8 blockchain security monitoring tools you need

by Esprezzo Team on November 28, 2023


Web3 can be all fun and games, but it can quickly turn into a nightmare if you fall victim to scams or hacks. In 2023, nearly $1B in crypto assets have been lost or stolen through security exploits, with Q3 being reported as the quarter with the highest losses from security incidents, so far — a harsh reminder that securing your crypto assets is not something to be taken lightly. But, here's the good news: there are security practices and tools you can use to keep your crypto assets secure.

Your first line of defense

We’ve seen common scams such as phishing attacks, rug pulls (aka exit scams), counterfeit NFT listings, and deceptive token swaps that can easily catch you off guard. Flash loan and oracle manipulation attacks are other security incidents you might have read about. Your first and most crucial line of defense is simply being aware.

Forta

Forta purports to be the “largest network of security intel in Web3”, specializing in security monitoring for smart contracts. Thousands of security-monitoring bots created by Web3 developers and security experts form the network, spotting and reporting possible threats. As a decentralized monitoring network, Forta's core focus is to detect suspicious activities in real time and instantly share alerts throughout its network.

Forta's scam detector. Source: Forta

Imagine the Forta Network as a massive security system for public blockchains, keeping an eye out for anything unusual or suspicious. It consists of two essential components: detection bots and scan nodes.

Each bot has a specific job set by its developer. Some bots keep an eye on certain activities, like large transactions, while others are skilled at uncovering complex scams and vulnerabilities.

Chains supported: Ethereum, Polygon, BSC, Avalanche, Arbitrum, Optimism, and Fantom

Harpie

While Forta focuses on real-time threat detection, Harpie offers a different way to protect your crypto assets: monitoring pending transactions, especially for any potential attacks. If it senses trouble, Harpie securely moves your funds away from vulnerable wallets, with the goal of preventing theft.

Harpie theft detection Scanner. Source: Harpie

Whether you're involved in yield farming, hold valuable NFTs, or just casually explore the crypto world for fun, Harpie can provide a protective shield for your assets. If you mistakenly send tokens to the wrong destination or fall prey to an attack, Harpie intervenes to halt the transfer. It’s designed to protect against a spectrum of threats, spanning from social engineering to website intrusions and private key theft.

Here's how it works: You set up a "trusted network" consisting of protocols and peers you trust. If your wallet tries to send tokens to anyone outside this network, Harpie steps in and blocks the transaction. Even if a malicious transfer is already underway, Harpie has a mechanism to swiftly move your funds to safety before the attacker can access them.

In the event of an attack, Harpie employs a Transferer contract that moves your assets to a noncustodial “Vault”. Only you possess the authority to withdraw your assets from the Vault; there's no admin key that could jeopardize your security.

Chains supported: Ethereum

Gatekeep

Similar to Harpie, Gatekeep relies on smart contracts and an interception system that operates 24/7.

Gatekeep intercept module. Source: ProductHunt

Here's how it works: You select specific addresses that you trust. If a transaction is headed towards an address you haven't marked as trustworthy, Gatekeep intervenes to stop it.

Like Harpie, it’s an extra layer of protection for your assets. If a theft attempt is detected, Gatekeep teams up with user-deployed contracts to swiftly move the at-risk assets to a secure wallet before the thief's transaction gets confirmed on the blockchain.

Chains supported: Ethereum
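The trusted-address check that the Harpie and Gatekeep sections describe, sketched as an added example (this is not Harpie's or Gatekeep's code). It shows why the check has to look inside the calldata: for an ERC-20 `transfer`, `approve` or `transferFrom`, the transaction's `to` field is the token contract, and the address that actually receives tokens or spending rights is an argument. All addresses and transactions are constructed sample data, and the function names are hypothetical.

```python
# Added example: addresses and transactions below are constructed sample data.
# ERC-20 function selectors (first 4 bytes of calldata) and the index of the
# argument that names who receives tokens or spending rights.
SELECTORS = {
    "a9059cbb": ("transfer", 0),      # transfer(address to, uint256 amount)
    "095ea7b3": ("approve", 0),       # approve(address spender, uint256 amount)
    "23b872dd": ("transferFrom", 1),  # transferFrom(address from, address to, uint256)
}

def counterparty(tx):
    """Return (action, address) for whoever really gains tokens or allowance."""
    data = tx.get("data", "0x")[2:].lower()
    if data[:8] in SELECTORS:
        action, arg_index = SELECTORS[data[:8]]
        start = 8 + 64 * arg_index
        word = data[start:start + 64]
        if len(word) != 64:
            return action, None          # truncated calldata: cannot be verified
        return action, "0x" + word[24:]  # address is the low 20 bytes of the word
    return "call", tx["to"].lower()      # plain ETH send or a call we do not decode

def check(tx, trusted):
    """BLOCK unless the real counterparty is in the trusted network."""
    action, addr = counterparty(tx)
    allowed = {a.lower() for a in trusted}
    verdict = "ALLOW" if addr in allowed else "BLOCK"
    return verdict, action, addr

def calldata(selector, *words):
    """Build sample calldata from a selector and 32-byte argument words."""
    return "0x" + selector + "".join(w.rjust(64, "0") for w in words)

TOKEN = "0x" + "aa" * 20      # constructed token contract
FRIEND = "0x" + "bb" * 20     # constructed trusted peer
STRANGER = "0x" + "cc" * 20   # constructed unknown address
TRUSTED = {TOKEN, FRIEND}

SAMPLE = [
    {"to": TOKEN, "data": calldata("a9059cbb", FRIEND[2:], "64")},
    {"to": TOKEN, "data": calldata("095ea7b3", STRANGER[2:], "f" * 64)},
    {"to": FRIEND, "data": "0x"},
    {"to": TOKEN, "data": "0xa9059cbb" + "00" * 10},
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(check(tx, TRUSTED))
```

The second sample is the case to notice: the transaction goes to a trusted token contract, yet it is blocked because the spender named in the calldata is not in the trusted network.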

ChainAegis

Now, let's talk about another useful crypto security tool: ChainAegis. This platform comes with a range of features to make your crypto assets more secure. It can track and label addresses, helping to better understand what's happening in various digital assets. This way, it becomes easier to spot things like fraud and ransomware on public blockchains and similar decentralized networks.

ChainAegis Risk Warning dashboard. Source: ChainAegis

ChainAegis also looks for problems in smart contracts, to protect against flash loan attacks and stop rug pulls. They have a Risk Warning service that actively watches blockchain data and sends alerts if there are potential risks, including rug pulls, sudden price drops, and various types of attacks.

If you're looking to dig even deeper, their SharkTeam Contract Audit ensures smart contracts are airtight, and they give you comprehensive reports and data APIs to really get into the nitty-gritty of a project's ins and outs.

Chains supported: Ethereum, BSC, TRON, Bitcoin, HECO, and more

Dispatch

Another tool to consider for your security arsenal — whether you’re a founder, developer, community member or trader — is Dispatch: an easy, fast and flexible tool to create alerts for wallets, smart contract events and functions that might be an indicator of malicious or unintended activity.

Here are some common smart contract events or functions you might create alerts for:
 
  • transferOwnership or OwnershipTransferred: Unless the team or dev initiated an ownership change of a contract, seeing these events and functions can be a red flag
  • AdminChanged: Indicates a change in the administrator or owner of a proxy contract. Make sure these events were intentional
  • grantRole: Get alerted about role assignments by actors outside the team that could lead to unauthorized access to your smart contracts
  • revokeRole or RoleRevoked: Notify the team if an unauthorized entity unexpectedly revokes or removes roles or permissions from team or dev addresses
  • Pause or Unpaused: Make sure your smart contracts aren't being paused or unpaused unexpectedly

Dispatch Ownership Transferred and Paused Smart Contract Events

Setting up smart contract monitoring for potential security incidents using Dispatch

Dispatch's user-friendly, no-code interface makes managing and sharing wallet alerts and smart contract events across your product, team, and communities a lot easier and faster. It automatically pushes notifications to your favorite channels — webhooks, Discord, Telegram, email, and more. So, whether there's some unexpected action in your smart contracts or a surprise twist, Dispatch can help you react quickly.

Chains supported: Ethereum, Polygon, Base, and Arbitrum
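The alert logic behind the event list above, as an added example (this is not Dispatch's code or configuration). It assumes the logs have already been ABI-decoded into a name and arguments, uses the event and argument names from OpenZeppelin's contracts (`OwnershipTransferred`, `AdminChanged`, `RoleGranted`, `RoleRevoked`, `Paused`, `Unpaused`), and flags any watched event whose actor or beneficiary is not a known team address. Addresses, events and function names are constructed for illustration.

```python
# Added example: addresses and events below are constructed sample data.
ZERO = "0x" + "00" * 20

# For each watched event, the decoded address arguments that should always be
# team addresses. Argument names follow OpenZeppelin's event definitions,
# which is an assumption about the monitored contracts.
RULES = {
    "OwnershipTransferred": ["newOwner"],
    "AdminChanged": ["newAdmin"],
    "RoleGranted": ["account", "sender"],
    "RoleRevoked": ["sender"],
    "Paused": ["account"],
    "Unpaused": ["account"],
}

def review(event, team):
    """Return the reasons a decoded event deserves an alert (empty if none)."""
    members = {a.lower() for a in team}  # compare case-insensitively
    reasons = []
    for field in RULES.get(event["name"], []):
        addr = event["args"][field].lower()
        if addr == ZERO:
            reasons.append(f"{field} is the zero address")
        elif addr not in members:
            reasons.append(f"{field} {addr} is outside the team")
    return reasons

def scan(events, team):
    """Return (event name, reasons) for every event that should alert."""
    hits = [(e["name"], review(e, team)) for e in events]
    return [(name, why) for name, why in hits if why]

MULTISIG = "0x" + "A1" * 20   # constructed team multisig (mixed case on purpose)
DEV = "0x" + "b2" * 20        # constructed developer key
OUTSIDER = "0x" + "c3" * 20   # constructed unknown address
TEAM = {MULTISIG, DEV}

EVENTS = [
    {"name": "OwnershipTransferred", "args": {"previousOwner": DEV, "newOwner": MULTISIG.lower()}},
    {"name": "OwnershipTransferred", "args": {"previousOwner": DEV, "newOwner": ZERO}},
    {"name": "RoleGranted", "args": {"role": "0x00", "account": OUTSIDER, "sender": DEV}},
    {"name": "Paused", "args": {"account": OUTSIDER}},
    {"name": "Transfer", "args": {"from": DEV, "to": OUTSIDER}},
]
```

Calling `scan(EVENTS, TEAM)` leaves the planned hand-over to the multisig quiet and flags the renounced ownership, the role granted to an outside account and the pause triggered by an outsider.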


Interested in Dispatch? 🚀

If you're looking for simple point-and-click smart contract and wallet monitoring, sign up to join the free beta.

 
Pocket Universe

Worried about the possibility of losing your valuable crypto assets with a single click? Pocket Universe is a browser extension designed to function as a transaction checker, aimed at helping you mitigate this risk.

Example Pocket Universe mint protection popups. Source: Pocket Universe

Pocket Universe provides up to $2,000 in coverage for customers falling victim to scams that Pocket Universe failed to warn about. It also enhances the transparency of every transaction you make. You can review the assets involved, ensuring there are no surprises along the way. Whether it's fake NFT listings, deceptive DEX orders, or those notorious ETH-stealing contracts masquerading as airdrops, claims, mints, or other standard transactions, Pocket Universe provides you with clear warnings to help you stay informed.

Chains supported: Ethereum, Polygon, BSC, Arbitrum, and Optimism

CertiK

If you’re a smart contract developer or working on a Web3 project, you’ve probably seen CertiK around. Their specialty is finding potential security vulnerabilities in smart contracts — vulnerabilities that could cost your community or team dearly. They’ve been in the game since 2018 and claim to have audited over 4,000 projects, and you’ll commonly see their security reports in Web3 project whitepapers and on news sites. As a developer, you may want to consider them to audit your project’s contracts. As an investor, you may want to look for CertiK reports on projects you’re considering interacting with.

CertiK Dashboard. Source: CertiK

Their process includes in-depth manual code inspection and review, evaluating project designs, spotting potential issues, and providing detailed reports with recommendations to help enhance contract security. Additionally, CertiK publishes industry reports with analyses of security incidents that happen every quarter.

CertiK 2023 industry report links:

  • Exploits, hacks and scams stole almost $1B in 2023: Report — Cointelegraph
  • Hack3d: The Web3 security quarterly report - Q3 2023 — CertiK

Chains supported: Ethereum, BNB Chain, Polygon, Avalanche, Arbitrum, Fantom, Polkadot, and more

MythX

If you're a developer, this one's right up your alley. When it comes to safeguarding Ethereum and EVM-based smart contracts, developers need a dependable partner in the quest for reliability—a good one is MythX. MythX assists developers in identifying vulnerabilities and strengthening the integrity of their smart contracts. With its arsenal of checks and analyses, MythX can dive into your code.

MythX security verification. Source: DreamLab Technologies

One of the great things about MythX is its versatility. You can easily integrate it into popular development tools like Truffle and Remix. If you prefer a more hands-on approach, MythX offers a direct API for code analysis. According to MythX, the more code you allow the tool to examine, the better it becomes at detecting vulnerabilities. It presents you with a comprehensive report pinpointing potential weaknesses and provides specific details about where they're lurking in your code. And if you're a fan of extra security (who isn't?), MythX lets you team up with the experts from ConsenSys Diligence for a deep smart contract audit.

Chains supported: Ethereum, Quorum, Vechain, Rootstock, TRON, and other EVM-compatible chains
