⚠️ Safety tips for Ethereum

Ethereum is a new technology, which makes it a target for scammers and fraudsters. Follow these checklists to stay safe while using Ethereum.

Wallet security

  • Remember: Wallets store keys, not coins. Private keys in particular should be understood and guarded like cash.

Hottest of wallets (those connected to the internet)

  • Web-based wallets: Private keys are stored on the hard drive and readily accessible by a web browser or extension.
  • Desktop wallets: Private keys are stored as a computer file.
  • Mobile wallets: Private keys are stored in phone storage. Generally less susceptible to malware, but they come with vulnerabilities similar to those of desktop wallets.
    • These wallets can be helpful for those new to the space, those who cannot afford a cold solution, or those in need of high levels of convenient access to funds.
    • Ideally these wallets are avoided in favor of hardware wallets for any significant amount of funds, and especially for any funds that are being held onto longer term.

Coldest of wallets

  • Hardware wallets: Private keys are stored on a dedicated device with intermittent or no connection to the internet. Generally accepted as best practice for security among the cryptocurrency community.
    • "Air-gapped" hardware wallets offer an additional layer of protection by having absolutely no means of connecting directly to the internet, wired or wireless.
    • Read more about digital signatures
  • Paper wallets: The private key is stored on physical paper, or a comparable medium. This is the coldest form of storage if the key is generated and printed securely, but it is massively inconvenient to use any of the funds, and the key cannot be guarded with an additional pass phrase. Not recommended, as there is a high probability of losing access to these funds for a variety of reasons.

The double-edged sword of a permanent immutable decentralized ledger

  • Once a signed, valid transaction is transmitted to the network and included in a block, the state of the network has been permanently changed, therefore...
  • Transactions are irreversible
  • ALWAYS double check the address you are sending to
  • NEVER give out your private keys
  • Protect all wallets with a PIN, password or ideally pass phrase (make it strong)

Dapp security

  • Always check the URL bar when using a dapp. Scammers often use domain names that are very similar to those of well-known products, such as `metamsk.com` or `cwrve.fi`.
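An added example (not code from the original page) of the check a defender can automate for the lookalike domains above: compare the registrable part of a hostname against an allowlist and flag anything within a couple of character edits of a known domain. The allowlist and hostnames below are constructed for illustration.

```python
# Added example: flag dapp hostnames that are a one- or two-character edit
# away from a known-good domain. KNOWN_GOOD is a constructed allowlist.
from typing import Optional, Tuple

KNOWN_GOOD = ["metamask.io", "curve.fi", "uniswap.org"]  # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts/deletes/substitutions from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> Optional[Tuple[str, str]]:
    """Return (second-level label, 'label.tld'), ignoring subdomains.

    Simplification: assumes a one-label public suffix (.com, .io, .fi);
    multi-label suffixes such as co.uk are not handled here."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], ".".join(labels[-2:])


def classify(host: str, known=KNOWN_GOOD, max_edits: int = 2) -> Tuple[str, Optional[str]]:
    """'known' (exact allowlist match), 'lookalike' (near miss), or 'unknown'."""
    parsed = registrable(host)
    if parsed is None:
        return "unknown", None
    sld, domain = parsed
    best = None
    for good in known:
        good_sld, good_domain = registrable(good)
        if domain == good_domain:
            return "known", good
        d = edit_distance(sld, good_sld)
        if d <= max_edits and (best is None or d < best[0]):
            best = (d, good)
    return ("lookalike", best[1]) if best else ("unknown", None)
```

A "lookalike" verdict is a reason to stop and compare the address character by character, not proof of fraud; legitimate subdomains of allowlisted products pass as "known".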

Social media and community platforms

  • When it sounds too good to be true, it usually is
  • YouTube scams are abundant, and come in many forms
  • Vitalik and other members of prominent crypto companies will never ask you for ETH or endorse "giveaways" of any kind

Asymmetric Giveaways

  • Any claim that free ETH is being given away should be met with extreme scrutiny.
  • Asymmetric giveaways are a common means to trick users into sending a certain amount of ETH to an address with the promise that you will get double or triple that amount of ETH in return.
  • These are often conducted by hacking legitimate, well-established YouTube accounts and rebranding them as forgeries of a prominent community organization to give the appearance of legitimacy.
  • Sending ETH is irreversible, and there are no centralized authorities that can change this. Sending your ETH to one of these addresses will result in permanent loss of funds.

The Trusted Expert

  • YouTube comments are littered with scammers trying to get you to talk to them off the YouTube platform, who prey on people who have lost crypto in some form or another in the past.
  • Comments claiming that they, or an "expert" they know, can get your lost funds back, or teach you how to trade your way to success, are almost certainly dishonest, as nobody is capable of returning lost funds except the recipient who now possesses the private keys.
  • Common setup: A cryptocurrency-related YouTube video will have a comment that has been surfaced to the top by the algorithm because a disproportionate number of people have upvoted it. These are dummy accounts run by the same person, creating the illusion of a comment being trusted by the community. This comment is usually fairly long, and is followed by several replies, which mix in dummy accounts claiming they have lost money and someone else claiming they can help. This is all orchestrated to gain your trust and give the illusion of legitimacy. Inevitably a phone number is offered, usually broken up by spaces to keep YouTube from spotting it. Never contact such numbers.

Eth2 and staking

  • Staking security begins when you generate your seed phrase (mnemonic) using the deposit contract tool
  • Staking should only ever go through the official launchpad product.
  • Always double check the contract address.
  • Most common cause of slashing: double votes. Host your validating keys in one place! Running a backup validator with a copy of your validator key can result in a slashable event, loss of a portion of your ETH stake, and ejection as a validator.
  • Secure your 24-word seed phrase! This is the most critical piece of information to keep private and safe, and gives you full access to your staked ETH.
  • Avoid staking too much. ETH will not be withdrawable until at least Phase 1.5 which is estimated as early as 2022.
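An added example (not code from the original page or from any client) of the slashing-protection logic that makes the double-vote point above concrete: a validator keeps a history of what it has signed and refuses conflicting attestations, and a backup host with its own separate history gives no such protection. Epoch numbers and signing roots are constructed.

```python
# Added example: minimal slashing protection for attestations. Refuses double
# votes (same target epoch, different data) and surround votes. Constructed data.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Attestation:
    source_epoch: int
    target_epoch: int
    signing_root: str  # digest of the attestation data (constructed hex)


class SlashingProtection:
    """Per-key record of signed attestations; consulted before every signature."""

    def __init__(self) -> None:
        self.signed: List[Attestation] = []

    def check(self, att: Attestation) -> str:
        if att.source_epoch >= att.target_epoch:
            return "invalid"
        for prev in self.signed:
            # Double vote: a different attestation for an already-voted target epoch.
            if prev.target_epoch == att.target_epoch and prev.signing_root != att.signing_root:
                return "double vote"
            # Surround votes: one span strictly contains the other.
            if att.source_epoch < prev.source_epoch and att.target_epoch > prev.target_epoch:
                return "surrounds previous"
            if prev.source_epoch < att.source_epoch and prev.target_epoch > att.target_epoch:
                return "surrounded by previous"
        return "ok"

    def sign(self, att: Attestation) -> str:
        verdict = self.check(att)
        if verdict == "ok":
            self.signed.append(att)  # persist before the signature leaves the host
        return verdict


def backup_validator_scenario() -> List[str]:
    """Same key on two hosts with separate histories: each happily signs its own
    view of epoch 5, producing a slashable double vote between them."""
    primary, backup = SlashingProtection(), SlashingProtection()
    view_a = Attestation(4, 5, "0xaaaa")  # primary's view of epoch 5
    view_b = Attestation(4, 5, "0xbbbb")  # backup followed a different head
    return [primary.sign(view_a), backup.sign(view_b), primary.sign(view_b)]
```

Only the third verdict, where both attestations pass through one shared history, catches the conflict; the first two signatures together are exactly the double vote the checklist warns about.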

Testnet Practice

  • Practice first on a testnet! When setting up a validator for the first time, spend at least 1 month on the public testnet and focus on maintenance until you feel comfortable. Use this time to learn from the challenges you encounter and any mistakes you made, to maximize your chances of mainnet success!
  • Try different clients. Increased client diversity increases the security of the entire network, and it also helps limit the impact and penalties of client-related issues. Target the 2nd or 3rd most popular client and learn how to migrate between them.

Be aware of a few basic attack vectors

  • Programs running on your computer that can do malicious things. The solution to this is to only run the required software packages and nothing more.
  • Port security: malicious network actors can try to connect to open ports on your machine.

Ways to reduce this attack surface

  • Don't install unnecessary programs on your staking server. These programs may accept incoming connections and expose a vulnerability.
  • Use a LAN firewall. These are very common and you probably already have one even if you don't know it. This isn't strictly necessary, but it can protect your network. You should only open a few ports in your LAN firewall. In the case of staking, common ports are 9000, 12000, 13000, and 30303.
  • Set up a firewall on your staking machine. The most common firewall is ufw (uncomplicated firewall). It is good practice to use a firewall for your whole LAN and a firewall on each computer in that LAN.
  • Change the default SSH port and/or don't open your SSH port for remote access. On an otherwise secured machine, remote SSH access is the biggest vulnerability. While SSH can be safely administered and secured, the best practice is simply not to open the SSH port for remote access through your home firewall. This means that machines on your local network can connect through SSH, but machines on the Internet will not be able to connect to SSH.

🔒 Strong Passwords

  • DON'T pick your own words or numbers (humans are poor at generating randomness)
  • DO use a password manager to generate as long and random a password as allowed, and save it for you
  • Use a password manager that has browser integration and syncs to all required devices. Utilize auto-fill or copy/paste techniques whenever possible.
  • Protect this password manager by one strong master password
  • Since this is the only password you should need to enter manually and regularly, it should be human readable and easy to remember, while maintaining a proper level of protection against attack. A custom mnemonic phrase is a recommended solution.
  • This mnemonic is completely separate from a wallet mnemonic, but uses the same principles to create a strong and memorable pass phrase that is still difficult to attack.
  • Even 4 truly random words simply separated by spaces can produce enough entropy to keep a dedicated computer busy guessing your pass phrase for well over 100 years, yet you'll be able to quickly and confidently memorize these words after you have entered them a few times.
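An added example (not code from the original page) that works through the entropy arithmetic behind the "4 truly random words" advice: bits per word from the wordlist size, expected guessing time at an assumed attacker rate, and word selection from the OS CSPRNG rather than a human. The 7776-word list size, the guess rates and the short demo wordlist are assumptions.

```python
# Added example: entropy and expected crack time of a random-word pass phrase.
# Wordlist size and attacker rates are assumed parameters, not measurements.
import math
import secrets
from typing import Dict, List, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess: on average half the keyspace is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second / SECONDS_PER_YEAR


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches `target_bits` from the given list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist: List[str], words: int = 4) -> str:
    """Choose words with the OS CSPRNG (secrets), never random.choice or by hand."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def strength_table(words: int = 4, wordlist_size: int = 7776) -> Dict[str, Tuple[float, float]]:
    """(bits, expected years) at two assumed attacker rates: a rate-limited
    online login versus an offline attacker with a fast, unsalted hash."""
    bits = passphrase_bits(words, wordlist_size)
    rates = {"online 1e3/s": 1e3, "offline 1e9/s": 1e9}
    return {name: (bits, expected_years(bits, r)) for name, r in rates.items()}
```

The offline row shows why the master pass phrase guarding a password manager vault deserves the slow key-derivation the manager provides, and a fifth word if the vault could ever be copied.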

"Password Strength" - xkcd (reformatted/shared under CC BY-NC 2.5)