Foreword

Blockchain is a great invention. It has changed certain relations of production and partially solved the precious problem of trust. The reality, however, is harsh: there are many misunderstandings in people's understanding of blockchain, and these misunderstandings let bad actors easily take advantage of loopholes and reach into people's wallets, causing heavy financial losses. This is already a dark forest. Because of this, Yu Xian, founder of SlowMist Technology, put all his effort into writing the Blockchain Dark Forest Selfguard Handbook.

This handbook (currently V1 Beta) runs to about 37,000 words. Due to space limitations, only the key directory structure of the handbook is listed here, which can be regarded as a guide.

OK, the introductory reading begins...
Primer

In the blockchain dark forest world, first keep the following two security rules in mind:

Zero Trust: simply put, remain skeptical, and remain skeptical at all times.
Continuous verification:
Key content

1. Create a wallet

1. Find the correct official website
 a. Google
 b. Well-known collections in the industry, such as CoinMarketCap
 c. Ask more trustworthy people
2. Download and install the app
 a. PC wallet: it is recommended to verify that the download has not been tampered with (file consistency verification)
 b. Browser extension wallet: pay attention to the number of users and the ratings on the extension's download page
 c. Mobile wallet: judge it in the same way as an extension wallet
 d. Hardware wallet: buy through the sources given on the official website, and check for any signs of tampering
 e. Web wallet: using this kind of online wallet is not recommended

Mnemonic Phrase
When creating a wallet, the moment the mnemonic phrase appears is very sensitive. Make sure there are no people, cameras, or anything else around you that could allow peeping. At the same time, check whether the mnemonic looks random enough.

Keyless
1. Two major scenarios of Keyless (the distinction is made here for ease of explanation)
 b. Non-Custodial: the user holds something with power similar to a private key, but it is not directly the cryptocurrency private key (or mnemonic)
2. Advantages and disadvantages of the MPC-based Keyless solution
2. Backup wallet

Mnemonic/private key types
1. Plain text: mainly 12 English words
2. With password: once the mnemonic is combined with a password, you get a different seed. This seed is used to derive a series of private keys, public keys and corresponding addresses
3. Multi-signature: it can be understood as the target funds needing authorization from multiple people before they can be used. Multi-signature is very flexible, and approval policies can be set
4. Shamir's Secret Sharing: Shamir's secret sharing scheme splits the seed into multiple fragments; when restoring the wallet, a specified number of fragments is required

Encryption
1. Multiple backups
 a. Cloud: Google/Apple/Microsoft, combined with GPG/1Password, etc.
 b. Paper: copy the mnemonic (in plain text, SSS form, etc.) onto a paper card
 c. Device: computer/iPad/iPhone/portable hard drive/USB flash drive, etc.
 d. Brain: be aware of the risks of relying on memory (forgetting/accidents)
2. Encryption
 b. Partial verification can also be used
 c. Pay attention to the confidentiality and security of the verification process
3. Use wallet

AML
1. On-chain freezing
2. Choose a platform or individual with a good reputation as your counterparty

Cold Wallet
1. How to use the cold wallet
 a. Receive cryptocurrency: pair with a watch-only wallet, such as imToken, Trust Wallet, etc.
 b. Send cryptocurrency: QR code/USB/Bluetooth
2. Cold wallet risk points
 a. Lack of a "what you see is what you sign" user-interaction security mechanism
 b. Users lack the relevant background knowledge

Hot Wallet
1. Interact with DApps (DeFi, NFT, GameFi, etc.)
2. Ways malicious code or backdoors do evil
 a. While the wallet is running, the malicious code directly packages and uploads the mnemonic phrase to a server controlled by the attacker
 b. While the wallet is running, when the user initiates a transfer, information such as the target address and amount is secretly replaced in the wallet's background, and it is hard for the user to notice at that point
 c. Sabotaging the random-number entropy used for mnemonic generation, making those mnemonics easier to crack

What exactly is DeFi security
1. Smart contract security
 a. Excessive authority: add a time lock (Timelock)/multi-sig admin, etc.
 b. Gradually learn to read security audit reports
2. Blockchain basic security: consensus ledger security/virtual machine security, etc.
3. Front-end security
 a. Insider evil: the target smart contract address in the front-end page is replaced, or an authorization phishing script is implanted
 b. Third-party evil: evil in the supply chain/third-party remote JavaScript files included by the front-end page are malicious or have been hacked
4. Communication security
 a. HTTPS security
 b. Example: the MyEtherWallet security incident
 c. Security solution: HSTS
5. Human security: what if the project team itself does evil
6. Financial security: token price, annualized yield, etc.
7. Compliance security
 a. Contents related to AML/KYC/sanctioned-region restrictions/securities risk, etc.
 b. AOPP

NFT security
1. Metadata security
2. Signature security

Signatures with care / Signatures against common sense
1. What you see is what you sign
2. Several well-known NFT theft incidents on OpenSea
 a. The user authorizes an NFT on OpenSea (a pending order, i.e. a listing)
 b. Attackers obtain the relevant signatures from users through phishing
3. Cancel authorization (approve)
 a. Token Approvals
 b. Revoke.cash
 c. APPROVED.zone
 d. Rabby extension wallet
4. Real cases that defy common sense

Some advanced attacks
2. Widespread phishing
3. Combining XSS, CSRF, reverse proxy and other techniques (such as the Cloudflare man-in-the-middle attack)
4. Traditional privacy protection

Operating system
1. Pay attention to system security updates, and act immediately when one is available
2. Do not run programs carelessly
3. Set up disk encryption

Cell phone
1. Pay attention to system security updates and downloads
3. Do not download apps from unofficial app stores
4. The precondition for using the official cloud sync: you are sure your account security is fine

Network
1. Try to choose a safe network, e.g. do not connect to unfamiliar Wi-Fi
2. Choose routers and operators with a good reputation, don't be greedy for small gains, and hope there is no advanced malicious behaviour at the router or operator level

Browser
1. Update promptly
2. Do not install extensions unless necessary
3. Multiple browsers can coexist
4. Use well-known privacy-preserving extensions

Password manager
1. Don't forget your master password
2. Keep your email safe
3. 1Password/Bitwarden, etc.

Two-factor authentication
Google Authenticator/Microsoft Authenticator, etc.

Scientific Internet
Scientific Internet, safe Internet

Email
1. Safe and well-known: Gmail/Outlook/QQ Mail, etc.
2. Privacy: ProtonMail/Tutanota

SIM card
1. SIM card attacks
2. Defense recommendations
 a. Enable well-known 2FA tools
 b. Set a PIN code

GPG
1. Distinguish
 a. PGP is the abbreviation of Pretty Good Privacy. It is commercial encryption software, released more than 30 years ago and now under Symantec's umbrella.
 b. OpenPGP is an encryption standard derived from PGP
 c. GPG, full name GnuPG, is open-source encryption software based on the OpenPGP standard

Isolated environment
2. Good isolation habits
3. Privacy is not for protection, it is for control

Telegram
Discord
Phishing from the "official" side
Web3 privacy concerns
Stealing coins, malicious mining, ransomware, dark web transactions, C2 relays for Trojans, money laundering, Ponzi-style fund schemes, gambling, etc.
SlowMist Hacked: blockchain hacked archives
7. What to do if stolen
Stop the loss first
Protect the scene
Trace the source
Close the case
8. Misunderstandings
Code Is Law
Not Your Keys, Not Your Coins
In Blockchain We Trust
Update immediately

Summary