This post is also available in: Română (Romanian)
I am part of various Facebook or Telegram crypto groups where inevitably there are also many beginners or less technical users. Often I see phrases like “my funds were transferred to another wallet, but I don’t understand how since I had both pin and face ID authentication”.
Let me explain briefly and in simple terms how a wallet works.
Important to know
As a user, you have absolutely nothing physical in a wallet. There is no Bitcoin or Egold in a wallet, even if your wallet shows that you have X amount available.
Everything you have is actually on the blockchain, assigned to a certain address.
How blockchain works in short
The blockchain is a chain of data. When you create a new wallet, you receive a new address. Often, if you don’t make any transactions (receive or send anything), the new address does not physically exist on the blockchain. When there is a transaction to or from your address, then the first record in the blockchain related to your wallet address appears.
Imagine the blockchain as a large notebook with many lines, in which an accountant writes line by line everything that happens with clients’ accounts. The only way to see your total funds is to go through that notebook line by line and subtract/add that line, and finally, have a current total of your account.
Now… your address consists of 2 parts: the public part (public key) and the private part (private key).
The public part is known to everyone, if someone wants to send you funds, the address where they send these funds is the public part of your address. In the imaginary ledger, the lines that represent you are only those that contains your public key.
The private part is known only to you and must be treated like a very important password. If you want this imaginary ledger we have to note something in the notebook (on the blockchain), we need to make a special request in which we mention, among other things: to whom we transfer coins, in what quantity, what payment details we include, and so on. Now comes the interesting part: such a request to the blockchain without a signature is useless. The accountant will not take it into account.
How do we make sure our requests are taken into account and fulfilled? We sign our request with the private key. You can imagine a ticket on which you note all the transaction details and at the end, instead of signing with your name, you sign with those 24 (depending on the blockchain it can be a different number) words. The accountant (blockchain) sees that these words are the real ones, in the right order, considers your request valid, and writes it on a line in the notebook.
Once the accountant has written your transaction in the notebook, the operation can no longer be reversed. So, if you sent money to an address but mistakenly entered a wrong number or letter in that address, the operation cannot be stopped/reversed.
How a wallet works
A wallet does nothing special except facilitate communication with the blockchain. Often there are mechanisms behind it that keep the current state of your account on the blockchain in a more centralized way so you don’t have to go through all the “rows” in the ledger to see how much funds you have available.
The wallet uses these mechanisms to essentially ask “hey, how many coins does Filip have at this moment, starting from the first transaction written in the ledger.”
The wallet has another important function: it needs to keep your private key safe, which are those secret words. Only then can you ask the wallet to send coins to a friend and have them send it on to the blockchain/accountant at your request.
Often, a wallet keeps those secret words in a secure location (for example, on your phone in a secure chip from which information can only be taken if you authenticate with Face/Touch ID or enter a PIN code).
The fact that you’ve protected the wallet app with a PIN code doesn’t mean that no one can touch your funds. Why? Because those 24 secret words are all you need to record transactions in the ledger. The blockchain/accountant doesn’t know your phone PIN, or app PIN, or try to mimic your face to get past Face ID. Instead, it only knows how to verify the secret words.
For this reason, there are wallet types called “paper wallets.” Simply put, you write the secret words on a piece of paper and keep it safe there. It’s the safest method because the paper is not connected to the internet, but it’s also an inefficient method because if you’re not tech-savvy, you can’t sign transactions with those words by yourself.
That’s why 99% of people use a wallet app so that the wallet secures the secret words in the signature and makes the process easier.
Example: In the MultiversX network, I use the xPortal wallet. It keeps my 24 secret words safe. But for example, I can have the secret words on my computer and make transactions from there, using the same account (the public key is the same), so I can send 1 EGLD from my computer using the secret words, and when I open the xPortal app later, I’ll see that I have 1 EGLD less. This demonstrates that there is nothing physical in a wallet, and any type of funds or tokens are exclusively kept on the blockchain.
How can a crypto/blockchain account be “hacked” under these conditions?
The most efficient way of hacking in this area of crypto/blockchain is social hacking.
What does social hacking mean? In super simple terms: someone tricks you into revealing your secret part, the 24 words.
All kinds of shady websites mimic the official wallet, scams like “you have won $1000, all you need to do to receive it is to enter your 24 words here to confirm that it’s you.”
As a golden rule of thumb, your secret words should never be entered anywhere else other than your wallet one time only (if you import them). Oftentimes, you shouldn’t even know them, just keep them in a safe place as backup.
Every time you give out your secret words, you are giving full and unconditional access to your wallet account. It’s like signing a blank sheet of paper that someone can later use however they want, filling out a request to the accountant which will be authentic and processed.
Another way your private key (your secret words) can be stolen is if you keep them somewhere on the internet. For example, you wrote down your secret words in a file on your desktop. There are viruses that can extract anything that looks like secret phrases and read your file, stealing your phrase and that’s it. They may not even act immediately, waiting for you to have more funds in your account and then they will act, because those secret words don’t expire and are valid for life.
Or, for example, you wrote down your secret words in Gmail, in an email sent to yourself, but you have a very simple password for Gmail and no 2-step authentication. Someone logs into your account, scans anything that looks like “private keys,” and stores them somewhere to be used later.
For this reason, the safest place to keep your secret words is a space that is not connected to the internet and will never be connected: a physical device (Ledger, Trezor) or written on a piece of paper (which you shouldn’t take a picture of with your phone, otherwise you wrote your words for nothing, the picture may end up on the internet and you’ve been compromised).
Can I compromise my account if I sign transactions with WalletConnect?
Quick answer: no!
The complete answer is a bit longer and goes into the realm of DAPPs (decentralized applications).
DAPPs “talk” to your wallet constantly. When you connect to an application with your wallet, you usually scan a QR code, and the wallet asks for permission to connect to that application. When you give permission, the wallet does not send anything private back to the application. Everything it sends is public information, such as the public part of your wallet, i.e., your address.
For example, on my blog, there are spaces where you can buy “ads.” To do this, you first connect with your wallet. Once there is an active connection, the application (DAPP) can send sign requests to your wallet. For example, you rent an ad space on my blog. You press a button, and the blog sends a sign request to your wallet: Filip’s blog wants to send amount X to this address with payment details Y. It is your decision whether you sign and send that transaction further.
As I mentioned earlier, the wallet does not send anything private to the application, but it can send signed transactions back. It is a bit more complicated to understand if you are a beginner or non-technical, but the 24 words are not sent to the application; instead, the transaction is “mixed” with your signature (with the secret words). Therefore, the DAPP can send your transaction further to the blockchain as if it came directly from you.
For example, if you rent an ad space on my blog, no one in the blockchain will see that you used my blog to rent the space. They will see a transaction sent directly from you to a smart contract. No one knows who helped whom to form this transaction, but it is authentic and signed by you.
For this reason, I generally have no fear of connecting to any online DAPP because I know that nothing private is sent to these applications.
It is very important to look at what transactions you are signing. After you are connected to an application, it can send anything to your wallet to be signed. The wallet is transparent with you, and you will see what you need to sign before you do it. If you sign everything blindly, like the mayor so to speak, then it is your fault for any losses. For example, an application may ask you to sign a transaction that sends all the funds in your account to another address. If you are not careful and press the sign button in the wallet… it is only your fault, and the blockchain will show that you willingly sent all your funds to Gigi Hacker.
Conclusion: Blockchain holds you accountable
In this space, you are responsible for your funds. You are responsible for keeping your secret words safe so that only you can send requests to the blockchain/accountant.
It is almost impossible for a blockchain to be hacked and for someone to steal your funds without you giving away your secret words or compromising them somewhere.
No matter how many layers of security your wallet has, if someone has taken your secret words through a method (with your help, as no one can take them without you revealing them), they can make transactions on your behalf without having your Face ID or wallet Pin.
Nothing is reversible on the blockchain, so if you have compromised your secret part, you should move your funds to another wallet before someone steals them. Once the funds are sent to another address on the blockchain, you can say goodbye to your funds.
Be very careful about the transactions you sign, do not sign blindly like the mayor without looking at what you are signing, do not reveal your secret words anywhere, and keep them safe somewhere, in a place that is not connected to the internet. Only in this way can you ensure that you will never be “hacked” in crypto/blockchain.