Tag: Security

  • They Lost Millions by Clicking ‘Sign’ – Here’s How to Never Make That Mistake

    Picture this: You’re the treasurer of a major crypto exchange. Your phone buzzes with a notification – another routine transaction needs approval. You glance at your screen, see familiar addresses, and click “approve” without a second thought. Within minutes, millions of dollars vanish into thin air.

    This isn’t fiction. This exact scenario played out when Bybit, one of the world’s largest cryptocurrency exchanges, fell victim to a sophisticated hack executed by North Korean cybercriminals. The culprit? A signer who didn’t fully verify a transaction, leading to a critical Safe UI vulnerability that drained millions from their multi-signature wallet.

    The harsh reality is that even the most secure wallet setups can crumble with one careless click. But here’s the good news: these disasters are completely preventable when you know what to look for.

    Don’t want to be the next victim?

    Let’s walk through how to verify calldata, use multi-sig safely, and pick the right wallet for your level.

    The Wallet Hierarchy: Choosing Your Guardian

    Before diving into verification techniques, let’s address the elephant in the room: which wallet should you even use?

    Total Beginner with Small Amounts: Start with custodial wallets or keep funds on reputable exchanges. Yes, “not your keys, not your crypto” is true, but losing $100 to exchange risk beats losing $100 to your own mistakes.

    Beginner with Small Money: Browser wallets like MetaMask or Phantom work well. They’re user-friendly and perfect for learning the ropes with amounts you can afford to lose.

    Intermediate Users with Medium Amounts: Hardware wallets like Ledger or Trezor become essential. They keep your private keys offline and away from internet threats.

    Intermediate Users with Large Amounts: Combine multi-signature wallets with hardware wallets. This creates multiple checkpoints that hackers must breach simultaneously.

    Advanced Users with Significant Holdings: Multi-signature wallets with social recovery, or custom solutions. At this level, you’re building Fort Knox for your digital assets.

    For wallet comparisons and security audits, check out walletscrutiny.com – it’s like a Consumer Reports for crypto wallets.

    Hot vs Cold Wallets

    Hot wallets stay connected to the internet (MetaMask, Phantom, and mobile apps). They’re convenient for daily transactions but vulnerable to online attacks.

    Cold wallets remain offline (Ledger, Trezor hardware devices). They’re like keeping cash in a physical safe, much harder to steal remotely.

    Important:

    Even a cold wallet becomes hot if you connect it to a Safe multi-sig UI!

    Always be aware of when you’re online vs offline

    Verifying Simple Transactions: Your First Line of Defense

    When using MetaMask or similar wallets, you’ll sometimes see transaction details that look like gibberish. Don’t panic, here’s how to decode them:

    Check These Three Things:

    1. Estimated changes – What’s actually moving in and out of your wallet
    2. The “to” address – Where your money is going
    3. Hash data – The first 4 bytes reveal the function being called

    For example, if you see “0xa9059cbb” in your transaction data, you can decode it using Cast (a developer tool):

    cast sig "transfer(address,uint256)"

    This returns the function selector you can compare against your transaction. If they match, you’re calling a transfer function. If they don’t match, stop immediately.

    To verify the specific parameters of a transfer:

    cast calldata-decode "transfer(address,uint256)" <CALLDATA>

    where <CALLDATA> is the hex data shown in your wallet’s transaction details.

    This shows exactly where your tokens are going and how many.

    Multi-Sig Transactions: Where Things Get Complicated

    Multi-signature wallets require multiple people to approve transactions before they execute. Think of it like a shared bank account where both you and your spouse need to sign checks for large purchases.

    Critical Point: A signature request is NOT the same as a transaction request. You’re not sending money yet, you’re just adding your approval to a pending transaction.

    How to Verify a Multi-Sig Transaction

    Step 1: Install the Right Tools

    Get Cyfrin’s Safe_hashes tool from GitHub:

    https://github.com/Cyfrin/safe-tx-hashes?tab=readme-ov-file#curl

    This tool decodes Safe transactions into a human readable format.

    Step 2: Run the Verification Command

    safe_hashes --address <SAFE_ADDRESS> --network <NETWORK> --nonce <NONCE>

    If no transaction appears, add the --untrusted flag to the command above.

    Step 3: Manual Verification (Advanced)

    For complete independence from APIs, use Cast to build the calldata yourself:

    cast calldata "approve(address,uint256)" <SPENDER_ADDRESS> <AMOUNT>

    Then verify with Safe hashes:

    safe_hashes --address <SAFE_ADDRESS> --network <NETWORK> --nonce 2 --data <CALLDATA> --offline --to <TOKEN_ADDRESS>

    The Golden Rules That Could Save Millions

    Never sign and execute simultaneously. Some wallets try to streamline this process, but convenience is the enemy of security.

    Watch for operation codes. If you see “operation = 1” in your transaction, you’re looking at a DELEGATECALL – essentially giving another contract permission to act with your wallet’s full authority. This is extremely dangerous and should only be used in very specific circumstances.

    Always verify these three elements before any signature:

    • The destination address (where is this going?)
    • The function selector (what action is being performed?)
    • The value or amount (how much is involved?)

    Why This Matters More Than Ever

    The Bybit hack wasn’t an isolated incident. Similar attacks happen regularly because people skip verification steps. The difference between a secure transaction and a devastating hack often comes down to spending 30 seconds to verify what you’re actually signing.

    Remember: in the world of cryptocurrency, there’s no “undo” button. Once a transaction is confirmed on the blockchain, it’s permanent. The few minutes you spend verifying could be the difference between protecting your assets and reading about your loss in tomorrow’s crypto news.

    The tools and techniques outlined here aren’t just for crypto professionals – they’re for anyone who values their digital assets enough to protect them properly. Start with the basics, build good habits, and gradually level up your security practices as your holdings grow.

    TL;DR

    1. Pick the right wallet for your level
    2. Always verify the transaction before signing, especially calldata
    3. Never trust the UI blindly
    4. Use Safe_hashes or Cast for decoding
    5. Multi-sig ≠ automatic safety

    One wrong click can empty your wallet. Take 30 seconds and verify, your future self will thank you.

  • Meet Patrick Collins: Securing Web3, Educating and Onboarding Builders

    In the fast-changing world of Web3, some people really stand out. They bring clear ideas, deep knowledge, and a true passion for building a better digital future. Patrick Collins is definitely one of these important people. As a top smart contract engineer, a dedicated teacher, and a key leader at Cyfrin, he’s not just watching new digital technologies grow, he’s actively helping to shape them.

    Patrick’s path into Web3 shows how important it is to be curious, keep going when things are tough, and truly want to make this new area safer and easier for everyone to use. From his early days figuring out how to put information onto the blockchain to his current work leading the way in blockchain security and teaching, his journey offers valuable lessons for both experienced people and those just starting out.

    At Cyfrin, Patrick and his team are working on some of the biggest challenges in Web3 today. They make sure smart contracts are strong and reliable, and they help train the next group of skilled developers and security experts. Their work not only protects big companies in the industry but also helps individuals through thorough, often free, learning programs like Cyfrin Updraft.

    This interview is a special chance to hear directly from Patrick Collins. We’ll talk about his personal story, the important moments that shaped his career, and his honest advice for navigating the exciting but sometimes difficult world of Web3. Get ready to learn from someone who truly believes in the power of decentralized technology and is working hard to make it all happen.

    The Interview: Patrick Collins on His Web3 Journey

    1. Tell us a bit about yourself.

    Patrick Collins: I’m Patrick Collins. I’m from MA in the United States. I’m working on making Web3 more secure with security and educational initiatives as a part of Cyfrin.

    2. What were you doing before Web3?

    Patrick Collins: Before Web3, I worked as a software support engineer at an asset manager, and as a Devrel at a stock data company.

    3. How did you first hear about Web3?

    Patrick Collins: I heard about Web3 first when I had heard about Chainlink and how they wanted to “get financial data on chain” which sounded bizarre to me. At the time, crypto was just like “bitcoin” and it didn’t make sense to me to “put data into bitcoin.”

    4. What was your first step into the space?

    Patrick Collins: I went to the ETH Denver hackathon and spent the hackathon learning Solidity.

    5. What was one big challenge you faced early on?

    Patrick Collins: Getting started in general was confusing. I didn’t know who to trust, what was good vs bad Web3, there were so many competing narratives. One in particular was if using “send”, “transfer”, or “call” on moving ETH. Why are there 3 functions?

    6. What helped you push through?

    Patrick Collins: My curiosity more or less. I thought the tech was sooooo cool and I just wanted to learn more.

    7. What are you most proud of so far in your journey?

    Patrick Collins: Cyfrin. Everything we’ve done so far, and everything we are going to do. We not only secure some of the largest companies in the industry, but we onboard some of the best people through our security education, and make the whole industry better in safer ways.

    8. Any major failure or learning moment?

    Patrick Collins: I fail all the time. Get better and move on. One of my favorite learnings was, I had some feedback that my videos were obnoxious and ruining the brand of the product I was promoting. That I needed to be more boring ‘cuz “devs like boring.” So I made two videos of the same content, one “boring” and one ridiculous. To this day, the ridiculous one has performed over 20x better than the boring one.

    9. What advice would you give to someone just starting out in Web3?

    Patrick Collins: Go to Cyfrin Updraft, compete on CodeHawks, and you’ll be set up for success.

    10. Where can people find or follow your work?

    Patrick Collins: X – @PatrickAlphaC and @patrickalphac on YouTube.

    11. Any advice you would like to share with builders and learners?

    Patrick Collins: Understand why you want to do what you do. Write it down. So that when things get hard, you can remember why you’re doing it and push through.

    It’s truly inspiring to see how Patrick Collins started his journey in Web3. His dedication to sharing knowledge through educational resources has helped thousands of individuals kickstart their careers in Web3. Furthermore, his ongoing efforts are adding immense value to the Web3 space by assisting companies in making their products secure and, as always, helping many across the globe with Cyfrin Updraft’s educational initiatives.