Are Your Crypto Wallet Keys Really Safe?

Written by sankritk | Published 2023/02/24
Tech Story Tags: cryptocurrency | crypto-wallet-security | blockchain | public-key-cryptography | blockchain-technology | web3-security | cryptocurrency-top-story | defi

TL;DR: With the recent surge in the popularity of cryptocurrencies, more and more people are looking for ways to store their digital assets safely. One of the most popular is to use a cryptocurrency wallet. However, **your crypto keys are not 100% safe even with a wallet**. In fact, there are a number of different ways that your keys can be compromised.

With the recent surge in the popularity of cryptocurrencies, more and more people are looking for ways to store their digital assets safely. While there are many different methods of doing this, one of the most popular is to use a cryptocurrency wallet.

However, your crypto keys are not 100% safe even with a wallet. In fact, there are a number of different ways that your keys can be compromised, whether by hackers, thieves, or even just through human error.

Why Many Consider Private Keys To Be Safe

Crypto-maxis beat the drum of “Not your keys, not your crypto” and advocate the use of non-custodial wallets. The thinking is that as long as you don’t store your keys on an exchange or with a third-party service, they can’t be stolen. This is true to some extent.

If you use a non-custodial wallet (such as MetaMask, Trust Wallet, and others), it would be very difficult for a hacker to get to your digital assets. But not impossible.

Non-custodial wallets put most of the key management into the hands of the user, thereby claiming to provide true ownership of digital assets.

The Concept of a Mnemonic Phrase

A mnemonic phrase, also known as a seed phrase or recovery phrase, is a set of words that can be used to restore your wallet. Mnemonic phrases are obtained from private keys by transforming the hexadecimal digits of a private key into a series of words. Each word in the phrase corresponds to a hexadecimal digit, and the position of each word in the phrase corresponds to the position of the corresponding hexadecimal digit.

Most non-custodial wallets will generate a mnemonic phrase for you when you first create your wallet. This phrase typically consists of 12-24 words. If you ever need to restore your wallet, you simply need to enter your mnemonic phrase into the wallet software, and it will generate your private keys and allow you to access your digital assets.

While this may not sound like much, it certainly provides a high degree of probabilistic security.

To put that into perspective, the odds of guessing a seed phrase correctly are 1 in 1.96 x 10^69, which is more than the total estimated number of atoms on Earth!
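As an added example (not code from the article), here is the BIP39 procedure that most non-custodial wallets implement for the phrase described above: random entropy gets a SHA-256 checksum appended, the bits are cut into 11-bit groups, each group indexes the fixed 2048-word BIP39 list (not embedded here), and the phrase is then stretched into the wallet seed with PBKDF2. The checksum is what lets a wallet reject a mistyped phrase before deriving any keys.

```python
import hashlib
import unicodedata

# Added example, not the article's code. The real BIP39 word list is not
# embedded; the functions work on word-list indices (0..2047) instead.

def mnemonic_indices(entropy: bytes) -> list[int]:
    """Turn 128..256 bits of entropy into BIP39 word-list indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32          # 4 bits for 12 words, 8 for 24
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in digest)[:checksum_bits]
    # Every 11-bit group is one word; 132 bits -> 12 words, 264 bits -> 24 words.
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum embedded in the last word.

    A random wrong phrase passes with probability 2^-4 (12 words) or 2^-8 (24 words),
    so this catches most typos but is not a secrecy mechanism.
    """
    if len(indices) not in (12, 15, 18, 21, 24) or not all(0 <= i < 2048 for i in indices):
        return False
    bits = "".join(f"{i:011b}" for i in indices)
    checksum_bits = len(bits) // 33
    entropy_len = len(bits) - checksum_bits
    entropy = int(bits[:entropy_len], 2).to_bytes(entropy_len // 8, "big")
    return mnemonic_indices(entropy) == indices

def seed_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """Stretch the phrase into the 64-byte seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    salt "mnemonic" + optional passphrase. Anyone holding the phrase can do this."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

if __name__ == "__main__":
    # All-zero entropy is the first published BIP39 test vector:
    # "abandon" x 11 + "about" (index 3), so the checksum nibble is 0x3.
    print(mnemonic_indices(bytes(16)))
    print(seed_from_mnemonic("abandon " * 11 + "about", "TREZOR").hex())
```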

The problem is that if someone were to get hold of your mnemonic phrase, they would have full access to your wallet and could do whatever they wanted with your digital assets.

This is known as the “Private Key Paradox”: despite the unfathomable security of the cryptography, your digital assets are just one guess away from being completely compromised.

Under the Hood of Crypto Wallets

A software wallet is an application or, in most cases, a browser extension that allows you to access on-chain assets. You can interact with other wallets through the PKI system. Note that all these non-custodial wallets store your keys locally, on your device or in your browser, so if your device is compromised, it will be easy for the intruder to access that data.

Here’s a case of a hacker brute forcing a Trezor hardware wallet to access over $2 million worth of cryptocurrencies just because the PIN had been momentarily stored in the device’s RAM.

Further, most non-custodial wallet solutions today rely on APIs from Etherscan, OpenSea, Alchemy, and Infura (all of them centralized) to produce your recent transactions, wallet balance, and the NFTs available in your wallet.

This is concerning because these wallets perform no verification of whether the API calls are legitimate. This essentially pushes the ecosystem to trust centralized services.
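One defensive pattern for the point above, as an added example (not code from the article or from any of the wallets named): ask several independent JSON-RPC providers the same question, validate each reply, and accept a balance only when a quorum agrees. The provider names and replies are constructed samples shaped like `eth_getBalance` responses.

```python
import json
from collections import Counter
from typing import Optional

# Added example, not from the article or any wallet: cross-check centralized
# API providers instead of trusting a single one.

def parse_balance(raw: str, expected_id: int) -> Optional[int]:
    """Validate one JSON-RPC reply and return the balance in wei, or None if unusable."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return None
    # Reject replies that carry an error, the wrong protocol version, or an id
    # that does not echo our request (a replayed or mismatched answer).
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id or "error" in msg:
        return None
    result = msg.get("result")
    # JSON-RPC quantities are 0x-prefixed hex strings.
    if not isinstance(result, str) or not result.startswith("0x"):
        return None
    try:
        return int(result, 16)
    except ValueError:
        return None

def agreed_balance(replies: dict, expected_id: int, quorum: int):
    """Return (balance, dissenting providers); balance is None when fewer than
    `quorum` providers agree on a value."""
    parsed = {name: parse_balance(raw, expected_id) for name, raw in replies.items()}
    votes = Counter(v for v in parsed.values() if v is not None)
    if not votes:
        return None, sorted(parsed)
    value, count = votes.most_common(1)[0]
    dissent = sorted(name for name, v in parsed.items() if v != value)
    return (value if count >= quorum else None), dissent

# Constructed sample replies: two providers agree on 1 ETH (10^18 wei), one
# reports 2 ETH, and one answers with the wrong request id.
SAMPLE_REPLIES = {
    "provider-a": '{"jsonrpc":"2.0","id":7,"result":"0xde0b6b3a7640000"}',
    "provider-b": '{"jsonrpc":"2.0","id":7,"result":"0xde0b6b3a7640000"}',
    "provider-c": '{"jsonrpc":"2.0","id":7,"result":"0x1bc16d674ec80000"}',
    "provider-d": '{"jsonrpc":"2.0","id":9,"result":"0xde0b6b3a7640000"}',
}

if __name__ == "__main__":
    print(agreed_balance(SAMPLE_REPLIES, expected_id=7, quorum=2))
```

A wallet that shows the user the dissenting providers, rather than silently picking one answer, turns a single trusted API into a detectable disagreement.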

The recent MetaMask-Infura fiasco, in which users in Venezuela were geo-blocked from accessing their wallets, further emphasized how dangerous these central entities are to the true decentralization that web3 is aiming at.

The Menace of “Secure” Wallets

Over the years, several non-custodial wallets were subject to hacks and theft. Some of the popular ones include the Slope wallet hack, which compromised over 8,000 accounts in August, the Trinity wallet hack, which lost over $2 million in IOTA tokens in 2020, and the Parity wallet hack, which allowed an attacker to steal 150,000 ETH in 2017.

In April 2022, Apple customers were advised by MetaMask to turn off the automatic iCloud backup of their wallet data. The warning was issued in response to the losses suffered by an NFT collector, who reportedly lost $650,000 in digital assets after his MetaMask wallet was wiped out in seconds.

Reliance on PKI

The problem with managing private keys is that it’s often difficult to remember dozens of random hexadecimal strings. As a result, many people tend to store their keys in digital wallets or on physical devices such as USB drives.

This creates a new set of problems, as the user now must worry about losing their device or wallet. If the user loses access to their device, they also lose access to their digital assets.

Another problem with storing private keys on devices is that it’s often difficult to tell if the device has been compromised. For example, if an attacker were to gain physical access to your device, they could install malware that would record your keystrokes and steal your private keys.

To address these problems, many wallets rely on Public Key Infrastructure (PKI), which is a system of digital certificates and cryptographic keys that can be used to verify the identity of users and devices.

For example, when you log into a website, the server will use PKI to verify that your browser is who it says it is. PKI can also encrypt communication between two parties, such as when you use HTTPS to connect to a website.

The problem with PKI is that it relies on centralized Certificate Authorities (CAs) to issue and manage digital certificates. These CAs are often owned by large corporations, such as Symantec or Comodo. The reliance on centralized CAs creates a single point of failure that attackers can exploit. For example, in 2011, an attacker was able to obtain a fraudulent SSL certificate for the domain name “google.com” from Comodo.

Yet PKI remains in use because of its wide adoption and its status as an established industry standard. We need a realistic way out of this.

Conclusion

The nature of key ownership, whether custodial or non-custodial, is not as simple as it looks or as it is presented to you up front. The problem is compounded by the numerous moving elements involved in key management, from key generation to storage. Every piece of hardware or software in the chain poses risks that expose even allegedly non-custodial wallet choices to custodial-type concerns.

It all comes down to two pain points: wallets rely on centralized entities to perform almost 95% of their tasks, and they depend on outdated PKI. Both can be resolved as web3 evolves.


Sankrit for Your Content

If you are looking for a web3-native content writer, I’d be happy to chat and share more of my work.

LinkedIn: https://www.linkedin.com/in/sankritk/

Website: https://sankrit.com
