There comes a point in your life where you want to start becoming more security-oriented. For me this day came when I realized that a JPEG that I had almost forgotten about is now one of the most expensive NFTs.
Here is my story on how I found out that I owned a CryptoPunk and then realized that I needed to secure it with a hardware wallet. How could this happen and how did it end?
My CryptoPunk Story
In November 2018 I visited the first real CryptoPunk exhibition at the Kate Vass gallery in Zurich. I was inspired by the CryptoPunks, so I bought one myself later. And then I forgot it in my MetaMask wallet and didn’t think about it.
This year I was talking to a good friend who is an NFT expert, and he told me that it is very risky to store a great NFT in MetaMask. This was the reason to transfer some NFTs to my hardware wallet, which is a Ledger Nano X.
I contacted the helpdesk at Ledger to get some more information about transferring an NFT to Ledger. I read an article in the Ledger knowledge base saying that CryptoPunks, which are based on the ERC20 standard, can’t be managed by Ledger. What does that mean – it can’t be managed? I was confused and started to do more research:
It just means that Ledger Live can’t show NFTs based on the ERC20 standard, but if they are transferred correctly to an Ethereum address at Ledger, they will be stored and will be safe.
If you want to know more about the different standards, check the article on Standard Tokens.
What is MetaMask?
MetaMask is a very common crypto wallet & gateway to blockchain apps. It’s an easy-to-install browser extension for Brave, Chrome, Firefox, Opera and Edge.
So, why is a hardware wallet safer than MetaMask, Trust Wallet, Exodus, or any other software wallet? Software wallets are always at risk of remote hacks.
A hardware wallet stores the private keys separately, so they are not exposed to this issue.
Please remember the phrase: not your keys – not your coins! That means any storage offering where you do not own the private keys is very bad. If you buy some cryptocurrencies on an exchange, move them quickly to safe storage, unless it is a small amount and you use it for intraday trading. If you are into crypto staking, most hardware wallets offer a possibility for staking.
“What is staking? At a very basic level, “staking” means locking your crypto assets in a proof-of-stake blockchain for a certain period of time. These locked assets are used to achieve consensus, which is required to secure the network and ensure the validity of every new transaction to be written to the blockchain. Those who stake their coins in a PoS blockchain are usually called “validators.” For locking their assets and providing services to the blockchain, validators are rewarded with new coins from the network.” – Bitcoin Suisse
If you want to stake your coins anywhere else, and not directly through an option of your hardware wallet, you can connect your Ledger to MetaMask and connect it to the desired service.
What is a CryptoPunk?
“10,000 unique collectible characters with proof of ownership stored on the Ethereum blockchain. The project that inspired the modern CryptoArt movement. Selected press and appearances include Mashable, CNBC, The Financial Times, Bloomberg, MarketWatch, The Paris Review, Salon, The Outline, BreakerMag, Christie’s of London, Art|Basel, The PBS NewsHour, The New York Times in 2018 and again in 2021. The Cryptopunks are one of the earliest examples of a “Non-Fungible Token” on Ethereum, and were inspiration for the ERC-721 standard that powers most digital art and collectibles.” Explanation by Larvalabs.
If you want to buy yourself a piece of the first NFT art, just go to OpenSea and there you can easily buy one.
Now coming back to the issue with the CryptoPunk. To make sure that the information is valid and the source is trustworthy, I contacted Ledger support again and was helped by Chuck White, who is called “Chuck, the resident boomer in Ledger CS” 😊
He has a very funny way of writing and we exchanged a lot of emails. He supported me with screenshots and structured instructions on how to transfer an NFT to Ledger. I am now just citing the main info from Chuck:
“Since your Punk is an ERC based NFT, it will show up in your Ledger ETH account when you send it to your Ledger ETH account address. Here is a screenshot of the ERC NFTs in my Ledger Live ETH account:
The question is, do you want your Punk in your Main Ledger ETH account or a second “cold storage” ETH account.
Once you decide this, you can send your Punk to either your main ETH account in Ledger Live or add a second ETH account in Ledger Live and then send the Punk to that ETH account. You will need ETH in Ethereum 1 account before you can create Ethereum 2 account (it is how Ledger Live works).
Let me know your thoughts and additional questions and also if you prefer to use MetaMask instead of Ledger Live.
Once I hear back from you, I will assist you further and I am happy to walk you through all the steps.”
Then the moment came to transfer my NFT to the Ledger Nano. I asked a good friend, David Furrer, Co-founder of Onchained, who has a lot of knowledge in NFTs, to assist just to make sure that I wouldn’t miss anything.
As I received this notice in my MetaMask, I was happy that the fee was very low and my heart started to race.
Then I pressed the button and had to wait some seconds to see the NFT in the wallet on my Ledger Nano. I checked again on opensea.io and etherscan.io. Yes, it worked – now I am happy and the NFT is safe!
Signing a smart contract
Who of you knows what really happens when you sign a smart contract? What do you confirm when you click on “sign message”?
What can happen if you get a malicious smart contract?
A good explanation from Chuck White, Ledger:
“The two main ways you can get tricked and lose your NFT assets are by signing either of these two ERC721 token functions when it is associated with a malicious contract or scammer:
When you sign and set those token approvals, the smart contract you interacted with now has the authority to send the NFTs in a certain collection out of your account to another account.
You’ll most commonly see the “setApprovalForAll” function when you list your NFTs for sale on a marketplace, and its purpose is simple: it allows that marketplace to move your NFT out of your wallet, and into someone else’s, whenever it is sold.
The other very common smart contract function you may encounter is “SafeTransferFrom” – this message will appear during any transaction where you’re sending an NFT from your own wallet to another wallet.
Both functions are necessary for ERC721 smart contract interactions. However, users must carefully review when signing and setting these token approvals as scammers will trick you into signing and setting the approvals when you shouldn’t.
This Ledger Academy article explains the malicious uses of these two important ERC721 contract functions:
These Twitter threads from earlier this year detail how “setApprovalForAll” has been exploited:
The main problem in crypto is the usability. To store your crypto yourself – without a custodian – you must read and learn a lot to understand how everything works, how to secure your funds and how not to lose anything. The mass adoption of cryptocurrency will only happen when the usability becomes more and more user friendly.
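The approval and transfer calls described in the quoted explanation above can be read directly from the transaction data a wallet asks you to sign. The following is an added example, not part of the original post and not Ledger's code: it decodes the standard ERC721 function selectors and flags an approve-all for an operator you do not recognise. The helper names `decode_call` and `review`, the operator address and the sample calldata are constructed for illustration.

```python
# Added example (not from the post): decode what an ERC721 signing prompt contains.
# 4-byte selectors of the two functions named above (plus the 4-argument overload).
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
    "b88d4fde": ("safeTransferFrom", ("address", "address", "uint256", "bytes")),
}

def decode_call(calldata_hex):
    """Return (function_name, args) for known calls, (None, selector) otherwise."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in SELECTORS:
        return None, selector
    name, types = SELECTORS[selector]
    if len(body) < 32 * len(types):
        raise ValueError("calldata truncated")
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i:32 * i + 32]          # each head argument is one 32-byte word
        if kind == "address":
            args.append("0x" + word[12:].hex())  # address = low 20 bytes of the word
        elif kind == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        elif kind == "uint256":
            args.append(int.from_bytes(word, "big"))
        # "bytes" is a dynamic tail; it does not change who receives the token
    return name, args

def review(calldata_hex, trusted_operators=()):
    """Classify a pending call as (level, text) before it is signed."""
    name, args = decode_call(calldata_hex)
    if name is None:
        return "UNKNOWN", f"selector 0x{args} not recognised; do not sign blind"
    if name == "setApprovalForAll":
        operator, approved = args
        if not approved:
            return "OK", f"revokes operator {operator}"
        if operator in {a.lower() for a in trusted_operators}:
            return "CAUTION", f"{operator} may move every NFT in this collection"
        return "DANGER", f"unrecognised operator {operator} would control the whole collection"
    sender, recipient, token_id = args[:3]
    return "TRANSFER", f"token {token_id} moves from {sender} to {recipient}"

# Constructed sample: approve-all for a made-up operator address.
OPERATOR = "0x" + "ab" * 20
SAMPLE = "0xa22cb465" + OPERATOR[2:].rjust(64, "0") + "1".rjust(64, "0")
if __name__ == "__main__":
    print(review(SAMPLE))
    print(review(SAMPLE, trusted_operators=[OPERATOR]))
```

The same check with the approved flag set to false classifies the call as a revocation, which is how an approval granted by mistake is withdrawn.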