Hash (SHA1) of this article: 05a781b25abc366c97599482bec90e2314d10a2e346db9fc2c29f9acd07fcb1c
No.: PandaLY Security Knowledge No.051
After November, BTC continued to hit new highs, and Solana's meme coin swept the crypto market. When the bull market came, on-chain projects, airdrops, and dogfights emerged in an endless stream. If you want to participate in them, you need to transfer assets from the exchange to the chain. It is very important that the assets in the exchange are just fields in the database and have nothing to do with the chain. The exchange endorses the security of the assets. After the assets are withdrawn to the real web3 wallet, the assets will not be subject to any supervision, and you must be fully responsible for the security of the assets on the chain.
Therefore, as your wallet becomes more and more valuable, the probability of being noticed by hackers will become higher and higher. How to choose from a wide variety of wallets and how to protect your on-chain assets from being violated in a bull market become crucial issues.
Wallet Type:
There are a dizzying variety of wallets on the market. Essentially, wallets can be divided into two categories:
- Hot wallet (software wallet)
A hot wallet is a crypto wallet that is always connected to the internet. It can be a web-based, mobile device, or desktop application. A hot wallet stores your private keys and users authorize and execute transactions through the wallet interface.
For example, the common plug-in wallets represented by metamask, exchange hot wallets represented by okx web3 wallet, node wallets, smart contract wallets, multi-signature wallets, and paper wallets.
- Cold wallet (hardware wallet)
A cold wallet is an encrypted wallet that does not interact with the Internet. The private key is stored in hardware. When the user needs to sign, he or she can pass the message to the hardware wallet by connecting to the computer and obtain the signed data.
For example, Ledger cold wallet and OneKey cold wallet.
Advantages and disadvantages of wallets:
Plugin wallet:
The plug-in wallet is the wallet we use most often, but it is also the wallet with the highest risk.
The plug-in wallet is famous for its convenience and speed. In any project, you only need to use wallet connect to connect the signature. Whether it is participating in airdrops, staking, or financial management, it is the most convenient choice.
But wallet connect is a double-edged sword. When we operate it frequently, we may ignore its authorization content and most of the time we just glance over it, which often leads to big mistakes.
Plugin wallets are also very easy to be monitored. When the plugin wallet is importing or generating private keys, it will be monitored by the implanted virus, which can easily get your private key from the clipboard or screen.
The untrustworthiness of developers is also an important issue. Although the codes of most plug-in wallets are open source, there is no way to completely rule out the possibility that developers have left backdoors or frozen accounts.
Exchange web3 wallet:
The wallet in the exchange will further improve security. First, because its application scenario is on the mobile phone, it eliminates the risk of wallet connect. You will not lose your key by clicking on certain websites easily. Secondly, most exchanges will have sufficient risk warnings in your upcoming signature to avoid losses as much as possible.
Although the web3 wallet in the exchange has advantages over the plug-in wallet, it still faces the problem of private key management.
For example, you cannot lend your mobile phone to others easily. If your mobile phone is lost, you must be prepared to lose your private key. Even your iCloud and Google cloud accounts in your mobile phone cannot be easily shown to others, because many App wallets will back up private keys in the cloud.
Cold wallet:
The cold wallet isolates the private key through hardware and completes the signing mode in the hardware, achieving complete private key security and signature security.
Compared with hot wallets, the advantages of cold wallets are obvious. You no longer have to worry about network attacks or the loss of private keys.
Cold wallets seem perfect, but they also have flaws. Cold wallets are not convenient. They are often the size of a USB flash drive or a mobile hard drive, which is very inconvenient to carry and transfer. If there is temporary work, it may not be able to complete it.
Similarly, cold wallets are also easy to lose due to their size. If lost, it means they will definitely be lost. Hardware wallets do not have any backup.
Multi-Signature Wallet:
Multi-signature wallets generally refer to wallets that require multiple key authorizations to sign. They are generally divided into two types: one is an off-chain solution, and the other is an on-chain solution. Some chains natively support multi-signature accounts, such as TRON and BTC.
The multi-signature scheme on the chain generally uses smart contract wallets, also called AA wallets. As the name suggests, it is a wallet that implements multi-signature on the chain through smart contracts on the chain. It specifies within the smart contract which EOA accounts or contract accounts can be used as part of controlling the AA wallet, which is also the n of m model.
The advantage is that it solves the single point failure problem, and the wallet is no longer controlled by a single private key. In addition, the program is on the chain in the form of a smart contract, which is public, stable, and tamper-proof. However, the disadvantage is that because it is on the chain, the transaction fee will be greatly increased when conducting transactions, which will be 10 times that of an ordinary EOA account.
Off-chain multi-signature wallets generally use cryptographic solutions to shard private keys, which is called MPC (Secure Multi-Party Computation) wallets. The MPC solution can eliminate private keys and eliminate the worry of managing private keys. It is mainly achieved through two specific solutions.
MPC-SSS
SSS (Shamir's secret sharing) successfully avoids single point failure by splitting the private key into n of m pieces, with a total of m pieces, of which n pieces are enough to complete the signature. As long as no more than n pieces are lost, the account can still sign. In addition, the SSS solution takes into account the characteristics of being light and fast. For example, the MPC wallet in OKX's web3 wallet uses the SSS solution.
However, the SSS mode has a fatal flaw. When signing, we need a place to reorganize the private key. This place or the server is a major risk point and must be kept safe.
MPC-TSS
TSS (Threshold Signature Scheme) successfully solves the defects of the SSS mode based on SSS, and truly realizes distributed key generation and distributed signature.
The same distributed signature will bring a lot of computing pressure, the signing speed and hardware requirements are very high, and signing on the mobile terminal becomes very difficult.
Some of the more well-known wallets include Zengo, Fireblocks, and Coinbase.
Conclusion
Every wallet has its own advantages and disadvantages. The most important thing is to understand the main function of each wallet and know what your needs are for a wallet.
The function of the plug-in wallet is to put in a small amount of money to participate in some short-term and fast-paced projects, as the forefront of the blockchain.
The function of the exchange wallet is to facilitate swaps, pledges, etc., and it will also be more secure, serving as an important transit station for the blockchain.
Cold wallets and multi-signature wallets are more for ensuring the security of funds. They are very suitable for storing large amounts of funds and serve as the back-end command post in the blockchain.
Making money in the cryptocurrency world is fun, but getting your wallet stolen is a disaster. The issue of fund security has to be listed as the top priority of all operations.