When another major NFT collector, Larry Lawliet, lost more than $2.7m worth of non-fungible tokens (including seven pricey Bored Apes) earlier this month, many in the art world rolled their eyes. But Lawliet’s misfortune will have made others uneasy at the thought of their own digital assets suffering a similar fate.
Lawliet’s loss comes just one month after the New York-based art collector and gallerist, Todd Kramer, appealed to the Twitter community over the loss of $2.2m of NFTs from the Bored Yacht Club and Mutant Ape Yacht collections. In both cases, the collectors fell victim to a social engineering or phishing scam in which they were duped into giving up sensitive information.
So, what exactly are online “wallets” and how can you keep them safe? Online wallets differ fundamentally from their offline counterparts in that they store the identification details for an asset rather than store the asset itself.
“When many people hear ‘wallet’, they’re actually thinking about the tool you use to control your wallet—often, this is MetaMask on Ethereum, or TempleWallet on Tezos,” says Christopher King, a co-founder of ClubNFT, a platform and advisory service focused on safeguarding collectors. “These are more appropriately called ‘wallet managers’, with the wallet being more of an ID or set of cryptographic keys associated with a blockchain address.” The tokens themselves are owned by that address, but for NFTs, the media files are often stored off-chain.
The vulnerabilities of such a system are manifold but, on a fundamental level, the move to a decentralised system shifts the onus onto owners to secure their assets.
“We are so used to the banks and other institutions taking care of our assets that we don’t know how to protect ourselves,” says Amir Soleymani, an NFT art collector. “A decentralised space is for everyone, even the bad actors, and it’s up to each of us to educate ourselves on securing and protecting our assets.”
Threats and vulnerabilities
Whereas an offline theft or scam could see perpetrators caught and assets restored, the moment the keys or the wallet for an NFT are compromised, the value is irretrievably lost.
Online scammers are one of the most obvious risks, and the examples of Kramer and Lawliet highlight the challenge of identifying trusted sources in a market that is still relatively young.
“As a relatively new economy, buyers are not aware enough of the risks and potential tactics of hackers,” says Fanny Lakoubay, the founder of LAL art NFT advisory, who adds that “buyers are not even aware sometimes of how to secure their investment”.
Malware and attacks on machines are another concern, hence a growing number of initiatives and technological solutions focused on storing NFTs and security information offline, including ledgers and cold wallets.
However, and perhaps ironically, it is the offline and human element that poses the most risk.
“The weakest link in the blockchain security model is the user themselves,” King says. “If a user shares the secret key to a wallet with someone else, by accident or due to a clever social engineering attack, that user has just likely lost everything they owned in that wallet. If a user clicks ‘approve’ on a transaction they were tricked into believing was legitimate but was an attempt to steal from them, then they have just given approval to the thief to steal their assets.” Threats of physical extortion are also reported.
Those dabbling in the digital art market at the lower end may not think they have much to lose. But, as the online platform Vertical Crypto Art warns in one of its website classes, perpetrators may keep your details for when your assets are worth more.
How to keep secure
There are two types of wallet—“hot”, which is constantly linked to the internet, and “cold”, which is not. The latter is considered safer, although its security still depends on the owner remembering key details. Ensuring basic health checks for your devices, such as remembering to install the latest updates and verified antivirus software, is also important.
Ensure that any offers or click-throughs come from a verified account or user. This includes emails seemingly from OpenSea, approaches asking for your seed phrase (words generated by your wallet) and attempts to sell spam NFTs.
Take your time
And do your homework. This includes knowing where the value of your NFTs is held—most works of art linked to NFTs are not stored in the blockchain (they can be on an InterPlanetary File System, or IPFS), so other security options are worth considering.
Keep your password safe
Once a password or key is out, the loss is irretrievable. Consider old-school methods to remember it—believe it or not, good old-fashioned paper, pen and envelopes can sometimes be best.
If it looks too good to be true…it is
Be suspicious, assume the worst and work backwards. It may not be the most positive approach, but it can prove the safest.