Since firmware v1.6 you can sync your ZERO with Rabby Wallet. This allows you to use Rabby Wallet while your private keys stay on your ZERO.
Soon, we'll release a MetaMask integration too.
If you have an existing Rabby wallet, it is recommended to transfer your existing Rabby accounts to ZERO and then connect these ZERO accounts with Rabby. This way they are less exposed, because the keys no longer live in the browser.
A hardware wallet that keeps your seed phrase offline, like ZERO, offers more security than a 'hot' wallet like Rabby Wallet or MetaMask that stores the seed in a browser or on a phone. But this doesn't mean that nothing can happen. By signing a malicious transaction, you can still lose your funds.
Below are some tips to stay safe on web3.
Segregate wallets for different activities
This tip is based on the 'TAP' setup from twitter/X user @Punk6529, and takes it a step further. (TAP is short for "Three Address Protocol")
The easiest and most effective action you can take is to segregate your funds in separate wallets and across different addresses. If you ever need to sign a transaction that you don't trust 100%, doing it from a separate wallet with only the funds needed for that transaction will limit the possible damage in case it goes wrong.
Creating new wallets on ZERO is trivial with the passphrase feature.
Wallet 1 - Cold storage
- This is your most secure wallet. It is never used for defi.
- You can connect it to Rabby Wallet to manage and transact coins that are not supported in the LIQUID app. But for anything else, the other wallets should be used.
- This wallet is disconnected from Rabby Wallet after usage to limit the possibility of making any mistake.
Wallet 2 - Defi wallet
- Your web3 wallet. This wallet can connect to dApps that you're familiar with. It only holds funds that you need for defi activities.
- This wallet can stay synchronized with Rabby Wallet.
- You can spread assets across different addresses in this wallet to further minimize the risk.
Wallet 3 - Risky wallet
- This wallet can be used to connect to dApps you don't fully trust.
- This wallet holds no other funds, only the amount required for the transaction you want to do.
- Afterwards, the funds should be moved to wallet 1 or 2 (Cold storage or Defi wallet).
- Spread assets across different addresses in this wallet to further minimize the risk.
Disconnect dApps and revoke token approvals as soon as possible
Connecting your wallet to a site doesn't pose any risks in itself. But a website that you're connected to may propose a malicious transaction. As long as you don't consent to a transaction, nothing can happen to the funds in your wallet.
- But to be sure, we recommend disconnecting from sites and dApps as soon as a connection is no longer required. In Rabby Wallet you can manage all connections via More >> Connected Dapps.
- Based on the segregated wallet setup described above, never use your cold storage wallet to connect to sites. Only use your 'defi' or 'risky' wallet to connect your wallet.
A token approval can be more risky than connecting a wallet. An approval allows a smart contract to spend up to a certain quantity of a token in your wallet, without asking you again for each transfer.
- You should revoke any token approvals as soon as the approval is no longer required. In Rabby Wallet you can manage all token approvals via the 'Approvals' button.
- Based on the segregated wallet setup described above, you should only use your 'risky' wallet for token approvals.
"Know your scams"
Familiarizing yourself with different types of scams will make you more aware of them and may help to identify scam attempts.
MetaMask has an extensive overview of all sorts of scams in their Help Center: Staying safe in web3.
- Address poisoning scams
- Clipboard hacking
- Failed transaction scams
- Fake crypto exchange scams
- Fake 'mining' voucher scams
- Fake token investment scams and 'pig butchering' attacks
- Honeypot scams
- How to tell the difference between a regular airdrop and airdrop phishing scams
- NFT airdrop scams
- NFT listing scams
- NFT minting scams
- Scammers and Phishers: Rugpulls and airdrop scams
- Signature phishing
- Spoofing scams
- What is a sweeper bot?
- Testnet ETH scams
- Token pre-sale scams
Check the smart contract
Be wary if a smart contract transaction asks you to approve access to your tokens. Make sure to check the following:
- Is the token approval relevant for what the smart contract is supposed to do?
- Does the amount of tokens being requested match with what you expected?
- Make sure to use an account or wallet that only holds the amount of tokens needed for this transaction.
- Make sure to revoke the approval as soon as it is no longer needed.
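The checks above (is the approval relevant, does the amount match what you expected) can be applied to the raw calldata of an approve() request before you sign it. The following is an added example, not code from NGRAVE or Rabby Wallet; the spender addresses, amounts and calldata are constructed for illustration, and the 4-byte selector is the standard ERC-20 approve(address,uint256) selector.

```python
"""Decode an ERC-20 approve() call and apply the pre-sign checklist from the text."""

# Well-known 4-byte selector of approve(address,uint256) in the ERC-20 ABI.
APPROVE_SELECTOR = "095ea7b3"
# 2**256 - 1: the value dApps commonly request to mean "unlimited allowance".
UINT256_MAX = (1 << 256) - 1


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(address,uint256) calldata; used here only to construct sample input."""
    return "0x" + APPROVE_SELECTOR + spender.lower()[2:].rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> dict:
    """Return the spender and amount from approve() calldata, or raise ValueError."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve()")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    # ABI arguments are 32-byte words; an address sits in the low 20 bytes of its word.
    spender = "0x" + data[8 + 24:8 + 64]
    amount = int(data[72:136], 16)
    return {"spender": spender, "amount": amount}


def check_approval(calldata: str, expected_spender: str, expected_amount: int, decimals: int = 18) -> list:
    """Run the checklist; an empty list means the approval matches what you intended."""
    decoded = decode_approve(calldata)
    warnings = []
    if decoded["spender"] != expected_spender.lower():
        warnings.append(f"spender {decoded['spender']} is not the contract you intended to use")
    if decoded["amount"] == UINT256_MAX:
        warnings.append("unlimited allowance requested; the contract could move all of this token")
    elif decoded["amount"] > expected_amount:
        warnings.append(f"amount {decoded['amount'] / 10**decimals:g} exceeds expected {expected_amount / 10**decimals:g}")
    return warnings


# Constructed sample data: a placeholder dApp contract and three approval requests.
ROUTER = "0x" + "11" * 20                      # the contract you meant to interact with
SAMPLE_OK = encode_approve(ROUTER, 100 * 10**18)
SAMPLE_UNLIMITED = encode_approve(ROUTER, UINT256_MAX)
SAMPLE_WRONG_SPENDER = encode_approve("0x" + "ab" * 20, 100 * 10**18)

if __name__ == "__main__":
    for name, data in [("ok", SAMPLE_OK), ("unlimited", SAMPLE_UNLIMITED), ("spender", SAMPLE_WRONG_SPENDER)]:
        print(name, check_approval(data, ROUTER, 100 * 10**18) or ["looks as expected"])
```

Rabby's own pre-sign check surfaces the same two facts (spender and amount); this shows where they come from in the calldata.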
Look up the smart contract on the relevant blockchain explorer:
- Known scams will be marked as such.
- Is the source code verified?
- Check if the smart contract has any comments.
Use security features and extensions
Rabby Wallet has some interesting security features. Make sure to use them.
- Address whitelisting allows you to save frequently used addresses, so that you can easily select the correct address and get a warning when you've never transferred to an address before, helping you recognize scam addresses. You can also label smart contracts as "Trusted" or "Blocked" to easily recognise them the next time.
- Rabby Wallet provides a "Pre-sign check" that detects abnormalities before you sign and shows a clear explanation. Built-in security alerts identify and mitigate potential risks by examining recipient addresses, token details, contract addresses and approvals.
- With transaction simulations you can preview all asset changes before signing, making it easier to identify scams.
Blind signing
Make sure you also read the article about Blind signing. For certain transactions it can't be avoided. But it carries certain risks, which are important to understand.
Disclaimer
The risk of loss in signing smart contract transactions can be substantial. You should understand the possibility of losses associated with such transactions and assume complete responsibility for all associated risks and their outcomes.
NGRAVE, its employees, or representatives do not and will not provide any investment or legal advice regarding your transactions. You acknowledge that you are solely responsible for your decisions and actions performed with NGRAVE's products. Additionally, you acknowledge that NGRAVE, its employees, or representatives will not make any personal recommendations or provide any advice on your transactions or investment decisions.
Before signing any transaction or contract, you should carefully consider whether it is secure and suitable for you, given your current circumstances and financial resources.
In the event that something goes wrong, you acknowledge that NGRAVE is powerless to intervene and cannot and will not assist in resolving any issues arising from your transactions.