When dealing in crypto, on Solana or any other chain, there’s always the risk of having your wallet compromised. This can happen by connecting to a malicious contract, clicking on phishing links, or becoming exposed in other ways.
As Solana becomes more popular, it’s increasingly important to educate the community on security best-practices, which is why we created the multi-wallet system and security toolbox you’ll discover in The Solana Security Playbook.
Inside we, the Joe Shmoes team, lay out a 3-step process for keeping your assets safe from hackers and scammers.
Recently my wallet was compromised for 2,349 SOL, roughly $240,000 in value at the time.
Due to the transparency of the blockchain, @ZachXBT was able to track the hacker as he attempted to “wash” the dirty money by transferring it through multiple wallets, a wormhole, and peer-to-peer swaps.
With the help of Zach, we were able to recover ~$50k by alerting the vendors to freeze the funds while they were in escrow.
The rest of the funds have yet to be recovered, and probably never will be. It’s extremely rare to recover anything at all; I was fortunate to even get a portion of it back. While I thought I had decent practices to keep my wallets secure, this theft made me realize that there are more vulnerabilities I wasn’t prepared for.
This ignited a fire in myself and the Joe Shmoes team. We went into a deep inquiry about how to ensure this does not happen again — to me or anyone else.
This Security Playbook is the result of our research, development, and hard-learned lessons.
Do you have…
One Phantom wallet that you use for everything? Do you use a single wallet to mint, trade, and store NFTs and to send, receive, and hold Solana? This is the most risky wallet setup.
Multiple wallets with the same seed phrase tied to all of them? Although slightly better, this leaves a major hole in security.
Multiple wallets, each with unique seed phrases? Do they all have specific purposes?
If you are in the first or second group, this Playbook was written with you in mind.
If you are in the third group, you’re on the right track. This Playbook will take your security to the next level by introducing you to ways of allocating your assets between specific wallets, with an added layer of security provided by tools created by the Solana community, such as Famous Fox Federation and Joe Shmoes.
The 3 Steps
Step 1: Get A Piece Of Paper
When setting up a new wallet, the first and most important step is to maintain the privacy of your
seed phrase, as it is the key to your wallet.
To Store Your Seed Phrase Safely…
● WRITE IT DOWN ON A PHYSICAL PIECE OF PAPER. PREFERABLY MORE THAN
● Never put it in a note or document on any of your devices.
● Never airdrop it.
● Never copy or paste it, because it has to get stored in the cloud in order to paste.
If your seed phrase is uncovered, then your wallet is compromised. Maintain security by keeping it out of the cloud and off digital devices. Ideally, it’s only located on a piece of paper that’s hidden in a private, ideally locked, physical place.
Step 2: Create 4 Wallets
Within the Solana ecosystem, you have multiple wallet options to choose from, including Phantom, Sollet, and Solflare. Phantom is the most popular and user-friendly option (and what we recommend).
The second step is to create 4 separate wallets with completely different key phrases (not just a new wallet in the same Phantom wallet).
The 4-Wallet System
🔒 1. Cold Wallet
- Stores your most valuable assets
🔒 2. Minting Wallet
- Holds SOL only when minting NFTs
🔒 3. Trading Wallet (aka “Hot Wallet”)
- Connects only to Magic Eden for actively trading NFTs
🔒 4. Staking Wallet
- Connects only to verified staking contracts that you trust
Wallet #1: Your Cold Wallet (AKA “Storage Vault”}
To set up your first wallet, you’ll need a hardware device, such asa Ledger, that acts as a Cold
Storage Vault for your SOL reserves and any valuable NFTs that you’re not listing yet.
Ledger Live is a great choice because they offer direct support for Solana.
When Buying A Ledger…
● ONLY BUY A BRAND NEW LEDGER FROM THE OFFICIAL COMPANY WEBSITE.
● Never buy from Amazon or any other major retailer.
● Never buy from a store or a secondary market.
● Never accept a ledger as a gift.
Your Cold Wallet Is For Storing…
● NFTs you are not listing, especially your most valuable NFTs
● All SOL that you are not actively using mint, trade, or stake
You will never connect this wallet to any contract – that’s what the next wallet is for.
Wallet #2: Your Minting Wallet
The second wallet you’ll need is for minting NFTs. When you connect your wallet to an external
contract, such as one used to mint an NFT, there is a risk of the contract being malicious. This is
a universal law of all external contracts.
Your Minting Wallet Holds…
1. The SOL needed to mint NFTs, at the time you’re ready to mint them
2. A tiny amount of extra SOL needed to cover transaction fees to…
○ Mint the NFTs
○ Send them to your Cold Wallet or Hot Wallet (which we’ll cover next)
After Minting, Send…
1. The new NFTs to your Trading Wallet (if you’re listing them), or to your Cold Wallet (if you’re HODL’ing them)
2. All leftover SOL back to the cold vault, leaving no SOL in your minting wallet. If you’re looking to flip the NFTs you minted quickly, you’ll use your third wallet, which is your Hot Wallet.
Wallet #3: Your Trading Wallet (AKA “Hot Wallet”)
You’ll connect your Hot Wallet wallet to Magic Eden, and only Magic Eden, in order to buy and sell Solana NFTs. Do not connect it to any other websites besides Magic Eden. If you do so, you risk connecting your wallet to a malicious contract. Do so at your own risk (only with your Minting or Staking wallet, which we’ll cover next).
Your Trading Wallet Holds…
● NFTs you are ready to sell now or very soon
● NFTs that hold minimal value (in other words, NFTs that you’re ready to let go of, or wouldn’t mind losing if your Hot Wallet gets compromised)
The last wallet is used for staking your NFTs.
Wallet #4: Staking Wallet
This Wallet is used only for staking your NFTs, which can be used to earn rewards for holding.
When an NFT project you’re HODL’ing introduces a staking system that you’d like to participate in, you’ll move those NFTs from your Cold Wallet to your Staking Wallet.
Likewise, if you’d like to stake an NFT you recently purchased with your Hot Wallet, send it to your Staking Wallet.
We also advocate for multiple staking wallets if you are staking valuable NFTs from multiple collections.
You’ll then connect your Staking wallet to the contract (once you’ve discerned that it is verified and trustworthy).
Do Not Connect Your…
● Cold Wallet to anything at all
● Hot Wallet to anything other than Magic Eden (or only well-verified sources)
With an investment of 60 minutes of your time and between $59-$149 (depending on which Ledger you choose), you can set up the 4-Wallet System and trade more safely on Solana.
Want to beef up your security even more? Keep reading for Step 3.
Step 3: Use Tools For Solana Security
Solana Shield by Joe Shmoes
A ‘2-factor-authenticator’ like system for your hot wallet.
When activated, this tool automatically transfers SOL out of your Hot Wallet(s) and into your Cold Wallet. This means that no SOL would exist in your hot wallet for transactions to be made, even if your Hot Wallet becomes compromised, essentially rendering a hacker unable to access your funds.
Revoke Tool by Famous Fox Federation
A tool to revoke access to all contracts that you’ve given permission to.
This helps to keep your wallet safe from old contracts that could potentially be used maliciously.
FoxySend by Famous Fox Federation.
Easily send NFTs in bulk to and from your Cold Wallet.
This saves time and hassle when needing to move many NFTs quickly between wallets.
While there’s no ultimate, risk-free solution to wallet security on ANY blockchain, the practices we laid out will reduce your exposure to malicious actors and reduce losses if they occur.
We hope this guide gives you practical steps and peace of mind along your journey through crypto.
It’s worth noting that, while this multiple-wallet setup is how to optimize for security and mitigate risk, this may not be the best or most complete solution out there.