So here's the deal. If you've got an unrevoked DeFi connection and something goes sideways with that DeFi platform, does that mean your recovery seed gets exposed automatically?
And what about airgapped devices? Are the assets still secure on them? I thought since an airgapped device requires itself to sign any transaction, it should keep things safe.
Question about airgapped devices
13 replies 137 views
You connect your wallet through the web3 to a site, but you also posted that the wallet is a wallet on an airgapped device. How is a wallet on an airgapped device be able to connect to the internet and connect to a web3 site? That is not possible.
But I understand your question, your seed phrase can not be revealed if you connect your wallet to a web3 but know that the wallet is online and that someone like that will most likely make a mistake of sending his coin to the site. If it is a fake site, the coin will be lost as the site belong to scammers.
Just leave the amount of money that you can afford to lose on wallet that you connect to web3. Your main wallet should not be used for something like that.
cryptobridgeSenior Member
Posts: 221 · Reputation: 1481
#3Aug 26, 2023, 03:37 PM
You don't know airgap device, the airgap device doesn't make any special type of connection online. It's an idle device that sign transaction without the internet.
Perhaps you mean a hardware wallet, but even the wallet doesn't expose your keys, where you make connection is entirely your responsibility.
If you have any defi connections you have not revoke, use https://revoke.cash/ to revoke it.
You are using the airgapped hardware wallet in a wrong way.
You shouldn't be connecting the wallet to any staking platform or any DeFi platforms, you have airgapped wallet because you plan to hold your coins for a long time, correct me if I am wrong.
You better go on revoke and check if you still have connected connections before it's too late.
Do not use your hardware wallet to claim anything online, you are simply using it the wrong way.
silentchainHero Member
Posts: 473 · Reputation: 2317
#5Aug 26, 2023, 07:07 PM
The airgapped device is not the universal shield that automatically protects your funds.
In the end, everything depends on user. What you sign is what you get. If you use airgapped device to sign transaction or contract that has been hacked or intentionally designed to steal your money, your funds will still be lost. Even if you sign correct contract without fully understanding the mechanics behind it like slippage, for example you can still lose money.
No, your seed isnt exposed but your connection & permission given and how you did it is a concern , this pose same threat on your wallet just like your seed getting exposed, the goal is always to drain your wallet with or without seed.
Cold storage may not matter much depending on the permissions, but whether or not its on an airgapped device, the contract will still need your seed if it requires approval..
If you cant remember what approvals you gave earlier, its better to create a new wallet on your airgapped device and move your funds there.
Make sure to back up your seed before doing anything.
As long as you're not visiting that site. your wallet is safe. I have a wallet that connected to the platform that has ever got hacked, Yet, my wallet is still fine caused by i was never connecting it back to the hacked site.
My fund is still there, and nothing happened. The problem is that when you're re-visiting the site, then resign your wallet, it's opening the loophole for the hacker to hijack your wallet. If you're not doing it, you're fine.
It's safe as long as you didn't have site permission to access your wallet. If you gave it, even airgapped device would be useless. The key is avoid to sign in a suspicious or hacked site. This obviously reduce your chance to be hacked by scammer.
I have never really thought about this, but this makes me consider the different connections in my hot wallet.
Is there a website that lists potentially compromised services, or a crypto-related site that warns people? Maybe this is a future project for other service providers.
alexwalletSenior Member
Posts: 347 · Reputation: 1933
#9Aug 28, 2023, 04:01 PM
Nope.
It depends on what you mean by "something bad," as there are several types of authorization requests that web3 services require. Some legit websites typically implement an authorization session where you need to approve every action, while others don't. The problem is, if the service is fraudulent from the start, the authorization can cover all actions and be permanent. They only require initial approval.
However, heed other members' warnings that you are not referring to airgapped wallets.
The right question is if a particular wallet actually connects to online even once does that device from the start stands to be called an airgapped device?
An airgapped device is actually that device that has never and will never connect to the outside world (network), the In capabilities to actually connect to network is what is called an airgapped device.
So if the user has connected his device to any network before then it shouldnt be called an airgapped device again
I havent found one that lists all the malicious sites, but using OKX hot wallet I was able to see all sites that I have once connected my wallet to and havent revoke the permission there
SwiftMatr1xFull Member
Posts: 59 · Reputation: 474
#11Aug 28, 2023, 10:04 PM
It acts like one in practice. An airgapped wallet should protect you from all online threats, your wallet should be invisible to them and as such fully protected from them. You will need to make an error offline for your wallet to be at any risk.
You will not be able to connect to any online contract with an airgapped device. Transactions you sign are done completely offline and only broadcasted through the watch-only wallet.
- Jay -
When OP mentioned the word airgapped, I assume they are referring to a hardware wallet (even though hardware wallets arent truly airgapped). Using a hardware wallet to approve smart contracts does not change the fact that it still functions as cold storage..
The main issue is that it could have been used incorrectly, especially with the type of approval signed, which can later lead to funds being drained from the particular wallet. So the safest option for OP is to move funds to a new wallet if they dont remember what was approved.
This is the closest assumption based on how OP described the situation, but it could also be different.. example, OP might have first used a hot wallet to generate the seed, approved a smart contract before importing it into a HW wallet. In that case, it wouldnt be true cold storage because the key was already exposed to a device that connects to the internet . I think thats what you meant below:
Keystone Wallet is considered airgapped, but you can still sign smart contract transactions via QR codes. I think this is what the OP may be talking about. Since it doesnt connect to the internet, the seed cannot be compromised. However, there are still risks if you havent revoked an exploited contract. Whichever tokens youve permitted the contract to spend can be drained up to the allowance amount you have set.
D4rkFalconSenior Member
Posts: 308 · Reputation: 1050
#14Aug 29, 2023, 03:45 AM
An airgapped device is only acts as a second authenticatio so if you made a tx or transcation like transfer between one wallet to another. But if you approve some fishy contract they might still have your approved amount and can be used for drain your wallet.
If you need to connect your airgapped device for web3 transactions like lending and swapping Im recommend to only approve limited amount and disconnecting after it. I believe this is the safest way or just simply use hot wallet for it. and use cold wallet only for HODl wallet.