Guide: What to watch out for when signing things on a wallet

Source: Reddit

So because of the recent event I went through, I figured it was time for me to re-educate myself on this matter so it doesn't happen again. In doing so, I am hoping this guide can help others understand what they are looking at, and maybe it will help better protect them.

Note: I will be using MetaMask as my example. In short, it's the most popular app to use at this time when it comes to these types of things, and generally other wallets are extremely similar to it.

_________________________________

Digital signature/signing a message/logging into web 3 sites

I'm going to start with the less risky of the two, and that is a signature. Signing a message with your wallet is a method of authentication. It is typically used to prove ownership of a specific wallet address without revealing the private key. It is commonly used for logging into websites, accessing certain services, or participating in specific activities. The process involves creating a digital signature using your private key to verify your identity.

What is important to note is this DOES NOT go on the blockchain. The signed message might be sent back to the website or service that requested it, and they can then use the signature to verify your ownership of the corresponding wallet address. This verification process often involves using your wallet's public key, which is derived from your private key, to ensure that the signature is valid and matches the signed message.

Because of this, signing a message doesn't have the ability to transfer funds from your wallet in itself.

An example of what it could look like is something like this:

https://preview.redd.it/8eex6ku9ztfb1.png?width=645&format=png&auto=webp&s=434158d6cc48f22dc711a9df04462824f69c37e5

Let's focus on:

Only sign this message if you fully understand the content and trust the requesting site.

If you sign a message on an untrusted or malicious website, the biggest risk is:

The website could use the signed message to gain unauthorized access to certain services or perform actions on your behalf without your consent. Note this only happens with that single site; you can't take the signature from one site and use it on others. So, for example, if you signed a message on Myspace it can't be used on another site. For this reason, many sites that deal with money, like web3 bots, will have the signed message only be valid for 24 hours.

Basically, think of it as if you had a pretty good password setup that isn't shared with other sites, and your password changes every so often. Depending on how the hacker has access, this can be used to steal your access to the site or service. So for something like a web3 site or a mailing service, they might be able to send things on your behalf, depending on the system.

So the damage is extremely limited on this.

Let's focus on the

Message: 

Signing in with pixels: Arr3gFbBY2cpXC7gaTrUEqn9JjzBrIF7_vdP_aqGIkO-AMxFEA0Dyj792hROBjG0vS_syUrLXzBhMNhw

This part, the long string at the end, is just a challenge. It's unique, and this makes things more secure. Overall, this helps prove you are who you say you are.

Note: I did personally request that MetaMask add a different background when you deal with this vs. a smart contract. Things like that could make it that much easier and safer for users.

_______

Smart contracts

Smart contracts, however, are a bit different. They are on the blockchain, and if you don't pay attention it could cause you to lose all your funds. A smart contract is self-executing code on the blockchain. They can be highly useful in DeFi, DEXes, and legitimate services. But between the two, this is what you really have to watch out for.

An example is something like this:

https://preview.redd.it/h52ibdcr3ufb1.png?width=632&format=png&auto=webp&s=bd6336a03482a23ef4a239eef7018bba70176ea2

In this case you might see something asking for a spending limit. This is important to note because, depending on how things are written, a scammer can try to hide a lot of this by adding a bunch of junk, and they can aim to make the spending or transfer unlimited. From there, once signed, it will suck out the funds the smart contract told it you allowed, up to that amount.

Note: if it's unlimited, this stays active until you revoke the smart contract. You can do this by using something like https://revoke.cash/

This is pretty straightforward. You can change the allowance to 0 or just click revoke, go through the process, and it will revoke the smart contract. There are a number of other places you can do this with. They all work pretty much the same, but some have a better interface.

Safety note:

In the image above I was basically using the Uniswap DEX as an example. But let's say I wanted to trade 10 coins. Marking 1000 is dangerous, for if the system gets hacked, they now have access to the allowance amount you gave it and haven't used yet. It's best to just mark the amount you are going to use during that transaction.

Again, you can revoke it. But if you're using an L2, fees shouldn't be a major problem anyway.
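The spending-limit warning above comes down to one number inside the transaction the wallet asks you to sign. This added example (not code from the original post or from MetaMask) decodes the calldata of an ERC-20 approve(address,uint256) call and flags an allowance that is unlimited or larger than what the user meant to trade, the 10-versus-1000 case from the post. The sample calldata is constructed here; the selector 0x095ea7b3 is the real ERC-20 approve selector, while the verdict names are this example's own.

```javascript
// Added example, not from the original post: inspect approve() calldata
// before signing and flag an unlimited or oversized allowance.
const APPROVE_SELECTOR = '095ea7b3';          // keccak256("approve(address,uint256)")[:4]
const MAX_UINT256 = (1n << 256n) - 1n;         // what "unlimited" looks like on chain

// Returns { spender, amount } for an approve() call, or null if it is not one.
function decodeApprove(calldataHex) {
  const hex = calldataHex.replace(/^0x/, '').toLowerCase();
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes of a 32-byte word; anything in the
  // upper 12 bytes means the word is not a clean address.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) return null;
  return { spender: '0x' + spenderWord.slice(24), amount: BigInt('0x' + hex.slice(72, 136)) };
}

// intendedTokens is the whole-token amount the user actually wants to trade
// (e.g. 10), decimals the token's decimals. Verdicts (this example's names):
// 'unlimited', 'excessive', 'ok', or 'not-approve'.
function checkAllowance(calldataHex, intendedTokens, decimals = 18) {
  const call = decodeApprove(calldataHex);
  if (!call) return { verdict: 'not-approve' };
  const intended = BigInt(intendedTokens) * 10n ** BigInt(decimals);
  let verdict = 'ok';
  if (call.amount === MAX_UINT256) verdict = 'unlimited';
  else if (call.amount > intended) verdict = 'excessive';
  return { verdict, spender: call.spender, amount: call.amount, intended };
}

// Builds sample calldata (constructed, for illustration only).
function encodeApprove(spender, amount) {
  const spenderWord = spender.replace(/^0x/, '').toLowerCase().padStart(64, '0');
  const amountWord = BigInt(amount).toString(16).padStart(64, '0');
  return '0x' + APPROVE_SELECTOR + spenderWord + amountWord;
}
```

A wallet or browser extension that runs a check like this can show "unlimited" or "1000 tokens, you asked for 10" in plain words instead of a 78-digit number.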

submitted by /u/crua9
