Imagine waking up one morning and seeing a list of automated emails from Opensea, notifying you that your items have sold! Only, you didn’t have anything listed for sale… You rush to open your Metamask wallet, only to realize it has been drained. You have been careful; no interactions with shady DMs in Discord, and you haven’t shared your seed phrase with anyone. Why has this happened?
There are almost daily threads on CT (Crypto Twitter) that document how people have lost funds or valuable NFTs (or both) because they were using a hot wallet. In the more straightforward cases, individuals know where the hack came from. Maybe it was a malicious user posing as a moderator in a Discord server, maybe it was a smart contract interaction with a fake minting site. However, there are cases where folks have no idea where it came from.
My own introduction to this topic was luckily early in this leg of my crypto/NFT journey, thanks to some very brave individuals who candidly shared their story on CT for the benefit of others. While I do use a hardware wallet, I admittedly did not know how it actually worked, so I did some research into the topic.
First, a quick primer on how the blockchain works. The blockchain is a ledger made up of all transactions that have ever taken place on it, secured using cryptography. In order to interact with the blockchain, you first need a digital wallet, which allows you to make changes to the blockchain by adding new transactions. A wallet is also a cryptographically secured address of sorts that is used to indicate ownership of digital assets. The wallet does this by having two components: a public key and a private key.
Public and private keys are unique sequences of alphanumeric characters (called a hash) which serve different purposes. They come as a pair, with the public key being mathematically derived from the private key. In basic cryptography, public and private keys can be used in two ways. A message encrypted with a public key can only be decrypted and read by the owner of the private key. In addition to decrypting messages encrypted with the public key, the owner of the private key can “sign” messages using the private key to prove they are the actual sender or authorizer.
These characteristics enable wallets to be used for “holding” digital assets. If the public key (usually shortened to a wallet “address”) is known, anyone can send digital assets to that wallet. Any transfer out of the wallet requires authorization by the private key, hence it is a big problem if your private key (usually expressed as a human-readable password or seed phrase) is exposed. This article from Coinbase includes a helpful graphic of this overall concept.
With this background, we arrive at why securing your private key is important. On the blockchain, you no longer have sole control over your assets if your private key becomes publicly known. Anyone anywhere can access your wallet and transact, liquidating your assets and sending your tokens to other wallets. Security surrounding private keys is paramount.
Broadly speaking, there are two types of digital wallets, and they differ in how your private keys are held. A hardware (HW) wallet, also known as a cold wallet, is a physical device used to store your private keys. Each time you take an action that requires approval by your private keys, you grant permission through the hardware device. When using a HW wallet, your private keys are never exposed to either your computer or the internet, unless you have typed them in on your keyboard yourself. The opposite of a HW wallet is a software (SW) wallet, also known as a hot wallet. These store your private keys on the internet, and you access them by entering your password.
There are benefits and drawbacks to both types. A HW wallet is the most secure, but you will generally need to transact from a PC with a USB port. The downside is that it takes a few more steps to access and use. On the other hand, a SW wallet is very handy and can be used from a mobile device as well as a PC. However, your private keys are stored on the internet, so it is far less secure than a HW wallet.
Hot wallets and cold wallets each have their uses. One way to think about them is to use a combination for good wallet management. A cold wallet may be used for more permanent holdings (i.e. your vault) as well as high-value assets. A hot wallet may be more for everyday use, such as smaller-value assets or interactions that you want to do from a mobile phone.
It is important to remember that a wallet is not a fix-all solution. Malware may affect your computer and alter the address to which you are sending your crypto, so you must be vigilant and check the screen on your HW wallet before approving any transaction. Also, if you misread a transaction, say it is supposed to be a signature but the transaction actually sends ETH instead, your approval on the hardware wallet will allow it to be processed; there is no fail-safe. Connecting to malicious sites may also compromise your wallet if you (inadvertently) grant transaction authorizations, which are a kind of blank check; certain transactions may then take place without your knowledge, because blanket authorization was granted beforehand. This negates the security of a HW wallet.
While the terminology may appear to indicate otherwise, the digital assets are not actually held in your wallet. The assets themselves are either on-chain or in other forms of digital storage. This means that anything that threatens the existence of the underlying blockchain cannot be mitigated by securing your own wallet. If the Ethereum blockchain ceases to exist, so will your NFTs, no matter how well you have secured your HW wallet.
One final point to remember is that with a HW wallet you must maintain its physical security, as anyone who has access to your HW wallet (and its PIN) will have complete control over your funds. On the flip side, if you lose your HW wallet and your backup seed phrase, you will be locked out of your funds. This is the price of self-sovereignty.
I hope this article has been helpful as an introduction to what digital wallets are, how they work, what they secure, and what they don't secure. If you will be transacting with any meaningful amount of crypto (that is, any amount that would pain you to lose), I highly suggest buying a HW wallet if you don't have one already. The two biggest players are Trezor and Ledger. If at all possible, avoid purchasing from Amazon or other resellers and buy from the manufacturers directly, to avoid the risk of receiving a tampered HW wallet. I view HW wallets as only one part of the opsec you should have, but that is a topic for another day.