Coin theft incidents occur frequently. What do we need to know about the protection of crypto assets?

This article is approximately 2285 words,and reading the entire article takes about 3 minutes
Web3 coin theft incidents occur frequently. How to avoid hacker attacks?

Coin theft incidents occur frequently. What do we need to know about the protection of crypto assets?

How to identify fake wallet addresses? Why are cold wallets still at risk of being hacked? How do these attacks happen? What kind of people become targets of hackers? How to avoid such problems?

Recently, Web3 has frequently experienced theft of coins, especially the much-watched 1,155 WBTC theft incident, which has attracted widespread public attention. The protection of encrypted assets has also become the focus of everyones attention. In response to this incident, PoPP and OneKey jointly held a Space to share with the community issues about on-chain security, which was full of practical information and provided a popular science lesson for newcomers who lack awareness of prevention.


  • PoPP CTO: Neo

  • OneKey Eco head: Cavin

Host: JY

This Space mainly discusses the following issues:

1. How to identify fake wallet addresses?

2. Which is safer, storing Crypto in an exchange or in a wallet?

3. Why are cold wallets still at risk of being hacked? How do these attacks happen?

4. What kind of people will become the target of hackers? How to avoid trading pitfalls/share your experience?

5. Currently, PoPP has attracted many users. How does it ensure asset security?

1. How to identify fake wallet addresses?

Regarding how to identify fake wallet addresses, Cavin mentioned two methods. The first is to carefully check every number and letter when transferring money to avoid being counterfeited. Secondly, the current mainstream software wallets have this address library function, including OKX and OneKey Classic. You can put your frequently used addresses in this address library to quickly select the correct address. Remind everyone to ensure that the environment is safe before transferring money and avoid copying addresses from transaction records.

Neo made some other additions in his sharing. Neo shared a developer in their team who never believed in any hot wallets. He only used his own node wallet to transfer all funds and controlled it with a mini bank. Of course, ordinary people like us cannot do this. Ordinary people can take precautions from the following 4 aspects:

  • a. First, ensure a secure environment, including network, VPN, mobile phone and computer environment.

  • b. Secondly, choose a secure device, such as an Apple device or a hardware wallet.

  • There is no doubt that Apple devices are relatively safe, and then there are some hardware wallets. When we have to install other software on Android, it is recommended to use one or two mainstream wallets. If you need to import mnemonics frequently, avoid using the pasteboard. Remind everyone not to download too many wallets, and only update them in the APP.

  • c. In addition, develop a good habit of conducting a small test transfer before confirming the transaction. It is recommended that you transfer money to the other party by scanning the code, and confirm with each other before and after the transfer.

  • d. Finally, check the blockchain browser to confirm the transfer details after each transfer.

  • If you find that the amount is wrong or the target address is wrong, you can still take remedial measures immediately. You can also immediately initiate a new transaction with a higher gas fee to offset your previous transaction. It is still possible to recover, but if you successfully transfer the money out or click on a phishing software, there may be nothing you can do.

2. Is it safer to store crypto in an exchange or in a wallet?

Host JY:

Thanks to Neo and Cavin for sharing. I want to ask a question, which is safer, an exchange or a wallet?


From the perspective of security level, hardware wallets have the highest security level. Although the threshold for using hardware wallets and the difficulty of operation are higher than hot wallets, they are not as convenient as hot wallets.

Exchanges and hot wallets are less secure, but they are very practical. It is recommended to put a portion of your funds in a reliable exchange, such as Binance or OKX. There will be no major problems in the short term, but you cannot fully trust them.

It is recommended to place some funds in a reliable exchange, but not too much. For uncommon protocols, new hot wallets can be used for isolated management.


At the technical level, safety is always relative. There is no absolute safety; it is just a matter of cost.


If you keep it in your wallet and don’t touch the Internet, it is relatively safe. However, after you interact with other dApps and link frequently, your security index will continue to decline in the process.


Crypto is relatively safer in exchanges than hot wallets. There is no single point of failure in exchanges. You will not lose your assets when you trade, buy, sell, or transfer. And the advantage that exchanges can provide is the ability to compensate. Even if you lose your money in the exchange, the exchange can compensate you.

Moderator JY: For example, my wallet has many interactions and authorizations. When I complete the NFT sale, can I cancel the previous authorization?

Cavin: Yes. If you don’t have a habit of regularly checking whether the contract authorization has been cancelled, the risk will gradually increase.

3. Why are cold wallets still at risk of being hacked? How do these attacks happen?

Host JY:

Got it. I had a friend who lost 1.26 million USDT when he traded funds from OKX to OKX wallet. The staff said that it could be frozen for two hours, but then he mentioned that his money was previously in a cold wallet. Why is there still a risk of cold wallets being hacked? How do these attacks happen?


I think this has nothing to do with cold wallets, and there may be a problem during the transfer of funds. Hardware wallets usually ensure security by storing private keys or mnemonics in the chip. However, when using hardware wallets, you need to be connected to the Internet, and the private keys are stored in the browser cache or data files, so they are vulnerable to hacker attacks.

Hardware wallets must be used together with software wallets. The signing process is completed on the hardware wallet, and your private key will never touch the Internet.

In fact, this process is transferred to the physical device. It actually has a secure chip (Secure). The signature is completed by using the private key in the chip. After signing, it will pass the signature to the software wallet. After the software wallet obtains the wallet, it will send the transaction to the chain. So the signing process is completed on the hardware wallet without you being connected to the Internet.

If the hardware wallet is lost, you only need to import the mnemonic phrase into a new hardware wallet. However, there is a risk of social engineering attacks, and hackers may obtain the wallet unlock code to steal assets.

The design principle of hardware wallets is to add a second confirmation during the transaction signature process to increase security. Supply chain attacks and internal attacks are also risks, so it is recommended to purchase open source hardware wallets. Under the premise of ensuring that the hardware wallet has not been tampered with, even if the hardware wallet is lost, the assets are still safe.

Host JY:

Although hardware wallets require online signatures, they are not 100% secure. How can we avoid such situations as much as possible? Are there other identification methods?


OneKey products have obtained EAL 6+ certification and are highly secure. It is difficult for hackers to export private keys from hardware wallets, and brute force cracking is extremely difficult. Software wallets are vulnerable to network attacks, and hardware wallets can isolate this process.


Security is relative, and there are problems with the private key system. Be cautious when managing assets, and do not rely on a single device to store all your assets. Make backups, and do not trust any seemingly safe device. We will propose solutions on how to better manage assets.

4. What kind of people become targets of hackers? What conditions must be met?

Host JY: What kind of people become targets of hackers? What conditions must be met?


From the cases of 1,155 WBTC, we speculate that the hacker performed hash collisions and simulated addresses before launching the attack, casting a wide net, probably covering tens of thousands of addresses. The hackers habitual actions can be found through transaction meeting records. Users need to take protective measures, including fund management, isolating wallets in different scenarios, regularly checking address authorization, and developing good transfer transaction habits.


Hackers may indiscriminately steal assets by placing phishing links, including authorization methods, simulated transfer methods, and stealing private keys.

Hackers may also target individuals. When they find that there is a lot of funds on the chain, they will launch attacks and send you some links through social messages. Or they may ask you to buy USDT, send you emails, impersonate colleagues, and steal in many other ways. So be careful not to trust anyone and click on unfamiliar links.

For the project side, hackers may target the contract address for vulnerabilities and attack. The project side needs to do a good job of auditing and verifying user assets. In addition, hackers are likely to attack the customer service staff of the project side, invade the computer by adding friends, sending messages, etc., obtain intranet information and steal assets. Hackers are more likely to have organized and premeditated intrusions against enterprises and users with large assets. The team needs to be trained and establish effective preventive measures.

User A asked a question

How to identify and prevent phishing and link attacks?


First, whether on a mobile phone or PC, when you are not sure whether the link is valid, you can use Google Chromes privacy mode or incognito mode to open the link.

Second, when you need to install software on your computer, I would recommend using a collection like CMC. You can use privacy mode to access the projects Twitter or the public website of the aggregation platform. Second, use an empty wallet link. Use your naked eyes to identify the official address. Generally, the official domain name is not very complicated.


Added: You can also install some security plugins. Secondly, it is not recommended to search for project websites from Google.

User B asks a question

Is it safe to keep crypto assets or spot products on exchanges?


Any exchange is relatively safe. It depends on which exchange you put it in. Some exchanges have a certain ability to pay compensation. Even if you lose a small amount of assets, they can compensate you, such as Binance. However, the assets in the contract may disappear; the spot may be fine. It should be noted that it is normal for small exchanges to run away, and small exchanges may not be able to withstand hacker attacks and may be stolen. It is recommended to put it in a mainstream exchange with compensation capabilities.

5. Currently, PoPP has attracted many users. How does it ensure asset security?

Host JY: Currently, PoPP has attracted many users. How does it ensure asset security?


We put asset security first. Here are some key measures we have taken:

The first is the security management of the entire account system:

We currently use the MPC method to manage the account system, and in version 2.0, that is, Q2 and Q3, we will update it again. I personally think that there are certain problems with using EOA accounts as an asset management method, so a safer way is to make full use of EUA accounts and smart contract accounts and use private keys only for signing purposes. In addition, it is a more reasonable way to separate assets and operations. Hardware wallets and software wallets can improve the security of private keys. It is a safer way to put the security of funds in smart contracts. In the account system, we will use the MPC solution to divide the private key into three parts to increase security. (For example, if your own private key is leaked, or the platforms private key is leaked, you will not be able to complete the signing process. Because another part is given to the security agency.)

Smart contract accounts are divided into social accounts and virtual accounts. Social accounts use the ERC-6551 protocol to store social assets, and can perform multi-signature and verification during the interaction process. (When you are trading, if a private key is leaked, you can change your private key without losing your total assets.) Another popular ERC-4337 virtual account. Although there are not many usage scenarios at present, virtual accounts are a potential development trend that will gradually make the account system intelligent. At present, we mainly use ERC-6551 to support the smart contractization of your social accounts.

The second is the security of the interaction process:

We noticed that more asset losses occurred at the interaction layer, so in PoPP 2.0 we will release a social plug-in that can access project party information. When interacting, our social plug-in will identify projects that need to be whitelisted for authorization fees and issue early warning prompts. In addition, through built-in DEID and plug-ins, we provide an isolation layer in the interaction process to protect the users assets and social identity security.

Finally, our AI information source: PoPP will cooperate with security project parties and data parties to disclose whitelist and blacklist information to help users obtain security information. Through these three levels, we are committed to ensuring the security of users assets and social experience. Thank you for listening.

This article is from a submission and does not represent the Daily position. If reprinted, please indicate the source.

ODAILY reminds readers to establish correct monetary and investment concepts, rationally view blockchain, and effectively improve risk awareness; We can actively report and report any illegal or criminal clues discovered to relevant departments.

Recommended Reading
Editor’s Picks