Ledger CTO on How NOT to Lose Your Crypto

Podcast Summary

• Crypto Wallet Security with Charles Giammetta from Ledger: Learn essential crypto wallet security practices from a security expert, including setting up a seed phrase, private keys, cold and hot wallets, and private key management. Understand concepts like entropy, blind signing, transaction simulation, phishing prevention, and smart contract allowances.

  Setting up and managing your own crypto wallet involves important security practices to prevent loss of funds. In this episode of Bankless, security expert Charles Giamay from Ledger shares his expertise on topics such as setting up a seed phrase, private keys, cold and hot wallets, and private key management in the world of Web 3. It's crucial for individuals to navigate the self-custody aspect of crypto with knowledge and confidence. The episode covers essential concepts like entropy for creating a private key, blind signing, transaction simulation, phishing prevention, and smart contract allowances. The future of wallet security and private key management is also discussed. For beginners, this episode provides practical advice and peace of mind. Veterans can also benefit from learning new nuances and nuggets. Sponsors like Kraken and Phantom support the show, offering secure and user-friendly crypto platforms.

• Navigating Crypto Safety: Setting Up a Wallet, Maintaining Private Keys, and Using the Wallet in Web 3: Learn about setting up a wallet, maintaining private keys, and using the wallet in the web 3 environment to navigate the crypto world safely. Choose between hardware, software, or web wallets, understand the importance of backups, strong passwords, and avoiding phishing scams, and be aware of smart contract risks and only interacting with trusted sources.

  As a beginner in the world of crypto and self-custody, managing your own private keys can seem intimidating due to the potential consequences of making mistakes. However, it's essential to understand that security is an ongoing process, and companies like Ledger are dedicated to improving it. To help navigate the world of crypto safely, there are three main categories to consider: setting up a wallet, maintaining private keys, and using the wallet in the web 3 environment. By educating yourself on these topics and being cautious, you can minimize risks and enjoy the benefits of being your own bank. Charles Guillaume, CTO of Ledger, emphasized the importance of security in the crypto world, acknowledging that there's no such thing as bulletproof security. Instead, the focus should be on implementing the best practices and continuously raising the bar for security. Setting up a wallet involves choosing between various options, such as hardware wallets, software wallets, or web wallets. Maintaining private keys requires understanding the importance of backups, strong passwords, and avoiding phishing scams. Lastly, using a wallet in the web 3 environment involves being aware of smart contract risks and only interacting with trusted sources. By being informed and taking the necessary precautions, you can confidently manage your own private keys and enjoy the benefits of being in control of your crypto assets.

• Securely Generating Private Keys in Crypto: Crypto's security relies on randomly generated, high-entropy private keys. These keys prove ownership of digital assets and must be kept secret. Understanding their importance is key to maintaining a secure presence in the blockchain world.

  In the world of cryptocurrency and blockchain technology, the secure generation and self-custody of private keys are of the utmost importance. These keys act as the proof of ownership for your digital assets, and because of the immutability of blockchain, if an attacker gains access to your key, there's no central entity to report to and reverse the transaction. Therefore, it's crucial that your keys are randomly generated with a high level of entropy to ensure they're difficult to guess and evenly distributed within the vast 256-bit space. This randomness eliminates any patterns that could limit the available private keys. The power of owning your own crypto comes with a great responsibility, and understanding the importance of private key generation is the first step in establishing a secure presence in the blockchain world.

• Securing Private Keys through Robust Random Number Generation: Ensure wallets use robust random number generation processes to secure private keys and avoid sharing seed phrases with others.

  The security of your cryptocurrency wallet depends heavily on the quality and distribution of the private key generation process. Two notable examples of mistakes made in the past include the use of a vanity address generator with insufficient entropy and a wallet that relied on an external source of randomness, which changed unexpectedly. These errors significantly reduced the number of possible private keys and made it easier for attackers to recreate them, potentially draining wallets. As a new user, it can be challenging to ensure the entropy of your seed is sufficient. However, reputable wallets like Ledger and MetaMask employ hardware-based True Random Number Generators (TRNGs) to create secure private keys. These devices have dedicated hardware specifically designed to generate random numbers, enhancing the security of your wallet. It's essential to be aware that attackers can exploit vulnerabilities in private key generation, so always double-check the security practices of any wallet or tool you use. Additionally, avoid sharing your seed phrase with anyone, as it grants full access to your wallet. In summary, the importance of sufficient entropy in private key generation cannot be overstated. By understanding the risks and using secure wallets with robust random number generation processes, you can help protect your cryptocurrency assets.

• Hardware wallets offer more secure key generation than software wallets and computers: Hardware wallets like Ledger provide a more secure environment for generating and storing cryptographic keys due to rigorous testing, dedicated hardware, and additional cryptographic post-processing. Software wallets and computers may not provide the same level of security and are more susceptible to risks.

  While software, including MetaMask, can generate keys, it may not provide the same level of security as hardware wallets like Ledger. Hardware wallets, such as Ledger, undergo rigorous testing and certification processes to ensure the quality of their random number generation (TRNG) and offer additional cryptographic post-processing to amplify entropy. Users can trust the generated keys within the hardware wallet, but have the option to import their own keys or generate keys on a separate device they trust. Computers and software, including MetaMask, are not as reliable for generating high-quality keys due to potential issues with entropy and verifiability. Additionally, being connected to the internet increases the risk of malware or attacks. Hot wallets, which are connected to the internet, offer convenience but come with these risks. To enhance security, it is recommended to use a hardware wallet like Ledger and connect it to software wallets like MetaMask for improved connectivity. Storing keys on software wallets or computers is not a secure method due to potential risks with entropy and verifiability. In summary, hardware wallets like Ledger provide a more secure environment for generating and storing cryptographic keys due to their rigorous testing, dedicated hardware, and additional cryptographic post-processing. While software wallets and computers can generate keys, they may not provide the same level of security and are more susceptible to risks.

• Seed Phrase vs Private Key: Understanding the Differences: A seed phrase is a sequence of 24 words representing a master secret, while a private key is a unique code derived from the master secret to access a cryptocurrency account.

  A seed phrase and a private key are related but distinct concepts in the world of cryptocurrencies. A seed phrase is a sequence of 24 human-readable words that represents a master secret. This master secret can be used to generate multiple private keys for various accounts and blockchains. The words in the seed phrase come from a dictionary of 2,048 words, and each word has a corresponding index. An algorithm, using a one-way function like a hash function, is used to derive private keys from the master secret. The seed phrase allows you to generate an endless list of private keys, but knowing one private key does not allow you to derive the seed phrase or any other private keys. The process of deriving the master secret for a specific blockchain is different, and there is a dedicated field in the derivation process to specify the chain. The entropy from the seed phrase and the derivation path combine to create the unique entropy for each blockchain. Each character in a seed phrase word is important because it corresponds to an index in the dictionary, not the specific letters themselves.

• Digitizing your seed phrase increases security risks: Writing down your seed phrase on paper is the most secure method, while digitizing it increases your risks of having it compromised by hackers or malware.

  Writing down your seed phrase on any digital form connected to the Internet significantly increases your security risks. The crypto world uses a standardized dictionary with specific serial numbers for each word, creating the necessary entropy for security. Seed phrases, consisting of 24 words, are crucial for accessing your cryptocurrency wallet. However, remembering and writing down these words in order is challenging for most people. Common mistakes include digitizing seed phrases by taking photos on smartphones or writing them in emails. These methods expose your seed phrase to potential threats, such as hackers accessing your photos or emails. In fact, there are bots that specifically search for photos of seed phrases in people's photo albums. Writing your seed phrase in a digital file on your computer is also risky, as it can be accessed by malware or hackers. The security risks associated with digitizing your seed phrase are similar to using a software wallet, making it essentially the same level of risk. Pen and paper remain the most secure method for storing your seed phrase since it is not connected to the Internet. By avoiding digitization, you minimize the potential risks of having your valuable data compromised by attackers on the Internet. The difference in security between writing down your seed phrase on paper and digitizing it is like a binary chasm, with one side offering total security and the other opening you up to a long tail of unknown risks.

• The Value of Exploiting Vulnerabilities in the Digital Age: Stay informed of the latest security threats, secure your digital assets, practice good security habits, and understand the consequences of losing access to them.

  As technology advances, so does the potential for vulnerabilities and the value of exploiting them. From selling vulnerabilities as a teenager to the current market for critical vulnerabilities like zero-click, zero-day remote code execution on mobile phones for millions of dollars, the security landscape has significantly changed. With the rise of cryptocurrency, the stakes are even higher, as an attacker could potentially drain all wallets worldwide, making a few million dollars insignificant. It's crucial to be aware of this risk and take appropriate measures to secure your digital assets. Another important takeaway is the importance of practicing good security habits, such as writing down and securing seed phrases for crypto wallets. However, it's essential to understand the difference between a wallet with valuable assets and a test wallet. The speaker emphasized the need for personal responsibility in securing your digital assets and considering the potential consequences of losing access to them. It's a reminder that security is a personal matter and requires careful thought and planning.

• Where to Store Your Crypto Seed Phrase?: Consider safety, living situation, and potential risks when deciding where to store your cryptocurrency seed phrase. Personal circumstances, risk tolerance, and convenience play a role in the best storage solution.

  Storing your cryptocurrency seed phrase requires careful consideration and personal assessment of various factors. It's not as simple as having a prescribed answer. Instead, you must ask yourself a series of questions to determine the best storage solution for you. First, consider the safety of your seed phrase. Don't keep it on your desk or in an easily accessible place. If you're comfortable with the recovery time, you might be able to hide it outside of your house. If not, you may want to split it into parts or use a safe. Consider your living situation. Do you live alone? Do you trust those around you? Do you have children or pets that could accidentally find or damage your seed phrase? Additionally, think about potential risks such as fire or theft. What would you do if your home was on fire and your seed phrase was the only way to access your funds? A personal setup could involve keeping your hardware wallet with you while storing the seed phrase in a secure location. Alternatively, you could use the plausible deniability feature to create multiple wallets with different passphrases. Ultimately, the answer to where to store your seed phrase depends on your personal circumstances, risk tolerance, and convenience. It's a question that requires careful thought and consideration.

• Adding a 25th word for extra wallet security: Adding a 25th word to a Bitcoin wallet seed phrase enhances security with an extra layer of plausible deniability and password protection. However, it's complex and not recommended for new users due to potential mistakes and risks of losing access to funds.

  Creating a secure Bitcoin wallet involves using a seed phrase of 24 words, but there is an optional 25th word that can be added for extra security. This 25th word functions as a password to create a new wallet with all new entropy, providing an additional layer of plausible deniability and security. However, it's important to note that this feature is more advanced and not recommended for new users due to its complexity. Overengineering wallet security can lead to mistakes, such as forgetting a passphrase or trying to remember it instead of writing it down. The loss of access to a wallet due to forgotten passphrases or other mistakes can result in the permanent loss of funds. While building your own self-custody setup can be admirable, it's important to consider the value of off-the-shelf solutions that have been developed by specialized security companies with significant resources and expertise. Ultimately, the choice between self-custody and off-the-shelf solutions depends on individual preferences, comfort levels, and priorities. For new users, it's recommended to keep it simple and use the regular 24-word seed phrase, stored securely in a safe place. As users become more comfortable with self-sovereignty and self-custody, they can consider exploring more advanced features like the 25th word option. But beware, even the most security-conscious individuals can make mistakes, so always prioritize backups and redundancies to minimize the risk of losing access to your funds.

• Hot vs Cold Wallets: Balancing Security and Convenience: Hot wallets offer convenience but less security, while cold wallets offer greater security but less convenience. Individuals can use both for managing digital assets based on their needs and risk tolerance, with valuable items stored in cold wallets and smaller transactions in hot wallets.

  Managing digital assets requires careful consideration of security measures, specifically in the context of hot and cold wallets. Hot wallets, which are more automated and faster for frequent transactions, offer less security due to their convenience. Cold wallets, on the other hand, offer greater security but are less convenient due to their manual nature and limited transaction capabilities. Exchanges use this system to secure most of their assets in cold wallets while keeping a smaller portion in hot wallets for quick transactions. Individuals can adopt a similar approach when managing their own digital assets, keeping valuable items in cold wallets for long-term storage and using hot wallets for smaller transactions involving greater risk. It's important to remember that hot wallets are more susceptible to hacks and that using a hardware wallet for hot wallet transactions adds an extra layer of security. Ultimately, the choice between hot and cold wallets depends on an individual's specific needs and risk tolerance.

• Hot wallet vs Cold storage: Set up a hot wallet for easy transactions and a cold storage wallet for securely holding larger assets. Keep only small amounts in your hot wallet and avoid complex transactions. Have your cold storage wallet only send and receive funds to and from a single hot wallet.

  In the world of crypto, it's essential to set up your wallet like a bank with a hot wallet acting as a teller desk for easy transactions and a cold storage wallet as a secure vault for larger assets. It's important to keep only small amounts in your hot wallet and avoid signing complex transactions from it to minimize the risk of getting hacked. A good practice is to have your cold storage wallet only send and receive funds to and from a single hot wallet. This ensures that all transactions are simple and well-supported by your wallet, reducing the risk of errors or hacks. Uniswap is a decentralized exchange and NFT aggregator that makes it easy to buy, sell, or swap tokens and NFTs, even directly from a bank account. Arbitrum is a scalability solution for Ethereum that provides faster transaction speeds and lower gas fees, making it an attractive option for builders and users alike. By following these best practices and utilizing reliable platforms like Uniswap and Arbitrum, you can minimize risks and maximize the security of your crypto assets.

• Managing Cryptocurrencies and NFTs: Beyond Private Keys: Smart contracts introduce new risks, especially with allowances and permissions. Use tools like Earnify to manage wallets and track allowances. Prioritize security features like key generation, secure cryptography, and clear signing.

  Managing cryptocurrencies and NFTs involves multiple layers of security, going beyond just protecting private keys. Smart contracts introduce new risks, particularly with allowances and permissions. Earnify is a tool that helps users claim unclaimed airdrops and manage their wallets, including tracking allowances. When it comes to security, key generation, secure cryptography within an enclave, and clear signing with human-readable consent are essential properties to consider. Allowances and access permissions can give third parties the right to perform transactions on your behalf, so it's crucial to manage them carefully and ideally contain them in a single wallet. Always be aware of the risks and take appropriate measures to secure your digital assets.

• Managing Access Permissions with Care in DeFi and NFT Transactions: Be cautious when granting access permissions for specific transactions, as off-chain signatures can be vulnerable to time-based attacks. Focus on secure, on-chain transactions to maintain transparency and security.

  While smart contracts can be used to give third parties permission to access parts of your wallet for specific transactions, such as selling NFTs on marketplaces like OpenSea, it's important to handle these interactions with care. Off-chain signatures, which are used in these transactions, can be vulnerable to time-based attacks. The design of platforms like OpenSea, which rely on off-chain signatures to save on gas fees, can lead to a lack of transparency and security. It's crucial to remember that the purpose of blockchain and smart contracts is to enforce rules and ensure security, rather than relying on off-chain signatures that can be exploited. Instead, efforts should be focused on solving scalability and fee challenges to ensure secure, on-chain transactions. When it comes to allowances and access permissions, it's essential to be aware of the potential risks and carefully manage your wallet, especially when engaging in high-activity, high-touch, high-frequency DeFi and NFT transactions.

• Be cautious when granting smart contract approvals: Granting smart contract approvals can expose digital assets to security vulnerabilities. Understand contract functionality, manage approvals with tools like revoke.cash, and only grant when necessary.

  While interacting with decentralized finance (DeFi) platforms and non-fungible token (NFT) marketplaces, it's crucial to be cautious when granting allowances or approvals to smart contracts. These approvals can give access to your digital assets, and if not managed properly, could potentially lead to security vulnerabilities. For instance, an attacker could exploit an allowance to buy your NFT at a cheap price. It's essential to understand the specific smart contract's functionality and the conditions under which it can use your assets. If you're not planning to sell or trade your NFT or tokens, it's recommended to revoke all approvals. To manage your approvals, consider using tools like revoke.cash. When dealing with different smart contracts, consider their reputation and the level of trust associated with them. Newly deployed contracts may carry more risk, and beware of potential phishing attempts. Remember, only grant allowances when necessary and ensure you fully understand the implications.

• Be cautious when signing transactions in Web 3 and DeFi: Avoid blind signing and always understand the implications before approving transactions, especially with valuable assets.

  In the world of Web 3 and decentralized finance (DeFi), it's crucial to be cautious and fully understand what you're signing before proceeding. Blind signing, or signing a message without knowing its implications, can lead to significant losses. For instance, you might unknowingly grant full access to a malicious smart contract, potentially emptying your wallet. It's essential to keep calm, question suspicious requests, and avoid blind signing, especially with valuable assets. Instead, use a separate wallet for experimental transactions and be informed about the details of the transaction before approving it. Ledger aims to provide as much information as possible to help users make informed decisions.

• Challenges of Blind Signing in Web 3 and Potential Solutions: Hardware wallets with larger screens and transaction simulation systems are potential solutions for the challenge of blind signing in decentralized applications. It's important to maintain the secrecy of your cryptographic keys and understand what you're consenting to in clear signing.

  Ensuring security in web 3 involves several complex issues, one of which is the challenge of blind signing in decentralized applications (dApps). This problem is multifaceted and requires innovative solutions. Two potential solutions mentioned are hardware wallets with larger screens for better readability and transaction simulation systems for displaying the outcome of transactions. Ledger is working on several initiatives to address these issues, including the Web Suite Check feature and the development of Ledger Stacks with a wider screen. Another important aspect is maintaining the secrecy of your cryptographic keys and understanding what you're consenting to in clear signing. Resources for learning more about these topics include Ledger's podcast series, Stephanie's content focused on Bitcoin, and Bankless. Overall, security in web 3 is a crucial topic, and staying informed and practicing good security habits are essential.

• Join the Exciting Frontier of Crypto and DeFi with Bankless: Become a Bankless premium subscriber for exclusive content, market analysis, and community perks in the crypto and DeFi space.

  Investing in Ethereum (ETH), crypto, and Decentralized Finance (DeFi) comes with risks, but it's also a part of the exciting frontier that offers financial independence from traditional banks. Managing your own private keys can be risky, but it's a necessary step for those on the bankless journey. Despite the risks, the Bankless community is a valuable resource for those interested in crypto. By becoming a Bankless premium subscriber, you'll gain access to exclusive content, market analysis, and community perks. The Bankless channel offers in-depth interviews, educational content, and weekly summaries of The Week in Crypto. Don't miss out on this opportunity to learn and grow in the crypto space. Click the link in the description to join the Bankless Nation today.