Security Best Practices - Grants Stack Edition

Best Practices

Here are some best practices to keep in mind when running a round.

  • Be really careful which wallets you give admin privileges to.
    • Anybody whose wallet is attached can approve or reject applications, and could empty the wallet if they chose to.
  • Ideally use a Gitcoin Passport wallet, one that has some onchain reputation, but NOT one in which you receive a salary or hold important funds.
  • Regularly check which sites your wallet is connected to, and disconnect from any that you’re not familiar with or actively using.
  • Double-check the wallet address before you send funds to your escrow account.
    • Send a small amount first to double check.
  • Be careful of unknown people DMing you
  • Grantees who get rejected and are trying to appeal, or anyone reaching out to support could be a
    • Be SUPER clear about what you’ll never do and exactly where to get support.
  • Be VERY clear about who gets rejected and approved. If not, it’s an opportunity for people to be phished by someone pretending to be a round operator.

How to make sure your wallet doesn’t get compromised

  • Be careful what you click on
    • Unknown DMs
  • Segment what you use that wallet for
  • Use a separate browser for anything grants round-related
  • Run Malwarebytes
    • It’s not always about clicking a link and getting your wallet drained. If there is malware on your computer, it can expose your wallet just as easily.
  • Use a password manager
  • Use 2FA on every key account you have.

The extra mile

The following is not necessary, but these are the “extra mile” steps we recommend if you want added security beyond the fundamentals.

  • Use a “guest” (standard user) account instead of an “administrator” account on your computer.
    • This is an extra layer of protection in case you do get compromised, as they won’t have access to your administrator passwords.
  • Consider using a Ledger (hardware wallet).
    • It makes signing more time-consuming, but it is more secure.
  • Multisigs are another option.
    • Remember, you’ll need to rely on multiple signers.

How to protect grantees & donors

Whatever you choose to communicate publicly, it’s important to have clear guidelines. As inspiration, here is what we (Gitcoin) will and will never do.

  • Be aware of “moments of FOMO”
    • Right before the round or shortly before it ends
    • People getting their applications in right before the deadline
    • Donors donating right before deadline
  • NEVER encourage FOMO
  • Have a clear way for community members to report suspected scams
    • If a copy of your round is circulating, people need a way to flag it as a potential scam.
  • Have a way to recognize the legitimate version of the round
    • “Only use the link that’s linked from the official twitter page/webpage”
    • Have a list of trusted domains/webpages

What we (Gitcoin) will never do:

  • We will never ask you to send us money in order to get 2x back, or anything similar to this
  • We don’t do airdrops or token distributions
  • We will never (and no one should ever) ask you for your passcodes for hot wallets
  • We will never ask you to download a screensharing service that grants remote access to your device (TalkDesk, etc.)
  • We will never mistakenly send you an NFT and ask you to send it back; if someone on the Gitcoin team makes a mistake, you get to keep the NFT, we promise.
  • We will never transfer funds to your bank account or ask you to accept a check. We don’t use bank accounts–that’s so web2.

Some general best practices around web3 cybersecurity

  • Bookmark tabs! Bookmark the Gitcoin webpage. Bookmark our Passport page. Bad actors sometimes buy domains that look similar, and can even get these malicious sites to the top of search engines for a while!
    • (While you’re at it: Bookmark all your tradfi bank websites, too, and your cefi exchanges… we’ll wait.)
  • Never give your wallet passcodes on a phone call, or input them directly into any site.
    • The ONLY time you should be prompted for your passcodes is when you have downloaded a hot wallet as a browser extension or desktop app and are affirming ownership of a wallet you created elsewhere. Always check the download count in a trusted app store to make sure you are not installing a hot-wallet imitator app.
      • We recommend cold storage for long-term storage.
      • Do not use a wallet holding your life-savings to browse hot new web3 projects.
    • Best practice: Never sign for a new contract on a new website or an NFT platform without checking that it is the contract address you’re expecting. Find the contract address and verify it on Etherscan or similar.
    • Do not transfer spam NFTs or trash-tokens out of your wallet if you are holding significant assets in the sending or receiving wallet; this action can activate malicious contracts.
  • Assume that all of your usernames and passwords are known. Set up 2FA on any web2 or web3 accounts where you keep substantial funds (or use a cold storage wallet). Use a password manager for the web2 world, plus 2FA wherever possible.
  • Never download Talkdesk or similar screenshare software that grants a 3rd party full remote access to your computer. Legitimate support services should not ask you to do this, as it is a well-known scammer technique. If you find yourself having downloaded an app like this, turn off the computer, remove the battery or the power cord; take the device to your local tech service and tell them what you’ve done. They’ll forgive you and help you remove the software without giving the 3rd party access to transfer all your funds and your fave NFTs.
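The “list of trusted domains” under “How to protect grantees & donors” and the look-alike domains warned about in the bookmarking tip above can be turned into a simple check that a round operator or community moderator can run on any link before sharing it or when triaging a scam report. The code below is an added example, not part of the original page or of Gitcoin’s tooling; the trusted domain `example-round.org` and every URL in it are constructed placeholders, not real Grants Stack addresses.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allow-list standing in for the official domains a round operator
# publishes; this is a placeholder, not a real Gitcoin or Grants Stack domain.
TRUSTED_DOMAINS = ("example-round.org",)

# Digits commonly used in place of letters in look-alike host names.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _hostname(url: str) -> str | None:
    """Lower-cased host of an https URL, or None if the link is unusable."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # .hostname already drops any user@ prefix and :port, so a link such as
    # https://example-round.org@evil.example/ yields the host "evil.example".
    host = parts.hostname.rstrip(".")
    # Punycode or non-ASCII labels can render as look-alikes; treat as unusable.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return None
    return host


def is_trusted_link(url: str) -> bool:
    """True only for a trusted domain or a genuine subdomain of one."""
    host = _hostname(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(url: str) -> str | None:
    """For an untrusted link, name the trusted domain it appears to imitate."""
    if is_trusted_link(url):
        return None
    # Use the whole authority (including any user@ part) so a brand name placed
    # before '@' or as a sub-label of another domain is still caught.
    authority = urlsplit(url.strip()).netloc.lower().rstrip(".")
    folded = authority.translate(_CONFUSABLES).replace("rn", "m")
    for domain in TRUSTED_DOMAINS:
        if domain.split(".")[0] in folded:  # brand stem, e.g. "example-round"
            return domain
    return None


if __name__ == "__main__":
    for link in ("https://app.example-round.org/rounds/1",
                 "https://examp1e-round.org/claim",
                 "https://example-round.org@evil.example/"):
        print(link, is_trusted_link(link), lookalike_of(link))
```

A link that fails `is_trusted_link` but returns a domain from `lookalike_of` is exactly the kind of copy of a round that the reporting channel above should receive.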