Collecting and creating NFTs is a wonderful way to engage in the web3 digital economy. NFTs range from digital, art, music, memberships, proofs of attendance, profile pictures and much more. While NFTs are typically safe to buy, store, and trade due to records of ownership and authenticity residing on the blockchain, it is always important to be security conscious and adhere to a few key safeguards to ensure you maintain custody over your digital assets.
NFT enthusiasts, collectors, creators, and beyond should follow this non-exhaustive list of security recommendations to stay safe from loss or theft of their collectibles.
DYOR
You may already be familiar with the acronym DYOR (do your own research), this is particularly key in the cryptocurrency and NFT space. Please be aware that any transaction you do make is final, and immutable, and cannot be refunded. It is important to recognize that the NFT you purchase may be illiquid with no guarantee of being able to sell it after purchase. Therefore, it is important to be prudent with your NFT buying, and trust that you are content with your decision to mint, bid on, or buy the NFT.
Phishing attempts
Phishing is whereby a user unknowingly clicks a nefarious link, allowing the phisher to access the user’s private keys, thus draining their wallet of both NFTs and other cryptocurrency holdings. Here’s how it might work:
- The fraudster sends the user a link to a fake website via a text message, email, or Discord.
- The illegitimate website looks like the real website, causing the user to let their guard down.
- The user is asked to provide the wallet recovery phrase.
- Once the user reveals their seed phrase, the attacker gets complete control over the encrypted wallet and all its holdings.
Another widespread phishing attempt is when attackers pretend to be support or offer to help users. Please note that Gamma will never ask you for your seed phrase — if we do, it’s probably a phishing attempt. Please report this immediately to support@gamma.io or on Gamma Support Twitter.
Tips to avoid being a victim of a phishing attempt:
- Never click on links you receive in DMs from strangers (we suggest limiting DMs on Discord to friends only).
- Always double check the legitimacy of a link. If it smells fishy, it probably is.
- Most NFT projects will never drop a stealth or exclusive mint — be cautious if you see this.
- Check that URLs of known sites are spelled correctly.
- Never send your seed phrase to anyone — Gamma Support and all legitimate NFT projects will never ask you for your seed phrase.
Remember to keep your seed phrase backed up and offline. We recommend keeping a few copies on hand just in case.
A note on Stacks security for some peace of mind:
Stacks’ design principles have security at the forefront. With a novel feature called “post conditions,” Stacks transactions must include limitations on what assets are transferred from your wallet or they will automatically abort (e.g. You will transfer no more than 100 STX and receive exactly 1 NFT or your transaction will roll back). If a phishing attempt tries to bypass post conditions, you will see a clear warning indicating that all of your tokens can be stolen.
For this reason, be sure to always read your transaction details to be sure you know what you’re signing. Think about it — you wouldn’t sign a contract in real life without knowing what it’s asking you to do — the same principle applies here.
Passwords
It’s imperative to use a robust password. When you create a wallet, you’ll often create a password that unlocks the wallet for your convenience. Never share this with anyone!
Tips for creating a strong password:
- Do not use the same password across different platforms.
- Use a strong password which includes a mix of upper and lower case letters, numbers, as well as special symbols.
- Avoid taking screenshots of photos of your recovery phrases.
- Do not store your seed phrase/passwords online.
Use Two-Factor Authentication
Using two-factor authentication aka 2FA is a good way to protect yourself, your NFTs, and all your internet accounts from un-authorised usage. Setting up 2FA will alert you of any attempts at logging in, providing you protection from hackers who may have guessed your passwords. Using apps like Google Authenticator or devices like Yubikey are a great way to add an extra layer of security.
Hardware Wallets
Most NFT marketplaces require/allow you to use a software wallet (hot wallet). Although hot wallets are in your own custody, they’re still connected to the internet, which exposes your private keys to some level of risk. However, they are commonly used to make regular transactions on dApps or NFT marketplaces thanks to their ease of access.
A hardware wallet (cold wallet) such as a Ledger or Trezor device (among others), stores your private keys offline and allows you to sign transactions from the privacy of your own device. For extra security, you can connect your hot wallet to a cold wallet so that if someone gets access to your hot wallet, they need your cold wallet to sign transactions. While it may be tedious to connect a hardware wallet every time you make a transaction, we recommend using one if you have large amounts of assets that need to be secured.
The Web3 and NFT space is a terrific world full of opportunity, fun, and community. While it’s important to make friends and build your community, it’s just as important to be cautious and remember to verify, not trust. Make sure you’ve taken the necessary precautions above to ensure your safety and security.
P.S. It’s important we remind you that this article was created to be educational content only and should not be taken as official guidance or legal or financial advice. We’re happy to chat about these topics, but you should always consult a lawyer, accountant, or tax advisor for any official needs.
