Operational security

The most common way people lose crypto is not through smart contract bugs. It is through human-layer compromise.

The risk in concrete terms:

Someone (you, an asset manager team member, a third party) is tricked, coerced, or induced to perform an action that causes loss.

The mechanisms: phishing emails, fake support staff, SIM swap attacks, malware, social engineering of family members, physical coercion, compromised seed phrase backups.

These attacks do not require any technical vulnerability in the platform. They exploit normal human behavior.

What the platform does:

Hardware-backed authentication. Critical actions (vault upgrades, parameter changes, asset manager onboarding) require hardware-backed auth from multiple team members. No single person can execute a high-impact action.

Segregated environments. Dev, staging, and production are segregated. Production access is role-based with auditable logs.

Asset Manager security review. Every asset manager goes through an operational security review as part of KYP: key management, team access controls, incident response, social engineering resistance. See the operational security requirements.

Incident response procedures. Documented procedures covering smart contract exploits, custodian-side issues, asset manager compromise, and user-reported phishing.

What you should do:

The platform cannot fully protect you from compromise on your end. These practices matter.

Use a hardware wallet. For any amount that would hurt to lose. Hardware wallets isolate signing keys from your computer. Even on a compromised machine, the attacker cannot sign without the device.

Never share your seed phrase. No legitimate party will ever ask. Not MakeBanc. Not Noah. Not Ceffu. Not your asset manager. The request is the attack.

Verify URLs. Phishing sites are common and visually identical to real ones. Bookmark the real URL. Use the bookmark. Check for typos.

Use SIM swap protection. Configure PIN protection or a carrier-level port-out lock on your phone account. Free. Takes 10 minutes.

Consider a Safe multisig for meaningful amounts. Requires multiple signatures per transaction. Even if one signer is compromised, that signer alone cannot move funds.

Compartmentalize. Separate crypto operations from daily browsing, work email, and social accounts. Dedicated email. Dedicated device or browser profile.

Practice the recovery scenario. Before allocating meaningful capital, verify you can recover your wallet from your seed phrase backup on a different device. If the dry run fails, your recovery is not real.

Attack patterns to know:

Approval drainer attacks. You sign a transaction that looks routine but grants a malicious contract permission to drain your wallet. Mitigation: read every signature request. If you cannot understand it, do not sign.

Address poisoning. An attacker sends a small transaction from a similar-looking address. Later, you copy the wrong address from transaction history. Mitigation: never copy addresses from history. Always from the source.
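As an added example (not MakeBanc's code, nor any wallet's implementation), the two checks described above in JavaScript: decoding an ERC-20 approve() request to see who receives spending rights and whether the allowance is unlimited, and comparing a pasted address against the intended one for the poisoning pattern. The spender address, allowlist and sample calldata are constructed for illustration; the approve() selector is the standard ERC-20 one.

```javascript
// Added example: reason about a signature request before signing.
// Standard ERC-20 approve(address,uint256) selector.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode calldata; returns null when it is not an approve() call.
function decodeApprove(calldataHex) {
  const data = calldataHex.replace(/^0x/, "").toLowerCase();
  if (data.length !== 8 + 64 + 64 || data.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // last 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(72, 136));  // word 2
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Rate an approval against the spenders you actually intend to authorise.
function assessApproval(calldataHex, trustedSpenders) {
  const a = decodeApprove(calldataHex);
  if (!a) return { risk: "not-an-approval" };
  const trusted = trustedSpenders.map((s) => s.toLowerCase()).includes(a.spender);
  if (!trusted) return { risk: "high", reason: "spender not on your allowlist", ...a };
  if (a.unlimited) return { risk: "medium", reason: "unlimited allowance", ...a };
  return { risk: "low", ...a };
}

// Address poisoning: a lookalike shares the leading/trailing hex digits a UI
// typically shows but differs in the middle. Compare against the source address.
function looksLikePoisoning(candidate, intended, visible = 4) {
  const c = candidate.toLowerCase(), i = intended.toLowerCase();
  if (c === i) return false;
  return c.slice(0, 2 + visible) === i.slice(0, 2 + visible) &&
         c.slice(-visible) === i.slice(-visible);
}

// Constructed samples (placeholder addresses, not real accounts).
const SPENDER = "0x" + "1".repeat(40);
const SAMPLE_CALLDATA =
  "0x" + APPROVE_SELECTOR + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
const INTENDED = "0xabcd" + "0".repeat(32) + "1234";
const LOOKALIKE = "0xabcd" + "f".repeat(32) + "1234";

console.log(assessApproval(SAMPLE_CALLDATA, []));         // risk: high
console.log(assessApproval(SAMPLE_CALLDATA, [SPENDER]));  // risk: medium (unlimited)
console.log(looksLikePoisoning(LOOKALIKE, INTENDED));     // true
```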

Romance and friendship scams. Someone builds trust over time, then steers you to a drainer or fake platform. Mitigation: be very cautious about any platform recommended by someone who only exists in your messages app.

Fake support staff. Someone contacts you via Telegram, Discord, email, or DM claiming to be MakeBanc support. MakeBanc does not proactively reach out via DM. Mitigation: ignore unsolicited support. Use official channels.

The wrench attack. Physical coercion to force asset transfer. Mitigation: do not publicly disclose meaningful crypto holdings. Consider a duress wallet for high-net-worth situations.

What the platform will never do:

The platform will never ask for your seed phrase. Never ask you to sign a transaction outside the official interface. Never instruct you to disable wallet security features.

If anyone claiming to represent MakeBanc asks for any of these, the request is fraudulent. Report it through official support channels.

What this is not:

This page does not cover every attack vector. The landscape evolves. The general principle: be slow, be skeptical, verify everything, and assume that anyone proactively offering to help is most likely trying to exploit you.

Most losses come from skipping the basics, not from sophisticated attackers. The basics work.