Part 1: EZINCRYPTO’s Hack, and the EZMONEY DAO
Greetings Web3 friends. I’m writing today to a few different ends, but hopefully this will turn out to be an informative and helpful article for people who are looking to upgrade their security in the bull market. We can start with a short story about a very good friend of mine who recently suffered an attack that felt personal. I can relate - I had one like that last year. I’m not sure who these new attackers are, in the space, but one thing is for sure: it’s a good time to start thinking precautionary thoughts.
The Story: EZINCRYPTO Gets Social Engineered
The details are similar to a million stories you’ve no doubt heard before. Web3 OG, the last person you’d expect this to happen to, makes a tiny slip-up but it happens because they’re experimenting with something new and they just get careless. You’ve probably got a name in your mind’s eye now. Some CT influencer you’ve seen make money but also get rekt. Well, in this case, the difference is that our original cryptocurrency community member wasn’t out in the world doing degen things. Instead, he was looking for support in a community he’s a part of, and has been for a long time.
Our friend, EZINCRYPTO, recounted the story of how some malicious user inserted a hacked support bot into a server and used it to socially engineer him. He didn’t get to revoke.cash quick enough, and in the end the damage was around $10,000 of liquid crypto that was sent out of his wallet.
I know there’s a chance that your reaction to this is something along the lines of “yep, that’s why crypto’s a scam.”
And in a way, that’s a fair point of view. The difference between crypto and Web2 rails is that Web2 comes with customer service and account recovery: there’s always someone standing between you and whatever it is you’re supposed to be interacting with. In Web3, we don’t have that protection. So, you’re completely right - there is user safety infrastructure that needs to be built, without compromising the strengths of decentralized Web3 technologies. The good news is that Web3 gives us a lot of control over almost every aspect of our experience. We can engage where we like and earn money if the market is good, we can build our own projects, and there is nobody standing there telling us we can’t.
Things are good as they are in Web3 today, in many ways, if freedom is your primary concern - and if you like to spend a lot of time figuring things out. If safety is your primary concern, I might be rather surprised to hear that you choose to use a centralized custodian, but if it is a party that deserves the trust, so much the better. There are Web3 safety techniques as well, and I’m hoping to share a powerful one with you in the next section of this article. Our story today is nearly done. EZ got hacked, and the community was not happy to hear the bad news. We discussed our thoughts and shared ideas to improve the situation, both for the individual who was hurt and for the community that is suffering these attacks. And thanks to the community’s interest in changing that dynamic of Web3 for ourselves, the story ends on a note of hope. Jose Cabrera, EZ, and others from around the Web3 community that arose from Cent a few years ago, including members of the PageDAO, the PizzaDAO, the WIP meetup, and more - we’re coming together to throw a party.
The Community You’d Like To Be A Part Of (And Are Invited To!!!)
This party is likely to be a networked event that spans continents with musicians, poets, speakers, artists, writers, developers, finance people, and more. We’re currently operating with the thought that we should airdrop to our community during the event and reserve 5B $EZM tokens for attendees to receive as part of the entertainment.
Once launched, EZMONEY DAO will stand as a monument to both interDAO coordination and the idea that managing your money onchain should be easy. The initial purpose for which EZMONEY DAO is being founded is to spread the word far and wide about security best practices in Web3 and fund technical solutions to problems faced by real users. If you’re interested in the project and want to contribute (or just to party!) check out the whitepaper here: https://docs.google.com/document/d/1Hvvk-NJ2zIidtxPn73vC-rSTfsUmv4qy9NwgpIti_A8/edit?usp=sharing
Part 2: The Cleanest, Cheapest, Easiest Secure Asset Storage Solution In Web3
What if I told you that you could spin up a Keplr wallet, and for less than $0.10, spin up your own onchain multisignature interchain fungible token vault?
It’s not a joke, and it isn’t even considered a lift among builders in the space today. It takes under ten minutes even if you’ve never done it before. First, create a Keplr wallet and send 0.5 $OSMO or so to it for gas.
Setting up a new Osmosis wallet is easy:
Step 1. Go to keplr.app/download and install the Keplr Wallet extension
Step 2. Create your account and secure your mnemonic phrase. Copy your wallet address for the Osmosis chain.
(source: https://pagedao.org/docs/faq)
Once you’ve got your Keplr wallet and you’ve got a little $OSMO for gas, you can head to https://daodao.zone and click ‘Create’ on the left-hand menu. All you do from here is choose ‘Membership’ for the DAO style and you can customize your parameters to suit your needs.
That’s actually it! Now your on-chain DAO is set up. It’s mostly just a multisig with a landing page for you to customize if you like. Here’s mine. Note that it takes a few minutes to change it, so you may want to take your time and make it look nice on setup. Or you may not use the homepage at all.
Eventually, my plan is to put my valuable assets into multisignature wallets along this line. Why? Well, for one thing, I can spread the authentication factors out however I like without it being particularly obvious where any of them is at any time. And I can pass a transaction from one without too much hassle, provided I don’t mind waiting for a week to do so.
Sometimes founders get annoyed with me because I will literally just come start using their technology for whatever weird thing I’m up to at the moment. Not Noah from DAODAO, though. He’s a super nice dude and I really think he’s building in a great direction here.
The Theory
Okay, so what’s the theory here?
I know someone is asking this question, but I wanted to save it until the end so that people would understand at a high level what we’re talking about before we got here. Now we’ll analyze EZ’s attack, figure out what happened, and ask whether this technique could have helped.
- An agent pulled off an extremely clever attack and hurt EZ’s bank balance by stealing bags of assets he was saving.
- Putting those bags somewhere safer could have done 2 things:
- By using DAODAO to manage funds balances that are not of acceptably small size to keep in a hot wallet, users can give themselves quick and easy access to their funds while also confounding almost anyone who would care to steal them.
The best part? To implement the strategy, just repeat the Keplr Wallet setup on two different devices and throw the PKs away. If you lose one, at least your valuables are all in the multisig: get a new device, spin up a new wallet there, and use the remaining factor to remove the lost one from the multisig. You may still be susceptible to the “wrench attack” (“I’m going to hit you with this wrench unless you send me your crypto!”), but in a way, the wrench attack is the one thing encryption and security best practices cannot protect us from.
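To make the mechanics concrete, here is a small Python model of the arrangement described above: a weighted-membership multisig with a voting period, two device keys as members, and a member-swap proposal for the lost-device case. It is an added example written for this article, not DAODAO’s contract code or the author’s own; the 7-day voting period, the 20% quorum, the majority threshold and the member names are assumptions chosen to mirror the description, so check the values you actually pick when you create your own DAO.

```python
"""Toy model of a weighted-membership multisig vault with a fixed voting period,
in the spirit of the DAODAO 'Membership' DAO set up above. Added for this article,
not DAODAO's contract code: the 7-day period, 20% quorum, majority threshold and
the member names ("laptop", "phone") are constructed assumptions."""
from dataclasses import dataclass, field
from fractions import Fraction

VOTING_PERIOD_SECONDS = 7 * 24 * 3600  # constructed: "waiting for a week"

@dataclass
class Proposal:
    description: str
    action: dict            # {"type": "send", ...} or {"type": "update_members", ...}
    created_at: int         # unix seconds
    votes: dict = field(default_factory=dict)  # member -> True (yes) / False (no)
    executed: bool = False

@dataclass
class MembershipVault:
    members: dict           # member address -> voting weight
    quorum: Fraction        # share of total weight that must vote at all
    balance: int            # constructed: tokens held by the vault
    proposals: list = field(default_factory=list)

    def propose(self, member, description, action, now):
        if member not in self.members:
            raise PermissionError(f"{member} is not a member")
        self.proposals.append(Proposal(description, action, now))
        return len(self.proposals) - 1

    def vote(self, pid, member, yes, now):
        p = self.proposals[pid]
        if member not in self.members:
            raise PermissionError(f"{member} is not a member")
        if now >= p.created_at + VOTING_PERIOD_SECONDS:
            raise ValueError("voting period is closed")
        p.votes[member] = yes

    def tally(self, pid, now):
        """'passed', 'rejected' or 'open': majority of weight cast, settled early only
        when no remaining vote could change the outcome, else at period end if quorum met."""
        p = self.proposals[pid]
        total = sum(self.members.values())
        # Votes of since-removed members do not count.
        yes_w = sum(w for m, w in self.members.items() if p.votes.get(m) is True)
        no_w = sum(w for m, w in self.members.items() if p.votes.get(m) is False)
        if 2 * yes_w > total:      # yes already a majority of all weight
            return "passed"
        if 2 * no_w >= total:      # yes can never reach a majority
            return "rejected"
        if now < p.created_at + VOTING_PERIOD_SECONDS:
            return "open"          # the other factor still has time to veto
        cast = yes_w + no_w
        if cast and Fraction(cast, total) >= self.quorum and 2 * yes_w > cast:
            return "passed"
        return "rejected"

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.executed or self.tally(pid, now) != "passed":
            raise ValueError("proposal is not in an executable state")
        if p.action["type"] == "send":
            if p.action["amount"] > self.balance:
                raise ValueError("insufficient vault balance")
            self.balance -= p.action["amount"]
        elif p.action["type"] == "update_members":
            for m in p.action.get("remove", []):
                self.members.pop(m, None)
            self.members.update(p.action.get("add", {}))
        else:
            raise ValueError(f"unknown action {p.action['type']!r}")
        p.executed = True

def scenario_two_devices():
    """Both devices sign a payment (instant); then the phone is lost and the
    laptop alone swaps in a replacement after the voting period elapses."""
    vault = MembershipVault({"laptop": 1, "phone": 1}, Fraction(1, 5), balance=10_000)
    pid = vault.propose("laptop", "pay a contractor", {"type": "send", "amount": 1_000}, now=0)
    vault.vote(pid, "laptop", True, now=0)
    vault.vote(pid, "phone", True, now=60)
    early = vault.tally(pid, now=60)        # both yes: outcome is certain, no wait
    vault.execute(pid, now=60)
    swap = {"type": "update_members", "remove": ["phone"], "add": {"phone2": 1}}
    pid2 = vault.propose("laptop", "replace lost phone", swap, now=100)
    vault.vote(pid2, "laptop", True, now=100)
    during = vault.tally(pid2, now=100)     # one of two: must wait out the period
    after = vault.tally(pid2, now=100 + VOTING_PERIOD_SECONDS)
    vault.execute(pid2, now=100 + VOTING_PERIOD_SECONDS)
    return {"early": early, "during": during, "after": after,
            "members": sorted(vault.members), "balance": vault.balance}

def scenario_compromised_device():
    """A drain attempted from one stolen factor is vetoed by the other one."""
    vault = MembershipVault({"laptop": 1, "phone": 1}, Fraction(1, 5), balance=10_000)
    pid = vault.propose("phone", "move everything out", {"type": "send", "amount": 10_000}, now=0)
    vault.vote(pid, "phone", True, now=0)
    vault.vote(pid, "laptop", False, now=3_600)  # the owner's other device says no
    return vault.tally(pid, now=3_600)           # 'rejected': execute() would refuse
```

The first scenario is the everyday case and the lost-device case from the text: with both factors voting yes the proposal settles at once, while a single remaining factor can still rotate the membership, just not before the voting period runs out. The second scenario is the defensive payoff of the split: a transfer proposed from one compromised factor stays open for the whole period, and the other factor’s “no” settles it as rejected, which is the window a hot-wallet compromise never gives you.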
We must be careful in this dangerous world.
In sum, I do believe that the system advocated for in this second section of the blog post here can create a manageable, navigable, and cheap partition between hot wallet assets and colder assets that still need to be accessible onchain and thus are not suitable for airgapped deep cold storage.
I fully intend to use my own DAODAO vault as a form of social media and have already taken steps to integrate it with my author page. I made one that can serve as a sort of transparent GoFundMe for EZ, if anyone would like to donate:
https://daodao.zone/dao/juno1wpj7xjjk9wgprl27ultev3tj0yxrtf6elt0efhfy7u2fhr3rrn0qwuj73s/home
EZ and I are the signers here, so my plan is to get him to add one or two more factors to the multisig and then remove myself to get out of the way. Perfect way to onboard friends, right? You can literally help them set up their own Web3 profile at DAODAO and teach them how to keep their assets safe at the same time. To me, that’s about as cool as it gets.
A Note from Musashi, founding team member at EZMONEY DAO
The EZMONEY DAO will be able to fund public goods focused around security tools and educational resources.
One example might be a dApp that retrieves tokens from a compromised wallet. Once a user has finished a few quests that teach them about best practices in online and web3 security they would open up access to retrieve their funds. This would help to minimize the chances of losing their funds again.
Another example might be a credentialing system targeting web3 security. Users could go through an educational program tailored to teaching and testing the most relevant web3 security practices in the industry. Each credential would be a verifiable, on-chain credential that is soul-bound to a user’s account, giving an attestation to their knowledge in the industry. On-chain attestations are rapidly becoming the go-to industry standard for verifiable credentials, becoming the building blocks of a web3 identity and CV. On-chain security-focused credentials are missing in this industry and we could help to fill that crucial gap.
Token Engineering Academy is an upstanding example of such a system in its infancy.
Closing
Musashi’s work here is a shining example of what FOSS can become when we add Web3 rails to it. The EZMONEY DAO is designed to facilitate not only Musashi’s work but the work of many others who share similar values and align around the same goal. It’s time for Web3 to take up security as a personal goal that affects each of us. Whether we’re using multisignature wallets to make identity and onchain balances more durable or building tools to help people recover assets from a cracked PK hot wallet, there is a major need to build a culture of security best practices and onboarding materials to help new users avoid being attacked as they enter the space.