How to Secure Your NFTs with a Hardware Wallet & Vigilance
In the crypto and NFT world, there are tons of bad actors, phishing sites, rug pulls, and other scams. This doesn’t mean there are no good actors in crypto or that the whole thing is a scam, just that when there’s money on the line, people will always look for ways to take advantage of others.
Eventually, as crypto grows up, the user interface for NFTs will improve substantially, and we’ll have better standards, norms, and protocols, which should make it harder for bad actors to succeed.
My bet is that the user experience for NFTs will eventually get so good that once NFTs go mainstream, most people won’t even know they own a blockchain asset.
In the meantime, if you want to play around with self-custody digital assets, you take a ton of risk and must remain vigilant to protect your assets. While we wait for the user experience to improve, I’ll give you five tips to protect your NFTs. Keep in mind, I’m not an expert in cryptography or a developer, but I’ve managed thousands of dollars successfully (so far), and I’ve been around this industry for many years.
1. Protect your seed phrase
A secret recovery phase (also known as a seed phrase) is a 12-24 word combination that protects your private key. This phrase can be plugged into hundreds of different wallet providers or apps and your assets will come with you.
The only time your seed phrase is needed is for the initial setup of your wallet. When you're setting up your wallet, always double-check the URL bar or the app store reviews to make sure you're on the correct app or site. There are tons of phishing sites that attempt to look like the real wallet providers.
Your seed phrase is for your eyes only. If someone requests that they need your seed phrase, you’re being scammed.
Where to store seed phrase
I don’t recommend screenshotting your seed phrase or typing it out on a notes/documents app because if your device is poorly password protected, and your device becomes compromised or another person has access to it, your phrase is at risk.
If you insist on storing your phrase digitally, it’s best to opt for a password manager like 1Password or Apple's iCloud. Just make sure you’ve got a strong password for your password manager. Wallet providers like Coinbase Wallet and Rainbow can automatically upload your phrase to iCloud password manager if you let them.
Most secure storage
The most secure way to store a seed phrase is to write it down with a pen and paper and put it away in a safe. It’s not a bad idea to make a second copy to give to a trusted family member who lives in a different location.
The downside of this method? You can potentially forget where your paper’s stored or the ink from the pen could fade away over time.
I can't help you remember where you put your paper, but if you’re worried about the ink fading, you can engrave your seed phrase into a metal plate. Here’s a list of all the companies that provide metal plates with grades of how well they withstand heat and corrosion. (I bought this one: Black Seed Ink.)
2. Buy a hardware wallet
A hardware wallet is a device that stores your seed phrase and plugs into a computer, sort of like a flash drive. I highly recommend using one if you have more than if you have more than $1,000 of crypto assets.
The two main hardware wallet manufacturers are Ledger and Trezor. In my experience with both devices, Ledger devices are a bit more user-friendly and more compatible. If you plan to do your crypto interactions with a computer via a USB cable, I recommend the Ledger Nano S Plus. If you want the option to use your phone, I recommend the Ledger Nano X.
Benefits
Your seed phrase is stored on your hardware wallet, which is never directly connected to the internet. Your seed phrase remains cold. If one of your devices is compromised there’s no way for the attacker to access your crypto.
It allows you to follow this simple principle: never type your seed phrase. Just enter your phrase into your hardware wallet using the tiny screen interface for initial setup. You literally type it with a keyboard.
It adds friction to transacting with the blockchain, which increases your security naturally because you have more time to process your actions. When using a hardware wallet with Metamask, you first sign the message on MetaMask, then you need to unlock your hardware wallet with your pin, then sign the transaction with your hardware wallet. It’s three steps, rather than one.
If you lose your hardware wallet or it breaks, it's not the end of the world as long as you’ve properly stored the seed phrase because you can boot up unlimited hardware wallets using your seed phrase. I keep a new and sealed Ledger device around so that I’m prepared if my hardware wallet stops working.
Drawbacks
Signing a simple message is cumbersome and takes three steps rather than one. And it’s even more annoying if your hardware wallet is in a different room than your computer.
You'll need to transfer your assets from your old hot wallet to your new address (that one that’s associated with your hardware wallet), which can cost a lot in gas fees. On the Polygon blockchain, it’s not a huge deal, but if you have a bunch of Ethereum NFTs, it can cost anywhere between $1-$10 per NFT, depending on how busy the network is. I recommended weekend mornings for the cheapest Ethereum gas.
Misconceptions
I bought a Ledger hardware wallet back in 2018, but I was so intimidated that I let it sit in my closet for two years. I didn't understand how it worked and was terrified that I'd accidentally lose all my bitcoin. The setup is fairly simple and Ledger has great walkthroughs, but let’s go over two things that NFT newcomers often get wrong to clear up basic confusion.
Firstly, it is important to know that NFTs are not stored in a regular or a hardware wallet. A hardware wallet is not a USB drive. Every NFT is stored on the blockchain. A wallet with a private key just gives you control and allows you to manage the assets that you own on the blockchain.
Secondly, you should not reuse an old seed phrase from a previous wallet because that defeats the purpose. Your old phrase has already been on the internet--it’s hot. You must create a new phrase that has never seen the internet or been used before.
3. Know what you’re signing
After you’ve logged into a site with your wallet, to perform an action, you’ll often get a message that requires a wallet signature to go further.
While MetaMask and other wallets have made interface improvements, these messages can be intimidating. And if you sign one malicious contract, your assets are gone.
First, let's go over gas-less signatures.
Gas-less signatures
You might need to sign a message to prove you own a specific asset to gain access to a Discord, a whitelist, or something else token-gated.
For example, in my Discord server, to get access to all of the channels, you’ll need to use an app called Collab.Land and sign a message that proves that you own the Collector Club NFT, which gives you access to our entire server.
Another gasless signature example is to access your OpenSea profile or watchlist, you’ll need to sign a message that proves you’re the owner of your wallet.
As a general rule of thumb, you can’t get scammed if you don’t first pay gas. A simple gasless sign message is safe in any scenario.
Signatures that require gas
Anytime you interact with the blockchain, you’ll need to sign a message, which costs gas because you’re writing to the blockchain.
There are two scenarios where you’d sign a message that are universally safe: sending someone crypto or buying an NFT on a trusted marketplace.
Minting an NFT and claiming an airdrop can be safe, but it’s important to read what the prompt is before signing. If you see the word “mint” on the MetaMask prompt, you should be safe. But if you’re unsure, check its legitimacy by typing in the suspicious site into the Twitter search field to see if it’s being talked about.
Sometimes bad actors create a page that appears to be for a mint, but when you interact with a contract, it’s actually a “set approval for all” command message, rather than a mint, which is the most dangerous thing you can sign. If you sign this message and pay for gas, the bad actor is given permission to do whatever they want with your tokens, like transfer them to their own wallet.
So why does this “set approval for all” message even exist if people can just steal your assets?
“Set approval for all" is used all the time in a non-malicious way, like when you want to list your NFT on a marketplace. Approving your tokens to a marketplace contract will allow the marketplace to take your NFT from you and give it to the buyer after the buyer pays for an NFT. As long as you use a trusted marketplace, there’s nothing to worry about.
Always be sure to check the URL bar to see that you're on the proper site. Memorize the TLD extensions to your favorite marketplaces (Opensea.io, Looksrare.org, Blur.io) or bookmark them to avoid using legit looking phishing sites.
Playing it safe
If you just want to be extra careful, you can use a site called: https://revoke.cash/
Just connect your wallet, and it’ll display your assets, and which contracts (sites) you’ve given permission to use your assets. If you see a site that you don’t trust on your token approvals, pay a small gas fee to remove their permissions.
Most importantly, if you think you’ve been compromised, move your assets to a fresh wallet (with a new seed phrase) immediately because you’re in a race against the scammer.
4. Use multiple wallets
Due to the risks of minting, use a hot wallet for minting, then transfer your assets to your hardware wallet once you’re done. I don't always utilize this strategy myself because I feel confident in what I'm signing and I don’t mint often, but it’s a smart move.
The upside to using this multi-wallet strategy is that none of your assets from your hardware wallet are on the line if you were to accidentally approve your tokens to a malicious contract. Two wallets running simultaneously inside the MetaMask wallet is easy to set up and switching wallets takes seconds.
The downside is that the two-wallet-system will cost extra money. Moving assets from your hot wallet to your hardware (cold) wallet will cost a gas fee and transfers can’t be batched together. You may also run into a problem where you need assets from your hardware wallet in order to mint something. There are multi-wallet solutions in the works, where a hot wallet could sign for a cold asset, after you’ve given it permission to do so cryptographically.
5. Disable DMs on Discord and Twitter
Social engineering is how most people get scammed in the crypto world. Often someone will pretend to be someone that they’re not to trick you. Or sometimes the person you’re talking with has been sim swapped.
The simplest solution is to disable DMs on Discord and Twitter from people that you don’t know to keep impersonators out of your DMs.
If a friend asks you to do something, and it doesn’t feel right in your gut, always message your friend on a different platform to make sure that they haven’t been compromised.
It’s not always the case, but greed is typically the main thing that leads to people losing their assets. The big projects like Bored Apes, Doodles, or Azuki aren’t doing a surprise mint and you’re not going to make money from it. Think through your actions.
Wrap Up
Eventually, we’ll have a more user-friendly experience for NFT users, but in the meantime, if you want to play in the wild west, you need to bring your A-game. I’m hoping that I’ll look back at this post in five years and laugh at how ridiculous these precautions are.
To summarize, take the storage of your seed phrase seriously. And if you have more than $1,000 dollars of crypto assets, consider getting a hardware wallet, like Ledger.
If you want to get fancy combine a MetaMask hot wallet with your cold storage hardware wallet. You can mint with your hot wallet where the stakes are low, then later transfer your good assets to your hardware wallet.
And finally, take a deep breath before big transactions and think through every click and signature. The old adage, "if it's too good to be true, it probably is" has never been more true than in the crypto ecosystem.