Crypto Security and Web3 Safety

Recognize Scams, Rugpulls, and Phishing

TL;DR: The crypto world is full of opportunities, but it’s also a minefield of scams. Stay alert for rugpulls, phishing attacks, and shady projects that will drain your wallet faster than you can say “FOMO.”

What Are Rugpulls

A rugpull is a type of scam where developers or project creators build trust with investors, often through flashy marketing and promises of high returns, only to suddenly withdraw all funds from the project, leaving investors with worthless tokens. These scams are especially common in the DeFi and NFT spaces, where projects are often launched with minimal oversight or regulation.

How Rugpulls Work

Launch a project: The scammers create a new token, NFT collection, or DeFi protocol, often hyping it up with promises of huge profits.
Attract investors: They build a community on social media platforms (like Discord and Twitter), promising rewards, airdrops, or future utility for early backers.
Pull the rug: Once enough funds have been raised, the scammers either withdraw all the liquidity from the liquidity pool, leaving investors unable to sell their tokens, or they abandon the project entirely.

Red Flags of Rugpulls

Anonymous Teams: While not all anonymous projects are scams, it’s a major red flag if the team behind a project cannot be verified or refuses to disclose their identities.
No Audits: If a project claims to be handling large sums of money but hasn’t undergone any security audits by reputable third-party firms, be cautious.
Unrealistic Promises: If a project promises guaranteed returns, especially extremely high ones, it's likely a scam. No legitimate crypto project can guarantee profits.
Lack of Liquidity Lock: In many DeFi projects, the developers can withdraw liquidity at any time if it’s not locked. If there’s no clear statement about locking liquidity, proceed with caution.
FOMO Tactics: Be wary of projects that aggressively push you to invest quickly to avoid "missing out" on huge gains.

Example of a Rugpull

In 2021, Squid Game Token surged in popularity, capitalizing on the fame of the Netflix show. The token saw massive price increases, but when investors tried to cash out, they discovered that they couldn’t sell their tokens. Shortly afterward, the anonymous developers vanished, and the token’s price collapsed to zero.

Recognize Phishing Attacks

Phishing is one of the most common scams in crypto and involves tricking users into giving away their private information—such as their private keys, seed phrases, or login credentials—by pretending to be a legitimate service or platform.

How Phishing Works

Fake Websites: Scammers create a website that looks almost identical to a legitimate crypto platform (like a wallet provider or exchange). Users unknowingly input their private keys or seed phrases, giving the scammers full access to their wallets.
Email Phishing: Phishing emails are sent out, appearing to come from a trusted platform. They often contain links to fake websites or attachments designed to steal your information.
Social Engineering: Scammers impersonate support staff, influencers, or project team members on social media, asking users to share sensitive information, claiming it’s necessary for troubleshooting or account recovery.

Red Flags of Phishing

Unsolicited Requests for Private Keys or Seed Phrases: Legitimate platforms will never ask for your private key or seed phrase. If anyone asks for this information, it’s a scam.
Suspicious URLs: Phishing sites often have URLs that look almost identical to the real ones but with slight misspellings or extra characters (e.g., g00gle.com instead of google.com).
Urgency: Phishing attacks often create a sense of urgency to trick users into acting without thinking. For example, you may receive an email claiming your account has been compromised and asking you to click a link immediately.
Fake Social Media Accounts: Scammers often create fake profiles that mimic influencers, project leads, or customer support accounts. Always verify account handles, as scammers often use slight variations to trick users.

Example of Phishing Attack

A common phishing attack involves fake MetaMask browser extensions or mobile apps that look identical to the legitimate MetaMask wallet. Users install the fake app, input their seed phrase, and then find that their wallets have been emptied by the scammers.

Other Common Crypto Scams

The following is a list of common scams that are seem in the crypto space.

Ponzi Schemes

Ponzi schemes in crypto promise investors high returns with little to no risk. The scam works by using new investors’ funds to pay off earlier investors, creating the illusion of a profitable business. Eventually, the scheme collapses when new money stops coming in, leaving most investors with losses. Red Flags of Ponzi Schemes:

Guaranteed Returns: No legitimate investment can guarantee fixed returns, especially in the volatile crypto market.
Referral Incentives: If a project focuses more on recruiting new participants rather than its actual product or service, it’s likely a Ponzi scheme.
Lack of Transparency: If the project’s investment strategy is vague or overly complex, it could be hiding fraudulent activity.

Pump-and-Dump Schemes

In pump-and-dump schemes, scammers artificially inflate the price of a low-cap token through hype and manipulation, often in private groups or on social media. Once the price has surged, the scammers sell off their tokens, causing the price to crash and leaving late investors with worthless tokens. Red Flags of Pump-and-Dump Schemes

Sudden Price Spikes: If a token experiences a rapid, unnatural price increase without any major news or product launch, it could be a pump-and-dump.
Unusual Volume: Watch for sudden spikes in trading volume followed by sharp price declines.
Small or Unverified Projects: Pump-and-dump schemes usually target low-market-cap coins or new projects with little public attention.

Giveaway Scams

Giveaway scams promise users free crypto in exchange for sending a small amount of crypto to “verify” their wallet. These scams often appear on social media platforms, with fake accounts impersonating well-known figures or projects. Red Flags of Giveaway Scams

Too Good to Be True: If someone claims you can get free crypto just by sending a small amount first, it’s a scam.
Impersonation: Scammers frequently impersonate celebrities, influencers, or project teams to lure users into the scam.

Types of Scams
Scam Type	How It Works	Red Flags	Prevention Tips
Rugpulls	Developers suddenly withdraw all liquidity or abandon a project, leaving investors with worthless tokens.	Anonymous teams, no liquidity lock, unrealistic promises.	Always check for team transparency, liquidity lock, and realistic roadmaps.
Phishing	Scammers trick users into revealing private keys or login credentials through fake websites or messages.	Suspicious URLs, unsolicited requests for private keys or seed phrases.	Always verify URLs, never share private keys or seed phrases.
Ponzi Schemes	Promises high returns with little to no risk, relying on new investors’ funds to pay earlier investors.	Guaranteed returns, heavy focus on recruiting new participants.	Research projects thoroughly, avoid schemes offering guaranteed profits.

How to Stay Safe

Double-Check URLs: Always double-check the URLs of websites you visit to make sure you’re on the legitimate site.
Enable Two-Factor Authentication (2FA): Use 2FA on all your crypto accounts for an extra layer of security.
Verify Social Media Accounts: Check the legitimacy of social media profiles claiming to be official representatives of a project before interacting with them.
Research Before Investing: Never invest in a project without thoroughly researching the team, audits, and roadmap. Avoid any project that uses high-pressure tactics to get you to invest quickly.
Store Your Private Keys and Seed Phrases Securely: Never share these with anyone, and always store them offline in a safe place.

Conclusion

As crypto adoption grows, so do the number of scams targeting unsuspecting users. Whether it’s through rugpulls, phishing attacks, or Ponzi schemes, bad actors are constantly seeking ways to steal your assets. By understanding the red flags of common scams and practicing security best practices, you can protect yourself from falling victim to these traps. Always stay vigilant, double-check everything, and remember: if something sounds too good to be true, it probably is.

VPNs, Malware/Spyware, & Other Security Best Practices

TL;DR: In the potentially wild world of crypto, security is everything. Protect yourself with VPNs, avoid malware/spyware traps, and follow security best practices to keep your assets safe from hackers and scammers.

VPNs: Why You Should Use Them

A VPN (Virtual Private Network) is one of the best tools for maintaining online privacy and security. When you connect to a VPN, your internet traffic is encrypted and routed through a secure server, masking your IP address and making it difficult for third parties to track your online activity.

Why VPNs Matter for Crypto Users

Protects Your Privacy: A VPN helps keep your real IP address hidden, preventing websites, exchanges, or potential attackers from identifying your location or tracking your activity.
Secures Public Wi-Fi: If you’re trading crypto or accessing your wallet on public Wi-Fi (e.g., in a café or airport), using a VPN encrypts your connection, making it much harder for hackers to intercept your data.
Bypasses Geographical Restrictions: Some countries or exchanges may block access to crypto-related websites. A VPN can help you bypass these restrictions by allowing you to connect through servers in different regions.
Mitigates Man-in-the-Middle Attacks: VPNs help prevent man-in-the-middle attacks, where hackers intercept your data as it travels between your device and a website. By encrypting your connection, a VPN makes it significantly more difficult for attackers to access your sensitive information.

How to Choose a VPN for Crypto Security

No-logs Policy: Ensure the VPN provider has a strict no-logs policy, meaning they don’t store data about your online activities.
Strong Encryption: Look for VPNs that use industry-standard encryption protocols like AES-256 to secure your data.
Multi-device Support: Many crypto users operate across multiple devices. Ensure the VPN can protect your desktop, smartphone, and tablet simultaneously.
Reputation: Choose VPN services with a solid reputation for security and privacy, such as NordVPN, ExpressVPN, Surfshark or ProtonVPN.

Malware and Spyware: Threats to Your Crypto

Malware and spyware are malicious programs designed to infiltrate your device, often with the intent of stealing sensitive information, including private keys, seed phrases, and exchange login credentials. Once malware is installed on your system, hackers can remotely access your data or control your device, putting your crypto holdings at risk.

Common Types of Malware in Crypto:

Keyloggers: Keylogging malware records everything you type, including passwords, seed phrases, and private keys. Hackers then use this information to steal your funds.
Clipboard Hijackers: These malicious programs monitor your clipboard and change copied wallet addresses to the hacker's address. When you paste the address during a crypto transaction, you unknowingly send your funds to the attacker.
Trojan Horses: Disguised as legitimate software or downloads, trojans can give attackers remote access to your device, allowing them to steal sensitive data or take control of your wallet.

How to Protect Against Malware/Spyware:

Use Reputable Anti-malware Software: Install and regularly update trusted anti-malware programs like Malwarebytes, Bitdefender, or Kaspersky to scan your device for malware.
Keep Your Software Up to Date: Ensure that your operating system, browsers, and crypto-related software (wallets, exchanges, etc.) are always up to date. Many updates include security patches that address vulnerabilities hackers can exploit.
Be Cautious with Downloads: Avoid downloading files, browser extensions, or software from untrusted sources. Hackers often hide malware in seemingly legitimate downloads.
Check for Suspicious Activity: Regularly monitor your devices for signs of malware, such as unexpected pop-ups, slow performance, or unauthorized transactions.

Other Security Best Practices for Crypto

In addition to using VPNs and protecting yourself from malware, several best practices can help ensure your crypto assets remain safe from hackers and scammers.

Use Strong, Unique Passwords

Weak or reused passwords are one of the easiest ways for attackers to compromise your accounts. Always use strong, unique passwords for your crypto wallets, exchanges, and any related services. Consider using a password manager (like LastPass, 1Password, or Bitwarden) to generate and store complex passwords securely.

Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to your accounts by requiring a second verification step in addition to your password. The most secure method of 2FA is using an authentication app like Google Authenticator or Authy, rather than SMS-based 2FA, which can be vulnerable to SIM-swapping attacks.

Use a Hardware Wallet for Long-term Storage

For large or long-term holdings, using a hardware wallet like Ledger or Trezor provides a significantly higher level of security compared to software wallets or exchanges. Hardware wallets store your private keys offline, protecting them from online threats like malware or phishing.

Regularly Revoke Token Approvals

When you interact with decentralized applications (dApps), you may grant them access to spend tokens from your wallet. Over time, these approvals can accumulate, leaving your wallet exposed to potential risks if any of the dApps are compromised. Regularly revoke token approvals using tools like Etherscan or Revoke.cash to minimize the risk.

Avoid Phishing Attacks

Phishing scams remain one of the most common ways crypto users are exploited. These scams often come in the form of emails, fake websites, or social media messages that trick you into revealing your private keys or passwords. Always double-check URLs, avoid clicking on unsolicited links, and never share your private keys or seed phrases with anyone.

Back Up Your Seed Phrase

While using a wallet, make sure you securely back up your seed phrase (the recovery phrase for your wallet) in multiple secure locations. Keep it offline, such as written down and stored in a safe or metal backup, and never store it digitally. Losing your seed phrase means losing access to your wallet and funds forever.

Conclusion

Crypto security is a critical part of managing your digital assets safely. By using VPNs to protect your online activity, safeguarding against malware/spyware, and following basic security best practices like strong passwords and 2FA, you can greatly reduce your exposure to threats. As the crypto world evolves, so do the tactics of bad actors, so staying informed and vigilant is essential to protecting your wealth in the decentralized world.

What are Smart Contract Risks & Revoking Approvals

TL;DR: Smart contracts power DeFi but can have bugs, vulnerabilities, or malicious code. Understanding the risks and regularly revoking token approvals can protect your funds from unexpected losses.

Smart Contract Risks

Smart contracts are the foundation of decentralized applications (dApps) and services in the blockchain world, automating transactions without needing intermediaries. However, interacting with these contracts comes with risks, from bugs to malicious actors. A key way to manage these risks is by understanding token approvals and learning how to revoke approvals when necessary to protect your assets.

Coding Bugs and Vulnerabilities

Smart contracts are immutable once deployed, meaning any errors in the code are permanent unless the contract is upgraded (which isn’t always possible). Even minor bugs can lead to major vulnerabilities, enabling attackers to exploit the contract and steal funds.

Example: The DAO (Decentralized Autonomous Organization) hack of 2016 was a pivotal event in Ethereum's history. A vulnerability in the DAO's smart contract allowed an attacker to repeatedly withdraw ETH without the contract updating its balance. This exploit resulted in the theft of approximately 3.6 million ETH, worth about $50 million at the time. The immutable nature of blockchain meant that once deployed, the flawed contract couldn't be easily modified to stop the attack. This crisis led to a controversial decision: the Ethereum community voted to implement a hard fork, effectively rolling back the blockchain to a point before the hack. This action returned the stolen funds but also split the Ethereum blockchain. The original chain, where the hack remained, became Ethereum Classic (ETC), while the new chain with the reversed transaction history continued as Ethereum (ETH).

Exploits and Attacks

Smart contracts can be exploited by attackers, especially if they’re poorly designed or interact with external data sources (like price oracles). A common type of exploit in DeFi is the flash loan attack, where attackers manipulate markets and drain liquidity pools by exploiting temporary imbalances. Flash loans are uncollateralized loans that must be borrowed and repaid within a single blockchain transaction. They allow users to temporarily access large amounts of capital without putting up any collateral, as long as the loan is repaid by the end of the transaction. While this feature can be useful for legitimate purposes like arbitrage, it also creates opportunities for malicious actors.

Exploit and Attack Examples

Harvest Finance (October 2020): An attacker used a $50 million flash loan to manipulate the price of stablecoins in Harvest Finance's pools. This allowed them to drain approximately $34 million from the protocol. The attack exposed vulnerabilities in how the platform calculated asset values.
Poly Network (August 2021): Exploited a vulnerability in the crypto exchanges software to extract $611 million worth of crypto. All the stolen funds were eventually returned as it transpired that the hacker had carried out the attack just to see if it was possible.
Wormhole (February 2022): The Wormhole token bridge suffered an exploit which resulted in the loss of 120,000 wrapped Ether (wETH) tokens, worth over $325 million at the time, in what was then the 2nd largest De-Fi hack ever. The bridge connected multiple blockchain networks including Ethereum, Solana, Terra, BNB Smart Chain, Polygon, Avalanche and Oasis.
Ronin Network (March 2022). Targeted the network supporting the Axie Infinity blockchain gaming platform. The largest crypto hack to date with $625 million worth of crypto stolen.
BSC Token Hub cross-chain bridge (October 2022): Hackers exploited by creating extra Binance coins, and then taking all available coins.
PlayDapp (February 2024): The crypto gaming and NFT platform lost $290M worth of their PLA tokens in two separate attacks. The exploiter managed to mint 2 billion PLA tokens but since the total circulating supply was only 577 million prior, the exploiter struggled to sell them at anything close to their prior market value.

Trends and Patterns

Cross-chain bridges and DeFi protocols are frequent targets due to their complexity and high value of assets.
Flash loan attacks have become a common method for exploiting vulnerabilities in DeFi projects.
Some hacks, like the Poly Network incident, resulted in partial or full fund recovery.
North Korean hacking groups, such as Lazarus, have been linked to several major crypto heists.

Cryptocurrency exchanges and platforms continue to be prime targets for hackers, with new exploits occurring regularly. The industry faces ongoing challenges in securing digital assets and improving cybersecurity measures.

Rugpulls and Malicious Developers

Sometimes, developers embed malicious code into smart contracts with the intent to scam users. They might drain liquidity pools or steal users' funds after attracting a large amount of investment. Rugpulls occur when developers launch a token or project, build up hype, and then withdraw all the liquidity, leaving investors with worthless tokens.

External Oracle Risks

Many smart contracts rely on oracles—external data providers that supply information (like asset prices) to the blockchain. If an oracle is manipulated or compromised, it can lead to incorrect data being fed to the smart contract, causing unintended behavior.

Example: A compromised oracle could give a wrong token price, leading to incorrect trades, liquidations, or fund losses in DeFi protocols.

Token Approvals and Why They Matter

When you interact with a DeFi protocol, such as a decentralized exchange (DEX) or staking platform, you typically need to approve a smart contract to spend your tokens. This allows the contract to transfer tokens on your behalf—an essential step for actions like trading, staking, or liquidity provisioning.

How Token Approvals Work

Approval Process: When you approve a contract, you’re granting it permission to access and transfer tokens from your wallet.
Unlimited Approvals: Many contracts default to asking for unlimited approval (i.e., permission to spend all tokens of a specific type). This is convenient but risky, as any compromise in the contract or dApp could allow your entire token balance to be drained.

Risks of Open Token Approvals

Open approvals, especially for unlimited amounts, leave your tokens exposed to risks. If the contract gets hacked or if the developers turn malicious, they can exploit the token approval to drain funds from your wallet.

Even if you stop using a specific dApp, the contract can retain its approval to spend your tokens unless you revoke it manually.

How to Revoke Token Approvals

Revoking token approvals is an essential security measure to limit your exposure to potentially risky or outdated smart contracts. By revoking approvals, you prevent those contracts from accessing your tokens in the future. Several tools make it easy to review and revoke token approvals across different platforms.

Blockchain Explorers

Etherscan and other blockchain explorers offer a simple tool for checking and revoking token approvals on that network.

How to Use

Go to the relevant blockchain explorer's Token Approval Checker such as Etherscan, Arbiscan BaseScan and BscScan
Connect your wallet.
Review the contracts with approvals and click “Revoke” to remove permissions from those you no longer use or trust.

Revoke.cash

Revoke.cash is another popular tool for Ethereum Virtual Machine (EVM) networks that allows users to manage their token approvals.

How to Use

Visit Revoke.cash
Connect your wallet.
Check for active token approvals and revoke those that are unnecessary.

Debank

Debank supports multiple blockchains and allows users to manage approvals across Ethereum, BNB Smart Chain, and other DeFi ecosystems.

How to Use

Visit Debank
Connect your wallet.
Navigate to the "Approval" section and revoke any unnecessary approvals.

Best Practices for Managing Approvals

Approve Limited Amounts: When interacting with dApps, approve only the specific amount you plan to use, rather than granting the maximum or unlimited access. This minimizes the potential loss if the contract is exploited.
Regularly Revoke Unused Approvals: If you no longer use a dApp or have granted permissions for multiple platforms, make it a habit to revoke any unused approvals. This limits your exposure to dormant risks.
Monitor Activity: Periodically check your approvals to ensure no unexpected permissions have been granted.

Conclusion

Smart contracts offer revolutionary ways to interact with decentralized finance, but they come with risks. Bugs, vulnerabilities, and malicious actors can put your funds in jeopardy if you’re not careful. Understanding the risks associated with smart contracts and regularly revoking token approvals are key steps in protecting your crypto assets.

By using tools like Etherscan, Revoke.cash, and Debank, you can manage your token approvals and reduce your exposure to risky contracts, ensuring that your wallet remains secure even as you explore the opportunities in DeFi.