
Protect Against Threats in Web3

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain common threats in Web3.
  • Explain how to protect your hardware wallets against threats.
Note

This module was produced in collaboration with Ledger. Learn more about partner content on Trailhead.

Keep Your Assets Secure

In Web3: Self-Custody and Digital Ownership, Ledger explains how crypto offers a way for people to gain control of their own money and assets, and how crypto wallets are a core technology in this ecosystem. Crypto wallets secure your most crucial piece of data in that ecosystem, your private keys. We recommend you complete that module before starting this one. In this module, Ledger helps you know exactly how to protect your digital assets.

Ultimately, the security of your private keys—and therefore, your crypto—depends on your wallet. But there are still some threats even a wallet cannot protect you from. The only way to really be sure you’ve properly secured your crypto is to understand the different types of threat that exist, and what type of defense—your wallet, or your own knowledge—needs to be deployed in order to avoid them.

Protect Against Cyber Threats—Hacking, Malware

Lines of code overlaid on an image of a hand on a laptop keyboard

Your internet connection is the largest exposure your private keys have. Any device that is online, and any wallet software running on it, can be reached by remote attackers and by whatever malware the device picks up.

Consider how this plays out with a software (hot) wallet, which stores your private key on a computer or phone.

Because the key lives on a connected device, it shares that device's entire attack surface. Clicking a malicious link or installing a trojanised app can give an attacker remote access to the machine, and with it the ability to read the private key from disk or memory, capture the recovery phrase as you type it, or swap the destination address of a transaction before you sign it.

The defense is to keep the keys off the connected device altogether. That is the premise of a hardware wallet: the private keys are generated and stored inside a dedicated device with no internet connection, and the recovery phrase is shown only on that device's own screen during setup, so neither ever passes through the computer. (We talk more about recovery phrases in the next unit.)

Protect Your Private Keys, Even When You Transact

And what about when you're interacting with online apps? A hardware wallet acts as an offline signer. The connected computer or phone assembles the unsigned transaction and sends it to the device over a cable or Bluetooth; the device displays what it is about to sign, signs it internally once you confirm, and returns only the signature. The signed transaction is then broadcast online, but the private key never leaves the device.

Online Threats? Use An Offline Wallet

Ultimately, your crypto is exposed to this category of threats whenever your private keys are on an online device. Using a hardware wallet to hold the keys removes most of that exposure: an attacker who controls your computer can still propose a transaction, but cannot sign anything without the device, its PIN, and your confirmation on its screen. That holds as long as you use the device properly and keep your seed phrase safe.

Protect Against Physical Threats—Theft or Attack of Your Hardware Device

Hardware wallet connected to a laptop with Enter PIN code on the screen and a 9 entered with seven more spaces

Say your hardware wallet is taken from you; how can you be sure your crypto will remain safe, even if the device is in the wrong hands?

A PIN Code Set By You

The PIN is the front line of defense if the device itself is stolen: without it, the device will not unlock or sign anything, whoever is holding it. It is also the first security setting you choose yourself. Some hardware wallets add an anti-brute-force measure: after a small number of wrong PIN entries, the device wipes itself (a factory reset), so a thief cannot simply try every combination. Your accounts are then recoverable only from your recovery phrase, which is why that backup must be kept safe.
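The following is an added illustration, not Ledger firmware or any vendor's code: a toy model of the PIN-with-wipe mechanism described above. It shows two design points a practitioner checks for in such a lock: the attempt counter is spent before the PIN is compared, so cutting power mid-check cannot buy a free guess, and the comparison is constant-time. The 4-to-8-digit PIN length, the three-attempt limit, and the salted PBKDF2 hash are assumptions made for the example.

```python
import hashlib
import hmac
import os


class PinLock:
    """Toy model of a hardware wallet PIN check with an anti-brute-force wipe.

    Added example, not real device firmware. The attempt counter is
    decremented (and, on a real device, written to persistent storage)
    BEFORE the PIN is compared, so losing power during the check does not
    restore the attempt. The comparison is constant-time so timing does not
    leak how many digits were right.
    """

    def __init__(self, pin: str, max_attempts: int = 3) -> None:
        # 4 to 8 digits is an assumption mirroring common devices' PIN range.
        if not (4 <= len(pin) <= 8) or not pin.isdigit():
            raise ValueError("PIN must be 4 to 8 digits")
        self._max_attempts = max_attempts
        self.attempts_left = max_attempts
        self.wiped = False  # True once the device has factory-reset itself
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)

    def _hash(self, pin: str) -> bytes:
        # Salted, iterated hash so a dumped flash image does not reveal the PIN.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, 100_000)

    def _wipe(self) -> None:
        # Factory reset: erase everything that could unlock the device or derive keys.
        self._pin_hash = b""
        self._salt = b""
        self.wiped = True

    def unlock(self, pin: str) -> bool:
        """Return True if the PIN is correct; wipe the device when attempts run out."""
        if self.wiped:
            return False
        # Spend the attempt first, then verify.
        self.attempts_left -= 1
        correct = hmac.compare_digest(self._hash(pin), self._pin_hash)
        if correct:
            self.attempts_left = self._max_attempts
            return True
        if self.attempts_left == 0:
            self._wipe()
        return False


def brute_force_survives(pin_lock: PinLock, guesses: list[str]) -> bool:
    """Try each guess in turn; True only if a guess unlocks the device before it wipes."""
    return any(pin_lock.unlock(g) for g in guesses)


if __name__ == "__main__":
    lock = PinLock("4821")
    print("three wrong guesses then the right one:",
          brute_force_survives(lock, ["0000", "1111", "2222", "4821"]))
    print("device wiped:", lock.wiped)
```

A real secure element performs the comparison and counter update inside the chip, where neither the stored PIN nor the counter can be read or rolled back from outside; the model above only captures the ordering and the constant-time comparison.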

Advanced Passphrase

Your 24-word recovery phrase encodes the seed from which every private key on your wallet is derived, so it is what lets you restore your accounts on a new device. The flip side is that anyone who sees those words can restore the same accounts. Advanced passphrase is a feature that limits that risk.

With advanced passphrase you choose an extra secret, often called the 25th word, that is typed by you rather than generated by the device. The 24 words combined with that passphrase derive an entirely separate set of accounts; a different passphrase, or no passphrase, yields different accounts. These are sometimes called hidden or secret accounts because someone holding only your 24 words sees the standard accounts and has no indication that passphrase-protected ones exist. Two caveats follow from how this works: the passphrase is never stored on the device or in the backup, so a forgotten or mistyped passphrase simply opens an empty wallet with no way to recover the hidden accounts, and the standard accounts reachable from the 24 words alone remain exposed to whoever holds them.
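To make the "separate set of accounts" concrete, here is an added example (not Ledger's code) of the standard BIP-39 seed derivation that hardware wallets implement: the mnemonic and the optional passphrase go through PBKDF2-HMAC-SHA512, and the resulting seed feeds the BIP-32 master key from which all accounts descend. The mnemonic used is the public all-"abandon" phrase from the BIP-39 reference test vectors, chosen because its expected seed is known; the passphrases are made up for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the all-"abandon" mnemonic from the BIP-39 reference
# test vectors. It is public and well known; never hold funds on it.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed from a mnemonic and an optional passphrase.

    BIP-39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalised
    mnemonic as the password and "mnemonic" + passphrase as the salt. The
    passphrase is an input to the derivation, not something stored anywhere:
    a different passphrase simply produces a different, unrelated seed.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master node: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    The left 32 bytes are the master private key, the right 32 bytes the
    chain code. Every account on the device is derived from this node, so
    seeds that differ in even one bit lead to disjoint sets of accounts.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def accounts_are_unrelated(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when two passphrases give different master keys from the same words."""
    key_a, _ = bip32_master_key(bip39_seed(mnemonic, passphrase_a))
    key_b, _ = bip32_master_key(bip39_seed(mnemonic, passphrase_b))
    return key_a != key_b


if __name__ == "__main__":
    base = bip39_seed(SAMPLE_MNEMONIC)
    hidden = bip39_seed(SAMPLE_MNEMONIC, "correct horse battery staple")  # made-up passphrase
    print("seed, no passphrase:", base.hex())
    print("seed, passphrase:   ", hidden.hex())
    print("separate accounts:  ",
          accounts_are_unrelated(SAMPLE_MNEMONIC, "", "correct horse battery staple"))
```

Because nothing in the derivation records which passphrase is "right", the device cannot warn you about a typo; it will happily derive a fresh, empty wallet from the wrong passphrase. That is the property that hides the accounts from an attacker, and also the reason the passphrase needs its own careful backup.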

Physical Hacks to the Hardware

If your device falls into the wrong hands, you may face a more sophisticated threat: a physical attack on the device itself. An expert with the hardware on the bench can attempt fault injection (power or clock glitching to skip a check), side-channel analysis of power consumption or electromagnetic emissions to recover key material, or attacks on the device's firmware. Hardware wallets are vulnerable to these unless they are built to resist them. 

  • Secure element chip. Some cold wallets store the keys in a tamper-resistant secure element, the same class of chip used in passports and payment cards where high-end security is needed. These chips are designed to resist laser fault injection, electromagnetic and power glitching, and side-channel extraction of the secrets they hold.
  • Operating system. Some hardware wallets run a monolithic firmware that manages all of their applications as one, so a flaw in any application is a flaw in the whole device. More advanced wallet operating systems isolate each app and the accounts it manages. For you, this means that even if one application were compromised, the damage would be contained to that application and would not reach the rest of your wallet.
  • Constant security innovation. To keep devices ahead of new attacks, some wallet providers maintain an in-house security research team that continually attacks the provider's own hardware and firmware. When you research which wallet to choose, check whether the provider attacks its own devices, publishes what it finds, and ships firmware updates in response.

Protect Against Social Engineering Threats

Some hackers don't attack the network or the code; they attack the people. In social engineering attacks, scammers create a fake situation to gain your trust. We see this approach in phishing (messages that impersonate a wallet provider or dApp to get you to reveal your recovery phrase or sign something) and in pharming and lookalike sites (fake sites served at, or under an address closely resembling, a legitimate one). 

Blind Signing: Scammers’ Paradise

Smart contracts enable the whole ecosystem of decentralized apps (dApps), but they come with a caveat. Many crypto wallets cannot decode a contract call into human-readable terms, so they show you only the raw transaction data, or a hash of it, and ask you to approve. Signing without knowing what the call does is known as blind signing.

This forces you to trust whoever is behind the smart contract. Scammers exploit that by building a scenario that convinces you to approve a transaction that is not what it appears to be. You might think you are minting an NFT, for example, when the call you are signing actually grants the scammer's address permission to transfer your NFTs out of your wallet.

The issue of blind signing is gradually being addressed by innovations in the space—for example, Ledger’s “clear signing” system enables full smart contract details to be displayed on the screen of the hardware wallet device for transactions with integrated dApps. This gives you complete transparency as you transact.

That said, the most reliable way of defending your crypto is understanding exactly how transactions work and what red flags to look for. Learning how to read a smart contract is a great start. Beyond that: avoid blind signing wherever possible, use other checks (such as verifying the contract address and the permission being requested) to reduce your risk where clear signing is not an option, and treat anything suspicious with caution. Together these go a long way toward securing you against social attacks. 
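As an added illustration of what "reading a transaction" means in practice (this is example code, not Ledger's clear-signing implementation), the decoder below turns raw calldata into the kind of summary a clear-signing screen shows and flags the two patterns behind the NFT scam described above: an unlimited ERC-20 `approve`, and `setApprovalForAll(operator, true)`, which hands an operator control of every NFT you hold in a collection. The selectors are the real standard ones; the sample calldata and the addresses in it are constructed for the example.

```python
from typing import Any

# Function selectors: first four bytes of keccak256(canonical signature).
# These are the standard ERC-20 / ERC-721 entry points scammers most often target.
SELECTORS = {
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("23b872dd"): ("transferFrom", ("address", "address", "uint256")),
    bytes.fromhex("a22cb465"): ("setApprovalForAll", ("address", "bool")),
}
UINT256_MAX = 2**256 - 1

# Constructed sample calldata (not real transactions); the operator address is a placeholder.
SCAMMER = "0x" + "11" * 20
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32


def _decode_word(abi_type: str, word: bytes) -> Any:
    """Decode one 32-byte ABI word of a static type."""
    if abi_type == "address":
        if any(word[:12]):
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    if abi_type == "uint256":
        return int.from_bytes(word, "big")
    if abi_type == "bool":
        value = int.from_bytes(word, "big")
        if value not in (0, 1):
            raise ValueError("bool word is not 0 or 1")
        return bool(value)
    raise ValueError(f"unsupported type {abi_type}")


def decode_calldata(calldata_hex: str) -> dict:
    """Turn raw calldata into what a clear-signing screen would show, plus red flags."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = data[:4], data[4:]
    if selector not in SELECTORS:
        # Unknown function: the wallet can only show opaque bytes, i.e. blind signing.
        return {"function": None, "selector": selector.hex(), "args": [],
                "warnings": ["unknown function: approving this means blind signing"]}
    name, types = SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError("argument block has unexpected length")
    args = [_decode_word(t, body[32 * i:32 * (i + 1)]) for i, t in enumerate(types)]

    warnings = []
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append(f"unlimited token allowance granted to {args[0]}")
    if name == "setApprovalForAll" and args[1]:
        warnings.append(f"{args[0]} may move every NFT you hold in this collection")
    if name in ("transfer", "transferFrom"):
        warnings.append("this call moves tokens immediately")
    return {"function": name, "selector": selector.hex(), "args": args, "warnings": warnings}


def summarize(calldata_hex: str) -> str:
    """One-line rendering of the decoded call, as a device screen might show it."""
    decoded = decode_calldata(calldata_hex)
    if decoded["function"] is None:
        return f"UNKNOWN 0x{decoded['selector']} (blind signing)"
    rendered = ", ".join(str(a) for a in decoded["args"])
    flags = "; ".join(decoded["warnings"])
    return f"{decoded['function']}({rendered})" + (f" !! {flags}" if flags else "")


if __name__ == "__main__":
    for sample in (SAMPLE_SET_APPROVAL_FOR_ALL, SAMPLE_UNLIMITED_APPROVE, "0xdeadbeef"):
        print(summarize(sample))
```

Decoding the selector and arguments is only half the check: a lookalike contract can expose the same `approve` signature, so the contract address itself must also be verified against the project's published one before the call is trusted.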

Be the Gatekeeper

Understanding the crypto ecosystem—and your role in your own cryptocurrency’s security—is crucial to the safety of your coins and tokens. In the next unit, Ledger reviews how you can recover a hot wallet.
