*Note: V1, Update Logs, please see the Chinese version.*
Author: Cos@SlowMist Team<br>
@ -71,6 +72,7 @@ Proofreader:
- [Appendix](#appendix)
- [Security rules and principles](#security-rules-and-principles)
- [Contributors](#contributors)
- [The Tools](#the-tools)
- [Official Sites](#official-sites)
# Prologue
@ -161,7 +163,7 @@ If you pay attention, you will find the download pages for both GPG tools give s
**If it is a browser extension wallet**, such as MetaMask, the only thing you have to pay attention to is the download number and rating in the Chrome web store. MetaMask, for example, has more than 10 million downloads and more than 2,000 ratings (though the overall rating is not high). Some people might think that the downloads numberand ratings may be inflated. Truth to be told, it is very difficult to fake such a large number.
**The mobile wallet** is similar to the browser extension wallet. However, it should be noted that the App Store has different versions for each region. Cryptocurrency is banned in Mainland China, so if you downloaded the wallet with your Chinese App Store account, there is only one suggestion: don't use it, change it to another account in a different region such as the US and then re-download it. Besides, the correct official website will also lead you to the correct download method (such as imToken, Trust Wallet, etc. It is important for official websites to maintain high website security. If the official website is hacked, there will be big problems.).
**The mobile wallet** is similar to the browser extension wallet. However, it should be noted that the App Store has different versions for each region. Cryptocurrency is banned in Mainland China, so if you downloaded the wallet with your Chinese App Store account, there is only one suggestion: don't use it, change it to another account in a different region such as the US and then re-download it. Besides, the correct official website will also lead you to the correct download method (such as imToken, OneKey, Trust Wallet, etc. It is important for official websites to maintain high website security. If the official website is hacked, there will be big problems.).
**If it is a hardware wallet**, it is highly recommended to buy it from the official website. Do not buy them from online stores. Once you receive the wallet, you should also pay attention to whether the wallet is inact. Of course, there are some shenanigans on the packaging that are hard to detect. In any case, when using a hardware wallet, you should create the seed phrase and wallet address at least three times from scratch. And make sure that they are not repeated.
@ -223,7 +225,7 @@ I will briefly explain each type.
**SSS**, Shamir's Secret Sharing, SSS breaks down the seed into multiple shares (normally, each share contains 20 words). To recover the wallet, a specified number of shares has to be collected and used. For details, refer to the industry best practices below:
Using solutions such as multi-signature and SSS will give you peace of mind and avoid single-point risks, but it could make management relatively complicated and sometimes multiple parties will be involved. There is always a compromise between convenience and security. It is up to the individual to decide but never be lazy in principles.
@ -291,7 +293,7 @@ To better avoid AML issues, always choose platforms and individuals with a good
### Cold Wallet
There are different ways to use a cold wallet. From a wallet's perspective, it can be considered as a cold wallet as long as it's not connected to any network. But how to use it when it's offline? First of all, if you just want to receive cryptocurrency, it's not a big deal. A cold wallet could provide excellent experience by working with a Watch-only wallet, such as imToken, Trust Wallet, etc. These wallets could be turned into watch-only wallets by simply adding target wallet addresses.
There are different ways to use a cold wallet. From a wallet's perspective, it can be considered as a cold wallet as long as it's not connected to any network. But how to use it when it's offline? First of all, if you just want to receive cryptocurrency, it's not a big deal. A cold wallet could provide excellent experience by working with a Watch-only wallet, such as imToken, OneKey, Trust Wallet, etc. These wallets could be turned into watch-only wallets by simply adding target wallet addresses.
If we want to send cryptocurrency using cold wallets, here are the most commonly used ways:
@ -1036,22 +1038,61 @@ Security principles:
## Contributors
Thanks to the contributors, this list will be continuously updated and I hope you can contact me if there are any ideas for this handbook.
Thanks to all the contributors, this list will continue to be updated. If you have any ideas, please contact:
SlowMist, Twitter (@SlowMist_Team), e.g. Pds | Johan | Kong | Kirk | Thinking | Blue | Lisa | Keywolf...
English translator, e.g. Alphatu | C. | CJ | JZ | Lovepeace | Neethan | pseudoyu | SassyPanda | ss |
Japanese translator, e.g. Jack Jia | Mia
Korean translator, e.g. Sharon | Jeongmin
Jike App
Some Anonymous friends ...
More info: https://darkhandbook.io/contributors.html
```
**If your contribution is accepted for inclusion in this handbook, you will be added to the list of contributors.**
**As long as there is help that is adopted and included in this handbook, such as: providing specific defense suggestions and cases; translation work; correction of major errors, etc.**
**For example**: provided specific safety defense suggestions or cases; participated in translation work; corrected larger errors, etc.
## The Tools
This handbook, commonly referred to as the "Dark Handbook," has been available for over two years, and I'm delighted to observe its helpful impact on many individuals. Its influence continues to expand, with a growing number of supporters advocating for updates. Typically, these updates to the Dark Handbook primarily consist of [expanded readings](https://github.com/evilcos/darkhandbook). The challenge with these extended readings is that they are technically complex and not very accessible for beginners. Additionally, I recognize that not everyone is keen to invest substantial time in mastering the nuances of blockchain security. Originally, this section aimed to recommend some beginner-friendly tools, such as wallets, security extensions, and scripting tools. However, after much deliberation, I have decided against endorsing specific products due to the swift pace of change within the industry. Although this manual has highlighted several reliable tools, it's uncertain whether they will remain effective or relevant in the future. Given my responsibility towards all readers, I must admit, I'm not sure.
As I've stated previously, when recommending a tool, I strive to describe it as objectively and neutrally as possible. Additionally, for enhanced security, every reader should bear in mind the following:
*Absolute security does not exist. Adopting a zero-trust approach with continuous verification is essential in navigating this complex landscape. Should any of these tools develop a bug, encounter a security issue, or, in a worse scenario, include a backdoor in a new update, the risk is yours to manage. I encourage you to think independently and critically before using these tools.
*My research skills are well-honed, and I have a broad network, so rest assured that I will recommend quality tools when it seems appropriate. There is no need to rush; if a tool proves reliable and earns widespread trust, I will naturally endorse it.
*Everyone has their unique approach, and this is mine.
*Stay away from the influence of coin prices.
* Trust is hard to build, but it can collapse in an instant, so please cherish it.
Although I do not make any specific tool recommendations in this section, I would like to share a valuable mindset: the firewall mindset. The previously emphasized concepts of "zero trust" and "continuous verification" are actually part of this firewall thinking.
예For example, in the use of wallets, signing is a major area of concern for fund security, with various sophisticated phishing methods related to signing, such as:
- The exploitation of native signing with eth_sign/personal_sign/eth_signTypedData_*, where eth_sign has been increasingly blocked by wallets.
- The exploitation of authorization functions like approve/permit for Tokens/NFTs.
- The utilization of powerful functions like Uniswap’s swapExactTokensForTokens/permit2.
- The exploitation of protocol functions from OpenSea/Blur and others (which are very diverse).
- The exploitation of TX data 4byte, such as for Claim Rewards/Security Update.
- Using Create2 to pre-create funding receiving addresses, bypassing related checks.
- A single signature on Solana phishing away all assets in a target wallet address.
- Bitcoin inscription for one-click mass phishing, utilizing the UTXO mechanism.
- Switching phishing across various EVM chains/Solana/Tron, etc.
If your wallet, when prompting for signature confirmation, sends out the signature right after a single click—whether due to FOMO or a shaky hand—then this method of using the wallet does not embody the firewall mindset. A better practice is to require at least two clicks; each additional click adds a layer of security (of course, not too many layers, as people can become desensitized...). For example, I use browser extension wallets like Rabby, MetaMask, and OKX Wallet, and except for test wallets, I always pair these with a hardware wallet (preferably one with a larger screen to easily review the content about to be signed).
At this point, the extension wallet’s signature confirmation popup will perform the first layer of security analysis, such as identifying phishing sites, risky wallet addresses, what-you-see-is-what-you-sign, and high-risk signature recognition. These are crucial for user interaction security. The hardware wallet provides a second layer of security analysis. If you then add a browser wallet security extension like Scam Sniffer, Wallet Guard, or Pocket Universe, you add another layer to your firewall. However, it’s essential to remember, even if there are no risk alerts for the action you are undertaking, you must still be vigilant and recognize that ultimately, you are your own last line of defense...
Once accustomed to the firewall mindset, the impact on efficiency is minimal, but the sense of security is greatly enhanced. Let’s generalize this approach to other scenarios.
evilcos
lisa2gether