mirror of
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook.git
synced 2024-11-10 07:54:03 +08:00
Compare commits
8 Commits
7b93f3b683
...
93a6deabd6
75
README.md
@ -4,6 +4,7 @@ Blockchain dark forest selfguard handbook<br>
|
||||
:fire:Website: https://darkhandbook.io/<br>
|
||||
:cn:中文版:[《区块链黑暗森林自救手册》](README_CN.md)<br>
|
||||
:jp:日本語版:[ブロックチェーンのダークフォレストにおける自己防衛のためのハンドブック](README_JP.md)<br>
|
||||
:kr:한국어 버전:[블록체인 다크 포레스트 셀프가드 핸드북](README_KR.md)<br>
|
||||
*Note: V1, Update Logs, please see the Chinese version.*
|
||||
|
||||
Author: Cos@SlowMist Team<br>
|
||||
@ -71,6 +72,7 @@ Proofreader:
|
||||
- [Appendix](#appendix)
|
||||
- [Security rules and principles](#security-rules-and-principles)
|
||||
- [Contributors](#contributors)
|
||||
- [The Tools](#the-tools)
|
||||
- [Official Sites](#official-sites)
|
||||
|
||||
# Prologue
|
||||
@ -161,7 +163,7 @@ If you pay attention, you will find the download pages for both GPG tools give s
|
||||
|
||||
**If it is a browser extension wallet**, such as MetaMask, the only thing you have to pay attention to is the download number and rating in the Chrome web store. MetaMask, for example, has more than 10 million downloads and more than 2,000 ratings (though the overall rating is not high). Some people might think that the downloads numberand ratings may be inflated. Truth to be told, it is very difficult to fake such a large number.
|
||||
|
||||
**The mobile wallet** is similar to the browser extension wallet. However, it should be noted that the App Store has different versions for each region. Cryptocurrency is banned in Mainland China, so if you downloaded the wallet with your Chinese App Store account, there is only one suggestion: don't use it, change it to another account in a different region such as the US and then re-download it. Besides, the correct official website will also lead you to the correct download method (such as imToken, Trust Wallet, etc. It is important for official websites to maintain high website security. If the official website is hacked, there will be big problems.).
|
||||
**The mobile wallet** is similar to the browser extension wallet. However, it should be noted that the App Store has different versions for each region. Cryptocurrency is banned in Mainland China, so if you downloaded the wallet with your Chinese App Store account, there is only one suggestion: don't use it, change it to another account in a different region such as the US and then re-download it. Besides, the correct official website will also lead you to the correct download method (such as imToken, OneKey, Trust Wallet, etc. It is important for official websites to maintain high website security. If the official website is hacked, there will be big problems.).
|
||||
|
||||
**If it is a hardware wallet**, it is highly recommended to buy it from the official website. Do not buy them from online stores. Once you receive the wallet, you should also pay attention to whether the wallet is inact. Of course, there are some shenanigans on the packaging that are hard to detect. In any case, when using a hardware wallet, you should create the seed phrase and wallet address at least three times from scratch. And make sure that they are not repeated.
|
||||
|
||||
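Review bot: while this paragraph is being touched to add OneKey to the example wallet list, the context lines around it carry typos that could be fixed in the same commit: "downloads numberand ratings" and "Truth to be told" in the browser-extension paragraph above, and "whether the wallet is inact" (intact) in the hardware-wallet paragraph below. The OneKey addition itself is consistent with the Official Sites list, which already carries `OneKey https://onekey.so/`.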
@ -223,7 +225,7 @@ I will briefly explain each type.
|
||||
|
||||
**SSS**, Shamir's Secret Sharing, SSS breaks down the seed into multiple shares (normally, each share contains 20 words). To recover the wallet, a specified number of shares has to be collected and used. For details, refer to the industry best practices below:
|
||||
|
||||
>https://support.keyst.one/advanced-features/recovery-phrase/import-or-create-shamir-backup<br>
|
||||
>https://guide.keyst.one/docs/shamir-backup<br>
|
||||
>https://wiki.trezor.io/Shamir_backup
|
||||
|
||||
Using solutions such as multi-signature and SSS will give you peace of mind and avoid single-point risks, but it could make management relatively complicated and sometimes multiple parties will be involved. There is always a compromise between convenience and security. It is up to the individual to decide but never be lazy in principles.
|
||||
@ -291,7 +293,7 @@ To better avoid AML issues, always choose platforms and individuals with a good
|
||||
|
||||
### Cold Wallet
|
||||
|
||||
There are different ways to use a cold wallet. From a wallet's perspective, it can be considered as a cold wallet as long as it's not connected to any network. But how to use it when it's offline? First of all, if you just want to receive cryptocurrency, it's not a big deal. A cold wallet could provide excellent experience by working with a Watch-only wallet, such as imToken, Trust Wallet, etc. These wallets could be turned into watch-only wallets by simply adding target wallet addresses.
|
||||
There are different ways to use a cold wallet. From a wallet's perspective, it can be considered as a cold wallet as long as it's not connected to any network. But how to use it when it's offline? First of all, if you just want to receive cryptocurrency, it's not a big deal. A cold wallet could provide excellent experience by working with a Watch-only wallet, such as imToken, OneKey, Trust Wallet, etc. These wallets could be turned into watch-only wallets by simply adding target wallet addresses.
|
||||
|
||||
If we want to send cryptocurrency using cold wallets, here are the most commonly used ways:
|
||||
|
||||
@ -1036,22 +1038,61 @@ Security principles:
|
||||
|
||||
## Contributors
|
||||
|
||||
Thanks to the contributors, this list will be continuously updated and I hope you can contact me if there are any ideas for this handbook.
|
||||
Thanks to all the contributors, this list will continue to be updated. If you have any ideas, please contact:
|
||||
|
||||
>Cos, Twitter([@evilcos](https://twitter.com/evilcos))、即刻(@余弦.jpg)
|
||||
>Cos, Twitter([@evilcos](https://twitter.com/evilcos))、Jike App(@余弦.jpg)
|
||||
|
||||
Contributors
|
||||
Contributors:
|
||||
```
|
||||
My wife
|
||||
SlowMist, Twitter (@SlowMist_Team), e.g. Pds, Johan, Kong, Kirk, Thinking, Blue, Lisa, Keywolf...
|
||||
Jike app
|
||||
Some anonymous friends ...
|
||||
More: https://darkhandbook.io/contributors.html
|
||||
SlowMist, Twitter (@SlowMist_Team), e.g. Pds | Johan | Kong | Kirk | Thinking | Blue | Lisa | Keywolf...
|
||||
English translator, e.g. Alphatu | C. | CJ | JZ | Lovepeace | Neethan | pseudoyu | SassyPanda | ss |
|
||||
Japanese translator, e.g. Jack Jia | Mia
|
||||
Korean translator, e.g. Sharon | Jeongmin
|
||||
Jike App
|
||||
Some Anonymous friends ...
|
||||
More info: https://darkhandbook.io/contributors.html
|
||||
```
|
||||
|
||||
**If your contribution is accepted for inclusion in this handbook, you will be added to the list of contributors.**
|
||||
**As long as there is help that is adopted and included in this handbook, such as: providing specific defense suggestions and cases; translation work; correction of major errors, etc.**
|
||||
|
||||
**For example**: provided specific safety defense suggestions or cases; participated in translation work; corrected larger errors, etc.
|
||||
## The Tools
|
||||
|
||||
This handbook, commonly referred to as the "Dark Handbook," has been available for over two years, and I'm delighted to observe its helpful impact on many individuals. Its influence continues to expand, with a growing number of supporters advocating for updates. Typically, these updates to the Dark Handbook primarily consist of [expanded readings](https://github.com/evilcos/darkhandbook). The challenge with these extended readings is that they are technically complex and not very accessible for beginners. Additionally, I recognize that not everyone is keen to invest substantial time in mastering the nuances of blockchain security. Originally, this section aimed to recommend some beginner-friendly tools, such as wallets, security extensions, and scripting tools. However, after much deliberation, I have decided against endorsing specific products due to the swift pace of change within the industry. Although this manual has highlighted several reliable tools, it's uncertain whether they will remain effective or relevant in the future. Given my responsibility towards all readers, I must admit, I'm not sure.
|
||||
|
||||
As I've stated previously, when recommending a tool, I strive to describe it as objectively and neutrally as possible. Additionally, for enhanced security, every reader should bear in mind the following:
|
||||
|
||||
* Absolute security does not exist. Adopting a zero-trust approach with continuous verification is essential in navigating this complex landscape. Should any of these tools develop a bug, encounter a security issue, or, in a worse scenario, include a backdoor in a new update, the risk is yours to manage. I encourage you to think independently and critically before using these tools.
|
||||
|
||||
* My research skills are well-honed, and I have a broad network, so rest assured that I will recommend quality tools when it seems appropriate. There is no need to rush; if a tool proves reliable and earns widespread trust, I will naturally endorse it.
|
||||
|
||||
* Everyone has their unique approach, and this is mine.
|
||||
|
||||
* Stay away from the influence of coin prices.
|
||||
|
||||
* Trust is hard to build, but it can collapse in an instant, so please cherish it.
|
||||
|
||||
Although I do not make any specific tool recommendations in this section, I would like to share a valuable mindset: the firewall mindset. The previously emphasized concepts of "zero trust" and "continuous verification" are actually part of this firewall thinking.
|
||||
|
||||
예For example, in the use of wallets, signing is a major area of concern for fund security, with various sophisticated phishing methods related to signing, such as:
|
||||
|
||||
- The exploitation of native signing with eth_sign/personal_sign/eth_signTypedData_*, where eth_sign has been increasingly blocked by wallets.
|
||||
- The exploitation of authorization functions like approve/permit for Tokens/NFTs.
|
||||
- The utilization of powerful functions like Uniswap’s swapExactTokensForTokens/permit2.
|
||||
- The exploitation of protocol functions from OpenSea/Blur and others (which are very diverse).
|
||||
- The exploitation of TX data 4byte, such as for Claim Rewards/Security Update.
|
||||
- Using Create2 to pre-create funding receiving addresses, bypassing related checks.
|
||||
- A single signature on Solana phishing away all assets in a target wallet address.
|
||||
- Bitcoin inscription for one-click mass phishing, utilizing the UTXO mechanism.
|
||||
- Switching phishing across various EVM chains/Solana/Tron, etc.
|
||||
|
||||
If your wallet, when prompting for signature confirmation, sends out the signature right after a single click—whether due to FOMO or a shaky hand—then this method of using the wallet does not embody the firewall mindset. A better practice is to require at least two clicks; each additional click adds a layer of security (of course, not too many layers, as people can become desensitized...). For example, I use browser extension wallets like Rabby, MetaMask, and OKX Wallet, and except for test wallets, I always pair these with a hardware wallet (preferably one with a larger screen to easily review the content about to be signed).
|
||||
|
||||
At this point, the extension wallet’s signature confirmation popup will perform the first layer of security analysis, such as identifying phishing sites, risky wallet addresses, what-you-see-is-what-you-sign, and high-risk signature recognition. These are crucial for user interaction security. The hardware wallet provides a second layer of security analysis. If you then add a browser wallet security extension like Scam Sniffer, Wallet Guard, or Pocket Universe, you add another layer to your firewall. However, it’s essential to remember, even if there are no risk alerts for the action you are undertaking, you must still be vigilant and recognize that ultimately, you are your own last line of defense...
|
||||
|
||||
Once accustomed to the firewall mindset, the impact on efficiency is minimal, but the sense of security is greatly enhanced. Let’s generalize this approach to other scenarios.
|
||||
|
||||
That’s all,Thank you!
|
||||
|
||||
## Official Sites
|
||||
```
|
||||
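Review bot: the new signing paragraph opens with a stray Korean syllable, "예For example, in the use of wallets, signing is a major area of concern…", which looks like a paste leftover from the Korean translation work and should be dropped so the line reads "For example, in the use of wallets…"; the closing line "That’s all,Thank you!" also needs a space after the comma. The hunk ends by opening the `## Official Sites` fence (```) whose closing fence lies outside the visible region; after moving the Contributors and The Tools sections around, confirm the fences still pair up so the site list renders as a code block.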
@ -1061,13 +1102,17 @@ Sparrow Wallet https://sparrowwallet.com/
|
||||
MetaMask https://metamask.io/
|
||||
imToken https://token.im/
|
||||
Trust Wallet https://trustwallet.com/
|
||||
TokenPocket https://www.tokenpocket.pro/
|
||||
Gnosis Safe https://gnosis-safe.io/
|
||||
ZenGo https://zengo.com/
|
||||
Fireblocks https://www.fireblocks.com/
|
||||
Safeheron https://www.safeheron.com/
|
||||
Keystone https://keyst.one/
|
||||
Trezor https://trezor.io/
|
||||
OneKey https://onekey.so/
|
||||
imKey https://imkey.im/
|
||||
Rabby https://rabby.io/
|
||||
OKX Wallet https://www.okx.com/web3
|
||||
EdgeWallet https://edge.app/
|
||||
MyEtherWallet https://www.myetherwallet.com/
|
||||
Phantom https://phantom.app/
|
||||
@ -1078,9 +1123,11 @@ Compound https://compound.finance/
|
||||
SushiSwap https://www.sushi.com/
|
||||
OpenSea https://opensea.io/
|
||||
Revoke.cash https://revoke.cash/
|
||||
APPROVED.zone https://approved.zone/
|
||||
Scam Sniffer https://www.scamsniffer.io/
|
||||
Wallet Guard https://www.walletguard.app/
|
||||
Pocket Universe https://www.pocketuniverse.app/
|
||||
|
||||
即刻 https://okjike.com/
|
||||
Jike App https://okjike.com/
|
||||
Kaspersky https://www.kaspersky.com.cn/
|
||||
Bitdefender https://www.bitdefender.com/
|
||||
Cloudflare https://www.cloudflare.com/
|
||||
|
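Review bot: Scam Sniffer, Wallet Guard and Pocket Universe are exactly the three browser security extensions named in the new The Tools section, and the 即刻 → Jike App rename matches the Contributors hunk, so the text and the link list agree. One minor point on the context lines: the Kaspersky entry uses the China-regional `kaspersky.com.cn` domain in the English README, while the neighbouring entries (Bitdefender, Cloudflare) use their global domains; `kaspersky.com` would be the more consistent choice here.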
@ -15,6 +15,7 @@ Blockchain dark forest selfguard handbook<br>
|
||||
|
||||
| 日期 | 更新日志 |
|
||||
| --- | --- |
|
||||
| 2024/05/16 | V1.2 新增[韩文版](README_KR.md),日文版及英文版同步更新!还有一点小修正>_< |
|
||||
| 2024/04/24 | V1.2 新增`那些工具`章节及更新`贡献者`、`那些官网`。 |
|
||||
| 2023/05/24 | V1.1 `小心签名!`章节做了点更新。 |
|
||||
| 2023/01/07 | 我在我的个人 GitHub 做扩展阅读更新:https://github.com/evilcos/darkhandbook |
|
||||
|
15
README_JP.md
@ -14,19 +14,6 @@
|
||||
|
||||
![alt this](res/this.png)
|
||||
|
||||
| 日付 | 更新履歴 |
|
||||
| --- | --- |
|
||||
| 2024/04/25 | V1.1[日文版](README_JP.md) `その他のツールについて`の章を追加し、`貢献者`、`関連サイト`と`署名に注意!`の章を更新。 |
|
||||
| 2024/04/24 | V1.2 `その他のツールについて`の章を追加し、`貢献者`と`関連サイト`を更新。 |
|
||||
| 2023/05/24 | V1.1 `署名に注意!`の章を少し更新。 |
|
||||
| 2023/01/07 | 私の個人的なGitHubでアドバンス内容を更新中:https://github.com/evilcos/darkhandbook |
|
||||
| 2022/06/14 | V1 [日文版](README_JP.md)がリリース。翻訳者の皆様に感謝。 |
|
||||
| 2022/05/17 | V1 [英文版](README.md)がリリース。軽微な修正を行いました。翻訳者の皆様に感謝。 |
|
||||
| 2022/04/15 | V1 がリリース。誤字脱字の修正のみを行いました。いくつかの良い提案をいただいたので、今後のミニバージョンで取り入れていきたいと思います。ありがとうございました:) |
|
||||
| 2022/04/12 | V1 Beta がリリース。中国語版が完成。空き時間を利用して3週間かけて断続的に執筆しました:D |
|
||||
|
||||
*注:GitHubを選択したのは、協同作業がしやすく、更新履歴が確認できるためです。Watch、Fork、Starしていただけると嬉しいですが、何より皆様からの貢献を期待しています:)*
|
||||
|
||||
:anchor:**Contents**
|
||||
- [はじめに](#はじめに)
|
||||
- [一枚の図](#一枚の図)
|
||||
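Review bot: this hunk removes the whole 日付/更新履歴 table and the note beneath it from README_JP.md (13 lines removed, nothing added), which leaves Japanese readers with no changelog and no pointer to one. The English README handles the same situation with "*Note: V1, Update Logs, please see the Chinese version.*"; add an equivalent one-line note to README_JP.md rather than dropping the history silently.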
@ -231,7 +218,7 @@
|
||||
|
||||
**SSS**, シードを複数のスライス(1スライスあたり20単語が一般的)に分割し、ウォレットを復元する際に、指定された数のスライスを使用する必要があります。業界におけるベストプラクティスを参照してください:
|
||||
|
||||
>https://support.keyst.one/v/chinese/gao-ji-gong-neng/zhu-ji-ci/chuang-jian-dao-ru-fen-pian-zhu-ji-ci<br>
|
||||
>https://guide.keyst.one/docs/shamir-backup<br>
|
||||
>https://wiki.trezor.io/Shamir_backup
|
||||
|
||||
マルチシグネチャー、SSSのようなソリューションを利用すればより安心感があり、単一リスクを回避できますが、管理も比較的複雑であり、これには複数の人が関わることが多いです。利便性と安全性は常に相反するので、どっちを重視するのかはあなた次第です。 しかし、ルールや準則を怠ってはいけません。
|
||||
|
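Review bot: the Keystone support link in this Japanese SSS block still points at the Chinese-language path `https://support.keyst.one/v/chinese/gao-ji-gong-neng/zhu-ji-ci/chuang-jian-dao-ru-fen-pian-zhu-ji-ci`, while the corresponding README.md hunk above uses `https://support.keyst.one/advanced-features/recovery-phrase/import-or-create-shamir-backup` for the same reference. Pick one target for the Shamir backup guide and use it in both files so the two READMEs do not drift.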
1140
README_KR.md
Normal file
File diff suppressed because it is too large