Whether it is a safe in a bank or a bag under the mattress of a grandmother's bed, our money is never entirely safe. Cryptocurrency is no exception. The author of the channel Shifrodengi prepared a column specifically for the readers of DeCenter in which he shares his observations on how to increase the level of protection of a wallet used for storing cryptocurrency.
In this guide, I will not write down a list of security tips by type, like “do not transfer your private keys to anyone,” “make backups,” and “be careful.” I will suppose that you already understand this perfectly and approach the storage and use of cryptocurrencies competently.
This article will be about additional protection for your wallet—protection which will save money even if your private key has already fallen into the hands of intruders.
You may ask, "how is this possible?" The bottom line is that in Bitcoin, Ethereum, and other altcoins there is a mechanism that allows you to kill an unconfirmed transaction with another transaction that pays a larger transaction fee. In Bitcoin, for example, this mechanism is called Replace-by-Fee (RBF).
Typically, RBF is used in cases where it is necessary to send the same transaction to the same addressee, but with a larger commission, just to speed up the confirmation process. But very few people know that you can change the addressee and create a competitive transaction! And if everything is done correctly and you are lucky, your competitive transaction will be included in the block earlier, and the first transaction will be rejected as an attempt at double-spending.
A True Story about How 2 BTC Were Saved
"Somehow, our payment gateway was hacked and 2 BTC were slated for withdrawal. That version of the gateway has a commission of 0.0001 BTC, which was quite low at that time. The time was enough to sort everything out and replace the transaction by raising the commission to 0.1 BTC. As a result, our transaction was confirmed faster, and the attacker did not receive anything," says the author of the article, which discusses an experiment that is being performed with the RBF mechanism for the Bitcoin network.
Replacing Transactions in Ethereum
Is it possible to do the same in Ethereum? Unlike Bitcoin's accounting model of inputs and unspent transaction outputs (UTXO), Ethereum uses a "world state" to determine the balance of each account. To create a competitive transaction, it must have the same nonce as the attacker's transaction.
A nonce tells miners and nodes the order of an account's transactions and, accordingly, how to change the account state. The transaction with the lower nonce is processed first. If there are two transactions with the same nonce, only the one that is included in a block first will be accepted.
Most Ethereum wallets will not allow you to send a transaction with a nonce that is already in use, but this can be done via web3.js, the official library for interacting with an Ethereum node.
You May Have Only 15 Seconds
The difficulties do not end here. 15 seconds is the average time for a new block to be mined in the Ethereum network. The expected time for the attacker's transaction to be included in a block under normal network load and with a normal commission is 30 seconds.
Of course, if the network is overloaded and transactions are confirmed very slowly, as happened, for example, during the most active crowd sales, such as those of Bancor and Status, then the time available for your response can increase to several hours or even days, which may be very useful.
It turns out that on an average day in the Ethereum network, you will have 30 seconds to:
Determine that a new outgoing transaction has appeared in the mempool from your address;
Create a competitive transaction with the same nonce, but with a larger commission, and indicate your backup wallet as the addressee.
Obviously, without automation, we have practically no chances. Below, we will talk about the possibilities to implement this automation.
Set an Alarm on Your Ethereum Wallet
To create your own system for responding to theft, you need the following:
A node or a service that constantly monitors the mempool, looks for outgoing transactions from your address and, in case of danger, raises an alarm in the form of a webhook or push notification.
A computer or wallet device working 24/7 that will process the webhook or push notification and create a competitive transaction to withdraw all funds to a backup address, including all ERC20 or other tokens.
Monitoring the Mempool
To check the mempool, you can run your own geth node and write a monitoring script using node.js and web3.js. The resource-intensive maintenance of an Ethereum node will cost you an average of $70 per month. Also, note that the Ethereum blockchain now weighs about 100 GB.
Another way is to use a ready-made service that monitors blockchains for specified addresses, for example myeth.io. The service checks the Ethereum and Bitcoin network mempool every 15 seconds and sends an instant notification to Telegram about any transactions that appear there. It is possible to add up to 50 addresses for simultaneous monitoring.
Install the Telegram bot @myeth_bot, enter your ETH or BTC address, and receive notifications of all transactions on Telegram. In addition, for specific addresses, you can configure Webhook, which will be sent instantly in the case of an outgoing transaction.
A webhook is a user-configurable HTTP URL that allows you to transfer data wherever the user wants. The presence of webhooks extends the functionality of any system. For example: https://webhook.site/f7c55e64-4809-40f3-9ea0-boa7daec3cf6.
Just send the URL of your Webhook and that's it. After that, your webhook will react automatically in the case of an outgoing or incoming transaction.
Ideally, I would just like to install a mobile application that would generate a competitive transaction in response to a push notification. Unfortunately, mobile wallets with such functionality are not yet available on the market, but I am sure that they will soon appear. Besides, there are already SDKs that allow one to build such functionality independently for open source wallets.
Another way is to use an always-on home computer or VPS that runs the webhook handler, which in turn launches your own script to create a competitive transaction.
The script for creating a competitive transaction in Ethereum can be written in node.js using the library web3.js, which provides an API for interacting with the Ethereum blockchain. To avoid running your own node, you can connect to a public node from Infura.io.
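The two steps described above (spot an outgoing transaction from your address, then build a same-nonce transaction to the backup wallet) written as the decision logic of a webhook handler. This is an added example, not code from the original article; the addresses, the names WATCHED, BACKUP, isSuspicious and buildRescueTx, the 50% price bump and the legacy gasPrice transaction format are assumptions, and the sample pending transaction is constructed.

```javascript
// Added example: pure decision logic for a webhook handler (no network access).
// All names and addresses below are hypothetical / constructed.
const WATCHED = '0x1111111111111111111111111111111111111111'; // wallet being protected
const BACKUP  = '0x2222222222222222222222222222222222222222'; // backup wallet
const TRANSFER_GAS = 21000n; // gas used by a plain ETH transfer
const GWEI = 10n ** 9n;

// True when a pending transaction spends from the watched address
// and is not already going to the backup wallet.
function isSuspicious(tx) {
  return tx.from.toLowerCase() === WATCHED.toLowerCase() &&
         (tx.to || '').toLowerCase() !== BACKUP.toLowerCase();
}

// Build the competitive transaction: same nonce, higher gas price, and the
// whole balance minus the fee sent to BACKUP. bumpPercent is an assumption;
// nodes reject a same-nonce replacement that does not raise the price enough
// (geth's default minimum bump is 10%).
function buildRescueTx(pendingTx, balanceWei, bumpPercent = 50n) {
  if (!isSuspicious(pendingTx)) return null;
  // +1 wei keeps the price strictly above the bump when the division rounds down.
  const gasPrice = BigInt(pendingTx.gasPrice) * (100n + bumpPercent) / 100n + 1n;
  const fee = gasPrice * TRANSFER_GAS;
  if (balanceWei <= fee) return null; // balance cannot even cover the fee
  return {
    from: WATCHED,
    to: BACKUP,
    nonce: pendingTx.nonce, // same nonce: only one of the two can be mined
    gas: TRANSFER_GAS.toString(),
    gasPrice: gasPrice.toString(),
    value: (balanceWei - fee).toString(),
  };
}

// Constructed sample of what a mempool monitor might deliver to the handler.
const samplePending = {
  from: WATCHED,
  to: '0x3333333333333333333333333333333333333333',
  nonce: 7,
  gasPrice: (20n * GWEI).toString(),
  value: (10n ** 18n).toString(),
};

const rescue = buildRescueTx(samplePending, 2n * 10n ** 18n); // balance: 2 ETH
console.log(rescue);
```

The returned object has the fields web3.js expects for signing (web3.eth.accounts.signTransaction) and broadcasting (web3.eth.sendSignedTransaction). It covers only the ETH balance; each ERC20 token needs its own transfer transaction with a subsequent nonce.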
For Bitcoin, the choice is much broader. To write your script for creating a competitive transaction, you can use a JavaScript library such as bitcoinjs, a solution from BitPay, or a Python library. A public node can be found on bitnodes.
Instead of a Conclusion
As you can see, crypto technologies have interesting possibilities for automation and additional protection of wallets. By the way, some blockchains implement protection and insurance functions at the main protocol level. For example, in EOS, stolen funds can be returned through the built-in arbitration mechanism.
I hope this article provided you with useful information on additional protection and monitoring of your wallets. Thanks for reading!