How to securely manage your Topps GPK cards

The Topps Garbage Pail Kids launch on the WAX ecosystem has been exciting. The initial 110,000 cards sold out in 28 hours, and after 2 days the trade volume on second-hand WAX markets is surpassing 300,000 WAX. Multiple tools have been launched by the community to improve the WAX experience. 

The WAX Cloud Wallet has been a superb on-boarding platform, and it raised the bar for how a launch on a blockchain should feel for newcomers. There are still parts that need to be improved; we have been told that the WAX and Topps teams are aware of them and have already made improvements for future launches. 

Quick note on the account resources

Your account needs CPU, NET and RAM to operate on the blockchain. CPU is consumed every time you perform an action or transaction, NET is consumed according to the size of that transaction, and RAM is your storage.

- NET is not an issue for normal users
- CPU can run out if you are very active, play games etc.
- RAM will run out if you own a lot of NFTs

For average users, the NET and CPU that come with your account will be enough. If you are more active you may run short of CPU, in which case staking 10 WAX to CPU will be enough (for now). These resources can later be unstaked, and you get your WAX back, which can then be transferred. 

RAM is like your hard drive on the blockchain. You buy a portion of the storage (like paying for Dropbox), and your tokens and Garbage Pail Kids cards are stored in it. When you buy RAM, you own that portion until you sell it. For now RAM is rather cheap, so 10 or 20 WAX worth of it will be enough for quite some time for most users.

Staking 10 WAX to CPU and buying 20 WAX worth of RAM means you have locked up about 1 USD in your blockchain account. These can later be unstaked or sold to get your tokens back. Worth adding is that unstaking tokens from CPU/NET takes 72 hours, and that delay can be used to protect your tokens (more on this further down). 

*Worth noting is that the RAM price goes up and down with demand, so you may get more or less WAX back than you paid when you sell your RAM. 

Account types

Currently we can divide user accounts into two different types.
1) Cloud wallet account (all-access.wax.io)
2) Self managed account

The cloud wallet is a convenient way to interact with dapps, exchanges, websites and such. But it comes with a trade-off. In general, the more convenient a solution is, the more trade-offs have been made against security. This is not always the case, but it is a good rule of thumb. 

In the cloud wallet, the WAX team holds your keys: they make sure the keys are kept safe so you don't have to bother with it. This is great for convenience, but it also means you have to trust the cloud wallet and the WAX team with your assets. That trust is fine for convenience, but not for storing large value. What counts as large value is individual to your economy, your risk appetite and what you are comfortable with. But as soon as you believe you have acquired a large value, you should start looking at an account where you control the keys. 

If you use the cloud wallet, make sure you set up 2FA, or anyone with your login credentials can take everything you have, and there is nothing you can do about it. This is also why you need a strong password. The easiest way to make a strong password is to combine 4+ words, like 'applemonitormousemountain'. If the words are common ones, that is still within reach of a dictionary attack, so make the passphrase stronger by inserting random characters that break up the words, 'appl*emonit1ormou!semou@ntain'. This makes dictionary-based brute forcing much harder while the phrase stays reasonably easy to remember. Please do not just swap O for 0, or A for 4, etc.; l33t substitutions are built into these cracking tools. 

The best solution is still to use a password manager and generate a long random string of symbols, numbers and letters. Remember that every cloud-based service is a honeypot that attackers will try to get their hands on, and if you use the same email at multiple places, it's likely they will try to log in with your email and common or previously leaked passwords. 

Not your keys, not your GPK.

Managing your private keys

We have written a detailed guide for this: Private key management for DUMMIES

If you are not used to managing private keys, you should really take the time to read through that post. It is detailed and has a lot of examples of what can go wrong and how to minimize the risk. 

We also have an advanced guide on how to create offline-generated keys.

If you are not used to managing your keys, the best option as soon as you have acquired some value is to buy a hardware wallet. This is a great way to reduce the risk of mismanaging your keys. You can achieve an equally secure solution at no cost, but it requires more time, knowledge and skill; the offline guide above is one way to reach similar security. 

Currently the best hardware wallet option for WAX is from Ledger: inside the Ledger you install the EOS app, and after that you can fetch keys that work with the WAX blockchain. 

If you want to learn how to change permissions, change keys and the other details of managing your WAX accounts, a great way to start is by creating an account on the testnet, which can be done here. You can also get some test tokens and try things out. 

Storing your GPK cards inside another wallet

First if you don't have one you need to create another account. This can easily be done by:

  1. Going to wax.bloks.io
  2. Logging in with your cloud wallet.  (top right corner)
  3. Navigate to Wallet
  4. Navigate to create account
  5. Enter the account name (exactly 12 characters; a-z and 1-5 are allowed)
  6. Enter the public key of owner and active (they can be the same, but that is not recommended)
  7. Buy NET, CPU and RAM for the account. More RAM is needed if you plan to store GPKs
  8. Hit 'Create Account' and sign the transaction with your cloud wallet. 

If you did everything correctly, you now have another account where you control the keys. These private keys should be treated as highly valuable. Anyone who gets access to your keys has access to your account and everything on it. If you misplace them, your account is lost. So make sure to scroll up and read the Private key management for dummies guide.

The active key, if it is not in your hardware wallet, can now be entered in your preferred wallet. You can find a list of available ones on https://wax.io under Wallets & tools. Scatter, SimplEOS and Anchor are the most used. 

To learn the difference between the active and owner key, read the dummies text. But in short: the owner key is your admin key, NEVER enter it anywhere unless you have to. The active key can do everything the owner key can, except change the owner key(s). 

Why not store it in the cloud wallet?

In the cloud wallet, you do NOT control the keys. And in the blockchain world, whoever controls the keys is responsible for the assets. If the one controlling the keys makes one mistake that results in the key being compromised, you lose your assets, and you cannot get them back. The same applies if you control the keys yourself: if you screw up, you screw up, and no one will save you. 

So better take some time and learn the basics of key management; it will be worth it in the long run. You do NOT want to be in a position where you feel like sh*t because you did not take the time to learn how to do it properly.

Most issues and vulnerabilities can be prevented entirely, or the risk reduced A LOT, by small measures. 

If you do not fully trust yourself, a good idea is to buy a hardware wallet, which has only one job: to keep your keys safe. This removes a lot of risk, but not all of it. You can still sign a bad action that swaps your keys, so do not trust shady sites, and make sure to always use HTTPS on websites. 

ALWAYS READ THE ACTION MESSAGE IN YOUR WALLET

I cannot stress this enough: when you buy, sell or do anything else that requires signing a transaction in your wallet, read that EXACT action. If the service you are using is malicious, the action may be, for example, 'updateauth' instead of the 'transfer' you tried to do. That swaps the keys of your account, and the account is no longer yours. This is another reason why you should NEVER have the owner key in your wallets: if you sign with it and they swap the action, they swap all your keys. If they do it with the active key, at least you have a chance to use your owner key and save your account. 

If these actions show up, make sure they are there on purpose and not by mistake:

  • updateauth - swaps your keys (deleteauth, linkauth and unlinkauth also change what your keys are allowed to do)
  • transfer - sends something out of your account
  • buyram - buys RAM with your WAX; make sure the receiver is who it should be. 
  • delegatebw - the action that stakes WAX to CPU/NET, which usually is safe. BUT the action has a 'transfer' flag (--transfer in cleos) which, when set, hands the staked tokens over to the receiver. That is the same as a transfer action.

In addition to these actions, also read the contract name. The contract is the account whose code the action is called on. The system actions above (updateauth, buyram, delegatebw) are always called on 'eosio', the system contract of WAX, while WAX token transfers are called on 'eosio.token'. 

If you trade GPK NFTs, you will talk to 'simpleassets' and 'simplemarket'. Each market has its own contract, so you can easily see whether the action is going to the contract you intend. If you try to send a GPK NFT to a marketplace and the action shown is 'eosio.token::transfer', you are sending out WAX tokens, not an NFT. 

If the action is 'simpleassets::transfer', you are sending out an NFT.

Get notifications if something happen in your account

There's a bot on WAX from one of the guilds that sends you a message as soon as transfers or unstaking of your tokens occur. This at least gives you a chance to react and save your account if the actions are unauthorized. 

A great way to protect your WAX tokens is to stake them. Unstaking takes 72 hours, and if you have notifications on your account, 72 hours should be enough for you to find your owner key, enter it on an uncompromised machine, and swap your keys for new ones. That locks out the person who got access to your key and unstaked your tokens. 

Summary of best practices

1. Treat your Cloud wallet as a hot wallet

Only keep what you intend to use in it, nothing else. It is convenient and a great tool for interacting with third parties, but convenience usually means added risk. 

2. Store large value on accounts where you control the keys

Learn basic key management, and store your high-value cards and larger sums of tokens on one or more accounts you control yourself. 

3. Learn to read the actions you sign

Take the time needed, ask the right people questions, and just get used to reading the action. The larger the value you hold and the larger the transactions you make, the more important this becomes. Make sure that when you want to send tokens to the account "waxswedenorg", they don't go to "scamaccount1". 

4. Get notifications of your accounts

This makes sure you get notified if unauthorized actions occur on your account, and it is also a great way to keep informed about what happens in your account. 

5. Set up proper permissions of your self controlled account

With EOSIO, you have a VERY powerful permission system. You can learn more about that here. Essentially it allows you to add a key to your account that is ONLY able to perform the EXACT actions on the EXACT contract you allow. This is very powerful. 

6. Staked tokens means protected tokens

Stake your WAX tokens; it gives you a 72-hour window to save your account. This relies on how well you secure your owner key, and on having different owner and active keys. 

The higher the value you hold, from your own perspective, the more important it is to add additional security layers. 

7. Don't wish you had paid attention to this when shit goes down

Take the time, just do it, to learn how to minimize the risk of something going wrong. Start by reading this article and learning what steps to take.

Comments
EOS Hot Sauce #57: EOS Nation Infrastructure Improvements, EOS VC Grants, EOSIO Challenge Winner, EOS Lost Keys Renewal, Anchor Mobile and More! | EOS Nation | EOS Block Producer says July 7, 2021

[…] you’ll find GPK NFTs sorted by market capitalization, and WaxSweden published a great article on how to securely manage GPK NFTs, because: not your keys, not your […]
