Original title: "Security Special Issue 04 | OKX Web3 & OneKey: Add some "Buff" to device security"

Original source: OKX

Introduction | OKX Web3 wallet has specially planned the "Security Special Issue" column to provide special answers to different types of on-chain security issues. Through the most real cases happening around users, in conjunction with experts or institutions in the security field, dual sharing and answers from different perspectives, we will sort out and summarize the rules of safe transactions from the shallow to the deep, aiming to strengthen user security education while helping users learn to protect their private keys and wallet asset security from themselves.

Surfing in the Web3 world, there are two things you can’t save

One is to pay Gas on the chain; the other is to buy equipment off the chain

But whether on or off the chain, security is equally important~

This issue is the 04th special issue on security. We invite the OneKey security team and the OKX Web3 wallet security team, crypto hardware wallet vendors, to teach you how to add some "buffs" to your device security from the perspective of a practical guide.

OneKey Security Team:Founded in 19, OneKey is a company that focuses on secure open source hardware wallets and software wallets. It also has a security attack and defense laboratory and has received support from first-line institutions such as Coinbase, Ribbit Capital, and Dragonfly. Currently, OneKey hardware wallets are becoming one of the best-selling hardware wallet brands in Asia.

OKX Web3 Wallet Security Team:Hello everyone, I am very happy to share this. The OKX Web3 Wallet Security Team is mainly responsible for the construction of various security capabilities of OKX in the Web3 field, such as the construction of wallet security capabilities, smart contract security audits, on-chain project security monitoring, etc., providing users with multiple protection services such as product security, fund security, and transaction security, and contributing to the maintenance of the entire blockchain security ecosystem.

Q1: Can you share a few real device risk cases of users?

OneKey Security Team:The device risk cases involving Web3 users are diverse. Let us give some examples of common cases.

Case 1: After user Alice left her device, someone around her physically hacked into her device and stole her assets without her knowledge. This is often called an "evil maid attack" in the field of computer security, and it is also one of the most common types of device risks encountered by users.

From colleagues in the "Lu Mao Studio", the aunt who cleans the room, and even the intimate pillowmate, there may be attackers who are motivated by money. Previously, we have assisted users in tracing the theft of assets in hardware wallets. After the user reported the case, the exchange obtained the KYC of the exchange account used by the attacker. In the end, it was discovered that it was someone around him who did it. As the saying goes, "You can be on guard against a thief at home, but you can't be on guard against a thief at home."

Case 2: User Bob was physically coerced and had to hand over his device with asset control authority. This has a ridiculous name in the crypto circle - "Five Dollar Wrench Attack ($5 Wrench Attack)".

In recent years, as the Crypto wealth effect has become popular, kidnapping and extortion against high-net-worth individuals seem to be getting worse, especially in countries with high crime rates. In early 2023, there was a media report about a robbery of an offline virtual currency transaction. The victim was participating in an offline digital currency investor gathering and was controlled in the car after dinner. The criminals forcibly used the victim's facial recognition to unlock the phone and wallet software, exchanged the cryptocurrency in the wallet for 4.1 million USDT, and then transferred the funds and left. Recently on Twitter, it was also hotly circulated that a crypto mining OG said that he was robbed by an international criminal group and was extorted for most of his life-long accumulated crypto assets.

OKX Web3 Wallet Security Team:Today's topic is very good. Previously, we talked about many on-chain security topics such as private key security, MEME transaction security, and wool safety. In fact, device security is also very important. Let's share some classic cases.

Case 1: Tampered Hardware Wallet

User A purchased a hardware wallet from an unauthorized platform and started using it without verification. In fact, the wallet firmware was tampered with, and multiple sets of mnemonics had been pre-generated. The crypto assets stored in the hardware wallet by the end user were completely controlled by hackers, resulting in heavy losses.

Preventive measures: 1) Users should try to purchase hardware wallets from official or trusted channels. 2) Before using the wallet, complete the official verification process to ensure the firmware is safe.

Case 2: Phishing Attack

User B received an email from the "Wallet Security Center" stating that there was a security issue with the user's wallet and asked the user to enter the wallet's recovery phrase for a security update. In fact, this was a carefully designed phishing attack, and the user eventually lost all his assets.

Precautions: 1) Users should never enter private keys or recovery phrases on any unverified website. 2) Use the screen of the hardware wallet to verify all transactions and operation information.

Case 3: Software Security

User C downloaded malware from an unverified channel. When the user performed wallet operations, the software had malicious logic that led to asset losses.

Precautions: 1) Users download software from official channels and regularly update related software and firmware. 2) Use antivirus software and firewalls to protect your devices.

Q2: Physical equipment and facilities commonly used by users and risk types

OneKey Security Team: The devices involved in user asset security usually include users' mobile phones, computers, hardware wallets, USB storage devices, and network communication devices (such as WIFI).

In addition to the "Evil Maid Attack" and the violent crime "$5 Wrench Attack" we mentioned earlier, we will add a few more aspects that need special attention.

1. Social Engineering and Phishing Attacks

Social engineering and phishing attacks are currently very common and effective attack methods. Attackers use human weaknesses to trick users into performing dangerous operations. For example, malicious phishing links and attachments. Attackers may send emails, text messages, or social media messages containing malicious links, disguised as trusted sources, such as bank notifications or reminders from social media platforms. Once users click on these links or download attachments, malware will be implanted in the device, causing the device to be remotely hacked.

For another example, impersonating technical support personnel, attackers may pretend to be technical support personnel and contact users by phone or email, claiming that there is a problem with their device and that immediate action is required. They may induce users to provide remote access to their devices or disclose sensitive information. Currently, as long as you mention cryptocurrency-related terms on Twitter, an army of robots will soon come to pretend to be technical support to "serve" you.

2. Supply chain attack

Supply chain attack refers to the attacker's malicious implantation during the production or transportation of the device. It is specifically manifested in the following three points.

The first is hardware tampering. Attackers may implant malware during the manufacturing process of hardware wallets or USB storage devices. For example, if a user purchases a hardware device from an unreliable source, they may receive a tampered device that may be pre-installed with malware that can steal information or allow remote access.

The second is software tampering. Attackers may attack in the software supply chain of the device and tamper with the software or firmware update package. When users download and install these updates, the device may be implanted with backdoor programs or other types of malicious code.

The third is logistics attack: during the transportation of the device, the attacker may intercept and tamper with the device. For example, during the express delivery, the hardware device may be replaced or tampered with to facilitate the attacker to carry out subsequent attacks.

3. Man-in-the-Middle Attack

Man-in-the-Middle Attack (MITM) refers to the data transmission that the attacker intercepts and tampers with during the communication between two parties.

For example, when the user uses unencrypted network communication, the attacker can easily intercept and tamper with the data in transit. That is, when using an unencrypted HTTP website, the attacker can intercept and modify the data sent and received by the user.

Another example is public WIF. When using public WIFI, users' data transmission is more easily intercepted by attackers. Attackers can even set up malicious public WIFI hotspots. Once users connect, attackers can monitor and steal users' sensitive information, such as login credentials and bank transaction records. In extreme cases, your own WIFI may also be hacked to install malware.

Fourth, third-party internal attacks and software vulnerabilities

Third-party internal attacks and software vulnerabilities are risks that are difficult for users to control, but they have a significant impact on the security of physical devices.

The most common are software and hardware security vulnerabilities. These vulnerabilities may be exploited by attackers for remote attacks or physical bypass attacks. For example, some plug-ins or applications may have undiscovered vulnerabilities that attackers can use to gain control of the device. This can usually be solved by keeping security updates. At the same time, hardware should consider using the latest encryption chips.

And the activities of insiders on the software side: insiders of software developers or service providers may abuse their access rights to conduct malicious activities, steal user data or implant malicious code in the software. Or the malicious activities may be caused by external factors.

For example, there was a case in which "Lu Mao Studio" had its assets stolen because of the use of a certain multi-fingerprint browser, which may have been caused by the internal evil of the software or plug-in. This shows that even legitimate software may pose a threat to the security of users' assets if its internal control is not strict.

For another example, Ledger had a panic attack before-the Connect Kit used by many dapps had problems. The cause of the attack was that a former employee fell victim to a phishing attack, and the attacker inserted malicious code in the GitHub repository of the Connect Kit. Fortunately, Ledger's security team deployed a fix within 40 minutes of being informed of the problem, and Tether also froze the attacker's USDT funds in time.

OKX Web3 Wallet Security Team: We summarize some physical devices commonly used by users and expand on the potential risks they may generate.

Currently, the physical devices commonly used by users mainly include: 1) Computers (desktops and laptops), used to access decentralized applications (dApps), manage cryptocurrency wallets, participate in blockchain networks, etc. 2) Smartphones and tablets, used for mobile access to dApps, managing crypto wallets and conducting transactions. 3) Hardware wallets, dedicated devices (such as Ledger, Trezor), used to securely store cryptocurrency private keys to prevent hacker attacks. 4) Network infrastructure, routers, switches, firewalls and other equipment to ensure the stability and security of network connections. 5) Node devices, software devices that run blockchain nodes (can be personal computers or dedicated servers), participate in network consensus and data verification. 6) Cold storage devices, devices used to store private keys offline, such as USB drives, paper wallets, etc., to prevent online attacks.

Currently, the potential risks of physical devices are mainly the following

1) Physical device risks

•  Device loss or damage: If a hardware wallet or computer is lost or damaged, the private key may be lost, making it impossible to access encrypted assets.

•  Physical intrusion: Criminals use physical means to invade the device and directly obtain private keys or sensitive information.

2) Cybersecurity risks

•  Malware and viruses: Attack user devices through malware to steal private keys or sensitive information.

•  Phishing attacks: Disguised as legitimate services to trick users into providing private keys or login credentials.

•  Man-in-the-middle attacks (MITM): Attackers intercept and tamper with communications between users and blockchain networks.

3) User behavior risks

• Social engineering attacks: Attackers use social engineering to trick users into revealing private keys or other sensitive information.

• Operational errors: User errors when trading or managing assets may result in asset loss.

4) Technical risks

• Software vulnerabilities: Vulnerabilities in dApps, crypto wallets, or blockchain protocols may be exploited by hackers.

• Smart contract vulnerabilities: Vulnerabilities in smart contract code may lead to theft of funds.

5) Regulatory and legal risks

• Legal compliance: Different countries and regions have different regulatory policies on cryptocurrencies and blockchain technology, which may affect users' asset security and trading freedom.

• Regulatory changes: Sudden changes in policies may lead to asset freezes or trading restrictions.

Q3: Is a hardware wallet a must for private key security? What are the types of private key security protection measures?

OneKey Security Team:Of course, although hardware wallets are not the only option for private key security, it is indeed a very effective way to enhance private key security. Its biggest advantage is that it isolates private keys from the Internet from generation, recording to daily storage, and requires users to directly verify and confirm transaction details on physical devices when executing any transactions. This feature effectively blocks the risk of private keys being stolen by malware or hackers.

Let's talk about the advantages of hardware wallets first:

1) Physical isolation: Hardware wallets store private keys in dedicated devices, which are completely isolated from networked computers and mobile devices. This means that even if the user's computer or mobile phone is infected with malware, the private keys are still safe because they have never been exposed to the Internet.

2) Transaction verification: When using a hardware wallet to make a transaction, the user must confirm and verify the transaction details directly on the device. This process prevents attackers from transferring assets without authorization even if they obtain the user's online account information.

3) Security chip: Many hardware wallets use dedicated security chips to store private keys. These chips have undergone strict security certifications, such as CC EAL6+ (the standard adopted by new hardware wallets such as OneKey Pro and Ledger Stax), which can effectively protect against physical bypass attacks. Security chips not only prevent unauthorized access, but also resist a variety of advanced attack methods, such as electromagnetic analysis and power analysis attacks.

In addition to hardware wallets, there are many ways to enhance the security of private keys. Users can choose the appropriate solution according to their needs:

1) Paper wallet: Paper wallet is an offline storage method that prints private keys and public keys on paper. Although this method is simple and completely offline, it is necessary to pay attention to physical security issues such as fire prevention, moisture prevention, and loss prevention. If possible, it is best to buy a metal plate for physical recording (there are many options on the market, such as OneKey's KeyTag).

2) Mobile cold wallet: A cold wallet refers to a private key or encrypted asset that is stored completely offline, such as an offline mobile phone or computer. Similar to hardware wallets, cold wallets can also effectively avoid cyber attacks, but users need to configure and manage these devices themselves.

3) Sharded encrypted storage: Sharded encrypted storage is a method of splitting a private key into multiple parts and storing them in different locations. Even if an attacker obtains a part of the private key, it cannot be fully recovered. This method improves security by increasing the difficulty of attack, but users need to manage each private key shard to avoid being unable to recover the private key due to the loss of some shards.

4) Multisig: Multisig technology requires multiple private keys to sign a transaction to complete the transfer operation. This method improves security by increasing the number of signers to prevent a single private key from being stolen and causing assets to be transferred. For example, a multi-signature account with three-party signatures can be set up, and transactions can only be executed when at least two private keys agree. This not only improves security, but also enables more flexible management and control.

5) Cryptography innovation technology: With the development of technology, some emerging cryptography technologies are also being applied to private key protection. For example, technologies such as Threshold Signature Scheme (TSS) and Multi-Party Computation (MPC) further improve the security and reliability of private key management through distributed computing and collaboration. This is generally used more by enterprises and rarely by individuals.

OKX Web3 Wallet Security Team: Hardware wallets prevent private keys from being stolen by cyber attacks, malware or other online threats by storing them on an independent, offline device. Compared with software wallets and other forms of storage, hardware wallets provide higher security and are particularly suitable for users who need to protect a large amount of encrypted assets. The security protection measures for private keys can be roughly based on the following perspectives:

1) Use secure storage devices: Choose a trusted hardware wallet or other cold storage device to reduce the risk of private keys being stolen by cyber attacks.

2) Establish a sound security awareness education: Strengthen the importance and protection of private key security, be vigilant of any web page or program that requires the input of private keys, and when you must copy and paste the private key, you can only copy part of it and leave a few characters to enter manually to prevent clipboard attacks.

3) Safe storage of mnemonics and private keys: Avoid taking photos, screenshots or recording mnemonics online. Try to write them on paper and store them in a safe place.

4) Separate storage of private keys: Divide the private key into multiple parts and store them in different places to reduce the risk of single point failure.

Q4: Current vulnerabilities in identity authentication and access control

OneKey Security Team: Blockchain does not need to identify and store our identity information like Web2. It uses cryptography to achieve self-custody and access to assets. This means that private keys are everything. The biggest risk of user access control of encrypted assets generally comes from improper storage of private keys - after all, user private keys are the only credentials for accessing cryptocurrency assets. If the private key is lost, stolen, exposed, or even encounters a natural disaster, it is very likely that the asset will be lost permanently.

This is also the meaning of the existence of our OneKey and other brands, to provide users with a secure private key self-custody solution. Many users often lack security awareness when managing private keys and use unsafe storage methods (such as saving private keys in online documents and screenshots). The best way is to use offline generation and storage. In addition to manual dice rolling and handwriting, you can also consider using the previously mentioned hardware wallet with mnemonic metal plate engraving.

Of course, there are also many users who use exchange accounts to directly store assets. At this time, identity authentication and access control are more similar to Web2.

This will be related to the user's password security awareness. The use of weak passwords and repeated passwords is a common problem. Users tend to use simple, easy-to-guess passwords or reuse the same password on multiple platforms (such as verification emails), increasing the risk of being attacked by brute force or after data leakage.

Although multi-factor authentication (such as SMS verification codes, Google Authenticator) can increase security, if it is not implemented properly or there are vulnerabilities (such as SMS hijacking), it will also become an attack target. For example, SMS hijacking SIM swap attacks-attackers transfer the victim's phone number to a SIM card controlled by the attacker by deceiving or bribing employees of mobile operators, thereby receiving all SMS verification codes sent to the victim's mobile phone. Previously, Vitalik had been attacked by "SIM SWAP", and the attacker used his Twitter to send phishing messages, resulting in the loss of assets of many people. In addition, improper storage of backup codes of multi-factor authenticators such as "Google Authenticator" may also be obtained by attackers and used to attack accounts.

OKX Web3 Wallet Security Team:This is a very noteworthy sector. At present, we need to pay attention to

1) Weak passwords and password reuse: Users often use simple, easy-to-guess passwords, or reuse the same password on multiple services, increasing the risk of passwords being brute-force cracked or obtained through other leak channels.

2) Insufficient multi-factor authentication (MFA): Multi-factor authentication in Web2 can significantly improve security, but once the private key is leaked in the web3 wallet, it means that the attacker has mastered all the operating permissions of the account, and it is difficult to establish an effective MFA mechanism.

3) Phishing attacks and social engineering: Attackers use phishing emails, fake websites and other means to trick users into leaking sensitive information. Currently, phishing websites targeting web3 are characterized by groupization and service-oriented, and it is easy to be deceived if you do not have enough security awareness.

4) Improper management of API keys: Developers may hard-code API keys in client applications, or fail to perform appropriate permission control and expiration management on them, resulting in the keys being abused after being leaked.

Q5: How should users prevent the risks brought by emerging virtual technologies such as AI face-changing?

OneKey Security Team:At the 2015 BlackHat conference, hackers around the world unanimously agreed that face recognition technology is the most unreliable method of identity authentication. Nearly a decade later, with the advancement of AI technology, we already have a nearly perfect "magic" to replace faces. As expected, ordinary visual face recognition can no longer provide security guarantees. In this regard, the recognition party needs to upgrade the algorithm technology to identify and prevent deep fake content.

For the risks of AI face replacement, there is really not much that the user can do except to protect their own private biometric data. Here are some small suggestions:

1) Use face recognition applications with caution

When choosing to use face recognition applications, users should choose applications with a good security record and privacy policy. Avoid using applications from unknown sources or with questionable security, and update the software regularly to ensure the latest security patches are used. Previously, many small loan company apps in China illegally used users' face data for resale and leaked users' face data.

2) Understand multi-factor authentication (MFA)

Single biometric authentication is risky, so combining multiple authentication methods can significantly improve security. Multi-factor authentication (MFA) combines multiple verification methods, such as fingerprints, iris scans, voiceprint recognition, and even DNA data. For the identification party, this combined authentication method can provide an additional layer of security when one authentication method is compromised. For users, it is also important to protect their privacy data in this regard.

3) Be skeptical and guard against fraud

Obviously, when both the face and the voice can be imitated by AI, it becomes much easier to impersonate a person across the network. Users should be particularly wary of requests involving sensitive information or fund transfers, and adopt double verification to confirm the identity of the other party by phone or in person. Stay vigilant, do not trust urgent requests, and identify common fraud methods such as impersonating executives, acquaintances, and customer service. Nowadays, there are many people impersonating celebrities, and you should also be careful of "fake platforms" when participating in some projects.

OKX Web3 Wallet Security Team: Generally speaking, emerging virtual technologies bring new risks, and new risks will actually bring new research on defense techniques, and new research on defense techniques will bring new risk control products.

1. Risk of AI forgery

In the field of AI face-changing, many AI face-changing detection products have appeared. The current industry has proposed several methods to automatically detect fake human videos, focusing on detecting unique elements (fingerprints) in digital content caused by the use of deepfakes. Users can also identify AI face-changing by carefully observing facial features, edge processing, and audio-visual asynchrony. In addition, Microsoft has also launched a series of tools to educate users on deepfack recognition capabilities, so that users can learn and enhance their personal recognition capabilities

2. Data and privacy risks

The application of large models in various fields also brings data and privacy risks to users. In the usual use of conversational robots, users should pay attention to the protection of personal privacy information, avoid direct input of key information such as private keys, keys, and passwords, and try to hide their key information through substitution, obfuscation, and other methods. For developers, Github provides a series of friendly detections. If there is OpenAI apikey or other risky privacy leaks in the submitted code, the corresponding Push An error will be reported.

3. Risk of abuse of content generation

In daily work, users may encounter many results of large model generated content. Although these contents are effective, the abuse of content generation also brings false information and intellectual property rights. Now there are some products that can detect whether the text content is generated by large models, which can reduce some corresponding risks. In addition, when developers use the code generation of large models, they should also pay attention to the correctness and security of the generated code function. For sensitive or open source code, they must conduct sufficient review and audit

4. Daily attention and learning

When users browse short videos, long videos and various articles in daily life, they should consciously judge and identify, remember possible AI forgery or AI generated content, such as common male and female voices, pronunciation errors, and common face-changing videos. In critical scenarios, they should consciously judge and identify these risks.

Q6: From a professional perspective, share some physical device security advice

OneKey Security Team: Based on the various risks mentioned above, we briefly summarize the protective measures.

1. Beware of the risk of intrusion of networked devices

In our daily lives, networked devices are everywhere, but this also brings potential intrusion risks. In order to protect our high-risk data (such as private keys, passwords, MFA backup codes), we should use strong encryption methods and try to choose storage methods that are isolated from the network to avoid storing these sensitive information directly in plain text on the device. In addition, we need to always be vigilant against phishing and Trojan attacks. You can consider separating dedicated devices for crypto asset operations from other general-purpose devices to reduce the risk of being attacked. For example, we can separate the laptop used daily and the hardware wallet used to manage crypto assets, so that even if one device is attacked, the other device can still remain safe.

2. Maintain physical monitoring and protection

To further ensure the security of our high-risk devices (such as hardware wallets), we need to take strict physical monitoring and protection measures. These devices at home should be stored in high-standard anti-theft safes and equipped with comprehensive intelligent security systems, including video surveillance and automatic alarm functions. If we need to travel, it is particularly important to choose a hotel with secure storage facilities. Many high-end hotels offer dedicated security storage services, which can provide an additional layer of protection for our devices. In addition, we can also consider carrying a portable safe with us to ensure that our important devices are protected in any situation.

3. Reduce risk exposure and prevent single points of failure

Dispersing storage of devices and assets is one of the key strategies to reduce risks. We should not store all high-authority devices and crypto assets in one place or one wallet, but should consider dispersing storage in safe places in different geographical locations. For example, we can store some devices and assets at home, in the office, and with trusted relatives and friends. In addition, using multiple hot wallets and hardware cold wallets is also an effective method. Each wallet can store a portion of assets and reduce the risk of single point failure. To increase security, we can also use multi-signature wallets, which require multiple authorized signatures to conduct transactions, thereby greatly improving the security level of our assets.

4. Contingency measures for assuming the worst case scenario

When facing potential security threats, it is crucial to develop contingency measures for the worst case scenario. For high net worth individuals, keeping a low profile is an effective strategy to avoid becoming a target. We should avoid showing off our crypto assets in public and try to keep our property information low-key. In addition, it is necessary to develop an emergency plan for device loss or theft. We can set up a decoy crypto wallet to temporarily deal with possible robbers, while ensuring that the data of important devices can be remotely locked or erased (if there is a backup). When traveling publicly in high-risk areas, hiring a private security team can provide additional security, and using special VIP security channels and high-security hotels to ensure our safety and privacy.

OKX Web3 Wallet Security Team: We will introduce it in two levels, one is the OKX Web3 APP level, and the other is the user level.

1. OKX Web3 APP level

OKX Web3 Wallet uses a variety of means to reinforce the App, including but not limited to algorithm obfuscation, logic obfuscation, code integrity detection, system library integrity detection, application tamper-proofing, and environmental safety detection, etc., to minimize the probability of users being attacked by hackers when using the App. At the same time, it can also minimize the black industry from repackaging our App and reduce the probability of downloading fake Apps.

In addition, at the Web3 wallet data security level, we use the most advanced hardware security technology and chip-level encryption to encrypt sensitive data in the wallet. The encrypted data is bound to the device chip. If the encrypted data is stolen, no one can decrypt it.

2. User level

For users' physical devices including hardware wallets, commonly used computers, and mobile phones, we recommend that users can first strengthen their security awareness from the following aspects

1) Hardware wallet: Use hardware wallets of well-known brands, purchase from official channels, and generate and store private keys in an isolated environment. The medium for storing private keys should be fireproof, waterproof, and anti-theft. It is recommended to use a fireproof and waterproof safe, and store private keys or mnemonics in different safe locations to improve security.

2) Electronic devices: It is recommended to use brands with good security and privacy (such as Apple) for mobile phones and computers that install software wallets, and at the same time reduce the installation of other unnecessary applications to purify the system environment. Use Apple's identity ID management system to back up multiple devices to avoid single-machine failures.

3) Daily use: Avoid performing sensitive operations on wallet devices in public places to prevent camera records from being leaked; regularly use reliable antivirus software to check the device environment; regularly check the reliability of the physical device storage location.

Finally, thank you for reading the 04th issue of the OKX Web3 Wallet "Security Special Issue". We are currently preparing the 05th issue, which will not only include real cases, risk identification, but also safe operation tips. Stay tuned!

Disclaimer:

This article is for reference only and is not intended to provide (i) investment advice or investment recommendations; (ii) an offer or solicitation to buy, sell or hold digital assets; or (iii) financial, accounting, legal or tax advice. Digital assets held (including stablecoins and NFTs) involve high risks and may fluctuate significantly or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. Please be responsible for understanding and complying with local applicable laws and regulations.

This article is from a contribution and does not represent the views of BlockBeats.

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群：https://t.me/theblockbeats

Telegram 交流群：https://t.me/BlockBeats_App

Twitter 官方账号：https://twitter.com/BlockBeatsAsia