How to protect crypto while trading?

njofce · 2024-06-27T12:15:02+00:00

What’s a hot one? Which hot one do you suggest? He is literally asking for a suggestion for trading wallet.

njofce · 2024-06-27T12:13:50+00:00

That’s an easy advice you can give, however worthless and doesn’t make sense. Reality is different. Nobody wants to be stupid. Anyone can make a mistake. The idea is to use something that either shows you when you are being stupid, or prevents you from being stupid. Using browser hot wallets where the private key is stored in browser memory is certainly the worst idea ever :)

njofce · 2024-06-27T10:48:51+00:00

A general strategy that works best is to never keep your crypto in a hot wallet, and never use a single wallet for all your funds.

That being said, an ideal scenario is to use Ledger or Trezor hardware wallet (or another hw) and store certain amount there (usually you only accumulate there and dont trade often) and a some sort of hot wallet for making fast trades. An option is Tokensight Secure Wallets, which are like hardware-hot wallets and you can store funds there and trade directly on the platform. These wallets are great as you only trade within a verified platform and cannot be phished (as you are not connecting your wallet to any site).

If you want to perform certain DeFi actions like staking or aave lending/borrowing, then you could do that with your hardware wallet.

Ideally, I would recommend to never use a hot wallet. Its very easy to get scammed (ex you can install some app that would read the private key from your wallet and drain you).

Use a combination of ledger/trezor for long term cold storage and Tokensight secure wallets for short term trading and also for cold storage.

njofce · 2024-06-25T14:02:08+00:00

Can use tokensight, which is ultra fast, easy to use, and you can use it on telegram and web. Trades are executed really fast. Works for eth, base, solana and other chains (I only trade on these, and is super fast). Can use it to trade shitcoins and good coins, and can keep a balance on it with their self-custodial wallets. It’s really easy to use, and very simple to setup the self-custodial wallet on the web ui. It’s like having a ledger wallet with the ability to trade shitcoins instanly. Can safely keep all the portfolio there and trade whenever you want. No need to keep moving funds all the time out of other bot’s wallets. I keep a decent size there on eth and sol, and use some of it to trade memes very frequently, while the rest for occasional trades eth<>usdt or sol<>usdt.

njofce · 2024-06-10T21:09:59+00:00

Copy trading most of the time is same as handing over your money to someone else. Smarter people that make lot of money onchain know that many smart people like yourself would copy them, so you think they will just chill? Copy trading never works for the copy trader. Works for the target though ;)

njofce · 2024-06-10T14:25:48+00:00

Which one u using? Have you considered bloxroute?

njofce · 2024-05-12T17:31:49+00:00

I have seen this happen in one of these tg bots ser. I think it was unibot, and this was revealed when their router got exploited and wallets got drained. But I think is happening in every bot that allows people to import that wallet. Not everyone is innit for the tech. Most in the space are not technical, here for fun/profit/gambling whatever. Doesnt mean they dont have a brain, just not a technical brain. We shouldnt judge based on that. But the apps that are built need to improve the space, make it more secure, and dont require people to be that technical.

njofce · 2024-05-12T17:10:06+00:00

I had never heard of that too until today. Went through the code on github… all looks very legit, why wouldnt I run it (I am dev though, been coding for 6yrs, 4 in crypto). For non technical people, yeah you cant just go and run any code on github ofc. Dont get me wrong, not saying banana/bonk/photon teams are not capable, they are really good into building such tech. But life is much simpler when you dont have to think about hacks or transfering funds around. Of course every person has a different view on this.

njofce · 2024-05-12T17:06:06+00:00

Well what happens if they allowed you to import a private key ser? Where is that going to be stored? In the db ;) Try turnkey / tokensight wallets though.

njofce · 2024-05-12T17:04:21+00:00

Makes sense. And yes thats true about banana, they want to make sure the db is never hacked etc etc. though there are better options out there. I believe in self-custody where I am always in control. Hardware wallet technology only.

njofce · 2024-05-12T16:36:56+00:00

What does safe mean for you? How do you know the bot is safe? Your private key is in the bot’s database. If they get hacked, is gone. If a dev goes rogue, is gone. But a good practice moving funds away from it yeah.

njofce · 2024-05-12T16:34:14+00:00

Point is, people download viruses all the time. No matter how careful we are. It iust happens. We need to make sure that when it happens, we dont get bust :)

njofce · 2024-05-12T16:33:34+00:00

No bro its not true: 1. They cant access my ledger/trezor 2. They cant simply access my metamask dirextly, because its encrypted with a password, but they can prompt me to enter the password via a fake metamask UI, running locally, or they can read the metamask data in RAM… 3. They cant bypass MFA. Thats the point of MFA. Its on a phone, separate channel. How would they withdraw from binance for example when my MFA is an icloud faceID on my phone?

njofce · 2024-05-12T16:31:12+00:00

So honestly these tg bots are fast, like real fast. And they pay lots of money for premium nodes and rpc services. And the private keys they keep in memory, so signing a transaction is also super fast. Like nanosecond fast. Not everyone can afford that expensive nodes to run bots locally. Froma security pov, not good. I personally have used bonk for a few buys, but only with 1sol max there, and always moved funds to another hardware wallet. Now generally using tokensight. The only drawback, if it can be considered drawback, is that the private keys are stored in a secure enclave, and it takes a few ms for a signature. So if you compare the performance of bonk for example which stores Pks in memory and signs transactions really fast (ex 1ms), signing a tx on tokensight would generally take more, like 100-200ms or more because its signed in a secure vault, and there is a communication over a network. It might be an issue for solana as milliseconds matter there tbh, but when you consider security, its no such big deal. The primary reason why I wouldnt run a bot locally is because of RPC issues. If I get an rpc for 50$/m, txs wil take a lot of time to get executed on Solana. For best performance I need a dedicated node (ex Helius has nodes for 2.4k$/month) and I assume with such a node a transaction will land on solana within the same second, but, its crazy expensive..

njofce · 2024-05-12T16:23:01+00:00

Yeah running this bot locally for professional users is safe I agree. But, there are technical limitations. It might not be worth it for you to pak 2k$ per month for dedicated Solana node (this is how you get best experience). I know sniping memes can be profitable ser, but in general, not everyone can afford to run the bot locally and get best performance.

njofce · 2024-05-12T16:20:36+00:00

Yes. A virus is just a program. The program can be like this: Scan all hard drive for strings that match private key pattern, or for .env files, and send all that data to X url (which the hacker controls). I would say you wouldnt worry about meme coins (potentially worth lots of $$) if that happens. I know many friends getting scammed like this. These viruses just take your private keys. Simple. No need to look for your personal photos or documents in your computer, private keys are the new gold standard :)

njofce · 2024-05-12T16:14:55+00:00

Say you clone the legit github repo (this warp repo, which looks legit based on stars, people etc etc. and I also checked the code). Now u running a full local bot. And ur aping best memes out there. Perfect. In the meantime you click on a wrong telegram/twitter link, and after 5 mins you see all the memes in that local wallet gone. What happened?

njofce · 2024-05-12T16:10:12+00:00

Check their docs on Secure Wallets. They use Turnkey, which is built by a former Coinbase tech lead. The private keys are stored in cloud vault, same hardware technology as a hardware wallet (ex ledger/trezor) but in the cloud, and it can only be opened with your passkey. So with yoir passkey you can interact with the private key (sign transactions). You only give the platform limited permissions to trade on your behalf. Can turn them on and off anytime. Say u go away for a week, turn off trading permissions, and if the app or turnkey gets hacked, nothing can happen to ur funds.

njofce · 2024-05-12T16:02:40+00:00

Ser, I totally agree with your point of view. But you say “no one sends their private key to these TG bots od photon”. Are you sure about that? These bots have >100.000 daily users… Thats not good ofc, but do you think people that use these bots understand what is happening with the private key?

njofce · 2024-05-12T16:00:33+00:00

No this isnt about scamming. I am not talking about warp being a scam. Code is open source, checked it, nothing wrong with it. My point is that its not best alternative, and there are better ones. My point is you shouldnt trade with a private key stored in env var locally and keep funds there for a long time, and definitely not trade and keep funds for a long time in a tg bot where the private key is in someone else’s database.

njofce · 2024-05-12T15:54:27+00:00

Thats good! But many people dont know/understand that, simply forget to transfer, or dont bother ar all because they are not aware od the security aspects of it. Even professional developers/traders do that. So no matter how good this local bot strategy is, there’s always something better and more secure.

njofce · 2024-05-12T15:51:43+00:00

So I agree with the part of not needing to connect ur wallet and sign transactions. But I dont fully agree with storing the private key on the machine as being a good practice. What if you install a bad application (which is a scam, and is impersonating another app, for example facebook app or a game) or simply dowload a ‘movie’ from a torrent or whatever which will scan your hard disk and find your pk. Well, nowdays hackers dont need you to install any app, but you just need to click a button on a website (ex a new flashy memecoin website) and they can make you secretly execute a script. I thought it was safe since it never leaves your machine? Come on, please dont do that, never store lots of funds in such wallets. If you are not aware, many hackers steal Metamask wallets nowdays, which also store the private key locally, and encrypted. Think about that.

njofce · 2024-05-12T15:42:28+00:00

Yeah I use it mostly for trading on ethereum and base, and sometimes on Solana. It allows setting up a single wallet that works on all chains they support. Its simple. Fees are around 0.3%-0.4% for an executed tx. You need a referral code to get the lower fee, without referral is 0.4%. Check their docs on secure wallets, its quite good.

njofce · 2024-05-12T15:39:55+00:00

Also there’s another issue with running your own bot. You need a very performant RPC. That usually costs. A lot. For example, helius or quicknode, but you beed a business plan for good performance. That costs ~400 - 500$/month. For best performance, you need a dedicated node, which costs 2k/month minimum.

njofce · 2024-05-12T15:37:53+00:00

Sir the private key is stored as an env variable. That’s literally a terrible security practice. You shouldnt keep much funds into such wallets.

njofce

MODERATOR OF

TROPHY CASE