’s important that as a beginner in the space you understand a little about how public and private keys work without getting too deep into the math. These are common terms, and actually the same technology is used to secure the connection between your web browser and a website.
First, you have a public key that you can share broadly, hence the name. This is also called a crypto address. On Ethereum, a public key begins with ‘0x’ followed by a very long string of letters and numbers. Similarly, on IOTA your public key will begin with ‘IOTA1’ and on Shimmer your public key will begin with ‘SMR1’. Public keys are actually computed through some fairly complex math. Your public key can be freely given to others; it is quite literally like your bank account number. So, if you want to receive crypto from someone you would give them your public key.
Your private key actually signs the transactions when you spend crypto assets or sell NFTs. The private key allows you to transfer crypto that’s associated with this public key to another public key. That’s why private keys must remain exactly that: private. While the math is really complex, the public key is actually computed from the private key. It’s very difficult if not impossible to go back the other way. The private key is generated from a seed phrase: a string of 12 to 24 short English words, each four to six characters long. The seed phrases actually generate a very long string of letters and numbers, even longer than what you see for the private key. In Firefly, your private key is the 24 words that are displayed that you must verify when setting up your wallet.
The takeaway here is that your public key, by its name, can be shared, while your private key must always remain private.
Also, you should never share your private key or seed phrase with anyone. You will unfortunately encounter a lot of scams where people will say, “If you just send me your private seed phrase or private key, I can help you make money,” or “I can help you recover coins that were lost by a Nigerian prince,” etc. All of these types of comments are scams! Never share your private key or seed phrase with anyone. No reputable company will ever ask you for your private key. When you’re working with your wallet, if you have a particular problem and you reach out to someone publicly you can guarantee you’ll have scammers getting in touch. If they ask for your private key or seed phrase, it’s a scam.
- A wallet doesn’t actually hold anything; it is simply a pair of cryptographic signatures called a public key and a private key that are used to prove that you own the crypto.
- Your Public key is like your bank account: it can be shared freely with those you wish to transact with.
- Your Private key signs your crypto transactions and you should NEVER share your private key or seed phrase with anyone!
Part 2: Types of crypto wallets
Custodial (hosted) wallets vs. Non-custodial wallets
Custodial wallets are wallets that are essentially controlled by others. In a custodial wallet, the private keys are actually managed by someone else on your behalf. This could be Coinbase, Crypto.com, etc. Whatever jurisdiction you’re in, there is a probably a crypto exchange that has a fiat on-ramp. This allows you to convert your local currency and into crypto assets. Typically, a user’s first interaction with crypto will be through a custodial wallet. The best thing about a custodial wallet is that it’s a very easy on-ramp. It manage your keys and you login to the wallet using a username and password. If you forget your password, there are ways to recover and access your account. And while there are a lot of advantages to custodial wallets, particularly for beginners, the account can be drained if the exchange is hacked since it is hosted by others. This has happened, and it will continue to happen. As we see more regulation in the space, more of these exchanges are being held to a certain standard in terms of making their customers whole. But still, even in recent months we’ve seen exchanges going broke. Since they’re not part of the traditional banking system, you are using these custodial wallets at your own risk.
The counterpoint here is non-custodial wallets. These are wallets in which you control the private keys. Two examples are Firefly and MetaMask. With these wallets, you are provided your seed phrase and you’re entirely responsible for your own security. If you lose the private key your crypto is gone forever! You’ve probably heard sob stories about people losing their private keys. There’s a recent one in the UK about a guy trying to raise money to go through a landfill, to look for a hard drive that contains the private keys to hundreds of millions of dollars worth of bitcoin. That’s the level of desperation people will go through to try and find private keys that they have lost. There’s a saying in crypto: “Not your keys, not your crypto.” This means if anyone other than you controls your private keys, they can easily drain your accounts. If they get hacked, you just got hacked. On the other hand, if your private keys are only in your possession, then the responsibility lies with you. This is both a good and a bad thing: it’s good if you understand the risks and employ good security practices, but bad because if something goes wrong, you’re on your own.
- Custodial wallets: Your private keys are managed by someone else. Your account details may be recoverable. You gain convenience but give up some security.
- Non-Custodial wallets: You manage your private key. If you lose your private key, you lose your assets. You give up some convenience but gain much more security.
Hot wallets vs. Cold wallets
Hot wallets are called ‘hot’ because they’re connected to the internet. They might be browser extensions, desktop apps, mobile apps, etc. Firefly and MetaMask are examples of hot wallets but new wallets are coming out all of the time. The problem with hot wallets is that because they are connected to the internet, they are vulnerable to hacking or phishing. We hear about these phishing scams all the time. Quite often, people will lose the contents of their hot wallet because they were tired, it was the end of the day, they clicked on some link, and all of a sudden they’ve granted access to their wallet. At the same time, hot wallets are very convenient because they’re connected to your web browser or your phone and that’s all you need to issue transactions. This makes them ideal for people handling small amounts of crypto or making frequent trades since there’s just less friction. The takeaway with hot wallets is that you are giving up some security to gain convenience.
The counterpoint to hot wallets are cold wallets. A cold wallet contains or literally is the private key that allows you to sign transactions. Two types of cold wallets are paper wallets or hardware wallets. If you have that private key on a piece of paper stored in a safe somewhere and a second copy of it in a bank safe deposit box that’s probably as secure as you can get. Since a cold wallet is not always connected to the internet, the only people who can access it are the people that have access to your safe or safe deposit box. These wallets cannot be hacked, but you can imagine how inconvenient it is if every time you want to make a transaction you have to go to your safe, pull out the piece of paper and type in the very long string of letters and numbers. Hardware wallets like Ledger or Trezor make the cold wallet approach much easier. These wallets don’t sign the transactions directly; they sign an intermediate transaction. When using a hardware wallet, first you plug the device into your computer and unlock it by clicking buttons on the device. When making a crypto transaction you click the buttons on the device to verify the address. In this way, the hardware wallet is the middleman and grants access to your private key. While they are a little less convenient, there’s less risk of hacking because they are not plugged into the internet permanently. Because of this, they are much more secure. The ideal use case for cold wallets is if you have a substantial amount of cryptocurrency or you’re storing it for a long time.
- Hot wallets: Connected to the internet, so potentially vulnerable to hackers / phishers. Convenient for beginners or those dealing with small amounts of cryptocurrencies, but less secure.
- Cold wallets: Not connected to the internet, so cannot be hacked. Not as convenient, but much more secure. Hardware cold wallets do cost $100 or more, so they are more appropriate if you hold substantial amounts of cryptocurrency or value security over convenience.
Part 3: How do you choose a wallet?
Before choosing a specific wallet and funding it, a good piece of advice is to only use cash that you can afford to lose. Even though the crypto experience is much better now than it was two or three years ago, there’s still a lot to learn and many scams out there.
When you are just getting started in the space, the sums you are dealing with are presumably relatively small and convenience is a consideration. Therefore, a hot or custodial wallet would probably be appropriate. These types of wallets also don’t require an upfront purchase of hardware. If you make a mistake it’s not the end of the world because the amounts are small and you are gaining experience in how to use a wallet. Once you start holding larger sums, it is strongly recommended to consider utilizing a cold wallet.
A common practice is use several different types of wallets for different purposes — you don’t need to choose just one. Assuming you gain some experience and start holding larger quantities of crypto, maybe you keep the bulk of your assets in a Cold wallet. You do a bit of trading or buy NFTs from time to time, so you keep a smaller amount of crypto in a Hot wallet. You dollar cost average and buy a bit of crypto on a local exchange every time you get paid via a Custodial wallet. Now you see how all of these can be used together to provide you with the ultimate personalized experience.
One consideration to think about is the user-friendliness of the wallet. When using the wallet, do you like the look and feel? It’s an important consideration because you’ll be using it every time you do transactions.
Some wallets are chain-specific or only support a few chains, so be sure the wallet supports the chains you expect to interact with. Wallets are a huge space for innovation in crypto because they represent the window into the crypto world. Once an individual chooses a wallet, they typically stick with it.
Another interesting consideration relates to backups and private key recovery options. There are some wallets that offer the ability for you to split your seed phrase into three or four different groups of words and share those groups with different people. While these people do have a part of your seed phrase, they never have your entire seed phrase and they don’t know who the others are, so they can’t collaborate to learn your private key and drain your funds. Some wallets even have functionality to help you recover your private key if you happen to lose it. The downside is that if there is the possibility of someone recreating your private key, then that means it’s an attack vector for hackers as well. In the end, if you have good security practices and you know what you’re doing, then almost certainly you’re going to have your own non-custodial wallet, probably a cold wallet. You’ll also be maintaining the security of your seed phrase in a very secure, offline way. By doing so, you’re essentially hack-proof.
Longevity / reputation is also important to think about. Since this is a huge space for innovation at the moment, the downside is that some wallets probably won’t have the best security practices. A new wallet could have security flaws that have not been reported by users yet. A wallet that has been around for awhile without serious security breaches is much safer than a newly-released wallet.
Lastly, make sure you get your wallet from the official source! If you’re buying a hardware wallet like a Ledger or a Trezor, buy it directly from the official site. There are stories where people have bought cold wallets second-hand (for example, from eBay) and those devices have been compromised. As a result they’re not secure anymore, so you need to make sure that you buy or download your wallet from the official source. This really can’t be emphasized enough!
Part 4: Using your wallet
There are many different wallets out there, and the use of each one is a little different. Most custodial or hosted wallets will have videos you can watch to get up to speed on how to use the wallet. In the same way, many hardware wallets also have videos or tutorials online regarding the use of their products. Just make sure to make sure that the video comes from the official source of the wallet and it’s not some scammer trying to gain access to your crypto!
When using your wallet there are a few things to to keep in mind. First, double check the address you’re sending cryptocurrencies to. When you copy that public key address, paste it into the field and hit send, there’s usually no going back. This is of course different if you set an expiration time in the Shimmer Firefly wallet, but most exchanges don’t support this feature yet. Good practice is to check the first five or six characters and the last five or six characters of the public key address at a minimum. Never manually type it in if you can avoid it, because it’s easy to confuse some characters or make a typo. If you do, your coins are gone. It’s also a good idea to clear addresses from your clipboard after use. There is malware out there that basically scans your clipboard for addresses. If you don’t clear these, the malware can send the clipboard addresses to hackers.
Another tip to help secure your wallet is to use a strong password and lock it when not in use. All wallets have passwords and they also allow you to lock them when you’re finished so that they can’t be loaded by someone else if you click a phishing link. If you lock it every time after you finish using it, then you have to unlock it before it can be used by any website that you access.
Also, don’t store your seed phrases online. If you store something online, then it can be hacked. There are password manager tools out there that store your seed phrases. Even though these tools are super-convenient and your seeds are encrypted, they are a prime target for hackers. One better option is to store your seed phrases on Crypto Steels. These are physcial plates that can be engraved or stamped with your seed. If stored in a safe, the only way that the Steels are accessed is if someone physically opens the safe. The point can’t be overstated: don’t ever share your seed phrase or private key!
To mention a practical way to keep your wallet safe, there’s a website called revoke.cash. They have an extension that works in Chrome, Brave or other Chromium browsers. Revoke.cash is a really great tool that checks the permissions you’ve granted through your wallet and allows you to revoke those permissions. It’s particularly useful for checking the permissions granted with your MetaMask wallet. After you’ve connected, you can choose between tokens or NFTs. If there were transactions that you need to revoke they will populate on a list. At the end of the list you are given the option to disconnect your wallet. This is a great operational security practice. Check revoke.cash from time to time just to be sure that any lingering permissions that you’ve granted no longer have access to your wallet. Similarly, if you use Google Apps and you use Google to sign into different projects, every now and then it’s good practice to go in and revoke the permissions for projects you’re not using anymore. Revoke.cash works the same way.
FOMO or Fear Of Missing Out is a real thing in crypto. Maybe you hear about this new NFT project and it’s got everyone really excited about it. The Discord is going crazy, they’re about to do a mint and someone pings you. Maybe there’s a chance to get on the whitelist or there’s an opportunity to mint it right now. This is one time when bad decisions are made, so just check your FOMO. It does make you do risky things and there might not be recourse if something goes wrong. Double check before signing anything!
If you’re using an open Wi-Fi hotspot and doing some crypto transaction with an exchange or between different wallets, always use a VPN. The risks here are probably small but worth mentioning. A VPN or Virtual Private Network essentially masks the traffic between your computer and the internet. The actual contents of the traffic are no longer visible as well as the source and the destination of the traffic. It adds an extra layer of security that makes it too hard for the average hacker to overcome. The risks of using an open network are much greater if you were to go to NFT NYC; it’s literally a huge conference with thousands of people in the crypto space. In this situation you should always use a VPN because there will be a ton of hackers there.
Lastly, it’s important to follow some basic computer best-practices, like keeping your software up to date. This includes your wallet software / firmware. Also, make sure to back up your seed phrases safely. Crypto Steels and a safe is one option but even if you just write it down on paper and split it across different locations this would suffice. Just be sure that you can access it if you need to and it’s not stored on the internet.
Following these basic, routine computer maintenance tips will go a long way to helping secure your cryptocurrencies in the wallets you choose while providing a safe, smooth user experience.