Security in Web3

Never share it. We cannot stress this enough.

Tricking web3 denizens into handing over or exposing their SRP is one of the most lucrative ways scammers operate. Always be extremely wary of anyone that asks you for it. MetaMask certainly won’t.

By no accident, the other main attack vector also involves capitalizing on the risks of self-custody. It revolves around how you use your MetaMask wallet to give permissions to decentralized applications (dapps) you interact with.

As we explored in the What is a Crypto Wallet lesson, your wallet is fundamentally a tool for managing your identity and permissions. Once you’ve used your wallet to sign permissions over to a third party, they have your immutable consent to do whatever it is they requested. This is why you should be very, very careful when handing out permissions.

One of the most common permissions you’ll sign in MetaMask is a token approval. These transactions come in many forms, but generally give the requesting dapp permission to access a given number of tokens or NFTs. Infamously, long hexadecimal numbers and code are not particularly human-readable, which gives scammers a foot in the door: it’s easier to compel you to approve a malicious transaction if you don’t understand what it entails. Another common tactic is to ask for unlimited access to a token, so once approved, the dapp can remove as much as it pleases from your account since technically, it was granted permission to do so. If the dapp is malicious, your account is drained.

Approvals and permissions are a complex, developing topic. However, if there’s one thing you should remember, it’s this: never approve a transaction proposed by a suspicious dapp, and if you’re unsure, don’t give them unlimited access to a token.

To read up more on token approvals, see the resources under Dive deeper.

Self-custody means you need to implement your own security. No one else can do that for you. No one can back up your account if you lose access to it or retrieve your funds for you if your tokens are stolen. Just you and whoever else has access to your Secret Recovery Phrase (SRP). It’s a big responsibility, but one you have the honor of learning about and experiencing as web3 takes root worldwide.

MetaMask prioritizes user security above all else; you can see this in the usage of the wallet itself, where warnings are provided when you’re about to do something dangerous; in the development of tools like LavaMoat, ensuring the safety of the code itself, and educational efforts like this one. There are additional options available, as well, that add another layer of security between you and the bad guys.

Enter hardware wallets—physical devices outside of your computer that secure your accounts’ private keys. They are disconnected from other online things you typically do on your phone and laptop like check your email, download apps, and browse the internet for funny cat videos.

You can connect these hardware wallets with MetaMask for flexibility while you conduct web3 activities. Browse dapps with MetaMask, and sign transactions on your hardware wallet.

Combining hardware wallets with MetaMask (a software wallet), allows you to enhance security as you wield more responsibility in your self-custody journey.

Strengthen your practical security knowledge and gauge your understanding of hardware wallets in this informative Ledger Quest.