In this article I will try to touch on all the security and privacy risks the subjects of The $GREED Experiment had to take on to be able to mint their tokens, and explain how to implement better practices. In future articles I plan to cover the aftermath, my personal thoughts about the experiment and the interesting situations I was put in during that time.
Even though I think the biggest lessons from The $GREED Experiment have nothing to do with security or privacy, I also assume that explaining the exact security and privacy practices people should employ while navigating the crypto world might stick in readers' minds for a longer time. So, even if there are far more important lessons on the psychological side of things, I first wanted to cover the “simpler” ones, and honestly, the ones that are much easier for me to write about.
The sea of risks
The crypto space, or web3, as we have recently taken to calling it to sound more sophisticated, is filled with security traps at every step. There is nobody holding your hand, nobody who can help you recover your lost funds, nobody who will make sure you are properly educated before you dive in.
And the scammers know that. There is no easier and more lucrative group of people to scam than crypto users.
I’m sure you’ve all experienced it. Phishing attempts in your DMs on Twitter, Discord and Telegram. Send me 1 bitcoin, I send you back 2. My bitcoin is stuck. Fake links, Nigerian prince. It doesn’t even stop with DMs; even Twitter replies are swarmed with bots trying to make you click a link to a website designed to drain your wallet.
Other than simply trying to make you sign a transaction that “steals” money from you, there are other, more sophisticated methods by which someone can get enough information to take advantage of you. This often involves collecting some private data to leverage at a later date.
All the risks greed made us take on
Putting all the social and psychological elements aside, let’s look at all the risks The $GREED Experiment walked their subjects through:
1. Clicking the unknown link
There is a lot of data your browser shares just by opening a website, and whoever sets up the website can collect it.
The first thing that comes to mind is of course the IP address. This reveals your ISP and also gives someone a chance to guess your location quite accurately.
But there is a lot more data they can collect, including your operating system, which browser you’re using (and its exact version), language, keyboard layout, content encoding, time zone, which site you came from, the list of browser plugins, screen resolution, GPU, installed fonts, and more.
If someone collecting all of the mentioned data doesn’t make you nervous already, it gets better: the sum of this data creates a fingerprint that might be unique to you. This means someone can recognize you on a different website even if you change your IP, actively use a VPN, or use tracking and ad blockers.
You can test how unique your fingerprint is on a few different websites. The one I just checked works quite well and will give you an idea of how much data other than the IP you are sharing with every website you visit: https://amiunique.org/fp
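To make the fingerprint idea concrete, here is an added example (not code from the article or from amiunique) that builds a fingerprint from browser attributes like the ones listed above, shows that a new IP leaves it unchanged, and reports which attribute is singling a visitor out of a small population. Every visitor record is constructed; in a real browser the same fields would come from `navigator`, `screen` and `Intl.DateTimeFormat().resolvedOptions()`.

```javascript
// Added example (not from the article): how a browser fingerprint is formed,
// why it survives an IP change, and which attribute singles a visitor out.
// All visitor records below are constructed; in a real browser the same fields
// come from navigator, screen and Intl.DateTimeFormat().resolvedOptions().

// The fingerprint is the joined attribute values, deliberately excluding the IP.
function fingerprintOf(attrs) {
  return Object.keys(attrs)
    .filter((k) => k !== 'ip')
    .sort()
    .map((k) => `${k}=${attrs[k]}`)
    .join('|');
}

// Anonymity set: how many visitors in the population share this fingerprint.
// A value of 1 means the visitor is unique and recognisable across sites.
function anonymitySet(me, population) {
  const fp = fingerprintOf(me);
  return population.filter((p) => fingerprintOf(p) === fp).length;
}

// For each attribute, how much the anonymity set would grow if that attribute
// were not exposed; the largest gains mark the attributes that make you stand out.
function identifyingAttributes(me, population) {
  const base = anonymitySet(me, population);
  const without = (o, key) =>
    Object.fromEntries(Object.entries(o).filter(([k]) => k !== key));
  const gains = {};
  for (const key of Object.keys(me)) {
    if (key === 'ip') continue;
    gains[key] = anonymitySet(without(me, key), population.map((p) => without(p, key))) - base;
  }
  return gains;
}

// Constructed population: a common OS/browser profile, a rare time zone and a
// slightly less rare font list. Visitor 4 is the only one with both.
const COMMON = { os: 'Windows', browser: 'Chrome/112', lang: 'en-US',
  tz: 'Europe/Berlin', fonts: 'Arial,Verdana', screen: '1920x1080' };
const POPULATION = [
  { ...COMMON, ip: '203.0.113.1' },
  { ...COMMON, ip: '203.0.113.2' },
  { ...COMMON, ip: '203.0.113.3', tz: 'America/Lima' },
  { ...COMMON, ip: '203.0.113.4', fonts: 'Arial,Verdana,Comic Sans' },
  { ...COMMON, ip: '203.0.113.5', tz: 'America/Lima', fonts: 'Arial,Verdana,Comic Sans' },
  { ...COMMON, ip: '203.0.113.6', fonts: 'Arial,Verdana,Comic Sans' },
];
const ME = POPULATION[4];
const ME_ON_VPN = { ...ME, ip: '198.51.100.9' }; // new IP, same fingerprint
```

The point a VPN user should take away: `anonymitySet(ME_ON_VPN, POPULATION)` is still 1, and the time zone, not the address, is what gives the visitor away here.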
2. Connecting with Twitter and giving out the permissions
The permissions The $GREED Experiment asked authorization for
Any website that asks you to log in using another platform’s account gets certain permissions on that account through the API. In most cases these sites will ask for “read” permissions, and even though that doesn’t sound dangerous, it isn’t really so benign.
For example, Twitter’s base read permissions already allow the app to see Twitter “through your eyes”. This means someone can know exactly what your settings and preferences are and who you have notifications turned on for, but also know at all times the exact content you’ve been exposed to. As I’m sure you can understand, this data can very much be used “against you” in many ways.
The permissions we asked for are the second level, write permissions. On top of everything the read permissions include, this covers making any changes to your profile and account settings, and of course the ability to post and delete tweets on your behalf.
There is also a third level an app can ask Twitter to authorize, which on top of everything previously mentioned also allows it to read, send and delete your direct messages.
3. Connecting your wallet to an unknown site
On its own, this step is not a security concern, but in this case, where you have already opened the website and connected your Twitter, merely connecting a wallet links that wallet’s address to all of your previously collected data.
4. Signing an unknown transaction
This is the one most of you have already heard about, but I assume not a lot of people truly understand the risks, or the fact that there is no way to be sure what the transaction is going to do, at least for an average user on Solana.
As soon as your wallet is connected, a malicious site knows exactly what assets you’re holding and can create a custom transaction designed to transfer everything worth money out of your wallet. Be it SOL, USDC, Samoyedcoin or NFTs, dozens of assets can be transferred in the same transaction.
And if you think checking the simulation makes you 100% safe, think again. To explain this in the simplest terms: a smart contract can be written so that what it does when you sign depends on on-chain state that can change between the simulation and the actual execution, so the transaction that runs can differ from the one shown in the simulation.
Implementing best practices
Now, after explaining all the risky situations we were facing, let’s look at the best we can do about each of them:
1. Clicking the unknown link
This is really not my strong suit, and if anyone can help make this more to the point, please contact me. Until then I will at least give it my best shot:
Use a VPN. Even if this doesn’t solve all the problems, it at least hides your IP, ISP and location. Finding a good VPN provider that stores no data is a whole other beast and I recommend spending some time on it; there are some great Reddit threads about it. The one I like and use collects zero data, doesn’t even use my email to log in, and I top it up with crypto.
Make sure your browser fingerprint is not unique. There are sites that can help you check this.
Open unknown sites in a dedicated browser, clear browsing data, and install some extensions that block ads and tracking.
Sorry I can’t do much better than this, but if you follow the steps above, you are already in quite good shape.
2. Connecting with Twitter and giving out the permissions
This is a very easy one — simply don’t. If a site wants any permissions on your social media accounts, don’t do it if you don’t have to.
If you have to, use a burner profile if possible. Sites you connect to can collect your email and any other private data associated with that account, which means you should also use a burner email when creating the burner profile in question.
If a site wants you to connect your main profile to access or prove something, go and yell at them and demand they do better. Consider putting more value on your privacy and don’t be too quick to give it up. Make sure you are completely aware of what you’re selling your privacy for, and work out whether it’s really worth it. I would say it isn’t in most cases.
NOW GO AND REVOKE ACCESS TO ALL THE APPS YOU GRANTED PERMISSIONS TO!
My tweet explaining how to do this on Twitter:
But don’t stop there. Go check your Google, Facebook and all the other accounts you have. It should be easy to google “how to revoke app permissions on …” and check who has had access to your profiles this entire time. Revoke everything you can.
3. Connecting your wallet to an unknown site
Not a lot to add here, other than to always use a wallet address that you are OK with having linked to all the other data someone is able to collect about you.
Creating burner accounts is easy, and even if you do it the “stupid” way, by funding your new burners from your other account, it’s still worth it, as it makes it harder for any automated analysis to connect them.
4. Signing an unknown transaction
This looks like the most complex part of the puzzle, but it actually has a very simple and straightforward solution.
There is really only one way to be completely safe signing a transaction that a third party prepares for you:
THE ONLY ASSETS YOU SHOULD HAVE IN YOUR WALLET AT THE TIME OF SIGNING A TRANSACTION ARE THE ASSETS YOU EXPECT TO SEND IN THAT TRANSACTION.
It’s really that simple.
If you want to mint something that costs 2 SOL, your wallet should have no more than 2.01 SOL and nothing else in it at the time you sign the transaction. No tokens, no NFTs, no domains. NOTHING ELSE.
If you are supposed to send 100 USDC, have exactly that and some lamports to cover the gas. And again, nothing else.
If you are supposed to be staking an NFT, make sure your wallet has nothing other than exactly that one NFT and some SOL dust for the gas.
Even if you want to stake 20 NFTs, start with 1. Let the other 19 wait safely in another wallet until you confirm the site does what it claims.
Even if you only ever use 2 wallets, one as your “bank” and the other as the one that connects and signs things around (and gets funded only before the signing), you are already doing better than the vast majority of crypto users.
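Because the risk in the “signing an unknown transaction” section is exactly that the transaction can do more than the simulation showed, the rule above is enforced on the wallet, not on the transaction. Here is an added example (my own code, not from the article or any wallet) of a pre-signing check for that rule: it takes the wallet’s balances and the amounts the transaction is expected to send, and flags anything extra beyond a 0.01 SOL fee buffer. Balances and NFT names are constructed, in base units (lamports for SOL, smallest token unit for USDC, 1 per NFT).

```javascript
// Added example (not from the article): a pre-signing check for the rule above,
// the signing wallet holds only what the transaction is expected to send, plus a
// small SOL buffer for fees. All balances are constructed and in base units
// (lamports for SOL, smallest token unit otherwise, 1 per NFT).
const LAMPORTS_PER_SOL = 1_000_000_000n;
const FEE_BUFFER = LAMPORTS_PER_SOL / 100n; // 0.01 SOL, as in "no more than 2.01 SOL"

// holdings: { asset: BigInt }  expected: { asset: BigInt amount the tx should send }
function checkWalletBeforeSigning(holdings, expected) {
  const problems = [];
  const allowedSol = (expected.SOL ?? 0n) + FEE_BUFFER;
  for (const [asset, amount] of Object.entries(holdings)) {
    if (asset === 'SOL') {
      if (amount > allowedSol) problems.push(`SOL ${amount} exceeds spend + fee buffer ${allowedSol}`);
    } else if (!(asset in expected)) {
      problems.push(`${asset} is in the wallet but plays no part in this transaction`);
    } else if (amount > expected[asset]) {
      problems.push(`${asset} ${amount} exceeds the ${expected[asset]} you intend to send`);
    }
  }
  // The transaction must also be fundable, otherwise the wallet is simply misloaded.
  for (const [asset, amount] of Object.entries(expected)) {
    if ((holdings[asset] ?? 0n) < amount) problems.push(`not enough ${asset} to send ${amount}`);
  }
  return { safe: problems.length === 0, problems };
}

// Constructed scenarios mirroring the article's examples (NFT names are placeholders).
const usdc = (n) => BigInt(n) * 1_000_000n; // USDC has 6 decimals
const SCENARIOS = {
  mintClean:      { holdings: { SOL: 2_010_000_000n }, expected: { SOL: 2n * LAMPORTS_PER_SOL } },
  mintTooMuch:    { holdings: { SOL: 3n * LAMPORTS_PER_SOL }, expected: { SOL: 2n * LAMPORTS_PER_SOL } },
  mintPlusNft:    { holdings: { SOL: 2_010_000_000n, 'NFT:example-1': 1n }, expected: { SOL: 2n * LAMPORTS_PER_SOL } },
  sendUsdc:       { holdings: { SOL: 5_000_000n, USDC: usdc(100) }, expected: { USDC: usdc(100) } },
  stakeOneNft:    { holdings: { SOL: 5_000_000n, 'NFT:example-1': 1n }, expected: { 'NFT:example-1': 1n } },
  stakeWithExtra: { holdings: { SOL: 5_000_000n, 'NFT:example-1': 1n, 'NFT:example-2': 1n }, expected: { 'NFT:example-1': 1n } },
};

function runScenario(name) {
  const { holdings, expected } = SCENARIOS[name];
  return checkWalletBeforeSigning(holdings, expected);
}
```

Run `runScenario('mintPlusNft')` and the single problem it reports is the NFT that has no business being in the wallet; `mintClean`, `sendUsdc` and `stakeOneNft` come back safe.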
Final thoughts
Even when something is super hyped or a well-known person is promoting it, you should not let your guard down. It doesn’t make things any less risky. They could have been hacked, or could have finally decided to “monetize” their influence.
Security is a practice, a habit. Even the big accounts get hacked; you’ve all seen it. Blindly trusting anyone or anything is how you get caught that “one time”. And one time is all it takes.
There is no way to warn you about all the possible ways bad actors will try to scam you. Even if you get warned about 100 different scam variations, there is always a 101st.
That’s why I feel we are, more often than not, approaching this topic in the wrong way. The way to maximize the chances of someone staying safe and employing all the best security practices isn’t to warn them about 100 different scams and give them a list of do’s and don’ts. The only way to achieve that is to teach them how things actually work and why something represents a risk.
It’s only when someone understands why they should, or shouldn’t, be doing something that they are able to recognize new risky situations and be ready to react.
But teaching non-technical people about a lot of these topics is extremely hard. The attention span and motivation of the majority of crypto participants work against you, and you’re often going to get more praise if your advice is as short as possible. And of course, it’s very hard to pack a full ELI5 into a Twitter thread.
For some time now I have had an idea of how to explain wallets on a blockchain to someone with zero technical knowledge, and I finally think I have all the metaphors that would help.
That being said, for this article I clearly went against my own theory and tried to give the DOs and DON’Ts. This is because this experiment showed that even a quick fix, applied as soon as possible, can actually help.
I want to try explaining the “complicated” things to non-techy people in a way that lets them really understand how things work and learn to recognize the risks themselves. If these articles manage to find an audience, I will circle back and give it a shot.
I also did promise to cover the aftermath of the experiment as well as the lessons on the psychological side, so that’s what you can expect first in the next articles.
Hope to see you in the next one.