Web3 basics 101 - Your seedphrase is something you want to protect at ALL costs. If you hand out your seedphrase - it's game over for that wallet (+subwallets).

Here's a 🧵 about companies entering web3 and not properly putting disclaimers up for user security.

#SaferNFTs 1/10
I chose @Stepnofficial as an EXAMPLE for this 🧵; it applies to all others.

For those unfamiliar with #STEPN - they are essentially onboarding people to web3 to earn crypto through their app while being active / moving / running. Which, as a concept, is a cool idea.

#SaferNFTs 2/10
STEPN launched on $sol originally, expanded to $bnb and now added $eth. Different chains are referred to as realms. Basically = servers, if you're familiar with MMORPGs. Solana Realm, BNB Realm and APE Realm.

Ok, onto the security part already @Wii_Mee!

#SaferNFTs 3/10
So what's the security issue you mentioned in the OP?

STEPN basically is used in-app only - which means users completely new to crypto will be able to create a new wallet (receiving a seedphrase) for whatever 'realm' they want to participate on.
Here's the BUT:

#SaferNFTs 4/10
BUT because users can create a wallet inside the @Stepnofficial app -

This also means they are given the option to RESTORE their wallets / accounts within the app - by importing their seedphrase. 🚨
Here's where it gets careless from Stepn themselves.

#SaferNFTs 5/10
For the seasoned NFT / web3 users - all alarm bells should be ringing here.

But put yourself in the shoes of someone new to crypto or web3 in general.

Would they know they shouldn't enter the seedphrase they also use for their NFTs / funds in here?

#SaferNFTs 6/10
At the very least (!) I'd have expected a big warning like the one I filled in inside the box. @Stepnofficial you've got to do better than this.

Yes, I know we're entering a seedphrase into MM or other software wallets too. But they're specialized to this sphere. Is STEPN?

#SaferNFTs 7/10
I hope no one in their right mind would EVER think about entering their cold storage seedphrase into a 3rd party app btw. 😱

Now to wrap this 🧵 up, let's look at why you should NEVER enter your seedphrase into a 3rd party app.

#SaferNFTs 8/10
Transmitting your seedphrase digitally into apps / websites opens the door to every vector for stealing your assets and funds.

No matter how cautious YOU are, you can't rely on another party to keep your seedphrase safe. That's what hardware wallets are for!

#SaferNFTs 9/10
TL;DR:

- STEPN lets you recover an account inside the app by entering a seedphrase
- Use BURNER wallets with 3rd party apps (if at all), WITHOUT assets in them
- DON'T trust 3rd party apps to keep your keys safe
- For your valuable assets, get a HARDWARE wallet ✅

#SaferNFTs 10/10
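Why one leaked seedphrase is "game over for that wallet (+subwallets)": the phrase is the single root from which every account key is derived deterministically. The added example below is not from the thread or from STEPN; it implements the BIP-39 seed stretch and the hardened BIP-32 / BIP-44 account-level derivation (m/44'/coin'/account') with only the standard library, using the well-known all-"abandon" BIP-39 test phrase as sample input and coin type 60 (Ethereum) as an assumption. It does not validate the BIP-39 checksum or derive the non-hardened address levels, which would need secp256k1 point math.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: BIP-32 child private keys are reduced modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Sample input: the standard BIP-39 test phrase (all-zero entropy), not a real wallet.
SAMPLE_PHRASE = "abandon " * 11 + "about"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the NFKD-normalised phrase into a 64-byte seed via PBKDF2-HMAC-SHA512."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP-32: master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP-32 hardened derivation: needs only the parent private key, chain code and index."""
    data = b"\x00" + k_par.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    k_child = (int.from_bytes(digest[:32], "big") + k_par) % SECP256K1_N
    return k_child, digest[32:]


def account_keys(mnemonic: str, coin_type: int, accounts: int, passphrase: str = "") -> list[int]:
    """Account-level private keys m/44'/coin_type'/a' for a = 0..accounts-1.
    Every address a wallet app shows under account a descends from these keys,
    so whoever holds the phrase holds all of them at once."""
    k, c = master_key(mnemonic_to_seed(mnemonic, passphrase))
    k, c = hardened_child(k, c, 44)
    k, c = hardened_child(k, c, coin_type)
    return [hardened_child(k, c, a)[0] for a in range(accounts)]


if __name__ == "__main__":
    # Three distinct Ethereum "subwallets", all recoverable from the one phrase.
    for i, key in enumerate(account_keys(SAMPLE_PHRASE, 60, 3)):
        print(f"m/44'/60'/{i}' -> {key:064x}")
```

A burner phrase used only with 3rd party apps sits at a different root, so a leak there cannot reach the accounts under your main phrase.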
