Greetings blockchain traveler. A lot’s happened in the crypto world in the past few weeks. If you want to read a brief piece on the company’s stance on recent events, check out this post.
This is the Ultimate (and simple) Self Custody Guide, by Webacy. Read on.
Webacy is the protection layer for self-custody. We build safety and security tools that provide the extra mile of protection you need for your web3 wallets.
Before we Begin
Remember: you can build up an empire in cryptocurrencies, but nothing matters if your seed phrase and private keys are compromised. Keeping these safe is your number one priority in blockchain.
Two Definitions of Two Ways You Can Access and Control Your Wallet
- A seed phrase is the 12- or 24-word phrase associated with a crypto wallet; anyone who knows it can recreate the wallet.
- A private key is the secret half of an asymmetric key pair and likewise grants access to a crypto wallet.
You may also have heard of your public key. Sharing it is perfectly fine and often necessary, but keep in mind that all of your wallet’s activity is publicly viewable through block explorers regardless. That is the nature of blockchain transparency.
In general: it’s recommended that you never store your seed phrase or private keys anywhere close to the internet. Keep them away from your devices, your iCloud account, or anything else that touches the internet. If you keep a physical copy of your seed phrase, make sure it’s in a place nobody else can access, and consider keeping multiple copies in case one is lost or destroyed in unforeseen circumstances.
Now, let’s dive in.
Custody vs Self-Custody, Custodial vs Non-Custodial: What Does it all Mean?
You’ve probably heard the phrase “not your keys, not your crypto.” This phrase is a good one to assess the risk of any scenario where your crypto is stored. The best way to differentiate what kind of account you're dealing with is whether or not you know the seed phrase / private key to that account.
Take the main Coinbase exchange, for example. If a user has an account on Coinbase, they have a username and password login. They can view their assets in “their account” as well as buy, sell, send, and receive crypto of all kinds. However, they don’t really own that account - they don’t have the seed phrase. Coinbase, as your custodian, has the ability to move funds and assets around and even to lock access if they deem there to be a security risk. You won’t be able to access those funds unless they allow you to.
On the other hand, Coinbase also offers Coinbase Wallet, which is a non-custodial wallet. When you first set up Coinbase Wallet, you’re shown your seed phrase, and you can access your private key. If Coinbase were ever to freeze accounts, assets in your Coinbase Wallet would still be under your control.
Centralized vs Decentralized, CEX vs DEX
Taking one step further, let's discuss the difference between a centralized exchange (CEX) vs a decentralized exchange (DEX).
Broadly, ‘centralization’ is when the decision making power and access is controlled by a ‘central’ entity. ‘Decentralization’ is when the decision making power and access is distributed among multiple entities.
You’ve probably heard of centralized exchanges (CEX) - they’re the ones falling like dominoes in the news. FTX, Coinbase, Gemini, and Binance are some of the big names. On these platforms, you can create an account and buy, sell, and trade crypto. Some even manage your crypto and try to make gains with your funds (through lending, staking, swapping, bridging, mining, and more). If these companies fail, these accounts may get locked, which means a user is unable to withdraw their funds. Since the user does not have the seed phrase or private key, they are unable to truly access their assets. While a centralized platform is convenient in terms of security, ease of use, and potential financial gain, there is a counterparty risk tied to the company itself.
Decentralized exchanges (DEX) are peer-to-peer platforms where crypto holders make the trades themselves, without ever handing over assets to an intermediary. Instead of centralized, commingled accounts of funds, they use smart contracts that function as an automated market maker. Some of the biggest platforms include Uniswap and dYdX. On these platforms, users connect their non-custodial wallets, whose seed phrase and private keys they hold themselves. If a DEX were ever to go down, the user still owns their wallet and all of the assets within it.
Hot Wallets vs Cold Wallets, Browser Wallets vs Desktop Wallets vs Hardware Wallets
When it comes to picking a wallet, you’ve got a lot to consider.
You may have heard the terms ‘hot wallet’ and ‘cold wallet’ - we’ll be brief in definition here, but if you want a full article, check out this piece on CoinDesk.
A ‘hot wallet’ is a wallet connected to the internet. They’re typically user-friendly, free to use, and convenient. However, hot wallets are much more vulnerable to security flaws and hacking, and require a connection to the internet.
A ‘cold wallet’ is a wallet not connected to the internet, or more formally, where the private keys are offline. It’s not technically required for a cold wallet to be a hardware wallet, but that typically tends to be the case. Cold storage wallets are more secure as the private key is much more difficult to access - but it isn’t completely immune to regular vulnerabilities or human error. Cold storage wallets may also be more expensive, and it tends to be more cumbersome to move assets.
There are many different wallet providers to choose from, with more being built every day.
Some wallets sit directly in your browser as an extension: Metamask, Coinbase Wallet, and Phantom are all examples of a browser wallet. These wallets are convenient, and allow you to easily explore all that web3 has to offer. Most would categorize these as ‘hot wallets.’ They also happen to fall prey most easily to hacking, phishing, wallet draining, and other attacks, precisely because they are the most convenient mode of wallet connection: right there whenever you click a link or are active in the ecosystem.
Desktop wallets live on your device itself. These wallets only connect to the internet when necessary, and the private key lives in the computer hard drive itself. While a desktop wallet provides different types of security, it is also vulnerable to the same kinds of security flaws as a hot wallet, depending on how you use it. Some of the most popular are Exodus and Atomic Wallet.
Finally, hardware wallets are physical devices that keep the private key offline, directly in the physical device. They are most commonly associated with cold wallets. Hardware wallets tend to be the ‘most secure’ by nature, but can still be vulnerable to the same attacks - again, depending on how they’re handled by the user. The most popular hardware wallets include Ledger, Trezor, Arculus, and more.
It goes without saying that every person will have different needs when it comes to their own operational security. What works for one person may not work for you, so please take the time to consider your options and create a system that will keep you secure for a lifetime.
At the most basic level, you should have at least two wallets: one hot wallet and one cold wallet.
Typically, the hot wallet could be a browser wallet like Metamask or Coinbase Wallet. The cold wallet could be a hardware wallet like a Ledger or Arculus.
- Use a hot wallet to interact with the web3 ecosystem - this is the wallet that you connect with, you mint with, and you interact with. You should keep as few assets in this wallet as possible. These wallets are the most vulnerable to drainage and vulnerabilities, as they may be connecting to malicious or unknown websites. Transfer anything important to your cold wallet immediately.
- Your cold wallet should be your storage. Ideally, you should never connect your cold wallet to the internet. Being disciplined in the use (or non-use) of your cold wallet is the best way to keep your assets safe.
This basic system is a pretty simple setup. There are many ways to make your crypto security more sophisticated. Below are some diagrams that display some options for systems to keep your crypto secure. If you know the source of the first image, please let us know! We were unable to trace it back to the true creator.
No self-custody guide is complete without some basic security recommendations and reminders:
- Never connect your wallet to an unknown or untrusted website (check the URL; if it looks phishy, avoid it. No small amount of money you can make from a quick mint is worth compromising your security)
- Always check the URL of the website you are on
- Do not click links in DMs on social sites like Discord and Twitter
- Regularly check the token approvals on your wallet through Etherscan
- Always double check the address to which you are transferring items (even look them up on Etherscan to make sure they have not been flagged)
- Always double check the permissions a transaction is asking for
- If possible, verify the smart contract you are interacting with by reading an audit (just search if a publicly available Security Audit report exists for that service)
- Do not leave a large amount of assets in your hot wallet, transfer some in when necessary, and transfer it out when finished
- Get notified of your wallet activity through wallet notification services (see Webacy below)
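The approval and permission checks in the list above, as an added example that is not Webacy’s code: a small Python decoder for the calldata of an EVM transaction a wallet asks you to sign. It recognises the standard ERC-20/ERC-721/ERC-1155 approve, setApprovalForAll and transfer selectors, extracts the spender or recipient and amount, and flags unlimited or blanket approvals before you confirm. The sample calldata and the 0x11…11 spender address are constructed placeholders.

```python
# Added example, not Webacy's code: decode the calldata a wallet asks you to sign
# and say which permission it grants. Selectors are the standard ERC-20/721/1155
# ones; sample inputs built with encode_call() are constructed.
UNLIMITED = 2**256 - 1  # the "infinite approval" value many dapps request
SELECTORS = {  # first 4 bytes of keccak256(function signature)
    "095ea7b3": "approve(address,uint256)",         # ERC-20 / ERC-721
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",        # ERC-20
}

def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI argument after the 4-byte selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata too short for argument %d" % i)
    return data[start:start + 32]

def decode_calldata(calldata_hex: str) -> dict:
    """Name the function called and rate the permission it asks for."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex[:2] == "0x" else calldata_hex)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return {"function": None, "risk": "high",
                "reason": "unrecognised function; read the contract or its audit first"}
    # All three take an address (right-aligned in its word) then a uint256/bool.
    target = "0x" + _word(data, 0)[12:].hex()
    amount = int.from_bytes(_word(data, 1), "big")
    out = {"function": name, "target": target, "amount": amount}
    if name.startswith("approve"):
        if amount == UNLIMITED:
            out.update(risk="high", reason="unlimited allowance for spender " + target)
        elif amount > 0:
            out.update(risk="medium", reason="allowance for spender; revoke when done")
        else:
            out.update(risk="low", reason="allowance revoked")
    elif name.startswith("setApprovalForAll"):
        if amount == 1:
            out.update(risk="high", reason="operator may move every token in the collection")
        else:
            out.update(risk="low", reason="operator approval revoked")
    else:
        out.update(risk="medium", reason="sends tokens; verify the recipient address")
    return out

def encode_call(selector: str, addr: str, value: int) -> str:
    """Build constructed sample calldata (selector + two ABI words) for the demo."""
    addr_word = bytes.fromhex(addr[2:]).rjust(32, b"\x00")
    return "0x" + selector + (addr_word + value.to_bytes(32, "big")).hex()
```

Paste the hex calldata your wallet shows into decode_calldata(); a "high" result is the unlimited or blanket approval that the checklist warns about, and the same selectors show up in your Etherscan approval history.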
Additional Self-Custody Topics
Once you’ve covered the above sections and set up your systems, you should have a general handle on self-custody. However, there are still vulnerabilities in the space, so it’s worth looking at some additional topics for that final mile of crypto security.
As mentioned in the beginning, Webacy is the protection layer for self-custody. We have a suite of tools and services that integrate with your chosen non-custodial wallet solutions (Webacy is not a wallet, vault, or custody solution), all without the need for your seed phrase or private keys. We have a Backup Wallet solution if you ever lose access to your wallet, a Panic Button for immediate transfer of assets in case of hacks and scams, a Crypto Will, and so much more (including a Wallet Notification service called Wallet Watch that we are launching shortly). Already, Webacy has saved hundreds of thousands of dollars’ worth of user assets from loss.
There are some wallets that are built with security in mind. Argent is a crypto wallet that incorporates secure practices from the get-go. Brave is a wallet built directly into the browser, incorporating security into the entire online experience. There are also browser extensions like Wallet Guard and Pocket Universe that act as a barrier between links and your browser wallets. New technologies and services are being launched every day - with the vision of a safer web3 for all.
Your journey in web3 will take you far and wide, but we hope that you’ll stay safe along the way.
If you’re reading this, take a moment to review your current crypto wallet setup, and make adjustments with security in mind.