Since the forum homepage is now officially full of people getting rekt and chasing their lost funds, I decided to add my 2 cents as a former web security professional / ethical hacker. Read carefully and your funds will be protected. Forever.
Fake websites. Currently the most common attack out there. Targeting Anchor users, the attacker clones the source code of the Anchor web UI (HTML, CSS, JS), and spins up an identical website on a slightly different domain. It sounds like a noobish mistake to fall for this, but it has more depth to it than you’d think.
First and foremost: when you try to interact with Anchor, always check the website’s domain up there in your browser. If you are NOT on app (.) anchorprotocol (.) com, close the page and delete your browsing history. If you are not certain, how you got there (e.g. unsure if you clicked a malicious link), immediately remove all browser extensions, plus run an antivirus scan with trusted software (malwarebytes for example).
I suggest twofold prevention for this:
- First: Bookmark Anchor, and only use it by clicking the bookmark from now on.
- Second: In Chromium-based browsers (Chrome, Brave, etc.) right click the Terra Station extension icon, and choose “This can read and change site data >” “On app (.) anchorprotocol (.) com”. This way, Anchor will instantly load your balances without human interaction ONLY when you access the real website.
The domain is correct, yet you’re on a fake Anchor website. Yes, this can happen. The domain translation is a complex process, relies on multiple DNS servers, ISPs, and configuration. It’s a big chain of trust, any node becoming malicious means you’re compromised.
Say, you accessed Anchor through public Wifi. The network settings usually default to using the ISP’s DNS settings, thus the Wifi owner can force you to load the website from a different IP address. Moreover, you can’t trust the lock either. The lock next to the domain name only means, the connection is encrypted with the other party, but does not guarantee, who the other party is.
Thus, do not use public Wifi for doing anything crypto-related. If you cannot avoid this on the go, spin up a trusted VPN service, and make sure, you access the website through a secured VPN connection. In this case you don’t have to trust the wireless network operator, but need to trust the VPN provider instead. You generally don’t want to go for the cheapest no-name VPN provider out there.
Also, you might want to manually set your computer to use a trusted DNS server. For example, Google’s Open DNS servers are 22.214.171.124 (primary) and 126.96.36.199 (secondary). Open network settings and explicitly set these addresses.
Limit your use of browser extensions. Dedicate a browser or standalone browser profile for transactions. Do not install browser extensions other than the very neccessary Terra Station Browser Extension or the official Metamask. When installing Terra Station, make sure you are on a reliable network, the real app store, the extension has real users and reviews. Most extensions have the rights to see or completely fake anything you see online. In general we go for the whitelist approach if possible, only allow certain extensions to read/change data on certain websites, like I mentioned above with Terra Station.
Use a hosts file. The hosts file is present on all major operating systems, Windows, MacOS, Linux. It’s found at C:\\Windows\System32\drivers\etc or /etc/hosts. If you happen to know a known phishing website, don’t be afraid to block access to it. Add one line in the following format:
0.0.0.0 malicious-anchorprotocol (.) com
Then your browser will never be able to load the phishing website. It can also be done in the opposite direction to bind the legit IP address to a legit website.
Use a hardware wallet. So you are forced to interactively approve every single transaction with the device. Ledger and Trezor supports Terra. I don’t think this needs more explanation on this forum. Or does it?
Let’s get into it, then. How to use a hardware wallet properly?.
- Order it from the official website from a trusted computer, from a browser in incognito mode with no browser extensions installed, from a trusted network.
- The shipping address should NOT be your home address. Use your workplace, delivery box or something. Preferably order it from an email address you don’t use at any crypto-related websites, exchanges.
- Check the parcel for any damage before opening it. In the case of any damage, document, discard, and request a new device from the manufacturer before using it.
- Use the manufacturer’s website or software with similar precautions to verify if your device is original.
- Then you generate a new keypair, and write down the seed phrase. Store the seed phrase in a secure place (or more places, split in pieces). Don’t be afraid to get hardcore with this: you can encrypt your seed phrase (OFFLINE!), find out some algorithm that’s easy to remember, yet if anyone gets access to your encrypted seed phrase, they: either do not know at first, that it’s a seed phrase or: they have no idea how to map the text to the original seed phrase.
- Never ever type your seed phrase in any electronic device, be it phone, computer or tablet.
- Order a backup device.
- If someone accesses your seed phrase, immediately send your funds to a different, safe wallet.
- Always check the amounts and the recipients (contract addresses) in your transactions before allowing.
Allowances. In general, you don’t want to allow any contract on any network to access more funds than you are willing to spend. For example if you want to swap 1 ETH to 33 LUNA on Uniswap, don’t stick with the default settings that Uniswap can spend Unlimited amount of ETH. Set it to 1 ETH (or in some cases, double the amount, if the transaction fails, but never give access to all your funds). Yes, more fees for regular transactions, but peace of mind in return.
I’m planning to release a Terra allowance checker soon, where you’ll be able to see what you gave access to, and revoke it.
Finally, one last advice: avoid clicking any links on this forum, or hover over them and double-check the address before doing so.
Decentralized finance is a great invention, but comes with great responsibility.
Hope you find this helpful. Peace