Tutorials:Web3 Introduction: Difference between revisions

From Seasonal Tokens
No edit summary
No edit summary
Line 26: Line 26:
The Master private key is characterized by a set of twelve words, called the seed, that are enough to recreate all your private keys. If you have your 12 words you can install a wallet software anywhere and load your private keys to access your coins.
The Master private key is characterized by a set of twelve words, called the seed, that are enough to recreate all your private keys. If you have your 12 words you can install a wallet software anywhere and load your private keys to access your coins.


The number of possible 12 word combinations is very large. The probability of finding a Master private key this way is comparable to the probability of finding X
=How Secure is the Seed?=


Breaking a modern Bitcoin/Ethereum seed phrase by brute force is computationally hopeless because of the number of possible seeds is astronomically large. Even if an attacker had unrealistically massive hardware that could test trillions of seeds per second, the expected time to hit the right 12-word seed would still be around 10¹⁹ years, vastly longer than the age of the universe.
Breaking a modern Bitcoin/Ethereum seed phrase by brute force is computationally hopeless because of the number of possible seeds is astronomically large. Even if an attacker had unrealistically massive hardware that could test trillions of seeds per second, the expected time to hit the right 12-word seed would still be around 10¹⁹ years, vastly longer than the age of the universe.
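Review bot: the new paragraph under "=How Secure is the Seed?=" reads "because of the number of possible seeds is astronomically large"; drop the "of". It also quotes "around 10¹⁹ years" against a rate given only as "trillions of seeds per second", so state the number of possible seeds and the exact rate the figure assumes, so a reader can check it. The sentence it replaces stopped at "the probability of finding X", so removing that line is right.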
Line 46: Line 46:
A direct attack by hackers to the blockchain is nearly impossible at this stage. There are public bitcoin addresses with thousands of Bitcoins that remain untouched for years. The weak point in security is keeping the private keys safe.  
A direct attack by hackers to the blockchain is nearly impossible at this stage. There are public bitcoin addresses with thousands of Bitcoins that remain untouched for years. The weak point in security is keeping the private keys safe.  


We will list some of the dangers you have to avoid
We will list some of the dangers you have to avoid:


The most common and dangerous issue is loosing your wallet seed.
Seed phrase exposure (the #1 risk): screenshots, cloud notes, email drafts, password managers you don’t fully trust, printers, clipboard history, or anyone seeing it even once.
Spyware finds your wallet password and funds are moved when you connect your wallet.


=Seasonal Tokens Overview=
Phishing & fake sites: “wallet connect”, airdrops, support DMs, Google ads, and look-alike domains that trick you into typing your seed or signing something.


We will use Seasonal Tokens as an example because its four smart contracts form a self-contained ecosystem that can be studied independently from external market conditions, by paying attention to the price of the tokens relative to each other, and not measured in Ether or USD.
Malware / keyloggers: cracked software, shady browser extensions, “PDF invoices,” remote-access trojans—anything that can read your screen/keyboard or swap copy-pasted addresses.


It is an innovative experiment in cryptocurrency technology, where the four tokens apply the economic principles of Bitcoin’s design:
Fake wallet apps / malicious updates: downloading wallets from unofficial links, or installing “updates” pushed through Telegram/Discord.


# Digital commodities produced by Proof of Work mining,
Malicious browser extensions: especially “helper” crypto tools that request broad permissions; some drain wallets by altering transactions.
# Limited total supply.
# Decreasing rates of production
# Regular Halvings
# No governance, totally trust-less and decentralized
# No Initial Coin Offerings, pre mining or any advantage to developers.


Blind signing approvals: signing a transaction you don’t understand (or that your wallet can’t clearly decode), especially on Ethereum where signatures can grant spending rights.


However, instead of using four separate blockchains, they operate within the Ethereum Virtual Machine.
Unlimited token allowances: approving a dApp to spend unlimited ERC-20 tokens, then the dApp (or a compromised contract) drains later.
This setup provides a fully closed ecosystem where users can gain hands-on experience in a relatively low-risk environment.


Wrong network / wrong address copy-paste: sending funds to the wrong chain, wrong address type, or a contract that can’t receive them; also clipboard “address swapping.”


'''Four [https://www.investopedia.com/news/what-erc20-and-what-does-it-mean-ethereum/ ERC-20] Token Smart Contracts:'''
Fake tokens & impersonation: scam tokens with the same ticker/name, spoofed “verified” accounts, and fake liquidity pools.


Social engineering: “support” staff, “admins,” or “friends” asking for your seed, remote access, or “verification” transactions.


* Spring, Summer, Autumn and Winter.
SIM swap / weak 2FA: relying on SMS for exchange security; attackers port your number and reset passwords.
* Proof of Work mined on the Ethereum Network.
* Maximum Supply 37 million tokens of each type.
* Halving of Mining Supply every 3 years.


[[File:Implemented ETH.jpg|400px |left ]]
Exchange account compromise: reused passwords, no hardware 2FA, leaked email access, API keys left enabled, or phishing that steals session cookies.


[[File:Operating on Polygon.jpg|400px]]
Poor backup practices: only one copy of your seed, storing it where fire/water/theft can destroy it, or telling “someone you trust” who later leaks it.


----
Physical theft / coercion: unsecured hardware wallets, showing your balances publicly, storing seed at home without considering burglary or personal safety.


Signing on a “dirty” device: managing funds on a PC you use for gaming/mods/torrents; mixing high-risk browsing with high-value wallets.


The four tokens smart contracts are independent, they do not interact with each other, and they are identical, except for 3 things:
Complacency with hot wallets: keeping long-term savings in a browser wallet instead of cold storage; one bad click can be enough.
 
 
# The name
# Initial rate of supply
# The Halving schedule, arranged in time so that every nine months the fastest token to produce becomes the slowest to produce.
 
Seasonal Tokens are mined on the Ethereum network. The cost of electricity, equipment and gas fees establish a connection with the real world economy giving the tokens a basic cost of production.
 
However, operating in the Ethereum network is expensive, for this reason the Polygon network is used for trading at a minimal cost.
 
To learn more:
 
[https://welcome.seasonaltokens.org Welcome to Seasonal Tokens]
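Review bot: the danger items from "Seed phrase exposure (the #1 risk)" through "Complacency with hot wallets" are added as separate bare paragraphs, while this same hunk shows the page using `*` and `#` list markup; mark them up as a `*` list under "We will list some of the dangers you have to avoid:". The "=Seasonal Tokens Overview=" section shown in this hunk does not appear in the revision text that follows, and both revisions carry "No edit summary"; if the removal is intended, say so in the summary, otherwise restore the section.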

Revision as of 00:21, 8 January 2026

The term Web 3 refers to using the Internet to interact with cryptocurrencies.


Crypto 101

A cryptocurrency involves 3 components:

  • A computer network sharing a protocol for validating and updating a shared data structure called a blockchain.
  • The blockchain, which keeps track of all transactions of the base digital assets.
  • The digital assets themselves: special data structures that can be "owned" the way physical objects are, often called coins or tokens.

Although there are tens of thousands of cryptocurrencies, there are two basic design principles, exemplified by Bitcoin and Ethereum. Bitcoin was designed to be a decentralized peer-to-peer cash system, and Ethereum was designed as a decentralized virtual machine, expanding the idea of decentralization to computing itself.

Wallet

Only the network nodes interact directly with the blockchain. Most users interact over the Internet using special software called a Wallet. The name gives the impression that it is the place where you keep your coins, but it isn't.

In crypto, the only thing you have is a private key, used to transfer ownership of the coins from the address associated with the private key to another address. The coins live in the blockchain, so you can lose your phone or computer and no coins will be lost.

But if you lose your private keys, there is no way to recover your coins.

The Wallet software does not hold or contain the coins; instead it contains a Master Private Key used to generate addresses (on Bitcoin) or accounts (on Ethereum), which are the places you transfer ownership to and from.

The Wallet Seed

The Master private key is represented by a set of twelve words, called the seed, that are enough to recreate all your private keys. If you have your 12 words, you can install wallet software anywhere and load your private keys to access your coins.

How Secure is the Seed?

Breaking a modern Bitcoin/Ethereum seed phrase by brute force is computationally hopeless because the number of possible seeds is astronomically large. Even if an attacker had unrealistically massive hardware that could test trillions of seeds per second, the expected time to hit the right 12-word seed would still be around 10¹⁹ years, vastly longer than the age of the universe.

In practice, successful “wallet hacks” almost never come from cracking the cryptography; they come from mistakes like weak passphrases, phishing, malware, leaked backups, or someone exposing their words.
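Where the 10¹⁹-year figure comes from, as an added example that is not part of the original page. It assumes the wallet follows the BIP-39 encoding (2048-word list, 128 bits of entropy plus a 4-bit checksum for 12 words) and a rate of 10¹² guesses per second; words are shown as list indices and the sample entropy is constructed.

```python
import hashlib

WORDLIST_SIZE = 2048               # 2**11, so each word encodes 11 bits
WORDS = 12
ENTROPY_BITS = 128                 # 12 * 11 = 132 bits = 128 entropy + 4 checksum
CHECKSUM_BITS = ENTROPY_BITS // 32


def entropy_to_indices(entropy: bytes) -> list:
    """Map 16 bytes of entropy to 12 word-list indices (BIP-39 encoding)."""
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError("expected 128 bits of entropy")
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | checksum
    return [(bits >> (11 * (WORDS - 1 - i))) & 0x7FF for i in range(WORDS)]


def indices_valid(indices: list) -> bool:
    """Recompute the checksum for 12 indices; most random combinations fail."""
    if len(indices) != WORDS or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    return entropy_to_indices(entropy) == list(indices)


def valid_last_words(first_eleven: list) -> int:
    """Count the 12th words that complete a checksum-valid phrase."""
    return sum(indices_valid(first_eleven + [w]) for w in range(WORDLIST_SIZE))


def years_to_search(guesses_per_second: float) -> float:
    """Years needed to try every 128-bit seed at the given rate."""
    return 2 ** ENTROPY_BITS / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    sample = bytes(range(16))      # constructed entropy, never use it for funds
    idx = entropy_to_indices(sample)
    print("indices:", idx, "valid:", indices_valid(idx))
    print("valid 12th words for these 11:", valid_last_words(idx[:11]))
    print(f"years at 1e12 guesses/s: {years_to_search(1e12):.2e}")
```

The checksum removes only 4 of the 132 bits, so the search space stays at 2¹²⁸ seeds; the protection depends entirely on the entropy being random and the words staying secret.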

The Most Important Safety Lesson In Crypto

All you really have is your twelve words. If you lose them, you lose everything.

Permissions

The wallet software is used to interact with websites. It handles the permissions and authorizations granted to the website over your coins.


More on Safety

A direct attack by hackers on the blockchain is nearly impossible at this stage. There are public Bitcoin addresses holding thousands of bitcoins that have remained untouched for years. The weak point in security is keeping the private keys safe.

We will list some of the dangers you have to avoid:

Seed phrase exposure (the #1 risk): screenshots, cloud notes, email drafts, password managers you don’t fully trust, printers, clipboard history, or anyone seeing it even once.

Phishing & fake sites: “wallet connect”, airdrops, support DMs, Google ads, and look-alike domains that trick you into typing your seed or signing something.

Malware / keyloggers: cracked software, shady browser extensions, “PDF invoices,” remote-access trojans—anything that can read your screen/keyboard or swap copy-pasted addresses.

Fake wallet apps / malicious updates: downloading wallets from unofficial links, or installing “updates” pushed through Telegram/Discord.

Malicious browser extensions: especially “helper” crypto tools that request broad permissions; some drain wallets by altering transactions.

Blind signing approvals: signing a transaction you don’t understand (or that your wallet can’t clearly decode), especially on Ethereum where signatures can grant spending rights.

Unlimited token allowances: approving a dApp to spend unlimited ERC-20 tokens, then the dApp (or a compromised contract) drains later.

Wrong network / wrong address copy-paste: sending funds to the wrong chain, wrong address type, or a contract that can’t receive them; also clipboard “address swapping.”

Fake tokens & impersonation: scam tokens with the same ticker/name, spoofed “verified” accounts, and fake liquidity pools.

Social engineering: “support” staff, “admins,” or “friends” asking for your seed, remote access, or “verification” transactions.

SIM swap / weak 2FA: relying on SMS for exchange security; attackers port your number and reset passwords.

Exchange account compromise: reused passwords, no hardware 2FA, leaked email access, API keys left enabled, or phishing that steals session cookies.

Poor backup practices: only one copy of your seed, storing it where fire/water/theft can destroy it, or telling “someone you trust” who later leaks it.

Physical theft / coercion: unsecured hardware wallets, showing your balances publicly, storing seed at home without considering burglary or personal safety.

Signing on a “dirty” device: managing funds on a PC you use for gaming/mods/torrents; mixing high-risk browsing with high-value wallets.

Complacency with hot wallets: keeping long-term savings in a browser wallet instead of cold storage; one bad click can be enough.
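A check for the "Blind signing approvals" and "Unlimited token allowances" items above, as an added example that is not part of the original page: it decodes the calldata of an ERC-20 `approve(address,uint256)` request before signing and flags an unlimited or larger-than-intended allowance. The spender address, amounts and function names are constructed for illustration.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # approve(address,uint256)
MAX_UINT256 = 2 ** 256 - 1

# Constructed sample requests (hypothetical spender 0x1111...1111).
SPENDER_WORD = "00" * 12 + "11" * 20
UNLIMITED = "0x095ea7b3" + SPENDER_WORD + "ff" * 32
BOUNDED = "0x095ea7b3" + SPENDER_WORD + format(500, "064x")


def decode_approve(calldata_hex: str):
    """Return (spender, amount) for an ERC-20 approve call, else None."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if data[:4] != APPROVE_SELECTOR:
        return None
    if len(data) != 4 + 32 + 32:
        raise ValueError("approve calldata must be exactly 68 bytes")
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def review_approval(calldata_hex: str, intended_amount: int) -> str:
    """Classify a signing request against the amount the user meant to allow."""
    try:
        decoded = decode_approve(calldata_hex)
    except ValueError:
        return "reject: malformed"
    if decoded is None:
        return "not an approve call"
    spender, amount = decoded
    if amount == MAX_UINT256:
        return f"warn: unlimited allowance to {spender}"
    if amount > intended_amount:
        return f"warn: allowance exceeds intended amount for {spender}"
    return f"ok: {amount} to {spender}"


if __name__ == "__main__":
    for request in (UNLIMITED, BOUNDED, "0xa9059cbb", UNLIMITED[:-2]):
        print(review_approval(request, intended_amount=500))
```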