SlowMist, Twitter (@SlowMist_Team), e.g. Pds | Johan | Kong | Kirk | Thinking | Blue | Lisa | Keywolf...
English translator, e.g. Alphatu | C. | CJ | JZ | Lovepeace | Neethan | pseudoyu | SassyPanda | ss |
Japanese translator, e.g. Jack Jia | Mia
Korean translator, e.g. Sharon | Jeongmin
Jike App
Some Anonymous friends ...
More info: https://darkhandbook.io/contributors.html
```
**If your contribution is accepted for inclusion in this handbook, you will be added to the list of contributors.**
**As long as there is help that is adopted and included in this handbook, such as: providing specific defense suggestions and cases; translation work; correction of major errors, etc.**
**For example**: provided specific safety defense suggestions or cases; participated in translation work; corrected larger errors, etc.
## The Tools
This handbook, commonly referred to as the "Dark Handbook," has been available for over two years, and I'm delighted to observe its helpful impact on many individuals. Its influence continues to expand, with a growing number of supporters advocating for updates. Typically, these updates to the Dark Handbook primarily consist of [expanded readings](https://github.com/evilcos/darkhandbook). The challenge with these extended readings is that they are technically complex and not very accessible for beginners. Additionally, I recognize that not everyone is keen to invest substantial time in mastering the nuances of blockchain security. Originally, this section aimed to recommend some beginner-friendly tools, such as wallets, security extensions, and scripting tools. However, after much deliberation, I have decided against endorsing specific products due to the swift pace of change within the industry. Although this manual has highlighted several reliable tools, it's uncertain whether they will remain effective or relevant in the future. Given my responsibility towards all readers, I must admit, I'm not sure.
As I've stated previously, when recommending a tool, I strive to describe it as objectively and neutrally as possible. Additionally, for enhanced security, every reader should bear in mind the following:
*Absolute security does not exist. Adopting a zero-trust approach with continuous verification is essential in navigating this complex landscape. Should any of these tools develop a bug, encounter a security issue, or, in a worse scenario, include a backdoor in a new update, the risk is yours to manage. I encourage you to think independently and critically before using these tools.
*My research skills are well-honed, and I have a broad network, so rest assured that I will recommend quality tools when it seems appropriate. There is no need to rush; if a tool proves reliable and earns widespread trust, I will naturally endorse it.
*Everyone has their unique approach, and this is mine.
*Stay away from the influence of coin prices.
* Trust is hard to build, but it can collapse in an instant, so please cherish it.
Although I do not make any specific tool recommendations in this section, I would like to share a valuable mindset: the firewall mindset. The previously emphasized concepts of "zero trust" and "continuous verification" are actually part of this firewall thinking.
예For example, in the use of wallets, signing is a major area of concern for fund security, with various sophisticated phishing methods related to signing, such as:
- The exploitation of native signing with eth_sign/personal_sign/eth_signTypedData_*, where eth_sign has been increasingly blocked by wallets.
- The exploitation of authorization functions like approve/permit for Tokens/NFTs.
- The utilization of powerful functions like Uniswap’s swapExactTokensForTokens/permit2.
- The exploitation of protocol functions from OpenSea/Blur and others (which are very diverse).
- The exploitation of TX data 4byte, such as for Claim Rewards/Security Update.
- Using Create2 to pre-create funding receiving addresses, bypassing related checks.
- A single signature on Solana phishing away all assets in a target wallet address.
- Bitcoin inscription for one-click mass phishing, utilizing the UTXO mechanism.
- Switching phishing across various EVM chains/Solana/Tron, etc.
If your wallet, when prompting for signature confirmation, sends out the signature right after a single click—whether due to FOMO or a shaky hand—then this method of using the wallet does not embody the firewall mindset. A better practice is to require at least two clicks; each additional click adds a layer of security (of course, not too many layers, as people can become desensitized...). For example, I use browser extension wallets like Rabby, MetaMask, and OKX Wallet, and except for test wallets, I always pair these with a hardware wallet (preferably one with a larger screen to easily review the content about to be signed).
At this point, the extension wallet’s signature confirmation popup will perform the first layer of security analysis, such as identifying phishing sites, risky wallet addresses, what-you-see-is-what-you-sign, and high-risk signature recognition. These are crucial for user interaction security. The hardware wallet provides a second layer of security analysis. If you then add a browser wallet security extension like Scam Sniffer, Wallet Guard, or Pocket Universe, you add another layer to your firewall. However, it’s essential to remember, even if there are no risk alerts for the action you are undertaking, you must still be vigilant and recognize that ultimately, you are your own last line of defense...
Once accustomed to the firewall mindset, the impact on efficiency is minimal, but the sense of security is greatly enhanced. Let’s generalize this approach to other scenarios.
evilcos
2 months ago
committed by
GitHub