Fairside Logo
Fairside Logo
Fairside Logo
BLOG
BLOG/Self Custody 101: What!? Why!? How!?

9th May, 2023

Self Custody 101: What!? Why!? How!?

Andrew Hogue

Andrew Hogue

blog thumbnail

Welcome to FairSide’s comprehensive educational series on self-custody, crafted to equip you with the knowledge and tools necessary to safeguard your digital assets. In this series, we’ll tackle the subject of self custody head-on by discussing why it’s important, exploring the multi-faceted challenges that come with it, and providing a holistic defense strategy to help you overcome those challenges.

At FairSide, we understand that the intricacies of self custody can be overwhelming. But we firmly believe that with straightforward guidance and support, anyone can learn to effectively safeguard their funds. Our mission is to empower you with the knowledge and tools necessary to fully grasp the complexities of self-custody and secure your cryptocurrency with confidence.

Not your keys, Not your crypto!

In the traditional financial system, consumers are accustomed to having a certain level of protection for their money. If their credit card is stolen, the bank will typically refund any unauthorized charges. This protection is made possible by the bank’s infrastructure and resources, including insurance policies and specialized fraud departments. In the world of cryptocurrency, however, the landscape is very different. Without a centralized authority or intermediary, users are responsible for managing their own security and taking personal measures to protect their assets.

The most common way for consumers to purchase cryptocurrency is through an online marketplace such as Coinbase, Binance, or Gemini. In many ways, the users are conditioned to feel as though it is similar to having a bank account. Users can connect their bank account directly to the marketplace, view their transaction history, and monitor the performance of their investments. A consumer may feel subconsciously that there’s some level of protection here – that if one’s assets are stolen in any way or lost, or if there’s any issues with the company, the money is fully insured and simply will be returned to us. Unfortunately, this is not the case. There is no centralized authority or insurance policy that can guarantee the safety of your assets on these marketplaces, and if your assets are stolen or lost, or the exchange has issues, there may be no available recourse. The reality is, the level of protection that consumers experience in the traditional space simply does not exist in cryptocurrency.

While it can be tempting to believe that catastrophic events such as marketplace failures could never happen to reputable and established exchanges, countless stories of individuals losing their life savings prove otherwise. The truth is that all centralized marketplaces are vulnerable to unexpected events, and relying on popularity and reputation alone is not enough to safeguard against the risk of catastrophic loss. It’s difficult to fathom that an event so cataclysmic could occur and it’s completely reasonable for an consumer to assume that an exchange that has high levels of adoption would not suddenly have an issue. It may also feel like there will be ample time to pull out your money and put it somewhere safe if anything shady is discovered. Unfortunately, that is not the case. Similarly, one might assume that only sketchy, off-the-radar exchanges would have issues, but that’s not true either.

In 2014, Mt. Gox, the world’s top Bitcoin exchange, at one time accounting for 70% of Bitcoin transactions worldwide, suddenly halted withdrawals. Less than a month later, the CEO announced that 750,000 of its customers’ Bitcoin were, quite simply, “gone”. This nearly half a billion dollar hack was a shock to the entire community, and birthed the mantra in the cryptocurrency space, “Not your keys, not your crypto”.

In cryptocurrency, the owner of the assets in a wallet is determined by possession of the private keys. The private key is essentially a secret code that enables the owner to access and control the funds associated with the corresponding public address on the blockchain. The entity that holds the private keys has complete control over the cryptocurrency funds associated with that address. If those keys are stored on a centralized exchange or custodial wallet, then the owner is fully entrusting this private entity to safeguard these assets. If those funds become compromised, whether that’s through a hack or through the incompetence of a CEO, the money can fully be gone. Gone, gone. Thus, the above mantra perfectly encapsulates the point that exchanges are not and were never meant for the custody of your funds.

Flash forward eight years after the collapse of Mt. Gox, and the cryptocurrency market has evolved significantly, with wider scale adoption, more regulation and institutional buy-ins. The third largest cryptocurrency exchange enters the game and is led by someone with an impressive track record. There are countless celebrity endorsements, the CEO’s face is on the cover of Forbes and VC’s are publishing indulgent write-ups hailing him as a genius. The company even owned the naming rights to the Miami Heat sports stadium. Consumers were lulled into a sense of security to keep funds on his exchange through all of the company’s marketing. During the Super Bowl ad starring Larry David, the ad stated, “It’s FTX. It’s a safe and easy way to get into crypto," as it was broadcast to millions of potential customers.

Six months after the Super Bowl ad aired, FTX’s tragic multi-billion dollar collapse serves as a painful reminder that entrusting private keys with private entities carries significant risk. This collapse differs from Mt. Gox in that it was not a sophisticated hacker that brought down the exchange, but rather the complete incompetence of its founders. However, the results remain the same: its customers’ funds are now completely gone, with little to no possibility of recovery. The mantra rang through the entire cryptocurrency community yet again, and a million users lost their funds. If, however, one was utilizing self custody, they still had their funds. They were safe… Safe, at least, from the incompetence of exchanges.

Okay, Okay! My keys! My crypto! …My insomnia!?

To create an effective defense strategy for self-custody, it’s crucial to understand the various types of hacks and thefts that can occur. While exploring the countless ways users have lost their funds while utilizing self-custody may be anxiety-inducing, basic education and proactive security measures can help alleviate these concerns. It’s important to remember that after employing proper measures, self-custody is unquestionably safer than holding funds on a marketplace. This is not just the empty appearance of safety that a marketing company attempts to convince you of, but instead represents legitimate and verifiable security.

If you’ve ever tuned into crypto twitter, you likely have seen a daily occurrence of someone having their wallet “drained”. These range from more casual users who lost a couple of hundreds dollars due to a hacked mobile Metamask from connecting to an insecure network (less common), to more sophisticated social engineering phishing scams (more common) leading to millions of dollars lost.

The reality is that a large-scale marketplace attack like Mt. Gox is rare due to its complexity and risk, and many scammers have found success through simpler tactics like creating fake social media accounts or phishing links. The scammer may view attacks like this as having less risk due to the fact that larger marketplaces often have the resources to recover their funds through proper channels if an attack were to occur. Meanwhile, many individual users who are scammed lack the knowledge, time, energy, or resources to track down hackers and recover their stolen funds. This, in combination with the decentralized nature of cryptocurrencies, lack of intermediaries, and complex technical infrastructure make the space a prime target for hackers. Large sums of money can be transferred with little friction and full anonymity, and the technical complexity of cryptocurrencies can be difficult to understand for the average user, increasing the risk of human error and vulnerability to attacks.

Many believe that the most common “hack” is what we’ll refer to as a “cyber attack”. This type of hack often involves exploiting vulnerabilities in software or operating systems to gain unauthorized access to a device or network. It can be done using a variety of techniques, such as malware, keylogging, or exploiting software vulnerabilities. This also includes exploits found in the security of a product or contract that you are interacting with. However, in the world of self-custody, the most common attack is likely ones that have to do with a user voluntarily giving permission to their assets over to a stranger. They may sign a malicious contract, or fall for a social engineering scam. It’s a common occurrence for someone who had their wallet drained to be convinced that their device was hacked, however, on the contract level, auditors have gone in and confirmed that most of the time, the user unknowingly signed a malicious transaction.

In order to truly build a truly robust defense, it’s essential to take a multi-pronged approach.

The comprehensive solution

There’s no “one size fits all” for security, and that’s by design. We should not trust one source for the security of all of our assets. There’s several steps you can take to have an immediate impact on your security. First, cover the technical measures you can take.

  1. Split your funds into multiple wallets on multiple browsers or computers.
    • This way, if you sign a malicious transaction on a wallet, the only assets that are at risk are the assets within that individual wallet. Distributing your funds distributes your risk.
  2. Utilize a hardware wallet.
    • The industry standard for wallets at this point in time is Ledger or Trezor. Storing your cryptocurrency on a hardware wallet requires that you have physical access to the device in order to sign and approve transactions, which significantly reduces the risk of online hacks and other cyber attacks. Additionally, hardware wallets are isolated from the internet and other potential vulnerabilities, further enhancing their security.
  3. Protect your seed phrase properly.
    • Make sure to never store your seed phrase digitally. It is recommended to hand write your seed phrase and to keep it somewhere you will never lose place of. You can handwrite a second version to keep in another location. Remember: in cryptocurrency, access is ownership. If someone were to find this seed phrase, they have access to full control over your wallet, so many have even gone so far as writing half the seed phrase in one safety deposit box, and the other half in a separate safety deposit box at another bank.
  4. Sort your wallets into three (or more) different categories.
    • Cold Wallet: your cold wallet should be a hardware wallet. This wallet holds assets that you are intending to vault. You are sacrificing ease of use for maximum security. You may be holding for short, medium, or long term, where you want certainty that they will be safe, and ideally, you will not sign a single allowance to any contract. Even if you recognize all of the allowances you’ve signed, you could have one slip-up where you accidentally sign a gasless transaction that exploits those permissions. If you would like to sell anything that is high value from this wallet, it is recommended that you get an additional cold wallet that you transfer these assets into, thereby utilizing step 1 of “distributing your risk”. If you sign any permissions to this wallet, it is recommended that you revoke these permissions after use (we’ll cover this later).
    • Hot Wallet: this is a type of wallet that is solely online. You utilize this for ease of convenience to execute purchases or trades, and it ideally acts as an intermediary between putting assets into cold storage. With this wallet, you connect solely to verified, trusted sources, and it is best for holding lower value assets that you do not intend to hold for a long period of time.
    • Burner wallet: this is a type of wallet that traders may use for quick transactions with minimal funds. It’s best suited for signing transactions that you’re not entirely certain of. For example, if you come across an NFT project by an anonymous team that you heard about on Twitter, it’s best to use a burner wallet for minting the NFTs. Remember that scams are sophisticated and always happen unexpectedly, so you should only keep cryptocurrency or NFTs in this wallet that you can afford to lose.
    • Utilize a mult-sig wallet.
      • Utilize a multi-sig wallet for enhanced security. A multi-sig wallet is a type of digital wallet that requires multiple signatures or approvals from different wallets or individuals before a transaction can be completed. Unlike traditional wallets that rely on one “key person” to manage and secure the assets, a multi-sig wallet distributes the responsibility among multiple parties. Safe (formerly Gnosis Safe), one of the most trusted brands in the industry, offers a highly secure multi-sig wallet solution. While a minority may choose this option for personal security, it is most often used for DAOs or corporate accounts.

After you have taken proper technical security measures, the other line of defense we need to build is a psychological one, as many of these scams are preying upon and exploiting human emotion, and have consistent red flags. There are a number of trackable, common tropes that thus make scams fully avoidable with proper education. This topic warrants an entire article on its own, so stay tuned for our next article where we will be going on a deep dive on all of the types of social engineering scams (and exploits in general) that exist in the space thus far, and the ways in which you can avoid them. However, the solution can be summarized in a newer mantra circulating the crypto community “Don’t trust. Verify.” Always triple check your links, and be cautious when acting under a sense of urgency and FOMO.

Now that you’ve implemented some of this line of thinking, it’s always best to update to the latest version of your software, and you have the option of utilizing different dapps.

  • Always update to the latest version of your software.
    • Companies often release patches to fix vulnerabilities, so it’s important to install updates as soon as they become available. For example, MetaMask recently added new settings that can help detect phishing attempts, so updating to the latest version can give you an added layer of protection.
  • Revoking token approvals via Etherscan is a crucial step towards maintaining good wallet hygiene.
    • Revoke token approvals via Etherscan
      • To get started, navigate to etherscan.io and select “More” then “Token Approvals”. Connect your wallet to the site, and review all ERC-20, ERC-721, and ERC-1155 token approvals. Be sure to revoke any permissions that you no longer require to prevent bad actors from draining your wallet. Finally, confirm the transaction to revoke the approvals, which will incur a gas fee. In the event that you are experiencing a scam and your assets are being removed, act quickly by revoking the permissions immediately and saving what you can.
      • When you give approvals to a contract, you are granting permission to that contract to control your digital assets. These approvals can be unlimited, meaning the contract has full access to all of your assets. Unfortunately, bad actors can exploit these permissions to drain your wallet, even if the contract is with a well-known platform like Opensea’s Seaport. Therefore, it’s recommended to remove all allowances when using cold storage to better protect your assets.
    • Revoke Cash* is another free product that allows you to do the same task.
      • Though Etherscan’s “token approval” page is still in beta, Revoke.Cash has become a bit of a go-to industry standard for wallet hygiene.
  • Utilize anti-phishing plug-ins for your wallet
    • Wallet drains occur when the user signs a malicious transaction. Typically, this transaction is obstructed with an indecipherable arrangement of text and numbers, as many signatures are, and the user is simply trusting that the signature is doing what the front-end of a website told them it would do. This is where anti-phishing browser plug-ins come into play. These browser extensions run simulations to show the results of what you are signing. Some of them have excellent UI that make the risks associated with the transaction you are signing abundantly clear.
  • Delegate wallets using an app when possible.
    • While navigating the NFT space, you may join a community raffle to mint an NFT or find that the NFT you own makes you eligible for another NFT claim. To ensure the full safety of your original NFTs, it’s best practice to hold them in a separate wallet from the one you use for claiming or minting. This can be achieved through a process called “Delegation.” In simple terms, delegation involves connecting your wallet to a verified, trusted contract and signing a transaction that verifies you as the owner of a specific wallet. You then delegate another wallet, which you also own, for specific actions. This transaction grants no additional permissions beyond delegation. If you now mistakenly connect the secondary wallet to a fraudulent website, you ensure that your primary wallet has never connected, keeping your NFTs safe from risk.
    • Delegate.Cash* is an app leading the charge in this area for general usage, and PREMINT is a platform that has incorporated this option in all of its launches. Both solutions aim to greatly minimize potential risks for their user base, allowing you to enjoy the NFT space with added security.
  • Lastly, you can always look for coverage for your assets. We recommend that you do a deep dive and compare all of the different cover protocols that are out there, as some come with a considerable amount of risk. There are some coverage protocols that cover marketplace failures and some of the phishing scams that we will be going over in our next article.

*While many of these apps are recommended by the industry, we have not run a full audit and we advise that you use these at your own risk. For many of these tools, the source code is public on Github and can be audited by anyone who would like to.

Lastly, we would like to give a shoutout to ZachXBT and CoffeeZilla, two people out of many in the crypto community who have devoted an endless amount of time, energy, and creative genius to track down scammers and use their platform to hold these bad actors accountable. At times, their work was solely responsible for getting the stolen funds returned.

Thank you for taking the time to read this article and putting in the effort to stay safe. We understand that it can sometimes feel tedious to go through all the necessary steps to protect your assets, but we commend you for taking an active role in your own security. By utilizing these steps, you can greatly reduce the risk of falling victim to scams and attacks, and ensure that your cryptocurrency is well-protected.

Stay vigilant, stay informed, and remember:

Don’t Trust. Verify.