Another amazing video. U master hardware wallets bro!! I have just learnt how to sign transactions knowing exactly from and where my funds are going. Thumbs up !! Underestimated youtuber bro
Thanks , glad it helped :)
@@CryptoGuide bro u are another level. No one says and explains this stuff. U are a legend. Thank u. I will never again sign a transaction blindly
Thanks :)
great vid thanx... this is still very advanced for most users...
Yea it's certainly not straightforward. (Though frankly defi is a security disaster across the board)
Hello, I picked up the Keystone Pro 3 for this specific feature of decoding smart contracts. After following all tutorials on loading up ABI zip files on to the device, I’m still getting “unknown contract” when using MetaMask or Uniswap. Any suggestions? Are those two platforms not supported?
Does it work with other smart contract platforms? (Eg: Are you able to validate that you installed all the ABI stuff correctly?)
@ I followed the tutorial listed on site. I only use the two platforms listed. I recall from one of your videos you had difficulty displaying contract details on MetaMask then you switched to pancake where it worked.
Perhaps give 1inch a go, I recall that it worked
Excellent topic and coverage.
Glad it helped :)
2 years later and this is still a pretty serious problem. The industry needs to standardize certain security features and make them universal so everyone can protect themselves.
Yea unfortunately the nature of smart contract platforms makes this very difficult to do in a consistent way on EVM chains, let alone across other smart contract platforms.
Something that bugs me is that the smart contract ABI is just sitting there on the blockchain explorer just waiting to be used, but it's a HUGE hassle to actually use it. The person who wrote the contract must provide the ABI to verify the contract (so people can interact with it directly on the blockchain explorer). So the data is already there, just not in a way that hardware wallets can use. I feel like (which means I don't understand the technicalities involved) there should be an easier way to pull the ABI from all verified contracts so hardware wallets can use them. It's also a struggle because most solid projects use 3-8 different smart contracts for simple things like the router and lending so you'd potentially need 3-8 different ABI files.
Yea it's a complete mess and reflects the reality that the jury is still out on whether the approach that Ethereum went with will be workable over the long term. (Never mind that the incentives simply aren't there for projects to spend time ensuring that their platform is verifiable)
Nice video. Any thoughts on the new debank Rabby wallet? Also could there be an issue putting an SD card into your hardware wallet? It seems kind of freaky if you put in the wrong file and had issues from that
Haven't heard of Rabby but I'll certainly check it out.
In terms of the SD card, it's still much lower risk than connecting a hardware wallet over USB or Bluetooth, in that you aren't creating a two way active connection.
Exploits via malicious SD card data are possible, (especially given that the device runs Android, so higher risk than SD card in something like a ColdCard) but they would need to be very sophisticated to actually leak any data/keys given that signing all happens via QR.
Keystone runs Android? Can the wireless be reactivated like on the ELLIPAL?
Excellent video, thanks 👍
Glad it helped :)
Steve, how are you? Thanks for adding translation to the videos. I have a doubt. Can you guide me better? I have my address, because I have a transaction print. (I lost the HD). I'm lost in the videos on where to start to check the pk. It's possible to do this with the database I downloaded from your site. Could you guide me better, where to start?
Don't spam comments on multiple videos, once is enough. Replied to your other comment.
Very informative info. I think I'll stay away from smart contracts and just use hardware wallet for deep storage. Cheers Steve
Yea the whole defi space is a security nightmare.
Fortunately it's not difficult to hodl securely with a hardware wallet :)
many thanks.
No worries:)
This doesn't seem to be the case with Ledger Nano X per a video on their channel, a second video from another channel shows setup: Ledger nano settings, Contract data, allow contract data in transactions, Allowed. Afterwards, there doesn't appear to be "blind signing." Does this sound right?
They recently (about 6 months ago) changed the language of the warning message from "Data Present" (With the setting toggle being called "allow contract data") to "Blind Signing" (With the setting toggle being changed to match)
Prior to this, the Nano also didn't even support basic smart contract interactions like "Transfer", meaning that you were not only blind for complex contract interactions, but for every ERC20/BEP20 transfer too. (You can see what it looked like early last year in this video here: th-cam.com/video/Doo9aEVM0bM/w-d-xo.html)
@@CryptoGuide Maybe the Nano S, not hearing, seeing any issues with the Nano X regarding "blind signing." Maybe it's an Ethereum issue?
Nano S and X behave the same way.
If you go to do a swap with something like Pancakeswap, Uniswap, etc, anything beyond a basic transfer, you will need to enable blind signing (or contract data) and get a warning that you are either "blind signing", or that there is "data present". (Which language it gives you will depend on which Eth app version you are running)
It’s weird, I have a Ledger S and Nano X, they are not acting the same as yours in the video. When I sign a smart contract I can see all the transaction details on the screen of my Ledger (address sending, address receiving, text into, fee, etc.) So I can confirm that I’m signing the right contract
It's not just the contract address that you need, but you also need to confirm what the contract will actually execute.
If you aren't seeing warnings about "data present" or "blind signing" then you are just doing a normal transaction. (So send, receive, etc)
@@CryptoGuide no I don’t have any warnings about blind signing, yes I see everything, I see all the message info, which function is getting called, slippage, etc.
All the data you can see on the explorer of the blockchain (when you sign a contract) I see it on my ledger before I sign the contract
Oh I see, did you know that there is an option on ledger to show contract data ?
Then you are using one of the few smart contracts that is supported natively.
Since Keystone is based on Android firmware, can't we put the wallet on a Pixel phone with GrapheneOS firmware? That would be a banger
It's not just a stock Android SoC, but actually has a secure element in there too. You can just use Graphene to run something like Airgap wallet if you want to go with this approach.
Great video. For people who cannot get Keystone, are there no other ways, like using an air gapped PC or airgapped Android phone?
If you want to use Metamask with a hardware wallet too then your best bet is to have a dedicated "clean" (ie: used for nothing else) system for Metamask. This could be a dedicated PC or a virtual machine. (Keeping it offline isn't really an option as it would need to pull down smart contract definitions for Metamask) Even just making a habit of checking the data tab in Metamask is better than nothing.
The other thing is that since Metamask has added QR based signing for the Keystone, broader offline signing support for Metamask is now much easier to implement. (So a software stack that does what the Keystone is doing is much easier to make/use, though don't expect a working solution any time soon)
Hey, I understood partially, but can a compromised Metamask wallet be protected 100 percent by a Ledger? Pls justify
At this time no, a Ledger doesn't allow you to fully verify smart contracts outside of a very small number of projects. (Paraswap, 1inch) If you are just sending and receiving funds normally, then it's not an issue.
They talk about it in their own blog here: www.ledger.com/academy/cryptos-greatest-weakness-blind-signing-explained
This is also what was the issue with the attack I mentioned at the very start of the video: medium.com/@hugh_karp/nxm-hack-update-72c5c017b48 (Ledger Nano + Compromised Metamask)
If you sign a smart contract for unlimited spend on your hardware wallet and you have not revoked permissions to that account and at a later date that contract has an exploit or turns out to be malicious, can it at a later date drain those funds without any interaction with the hardware wallet? I know it could if there is a time delay in the code that you have allowed it can. Do you know much about unlimited spend and if it can at a later time take funds out without the hardware wallet when it has the permission of unlimited spend?
Basically the permission means what it says, so it can take all of whatever you have approved it for without you needing to sign anything in your wallet. (Hardware or software)
@@CryptoGuide I thought that may be the case. Someone told me it's not so I started to question it and thought I should ask someone more educated in the DeFi smart contract space. Thanks :)
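The "data tab" check and the unlimited-spend approval discussed in the comments above, as an added example (not code from the video, the commenters or any wallet vendor): a small Python decoder for the hex call data of the standard token functions that flags an unlimited `approve`. The sample call data and the spender address are constructed for illustration; the four selectors are the standard ERC-20/ERC-721 ones.

```python
# Added example: decode the hex "data" field of a token transaction and flag
# approvals that let a contract spend later without another signature.
MAX_UINT256 = 2**256 - 1

# First 4 bytes of keccak256(signature) for standard ERC-20 / ERC-721 functions.
KNOWN_SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}


def _decode_word(kind, word):
    """Decode one 32-byte ABI word of a static type."""
    value = int.from_bytes(word, "big")
    if kind == "address":
        if value >> 160:
            raise ValueError("address word has non-zero padding bytes")
        return "0x" + word[12:].hex()
    if kind == "bool":
        if value > 1:
            raise ValueError("bool word is not 0 or 1")
        return bool(value)
    return value  # uint256


def decode_calldata(data_hex):
    """Return the function name, arguments and warnings for token call data."""
    text = data_hex[2:] if data_hex.lower().startswith("0x") else data_hex
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("call data is shorter than a 4-byte selector")
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in KNOWN_SELECTORS:
        # Without a matching definition the bytes cannot be interpreted.
        return {"function": None, "args": [],
                "warnings": ["unknown selector 0x%s: signing this is blind" % selector]}
    name, kinds = KNOWN_SELECTORS[selector]
    if len(body) != 32 * len(kinds):
        raise ValueError("argument data has the wrong length for " + name)
    args = [_decode_word(k, body[i * 32:(i + 1) * 32]) for i, k in enumerate(kinds)]
    warnings = []
    if name == "approve":
        if args[1] == MAX_UINT256:
            warnings.append("unlimited allowance: spender %s can move all of this "
                            "token later with no further signature" % args[0])
        elif args[1] == 0:
            warnings.append("allowance set to 0 (revoke)")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator %s can move every token in this collection" % args[0])
    return {"function": name, "args": args, "warnings": warnings}


# Constructed sample inputs (placeholder spender address, not a real contract).
SPENDER = "11" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + SPENDER + "00" * 32
SAMPLE_UNKNOWN = "0xdeadbeef" + "00" * 32

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_UNKNOWN):
        print(decode_calldata(sample))
```

An approval is sent to the token contract itself, so the transaction's "to" address is the token and the spender appears only inside the data field, which is why the data has to be decoded to see who is being authorised.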
Do you think there will be a website one day where you can do this? For the less tech savvy out there.
I think there will need to be and it's certainly something that both hardware and software vendors are working on.
Vendors like to throw around terms like "next generation hardware wallet" while offering basically the same thing, but I think the reality is that securing defi (not just standard transactions) is what will define next generation wallets.
Hello man. Can you make a video on how to verify a smart contract using keystone and rabby? And how to upload the smart contract data from polygonscan instead of etherscan? Thank u
Same process for both
@@CryptoGuide I have a MacBook. I do not know if I am making a mistake with the .json or if it’s something else, but I cannot decode the tx. I can only see the verified smart contract but not decode the last line which is important. What could be the error?
So have you tested on some other smart contracts on other chains first? (To make sure you are getting the process right)
@@CryptoGuide on eth chain, it works perfectly with only the smart contracts I uploaded from the keystone github. But when i create one for the polygon, something is going wrong
Did you try reproducing the custom contract I added in the video?
Hello sir, I use Electrum wallet but I don't have Ledger Nano, I only have .wallet and password. Which video will help me? Can you please suggest.
So what's the problem? What's stopping you from just opening the wallet file with Electrum?
@@CryptoGuide I remember password and I have the .wallet file backup in the PC, but while sending the fund it normally asks me to plug in my Ledger Nano, which I have lost, also the seed phrase. So in this situation what can I do
Well yea if you were using your Ledger Nano with Electrum then you either need your Ledger seed or the working Ledger. The wallet file on its own is useless.
Just Fantastic content...
Thanks, glad it helped :)
@@CryptoGuide I have learned more in the past couple of hours than I have in 4 years re wallets.... Thanks very much..
I'm glad to hear it, thanks for the feedback :)
@@CryptoGuide Liked and followed on Twitter also gave you a shout out..
Thanks heaps :)
How would you cancel a signed contract on a defi wallet?
You can't, though you can use tools like this etherscan.io/tokenapprovalchecker to revoke approvals which you may have granted.
You should make a video of how to make a multi sig wallet with gnosis safe for eth with ledger, keystone and metamask 2 out of 3 to sign a tx. Just a request that will help a lot of people! Thanks
Still very wary of Eth based multi-sig as they are quite dangerous compared to things like Multisig on Bitcoin, particularly if you are working on multiple EVM chains.
@@CryptoGuide oh thanks.
@@CryptoGuide the upcoming days gonna buy a device with 1 of ur affiliate links to help u out for all this amazing work u give for the community.
Basically the issue is that they are only valid on one chain, so if you do something like create it on Eth and accidentally send funds there on Binance Smart Chain, then those funds are unrecoverable.
Great, thanks
Was wondering if you could help me? I bought some NFT's on solo dex and all of a sudden they're gone with a 404 message saying nft cannot be found. Solo also has a message saying due to blah blah blah the nft has been removed from the dex but still exists on the block chain. Do you have any idea what's going on? Seems like solo scammed me!
So can you see them on a block explorer at your wallet address?
@@CryptoGuide ok, I'll try that. Thank you!!!
@@CryptoGuide nope, says "oops something went wrong cannot find what you're looking for"
So if you look up your address on an XRP block explorer you see nothing?
@@CryptoGuide so i can see the transactions on xrp scan but not sure how to access or recover the nft's
Can't someone put something malicious in the Keystone github?
Keystone still have to approve any PRs that come in, so it's not automatic. (And they are strongly incentivized to not merge malicious smart contract definitions) That said, a malicious project could create their own definition and send it directly to users to attempt to build trust. (A bit like how projects can distribute their own ledger apps or custom Trezor firmware)
Also, if you are in the habit of checking the data tab in metamask then you are confirming the smart contract information from two independent sources.
@@CryptoGuide Thank you!
@@CryptoGuide Correct me if I'm wrong, but could there even be such a thing as "malicious ABI"? It's just a bunch of variable definitions. So wouldn't anything other than the correct ABI spit out nonsense?
Basically yea, the ABI is needed to be able to interact with the EVM. That said, ABI function names are arbitrary, so you could deploy a malicious smart contract with a corresponding ABI. (It would be obvious looking at the ABI that it didn't do what it said)
That said, the smart contract verification is vetted by both keystone for what is committed to their GitHub and also by other entities for the definitions that Metamask shows you.
Hi, Can you make a video about the following problem:
A coin (SPI) has changed to "SHOP" through a fork.
I have the SPI on the ledger.
I can only get the "SHOP" token via Metamask.
I can't do it. Also not about adding a coin. Can you make a tutorial video how to do this?
So if you can get both in Metamask then what's the actual problem?
@@CryptoGuide I can not get them. I want to see them in my account and sell them but I can not see them.
So can you see them on a block explorer? What happens if you just import the tokens in to Metamask?
@@CryptoGuide just don't know how. I tried often. Metamask doesn't find it or something.
Just follow the process in my video on recovery from Binance smart chain. Basically if you can see both on a block explorer then it's straightforward.
This is why you use a hot wallet for smart contracts and a hardware wallet to store.
Nope... That is even worse... You might as well just give your funds to scammers...
@@CryptoGuide you fail to understand what I mean, you use hot wallets for daily transaction and then transfer to your hardware wallet when you’re done. Why you’d even use a HD for smart contracts is beyond comprehension.
You are better off using a hardware wallet for both, just segregating out in to different accounts. Using a hot wallet for any meaningful amount of funds never makes any sense.
You're exposing whatever funds are in your hot wallet to risk. Yes, it's only a portion of your portfolio, but if compromised, scammers will just wait until you transfer in and move your funds.
@@brbubba what do you mean? Once transferred from the hot wallet to the cold one, how can they do anything to your cold wallet?