We recommend bookmarking this post and using it as a key resource that you can come back to if you need it, and share with friends. The main reason we believe it’s so crucial to implement these steps at the start of your journey is that preparing with foresight is far more effective than reacting after the damage may already have been done.
We hope to equip you with the tools and knowledge to safely explore this fast evolving space.
Here you’ll find practical steps to take so you can prepare for exploring web 3.
We’ll warn you about some dangerous scams, and teach you the kinds of things you’ll need to do in order to avoid getting your precious digital assets stolen or lost.
Many of these tips will also be applicable to those that are not using NFTs or cryptocurrencies yet.
Practical tips for a smoother web 3 experience:
We’ll begin with some tips on how to be safe even before you’ve started to do anything involving web 3.0. This section will ensure you’re safely using the internet and setting yourself up for a safe browsing experience.
Using a VPN protects you from people wishing to spy on the networks you use when online. This is particularly relevant if you use public WiFi, such as at airports, hotels or an internet cafe. Even on private networks, such as your WiFi at home, it's possible for people to track certain data on your network, and devices on your network can be susceptible to being hacked. A VPN encrypts the data you share when using websites and apps, so an observer on the network cannot see which sites you have connected to.
VPNs do this by creating an encrypted tunnel between your device and the VPN provider's server.
Using a VPN keeps your location private and your data encrypted, which grants you anonymity when surfing the web.
You know deep down that MickeyMouse99 or Password123 aren’t strong enough. But 7JuE9o0Byyz.1GGa looks way harder to guess, right?
We know it's so much easier to just have one password across all sites and not give it much thought, but once that password is compromised… that’s all your socials, blogs, dating sites, banking apps. Kablamo. Done. Gone.
A password manager will alert you when a password needs strengthening. It also gives you one place to store them all, so you’re not checking the notes app on every device you’ve ever owned.
Because so many sites now ask for a login, you’ve probably created a hefty number of passwords so far, and that number will keep going up. The temptation to reuse a memorable one is very real.
Once you’ve got a password manager, you won’t have to change them all in one go: each time you log into one of these accounts, you can set up a more secure password and add it to your secure password collection. All in one safe place; phew.
Try ‘LastPass’ to secure your accounts.
Now we’ll start with the most important part of web 3 to get right from the beginning, that’s learning about crypto wallet safety.
When using sites involving the blockchain, you’ll often need to sign in using your wallet. This is the wallet in which you’ll store your digital assets such as cryptocurrencies and NFTs.
There are many types of wallets, and they all have different levels of security:
Metamask: This is widely considered the most user-friendly wallet so far and is definitely the most popular. It’s used for interacting with many different blockchains, most notably the Ethereum blockchain. Many users enjoy how easy it is to use via its Chrome extension: you browse sites as normal and, when prompted, a pop-up appears for you to sign in with your wallet password.
While this is not considered the safest of wallets, once you’ve taken the security steps we suggest, it will be a good wallet to create for browsing sites and exploring the web 3 space freely.
The first thing to know when you set up your crypto wallet: if you are given a seed phrase, you should never, ever, EVER send it to anybody, online or offline. Write it down on one or more pieces of paper and hide it somewhere safe.
Your seed phrase is the only way to regain access to your wallet if you ever lose access, so if you lose the seed phrase we recommend you set up another wallet and move your assets to it as soon as you realise.
One crypto wallet setup we propose is having 3 separate wallets. Each serves its own unique purpose, and together they form a chain that separates your assets depending on what they are and which platforms you log into with each wallet.
Wallet 1 will not be connected to any platforms. Its only purpose is to hold your most valuable and precious assets. One way to make this the safest wallet is to use a multi-sig wallet (more on that later). The reason this triple wallet system works is that wallet 1 never connects to a platform that could be compromised and thus lead to access to your wallet. Instead, digital assets will only ever move between wallet 1 and wallet 2.
Wallet 2 will act as the transitional wallet. What does that mean? It is the buffer between your least safe wallet and your most safe wallet. It helps prevent your most important wallet (wallet 1) from being breached, even when wallet 3 is completely compromised.
Your transition wallet will be connected to platforms such as NFT marketplaces. However, these will only be sites you trust and have bookmarked (so you’re not using dodgy links sent to you through DMs). Of course you’ll always try to be safe when using web 3 links, but it's important to note that this wallet is reserved for making transactions on platforms you’re familiar with and know you can trust. When you purchase an NFT, move it from this wallet to wallet 1, and only send it back to wallet 2 when you’re ready to sell it. Wallet 2 is not for storing important assets for long periods of time.
Wallet 3 will be the least safe wallet. When we say this, we don’t mean you won’t have to worry about keeping it safe; quite the contrary, this is the wallet most likely to be compromised, so it’s important to keep an eye on it, as it will be used for accessing platforms you’re unfamiliar with. If someone recommends a new marketplace and it’s your first time using it, use wallet 3. It won’t hold many funds or tokens, perhaps just enough for gas fees. There’s so much to learn and explore in web 3 that we don’t want to discourage you from trialling new platforms; we simply want you to do so safely. Once you’ve deemed the marketplace safe enough, you can use wallet 2 for transacting on it.
We recommend using Metamask for wallet 3, as this will grant you access to a wide range of places with ease.
There are many different setups you can use, and while this may sound like a lot of work, once you’ve set up the three wallets and moved your assets where they need to be, you’ll be much more resistant to losing them, and you can feel more confident when exploring this newly emerging space.
A multi-sig wallet is one of the safest ways to store your digital assets. It requires multiple signatures in order to access it. These are particularly helpful for DAOs, where a number of people need access to a shared treasury. To prevent any one party from accessing the treasury and moving funds elsewhere without consent from the others, a multi-sig wallet requires more than one DAO member to confirm transactions in or out of the wallet. If one of these DAO members had their wallet compromised, the hacker would not be able to access the treasury without also gaining access to another DAO member’s wallet. This could be 6 wallets, for example, massively reducing the chance of the treasury being hacked. This is decentralisation in practice, one of the core fundamentals of cryptocurrency.
One of the most popular wallets for those who really take security seriously is the hardware wallet. This stores your crypto and NFTs offline in a physical device. Think of it like a hard drive or USB stick. It’s also possible to continue staking your crypto while using these offline wallets, making them much more secure whilst still practical. You can also use a hardware wallet to add a second layer of security by using it as a 2-factor authenticator. This is considered safer than using your email, phone or a mobile app to authenticate a login to an account.
Crypto wallets that are connected to crypto marketplaces, e.g. Binance, are considered less safe, which is why Coinbase offers its own ‘Coinbase wallet’, which stores your crypto separately from Coinbase. This means you are solely responsible for the keys to that wallet, so it is not centralised (non-custodial), which makes it a more secure way to store cryptocurrency and NFTs. While the Coinbase wallet is an example of a hot wallet, it's considered less centralised than using the wallet assigned to you when you sign up to Binance. So, in order of how safe the wallet is: Binance (least safe), Coinbase wallet (decentralised but can still be vulnerable to hacks) and then Ledger wallets (cold wallets, your assets are stored offline).
Not sure where to start? Perhaps try this list of 20+ different wallets to point you in the right direction.
Know that transactions on most blockchains are not private. Anyone can look up what is in your wallet and where you send it (there are certain ways to avoid this, but most commonly it’s easy to see where your money is moving).
While this is often a good thing, it can also make you a target. By not posting your wallet address everywhere (on socials, websites, blogs, forums) you make it harder for people to see who owns that wallet and how much you have. Some may have nothing to hide, and that’s great; however, keep in mind that if you have a lot of crypto or valuable NFTs, this could make you a target for scammers and hackers.
One rule of thumb for web 3 safety: if it’s too good to be true, it probably isn’t a good decision to buy into it. It’s normally best to ignore it and carry on with your day.
An example of this is something most people in the NFT space will be very familiar with: giveaways. These are common on Twitter, Discord and other social media/messaging sites, promoting free NFT drops if you retweet, follow or click the link to sign up. While there are many examples of legitimate giveaways of free crypto, free NFTs and more, where winners have received their prize, it’s also something to be extremely cautious of. The smart contract you sign in order to receive the giveaway may contain malicious code, meaning that once the contract is signed your wallet can be sucked dry of any assets the attacker wants to take. This has happened before and it will happen again, so make sure you check the history of previous giveaways from the person claiming to give out free tokens. Because once again, if it’s too good to be true, it probably isn’t true.
One of the advantages of using blockchains for transactions is that they are often trustless. What does that mean? It means you do not always have to know or trust the other party for the transaction to succeed, because you can rely on the smart contract instead of the other person holding up their end of the deal. This is also why you should pay attention to the contract you sign. When using social media in the web 3 space, try to incorporate a similar mindset: don’t trust anyone.
Unfortunately there are cyber-attackers, hackers, pumpers and dumpers, so it's safer to trust nobody. A great example of this is the reason members of Autonomies have turned off DMs on Discord and Twitter. If any of the Autonomies.io social media accounts gets hacked and sends you a suspicious message asking for money or your seed phrase, you’ll know that WE WILL NEVER ASK YOU FOR THAT PERSONAL INFORMATION AND WILL NEVER CONTACT YOU THROUGH DMs.
We recommend you opt out of DMs on Discord as shown in the image above, and if you insist on using DMs, be cautious when someone (especially a stranger) sends you a message containing a link. They may use tactics such as promising you something in return for doing a task; chances are this is a scam.
One way to check a link is to hover over it: the URL will appear in the bottom left of your browser window. Look up the real website URL and check that it matches the site they are directing you to. For example, someone may invite you to their NFT project on OpenSea, but once you click the link it takes you to another site entirely, or a fraudulent copy of the site you think you’re on.
So when using platforms such as Discord, Twitter and Telegram, be careful: even when messaging someone you think you can trust, their account may be compromised and you may be talking to a hacker instead.
Literally 10 minutes after writing this section a friend of mine asked me to send them some ETH. I asked them a question only they would know, to make sure it was them. Fortunately it wasn’t a hacker, but it’s always best to assume it is before sending money anywhere.
Slippage/faulty transactions/gas fees:
Depending on which blockchain you're using, there are normally some gas fees involved in making transactions. On platforms built on the Ethereum network, gas fees are normally high and can sometimes be even more expensive than the thing you're buying, so make sure you visit an Ethereum gas tracker to check the gas price before making the transaction.
There’s also a chance of slippage. What’s slippage, you ask? It’s the price boundary you set that determines how wide the margin is for the price of gas to go up and down in the time it takes to complete the transaction. When the price of ETH fluctuates and the number of transactions on the blockchain changes rapidly, this affects how much you pay in gas. If this slippage percentage is too low, there’s a higher chance of an unsuccessful transaction, which means you pay the gas fee but the transaction doesn't go ahead. This happens when the gas price slips out of that allocated price boundary in a short space of time.
After a failed transaction there are no refunds. So be sure to double-check your price slippage and remember: a successful transaction may cost more, but it probably won’t cost more than needing a second transaction.
Other blockchains have extremely cheap gas fees, which is one of the reasons Autonomies.io chose to build on the Polygon network; find out more on that here.
https://tac.dappstar.io/#/ is a valuable resource designed to give users greater control over their token approvals. It addresses a problem known as the ‘unlimited approval problem’, an issue that leaves your assets exposed if a smart contract you have approved is hacked. Essentially, when you grant a contract approval for one transaction, the contract often asks for unlimited permission so that you don’t have to grant access over and over again. With this resource you can check which contracts you’ve given unlimited approvals to and revoke the ones you don’t need. By revoking them you’re closing an entrance into your wallet. Be wary of contracts you are not entirely sure are safe, and use this resource to protect yourself.
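To see what an approval prompt actually grants before you sign it, here is an added example (not part of the original post and not the tac.dappstar.io tool's code) that decodes the calldata of an ERC-20 `approve` or NFT `setApprovalForAll` transaction, flags the unlimited case, and builds the matching revoke calldata; the spender addresses and amounts are constructed placeholders.

```python
# Added example (not part of the original post or the tac.dappstar.io tool):
# decode the calldata of an approval transaction a wallet asks you to sign,
# flag unlimited approvals, and build the calldata that revokes them.
# Function selectors are the first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 token allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator approval
}
MAX_UINT256 = 2**256 - 1  # the "unlimited" amount many dapps request


def decode_approval(calldata: str) -> dict:
    """Describe what an approval call grants and whether it is unlimited."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    # Both functions take two 32-byte ABI words: spender, then amount/flag.
    if selector not in SELECTORS or len(args) != 128:
        return {"kind": "unknown", "unlimited": False}
    spender = "0x" + args[24:64]        # address occupies the low 20 bytes of word 0
    value = int(args[64:128], 16)       # word 1: uint256 amount or bool flag
    if selector == "095ea7b3":
        return {"kind": "erc20_approve", "spender": spender,
                "amount": value, "unlimited": value == MAX_UINT256}
    # setApprovalForAll(true) hands the operator every token of the collection,
    # so it is treated as unlimited by definition.
    return {"kind": "set_approval_for_all", "spender": spender,
            "approved": value == 1, "unlimited": value == 1}


def revoke_calldata(decoded: dict) -> str:
    """Calldata that undoes an approval: approve(spender, 0) or setApprovalForAll(spender, false)."""
    selector = "095ea7b3" if decoded["kind"] == "erc20_approve" else "a22cb465"
    spender_word = decoded["spender"][2:].rjust(64, "0")
    return "0x" + selector + spender_word + "0" * 64


# Constructed sample prompts; the spender address is a placeholder, not a real contract.
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER[2:].rjust(64, "0") + "f" * 64
LIMITED_APPROVE = "0x095ea7b3" + SPENDER[2:].rjust(64, "0") + format(1000, "064x")
APPROVE_ALL_NFTS = "0xa22cb465" + SPENDER[2:].rjust(64, "0") + format(1, "064x")

if __name__ == "__main__":
    for name, tx in [("unlimited", UNLIMITED_APPROVE), ("limited", LIMITED_APPROVE),
                     ("operator", APPROVE_ALL_NFTS)]:
        d = decode_approval(tx)
        print(name, d)
        if d["unlimited"]:
            print("  revoke with:", revoke_calldata(d))
```

An approval that decodes as unlimited (or as `setApprovalForAll(true)`) deserves the same scrutiny the post gives to giveaway contracts: the revoke calldata is what approval-management tools send to the token contract to close that entrance again.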
Another good practice for general web 3 browsing is to regularly check the sites connected to your Metamask wallet. You can disconnect them manually by dragging them into the trash can icon, as shown in the example below.
This is similar to staying signed in on a website. After using your wallet on web 3 platforms, disconnect them from your Metamask, or at the very least disconnect those you’re not entirely sure are safe or official.
Because transactions are visible to everyone, it is easier to check whether NFT creators are sending their NFTs to friends or to another wallet they own. If they are, this could be a sign of artificially inflating the price, which is a big red flag. Check the transaction history of their NFTs (using sites like etherscan.io) and you might find some serious NFT collectors or crypto whales along the way.
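One way to turn that check into a repeatable heuristic, as an added example that is not part of the original post: run a round-trip detector over the transfer history of each token (the kind of records a block explorer shows), flagging tokens that keep returning to an earlier holder at rising prices; all addresses and prices below are constructed.

```python
# Added example (not part of the original post): a simple wash-trading heuristic
# run over NFT transfer records of the kind a block explorer such as etherscan.io
# lets you read. All addresses and prices below are constructed placeholders.
from collections import defaultdict

# Constructed sample: (token_id, from_address, to_address, price_in_eth), in chain
# order. A from_address of "0x0" denotes a mint.
TRANSFERS = [
    ("A", "0x0", "0xcreator", 0.0),
    ("A", "0xcreator", "0xfriend", 1.0),
    ("A", "0xfriend", "0xcreator", 4.0),    # token returns to an earlier holder
    ("A", "0xcreator", "0xfriend", 9.0),    # and bounces back again, higher each time
    ("A", "0xfriend", "0xoutsider", 10.0),  # an outside buyer then pays the inflated price
    ("B", "0x0", "0xcreator", 0.0),
    ("B", "0xcreator", "0xcollector", 0.5),
    ("B", "0xcollector", "0xanother", 0.8),
]


def wash_trade_report(transfers):
    """Flag tokens that go back to a previous holder and show the price ladder built that way.

    Returns {token_id: {"round_trips": n, "price_path": [...], "markup": x}} for
    flagged tokens only. A round trip is not proof of wash trading (a genuine
    buyer can sell back to the creator), so treat it as a prompt to look closer.
    """
    history = defaultdict(list)
    for token, frm, to, price in transfers:
        history[token].append((frm, to, price))

    report = {}
    for token, moves in history.items():
        previous_holders, round_trips, prices = set(), 0, []
        for frm, to, price in moves:
            if frm != "0x0":
                previous_holders.add(frm)
            if to in previous_holders:          # the token is circling back
                round_trips += 1
            previous_holders.add(to)
            if price > 0:
                prices.append(price)
        if round_trips:
            report[token] = {
                "round_trips": round_trips,
                "price_path": prices,
                "markup": prices[-1] / prices[0] if prices else 0.0,
            }
    return report


if __name__ == "__main__":
    for token, info in wash_trade_report(TRANSFERS).items():
        print(f"token {token}: {info['round_trips']} round trip(s), "
              f"prices {info['price_path']}, markup x{info['markup']:.1f}")
```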
When checking an NFT, find out whether it’s on a curated marketplace or not. Curated platforms do at least a small amount of vetting when users sign up to make NFTs on their platform. This helps prevent scams and people wishing to misuse the platform in some way. Autonomies and SuperRare are examples of NFT platforms that are heavily curated to make sure only exceptional artists are selling NFTs on their platform.
Don’t believe the hype. In the web 3 space, particularly on social media, you’re bound to come across someone claiming that this project is the next big thing and that it’s going to the moon… Chances are, it’s not. Try not to be lazy and take someone's word for it; take this info with a pinch of salt and find out more to build a more balanced opinion on the project. That shouldn't stop you from finding some experienced and trustworthy people in the web 3 space whose opinion you value. There are plenty of great voices and influential figures working hard to share what they’ve learnt in the web 3 space. Try checking who Autonomies.io follows on Twitter if you don’t know where to start.
Doing this research could help you identify whether an NFT project is right-click-saving another creator's image to sell as its own fraudulent NFT project. Not only does this mean you don’t invest in a project that gives funds to someone who didn't create that image, but it also increases your odds of only investing your money in projects that will not be rug pulled.
A rug pull, or being ‘rugged’, is when a project, normally with an anonymous or mysterious team, advertises an NFT or crypto project, takes the funds collectors have invested into it, and then abandons the project, often leaving investors with nothing to show for it besides a worthless token sitting in their wallets.
Due to the nature of decentralised platforms and DAOs, at the moment there is often less customer service help than at most organisations in the web 2 system. We believe this will definitely improve as the web 3 space matures.
While this is still the case, we encourage you to do some research (try Twitter, Medium articles, Reddit or friendly Discord servers) into the platform you're using, the wallets you use and any currencies/tokens you hold in your wallet or are thinking of buying. This can prevent rug pulls, higher gas fees, scams, technical issues and many other problems. We’re confident this will improve, but at the moment we need to band together and help each other out.
Regulation is clearly needed in some way, as its absence is one of the biggest reasons there are so many scammers and opportunities to be taken advantage of in the web 3 space. Until those regulations are implemented, it’s extremely important to be able to navigate your way through these markets, which are often referred to as ‘the wild west’. We hope to equip you with the tools and knowledge to safely explore this fast-evolving space. If you need guidance on anything Autonomies or web 3 related, we’ll try our best to fix the issue or point you in the right direction. You can contact us by dropping a question in our Discord server, where you’ll find a specific channel that the Autonomies community can use to share web3 safety resources. Thanks for reading, and stay safe out there.
Contact us in our Discord server - https://discord.gg/evKQk3gF3S
Or reach out to our social media channels - https://linktr.ee/autonomiesio
www.ledger.com has a great deal of informative content on wallet types, security and how the wallets work, particularly these pages.
Essential Twitter accounts to follow for web 3 safety content:
_PPMan_ - Spoke about the triple wallet set up in detail on
Punk6529 - Made a tweet here that explains the 3 wallet method.
OhhShiny - Very much on the pulse when it comes to NFT-related information.
serpentAU - A great Twitter account that gives advice on safety in the web 3 space. Also the creator of sentinelwtf, which has a brilliant thread here explaining how NFT Discord servers have been compromised.
@aaronrferguson - A valuable contributor to the NFT space who has made a web 3.0 thread that we suggest you read.
@Rugpullfinder - An account dedicated to researching suspicious crypto projects that alerts you to recent scams. Consider following them so you can be more aware before investing.
Articles to read:
Lukas Schor writes a great article explaining the Gnosis Safe.
https://www.altcoinbuzz.io/nft/keep-your-nfts-safe-with-these-tips/ - This link no longer works but we promise it did, and it recommended using these 4 sites listed below, to verify assets before you purchase them.
A helpful resource that explains VPNs really clearly.
Thanks to Jennifer van der Kleut from NortonLifeLock for writing this article to help us learn about 2-factor authentication.
PCMag has a bunch of NFT-related articles; we found these three particularly insightful: