Easing into Crypto, Part 18: More preparing to invest (security, understanding what price targets are realistic, and using “expected return” to choose between opportunities)

Michael Caloz | Crypto


Welcome to my free cryptocurrency educational series. Each part builds on the previous ones, so I suggest starting at the beginning and moving through part by part:

Cryptocurrency 101 series (core principles, social justice, blockchain tech, Bitcoin):

Cryptocurrency 201 series (intermediate principles, Ethereum, NFT’s, DAO’s):

Cryptocurrency 301 series (advanced principles, DeFi, reinventing the finance world):

Cryptocurrency 401 series (investing, making money in crypto):

This is part 18 in my cryptocurrency educational series.

Part 18 Reading Time: 32 minutes


Important Note: If you read the previous post, Part 17, before November 15, I suggest you go back and re-read it before starting this one. While writing this post, I shuffled some parts from here into there and vice-versa, and I added a lot more detail to some sections in that post—particularly Steps #3, 6, and 7.

12/6 Update: Added an important new bullet point at the bottom of the “minimum steps” area of the security section.

This is my third post specifically about investing in crypto, so if you haven’t read Part 16 (“Intro to investing”) and Part 17 (“Preparing to invest”), I highly recommend you start with those.

In the next post (“Investing options”), we’ll begin exploring the specific ways you can invest your money in the crypto space. I’ll even share my ranked list of coins and tokens that I’ve personally invested in.

But first, we need to finish up my nine todos for making sure you have the understanding and preparation necessary to confidently invest your hard-earned money in crypto. This will include an advanced technique for choosing which investment opportunity to go with if you’re torn between several.

P.S. I want to share a little update that I’ve started using the exchange Kraken, and it might now be my favorite on-ramp (except for one thing, which I’ll share in a moment). Kraken doesn’t have quite as many coins and tokens as Coinbase; but, it has lower fees, and it feels more user-friendly (e.g., it encourages you to whitelist your external wallet address so you’re always just selecting it from a dropdown instead of having to copy and paste it). One thing really annoyed me about Kraken though, so be careful of the following: Don’t use the “instant buy widget,” which is the big “Buy Crypto” button. That way of buying crypto is meant to be extra beginner-friendly, so it might be fine if you’re brand new and aren’t working with a lot of money. But, buying crypto that way charges you a fee of 1.5%. Instead, the trick is to hit the Trade button and place a market order, which only charges you a fee of 0.5% or less.

Ok, let’s finish up the todos:

Todo #7: Tighten up your security so you don’t lose everything.

You might be sick of hearing about all the risks in crypto, but I can promise you that they’re very real. Especially as more and more money is being poured into this space, the number of scammers and hackers is only increasing.

If you don’t work in tech, you might be surprised by the level of precaution I’m suggesting here. You’re probably used to using a traditional bank that handles everything for you—where all you have to worry about is setting up a password, and if your bank gets hacked (in the United States at least), you’ll be fully covered by FDIC insurance.

That’s not the case here. It’s possible to make a lot of money in crypto, but there are no guardrails. Your security is all in your hands.

Most importantly, let’s start with your seed phrase:

  • You know this part by now: Never share your seed phrase or private key. If you play in the crypto world enough, someone is going to try to scam you. It’s easy to get tricked. Don’t fall for it.
  • Don’t store your private key or seed phrase on your computer. Do write it down on a physical medium (like paper), ideally with two copies. Don’t take a photo of it. Don’t email it to yourself. Seriously. Your email is less secure than you think. And how careful are you really with your overall computer security?
    • Do you have strong passwords for everything? Do you screen lock your computer whenever you leave it alone? Do you ever install browser extensions that haven’t been vetted by a third-party to ensure they’re not snooping on you? Do you ever screen share your entire screen rather than just PowerPoint or Keynote?
    • All this might seem paranoid, but many of us have a lot of money invested in crypto, and again, the police probably can’t help you if it’s stolen. You shouldn’t need to use your seed phrase regularly anyway, so you might as well tuck it away somewhere safe that’s a bit harder to access.
    • I know you’re probably thinking that it’s fine to save account details in a Notepad file on your desktop, or in a document in Google Drive or iCloud. But those are actually some of the most common attack vectors nowadays. Seed phrases are typically groups of 12 dictionary words, and you might think that no one’s going to guess what 12 random words in a Notepad file actually are, but that’s wrong. Hackers nowadays are specifically looking for groups of 12 words like that (and think about how often you read about iCloud hacks on the news).
  • Bottom line: If you’re holding thousands of dollars in crypto, you really need to take this stuff seriously. If you lose access to your wallet, the company behind Ledger or MetaMask can’t help you, there’s no password reset, and you’re just out of luck.
  • One more thing here: If you choose to use a hardware wallet as I do, your private key never actually leaves that device. At no point does your computer even see it. All the computer (and thus the dapps you connect to) gets is your public key and the transactions the device has already signed. But, as soon as you type or save your seed phrase or private key on your computer, that protection becomes much weaker.

By the way, I know that all this seed phrase stuff is confusing and frustrating. The best solution on the horizon is through something called smart contract wallets. I’m not aware of any being available yet, but the idea is this: Instead of having to keep track of your private key or seed phrase, you can instead designate several trusted contacts who will get notified if you lose your wallet. Then, they’ll be able to jointly approve you to regain access. Cool, huh?

Beyond your seed phrase, here are the minimum steps to take for security:

  • Never reuse passwords. Seriously. If you still do this, enter your email address at the website haveibeenpwned.com and you’ll see how many times your information has been involved in a data breach (i.e., when a company you’ve used in the past has been hacked).
    • In my case, it looks like my main email address was involved in nine different breaches. But it doesn’t matter because I used a unique password for each. If instead you use the same password for everything and haveibeenpwned reports that you’ve been involved in a data breach, it means that hackers now know your password.
    • Don’t worry, though—I don’t expect you to memorize dozens of different passwords. All you have to do is use LastPass or another password management app to automatically create and remember strong, unique passwords for each website and app.
  • Use 2FA whenever it’s offered. 2FA stands for two-factor authentication. 1FA means there’s only one thing required to log you in, like a password. 2FA means that two separate things are required—typically a password plus a unique number sent to your phone. This makes it much harder for hackers even if they do figure out your password.
  • Don’t use a work computer or public computer for anything crypto-related. You’d probably be shocked by how much companies are logging nowadays when you use your work computer.
  • In fact, be careful on any computer that you use to invest in crypto, since any of the following could be attack vectors if you’re not careful. Keeping safe means things like:
    • Staying up-to-date on updates for your operating system;
    • Being careful about which browser extensions you install;
    • Running regular virus and malware scans;
    • Being judicious about who you let use your computer when you’re not there (if you’re already logged into MetaMask and don’t use a hardware wallet, someone sitting at your computer could just send crypto from your wallet to theirs without needing a password);
    • Staying away from dangerous websites (e.g., don’t use the same browser to trade crypto and to visit shady torrent or porn websites).
  • Install security/privacy extensions in Chrome/Brave. Here’s what I recommend (though keep in mind that these might cause some websites to break in subtle ways once in a while; so, if a website isn’t working how it should be, try temporarily disabling one or more of these):
    • uBlock Origin (for blocking all sorts of bad stuff)
    • LastPass for password management (and, even though this is secure, I still don’t save my private keys or seed phrases in here, though I do save passwords for quickly logging into wallets like MetaMask)
    • HTTPS Everywhere for forcing the most secure version to be loaded of every website you visit
    • Privacy Badger for blocking invisible trackers
  • Be on the lookout for scams. I already described several categories of these in Part 16, but here’s an example of an even trickier one I’ve been seeing lately: As you begin using various DeFi platforms, you’ll start to notice random tokens you’ve never seen before appear in your wallet—often in huge numbers. It’s your lucky day—someone must have accidentally sent all that crypto to the wrong wallet address, right? Nope. The scammers can use this technique, called “dusting,” to try to figure out the identity of the person who owns a wallet. Then, they’ll use phishing or extortion techniques to steal from them. Bottom line: Ignore weird tokens in your wallet if you’re not sure where they came from.
    • Careful, though: Sometimes you might also receive legitimate “air drops” of free tokens from projects you’ve supported or as a marketing mechanism for a new platform related to one you’ve participated in. One way to tell these apart is that they’ll typically appear in your wallet in much smaller numbers than the scam ones. But the best way is to just do some Googling or posting on Reddit. It usually becomes obvious pretty quickly which tokens are rewards and which are scams.
    • For example, if you search for something like “ABC token air drop” or “ABC appeared in my wallet,” you might find a post or article explaining that everyone who was staking on a certain platform from August to December 2021 just received free ABC tokens. If you know that you did indeed stake on that platform in that timeframe, those tokens are probably legitimate.
  • Don’t tell people how much crypto you have. Nothing good can come of this, but there can be a lot of negative consequences:
    • Friends or family members might pester you to invest their money for them;
    • Sharing exact numbers on social media can allow people to trace you and identify your wallet;
    • Worst of all, you might encourage thieves in the physical world if they know you have a computer or wallet at your house worth potentially many thousands of dollars or more. Would you proudly announce in public that you’re wearing a $100,000 USD watch unless you had a security detail following you around?
  • Be very careful about approving “unlimited allowance” for a coin or token. This type of risk just recently came to my attention because a fairly prominent DeFi platform, BadgerDAO, was hacked on December 1st 2021, and over $100M USD worth of crypto was stolen. I’m going to describe this in detail because it’s a major risk that I realized I had personally overlooked.
    • The core cause here was that a hacker broke in and changed the type of approval being requested whenever a user interacted with the BadgerDAO dapp—whether it was staking crypto, claiming rewards, etc.
    • Whenever you’re interacting with a dapp and initiate some kind of transaction, MetaMask will pop up and give you a preview of what kind of permission the smart contract is asking for. Then, you can accept it or reject it.
    • In this case, the hacker changed it so that an “unlimited allowance” was requested. In other words, say you have 10 ETH in your wallet, and you’re initiating a transaction to stake just 0.5 ETH on a DeFi platform. If you approved “unlimited allowance,” that platform’s smart contract would be able to manage all 10 of your ETH instead of just the 0.5 you’re staking.
    • This isn’t an uncommon practice, and it’s not necessarily a red flag. The alternative is for the dapp to ask you to approve only a specific amount of cryptocurrency. But, dapps will often request “unlimited” or “infinite” allowance instead to save you time and gas fees so that you don’t have to re-approve every time you claim rewards. As you can see, while this is often safe, sometimes it can go very wrong too.
    • This hack got me a little spooked since it made me realize how often I’d given various platforms unlimited access to my ETH in particular. There are three major things you can do here to protect yourself:
    • First, carefully review what exactly the smart contract is requesting in MetaMask before you approve or reject. A simple transaction like claiming your rewards should never require unlimited access to your crypto.
    • Second, don’t keep a huge amount of any cryptocurrency in a single wallet and use that wallet to interact with a lot of different DeFi platforms. Instead, move some of it to another wallet that you won’t use on DeFi, or that you’ll only connect to the most trusted platforms. Remember that you can have multiple wallets in the same MetaMask or Ledger and they’re totally separate (and thus safe from each other) even though you’re accessing them through the same extension.
    • Third, if you’ve already offered some platforms unlimited or infinite access to your crypto, you can revoke it. Each revocation will cost you a gas fee (and another one to give access back later if you use that platform again); so, this is only worth it if you have at least, say, $1,000 USD in a certain crypto at risk via an unlimited allowance. The best place I’ve found to see all your allowances and revoke them is Debank: Connect your wallet, hit Profile, then hit Approval to see them all. Etherscan also has a tool that showed some smart contracts that Debank missed for me.
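To make the “unlimited allowance” risk concrete, here is an added example of mine (not code from the post, nor from BadgerDAO, MetaMask or Debank) that decodes the calldata of a standard ERC-20 approve(spender, amount) call, which is what a dapp asks your wallet to sign when it requests an allowance, and flags an approval that is unlimited or larger than what you meant to spend. The 0x095ea7b3 selector is the standard ERC-20 approve selector; the spender address, token decimals and intended amounts are constructed sample values.

```python
# Added example (not from the original post): decode an ERC-20 approve(spender, amount)
# call, the transaction a dapp asks your wallet to sign when it requests an allowance,
# and flag approvals that are "unlimited" or larger than what you meant to spend.
# Spender address, token decimals and amounts below are constructed sample values.

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1                       # what wallets label "unlimited" / "infinite"


def encode_approve(spender: str, amount_raw: int) -> str:
    """Build approve() calldata the way a dapp would; used here to construct test input."""
    spender_word = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    amount_word = amount_raw.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + spender_word + amount_word).hex()


def decode_approve(calldata: str) -> tuple[str, int]:
    """Return (spender, raw amount); raise if the calldata is not an approve() call."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    spender = "0x" + data[16:36].hex()          # address sits in the low 20 bytes of its 32-byte word
    amount_raw = int.from_bytes(data[36:68], "big")
    return spender, amount_raw


def classify_allowance(amount_raw: int, decimals: int, intended_amount: float) -> str:
    """
    Compare the requested allowance with the amount you actually intend to spend.
    "unlimited": the contract could move every token you hold now or later;
    "excessive": more than intended, so more than this one transaction needs;
    "ok": bounded by what you meant to spend.
    """
    if amount_raw == MAX_UINT256:
        return "unlimited"
    if amount_raw > intended_amount * 10**decimals:
        return "excessive"
    return "ok"


def review_approval(calldata: str, decimals: int, intended_amount: float) -> dict:
    """One-stop check to run on what the wallet shows before you click Confirm."""
    spender, amount_raw = decode_approve(calldata)
    return {
        "spender": spender,
        "requested": None if amount_raw == MAX_UINT256 else amount_raw / 10**decimals,
        "verdict": classify_allowance(amount_raw, decimals, intended_amount),
    }


if __name__ == "__main__":
    spender = "0x" + "ab" * 20                  # constructed, not a real contract
    stake = 0.5                                  # you meant to stake 0.5 of an 18-decimal token
    for amount in (int(stake * 10**18), 10 * 10**18, MAX_UINT256):
        print(review_approval(encode_approve(spender, amount), 18, stake))
```

The same three cases are the ones the post walks through: an approval for exactly the 0.5 you are staking, one for far more than that, and the unlimited one that a compromised front end would request. Wallets show the amount in the confirmation dialog; the point of the check is that a claim-rewards or stake transaction should never need the third kind.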

Here are some additional steps to take for even stronger security:

  • Use a hardware wallet like a Ledger Nano X. I already explained why in the previous section (as well as in Part 17 and Part 6). Here’s one more thing to keep in mind though: If you think you might end up using a hardware wallet eventually, you might be better off getting started with it immediately instead.
    • This doesn’t really matter if you stay within your on-ramp’s ecosystem (i.e., Coinbase, crypto.com, etc.). But, if you plan to move some of your crypto assets onto an external wallet like MetaMask, you’ll have to pay gas fees for every single coin or token you move from that MetaMask wallet onto your Ledger (even if you’re connecting your Ledger to your MetaMask). So, you’ll save a lot of money by just starting on the Ledger instead.
    • Again though, if you’re only planning to stay in CeFi, or if you’re only dealing with a small amount of money in DeFi, it might not be worth the trouble of getting a hardware wallet.
  • Use better 2FA. Sadly, it turns out that SMS messages can be hijacked. So, even if you have 2FA set up to text you a unique number, it’s possible that hackers can intercept that. Instead, use an authenticator app on your phone as your second method. The most common one is Google Authenticator. Once you’ve added a site or app, Google Authenticator will generate a new number to enter when you log in. Since that number isn’t sent from your carrier to your phone the way an SMS is, this kind of 2FA is more secure: it requires you to have your physical phone with you. Personally, I actually prefer the app Authy because it lets you back up your list of accounts to the cloud. Any websites and apps that say they support Google Authenticator will also support Authy.
  • Keep careful records so you notice if something seems off. I have a master spreadsheet where, each month, I log the value and holdings of each of my wallets, accounts, and specific cryptocurrencies (the Zapper.fi wallet dashboard can be a huge help with this). This way, I feel safer seeing that everything still looks right, and I’m also able to be real with myself about how much money I’m truly making after all the fees, etc., and which of my strategies are doing well and not so well.
  • Whitelist withdrawal addresses. Especially with CeFi platforms like Coinbase or Celsius, you can opt to whitelist certain wallet addresses—in other words, you make a list of the only wallets that you want to allow transfers to. So, for example, you might set it up so that your MetaMask/Ledger wallet is the only place that you’re able to withdraw ETH to. That keeps you safer in two ways: first, you won’t accidentally make a typo or copy-and-paste error; and second, if someone gains access to your account, it will be harder for them to steal your money by sending it to a different wallet (Celsius, for example, freezes withdrawals for 24 hours and emails you if the whitelist in your account changes).
  • Enable delayed withdrawals. Similarly, some platforms have the option of emailing you and requiring a waiting period if any withdrawal is attempted (this is called HODL Mode in Celsius).
  • Back up your wallet’s seed phrase either on a piece of metal or outside your home (e.g., in a safety deposit box at a bank). Again, this depends entirely on how much money you have in crypto. This level of precaution would be ridiculous for $100. But what if you have $50,000 or $500,000 USD in there? Remember: Your wallet is not insured, and there’s no password reset. If you lose your seed phrase, you lose everything. So consider this: Even if you wrote down your seed phrase on a piece of paper and kept it in a drawer in your room, what if your house burned down? What if your house were robbed? Even if you have multiple copies of your keys and seed phrases throughout your house, would they be safe? The point is: As you put more money into crypto (or your existing investments grow in value), you should be continually stepping up your security procedures.
    • Update: I’ve been reading more about safety deposit boxes at banks, and it turns out that most of them are not as secure as I’d imagined. This might sound even crazier, but better advice I’ve read is to either (a) bury a container in your garden with your seed phrase in it, or (b) split up your seed phrase into two or three groups of words and store each of those little pieces of paper in innocuous places like inside books (with another copy of those at a friend’s house or elsewhere). Again though, this only applies if you have tens or hundreds of thousands of dollars in crypto.
  • Disable non-critical browser extensions when not using them. I’m not entirely sure how paranoid I’m being with this one and how much it actually helps. But, I feel safer disabling any extensions I’m not actively using and then re-enabling them only when I need them. Have you ever noticed how many extensions contain a warning like “this extension will be able to read and change all your data on the websites you visit”? Again, this might be paranoid, but I feel a lot safer knowing that most extensions will not be reading all my data on crypto websites.
  • Use cold storage. Once you have enough money in crypto, you might consider spreading out your assets across multiple wallets. With this strategy, you might keep a small amount of money in one wallet for your day-to-day transactions, but move larger chunks of cryptocurrency out to “cold storage” wallets—in other words, wallets that you don’t regularly connect to the Internet. For example, you could physically put one Ledger in a safety deposit box at a bank, or you could create a paper wallet whose only copy is stored at a friend’s house in another city. To be clear, these wouldn’t be copies of the same wallet / seed phrase, but totally separate wallets so that even if a hacker or burglar got into one, your assets in the other ones would be safe.

Ok, I know that was a lot for security. But imagine how it would feel to turn on your computer one day, open your MetaMask, and see a balance of zero when the night before you’d had thousands of dollars in there. Or, imagine how hard it would be for your house to be destroyed in a fire or earthquake, and how much more devastating that would be if all your crypto savings were lost in that disaster too.

Now, let’s get back to more specific investing techniques.

Todo #8: Understand market caps so you know what price targets are realistic.

The easy way to think of the term “market cap” is the total value of a company, platform, or cryptocurrency. In other words, for our purposes, it’s the total value of all the coins or tokens of a certain type that exist.

It’s important to understand how market caps work for at least two reasons:

  1. When you’re trying to decide if a new coin or token is worth buying;
  2. When you’re trying to set price targets or decide how high a coin or token might rise in value.

What I most want you to understand here is how to calculate it: market cap = circulating supply (i.e., number of coins or tokens) * coin price.

Here’s why that’s important: You’ll often hear people saying that some coin or token is about to shoot up to the moon. Let’s take SHIB as an example because people love to think it’s about to explode. When I wrote this post, it was priced at $0.00005108, and I sometimes still hear people claiming it’ll be up to $1 in no time.

To understand whether or not that’s even remotely possible, you first need to know that coin or token’s circulating supply—how much of it exists?

For example, if you look up ETH on CoinGecko, you’ll find that it has a circulating supply of 118,358,437. ETH’s price at the time of writing is $4,395.15, meaning its market cap (supply * price) is $520,203,084,381 (i.e., $0.52 trillion).

Now, here’s the thing: Remember that SHIB is currently priced at $0.00005108. It has a circulating supply of 549,152,552,136,067. Now, let’s imagine that the price went up to just $0.10. Multiplying those, SHIB rising up to that level would mean it reached a market cap of $54,915,255,213,606 (i.e., $54 trillion).

In other words, if SHIB were to rise up to the value of just $0.10, its market cap of $54 trillion would make it a hundred times more valuable than ETH. And if it rose to the value of $1, as some people claim it will, that would make it a thousand times more valuable than ETH. 

So, you have to ask yourself: How likely is it that SHIB will turn out to be 1,000 times bigger than ETH?

Not very, which means it’s extraordinarily unlikely it will ever reach $1. Everyone who’s hoping for that is confused either because they don’t understand how market caps work or because they don’t understand how blockchains work and how much effort it took to get Ethereum to where it is today.

It’s ok if this “market cap” concept takes a bit of time to sink in—it did for me. But it can be a very useful tool for understanding how high the price is likely to rise for each new cryptocurrency. When a new coin or token is released, pay close attention to how much of it was created and what price it started at.

Todo #9: Understand “expected return” to help you choose between opportunities.

When I first started investing in crypto, it felt like I just had to trust my gut a lot of the time. Sure, I would do my research; but, when it came down to choosing between two investment opportunities, it often felt hard to weigh the risk and reward of each.

Surely there’s a more precise way, right?

As I continued on my crypto journey, I was inspired by some professional poker players (like Taiki Maeda) who have gotten into crypto and carried over poker strategies that are based on very sound probability models. I was blown away by the rigor with which some of those people approach poker: with pages and pages of spreadsheets to calculate the exact probability of every possible combination of cards.

What if we applied some of that mentality to crypto?

There’s a concept called “expected return.” In short, you multiply the probability that something will happen by the impact if it does happen.

For example, let’s say you make a bet with a friend on a coin toss.

Heads, you get $1, tails you lose $1.

Since the odds of heads versus tails are 50/50, the expected return would be (50% * $1) + (50% * -$1) = 0. That means that, if you kept repeating this bet over and over again, you’d make nothing on average.

But, let’s say that the bet is this instead: Heads, you get $2, tails you lose $1.

Now, the expected return would be (50% * $2) + (50% * -$1) = 0.5 (i.e., 50%). In other words, if you kept flipping that coin over and over with this bet, you’d end up increasing your initial investment by 50% on average.

Since 0.5 (or 50%) is bigger than 0, the second bet is much better than the first one.

You can expand this further if there are more than two possibilities.

The total expected return will be each potential outcome multiplied by the chance that that outcome will occur, all added together.

For example, let’s say there’s a very low (say, 5%) chance that the coin will land on its side. So, we’ll create a new bet with the following terms: Heads, you lose $1, tails you lose $1, side you gain $25.

What do you think: Is that a good bet?

(To make room for that third possibility of 5%, I’ll remove the 5% equally from the other two possibilities by subtracting 2.5% from each.) Our formula ends up as: (47.5% * -$1) + (47.5% * -$1) + (5% * $25) = 0.3 (i.e., 30%). So, it turns out that this bet is better than the first one (which had an expected return of 0%) and not as good as the second one (which had an expected return of 50%).

Make sense? It’s easier if you make a simple spreadsheet.

Anyway, let’s say you’re trying to decide about investing in ETH versus DOGE.

For each option, let’s define three different possibilities: a pretty likely scenario in the middle, and a kind of worst-case and best-case scenario on either side. The specific probabilities we give for each outcome are subjective—in other words, you’ll make them up based on a gut feeling after doing your research.

To figure out the future prices to use for each probability row, think about the concept of market cap from the previous section. You can use that in reverse:

  1. Start with a market cap (i.e., total value) that you think might be reasonable. You can use ETH’s market cap as a starting point, or another cryptocurrency doing something similar—like UNI or SUSHI if you’re dealing with a DEX’s token. Then, ask yourself: Best case, is this likely to be twice as big as Uniswap? Five times as big? Half as big? What about worst case? Will it be a quarter as big? 5% as big?
  2. Once you have a future market cap in mind, look up the coin or token’s circulating supply on CoinGecko.
  3. Divide the future market cap by the circulating supply to get the future price to use.
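As an added example (mine, not from the post), here is the market-cap arithmetic from the “Understand market caps” section and the reverse procedure from the three steps above, in Python, using the ETH and SHIB supply and price figures quoted in the post at the time it was written (not live data). The multiples in `SCENARIO_MULTIPLES` are the ones the post suggests asking about (twice as big, five times, half, a quarter, 5%); they are illustrative inputs, not a forecast.

```python
# Added example (not from the original post): market cap = circulating supply * price,
# and the reverse (future price = target market cap / circulating supply) from the
# numbered steps above. Figures are the ones quoted in the post when it was written;
# they are not live data.

ETH_SUPPLY = 118_358_437
ETH_PRICE = 4_395.15
SHIB_SUPPLY = 549_152_552_136_067
SHIB_PRICE = 0.00005108

# Multiples of the reference asset's market cap the post suggests asking about
# ("twice as big? five times? half? a quarter? 5%?"). Illustrative, not a forecast.
SCENARIO_MULTIPLES = {"worst": 0.05, "quarter": 0.25, "half": 0.5, "twice": 2.0, "best": 5.0}


def market_cap(circulating_supply, price):
    """market cap = circulating supply * price."""
    return circulating_supply * price


def implied_market_cap(circulating_supply, target_price):
    """Market cap the token would need for target_price to be its price."""
    return circulating_supply * target_price


def times_reference(circulating_supply, target_price, reference_cap):
    """How many times bigger than the reference asset the token would have to become."""
    return implied_market_cap(circulating_supply, target_price) / reference_cap


def price_for_market_cap(target_market_cap, circulating_supply):
    """Step 3: divide the future market cap by the circulating supply."""
    return target_market_cap / circulating_supply


def scenario_prices(circulating_supply, reference_cap, multiples=SCENARIO_MULTIPLES):
    """Steps 1-3 together: a future price for each 'X times the reference' scenario."""
    return {name: price_for_market_cap(reference_cap * m, circulating_supply)
            for name, m in multiples.items()}


if __name__ == "__main__":
    eth_cap = market_cap(ETH_SUPPLY, ETH_PRICE)
    print(f"ETH market cap: ${eth_cap:,.0f}")
    print(f"SHIB market cap today: ${market_cap(SHIB_SUPPLY, SHIB_PRICE):,.0f}")
    for target in (0.10, 1.00):
        print(f"SHIB at ${target:.2f} would need ${implied_market_cap(SHIB_SUPPLY, target):,.0f}, "
              f"about {times_reference(SHIB_SUPPLY, target, eth_cap):,.0f}x ETH")
    for name, price in scenario_prices(SHIB_SUPPLY, eth_cap).items():
        print(f"SHIB if {name} ({SCENARIO_MULTIPLES[name]}x ETH's cap): ${price:.6f}")
```

The reverse direction is the one to keep handy: with ETH’s cap as the reference, even the “twice as big as ETH” scenario puts SHIB around a fifth of a cent, which is the sanity check the $1 claims fail.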

Ok, let’s compare ETH and DOGE.

What we’re doing here to calculate the overall expected return is coming up with three different scenarios for each investment option (the middle case, worst case, and best case), then finding the expected return of each of those and adding them all together.

Remember too that expected return is the probability that something will happen multiplied by the impact if it does happen.

So, for each row (i.e., each possibility), we’ll need to define our subjective probability that that possibility will happen (i.e., the leftmost column), then multiply it by the impact if it does happen, i.e., the % return, which we get by subtracting the current price from our subjective future price, then dividing that difference by the current price.


ETH scenarios table (columns: Probability (subjective) | Current Price | Future Price | Return = (future – current) / current)

Expected return = (20% * -52.6%) + (55% * 31.6%) + (25% * 526.3%) = 138.4%

In other words, in this thought experiment, investing in ETH is likely to more than double our money at some point, despite that 20% probability of a -52.6% return. The other two positive probabilities make up for it.


DOGE scenarios table (columns: Probability (subjective) | Current Price | Future Price | Return = (future – current) / current)

Expected return = (45% * -58.7%) + (50% * 165.3%) + (5% * 413.2%) = 76.9%

So, in this example, ETH (with an expected return of 138.4%) would be almost twice as good an investment as DOGE (with an expected return of 76.9%).
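Here is an added example (mine, not from the post) that implements the expected-return formula for any number of outcomes and runs it over the coin-toss bets and over the ETH and DOGE scenario rows, using the probabilities and percentage returns quoted above. The tables’ price columns aren’t reproduced on this page, so those rows are entered as returns; `expected_return_from_prices` shows the price-based route with constructed numbers.

```python
# Added example (not from the original post): expected return as the sum over
# outcomes of probability * payoff, applied to the coin-toss bets and to the
# ETH vs DOGE scenario rows. The probabilities and returns come from the post;
# the prices passed to expected_return_from_prices are constructed sample values.

def expected_return(outcomes):
    """outcomes: iterable of (probability, payoff). Probabilities must sum to 1."""
    outcomes = list(outcomes)
    total = sum(p for p, _ in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total:.4f}, not 1")
    if any(p < 0 for p, _ in outcomes):
        raise ValueError("probabilities cannot be negative")
    return sum(p * payoff for p, payoff in outcomes)


def pct_return(current_price, future_price):
    """Return as a fraction: (future - current) / current."""
    return (future_price - current_price) / current_price


def expected_return_from_prices(current_price, scenarios):
    """scenarios: (probability, future_price) rows, one per worst/middle/best case."""
    return expected_return((p, pct_return(current_price, f)) for p, f in scenarios)


def rank(candidates):
    """candidates: {name: expected return}; returns names from best to worst."""
    return sorted(candidates, key=candidates.get, reverse=True)


# Coin-toss bets from the post (payoff in dollars per $1 staked)
FAIR_BET = [(0.5, 1.0), (0.5, -1.0)]
TWO_TO_ONE_BET = [(0.5, 2.0), (0.5, -1.0)]
LANDS_ON_SIDE_BET = [(0.475, -1.0), (0.475, -1.0), (0.05, 25.0)]

# ETH and DOGE rows: (subjective probability, % return as a fraction) as quoted in the post
ETH_ROWS = [(0.20, -0.526), (0.55, 0.316), (0.25, 5.263)]
DOGE_ROWS = [(0.45, -0.587), (0.50, 1.653), (0.05, 4.132)]

if __name__ == "__main__":
    for name, bet in [("fair", FAIR_BET), ("2:1", TWO_TO_ONE_BET), ("side", LANDS_ON_SIDE_BET)]:
        print(f"{name} bet: expected return {expected_return(bet):+.2f} per $1 staked")
    scores = {"ETH": expected_return(ETH_ROWS), "DOGE": expected_return(DOGE_ROWS)}
    for coin in rank(scores):
        print(f"{coin}: {scores[coin] * 100:.1f}%")
    # constructed prices: 50% chance of halving, 50% chance of doubling
    print(f"constructed price example: {expected_return_from_prices(100.0, [(0.5, 50.0), (0.5, 200.0)]):.2f}")
```

The probability check is the part a spreadsheet won’t do for you: the post’s third bet only works because the 5% “lands on its side” chance was taken out of the other two rows, and a set of subjective probabilities that doesn’t add up to 100% silently inflates or deflates the result.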

By the way, I didn’t put much effort into thinking through these actual probabilities—it was just an example, and I suspect the real expected return of DOGE would be much lower.

Now I don’t apply this level of rigor to all my crypto investment decisions, but I find it helpful sometimes when I’m second-guessing myself or having a hard time deciding between two opportunities.

That’s it for the todos.

I know you’re probably excited to dive into actual crypto investing, and that’s exactly where we’ll go in my next post—I’ll begin walking you through a variety of crypto investment categories, along with my picks and strategies for each.

Part 19: Investing options (buying and holding, index tokens, leveraged tokens, my list of coins and tokens, and mining & staking)

P.S. Crypto is one of my newest passions, but my overarching focus in life is personal growth and intentional living. Do you want help with challenges like confidence, decision-making, or idea overwhelm? I’m a transformation coach who helps analytical thinkers get unstuck, find consistent motivation to take action, and design their life purpose. Read more about me here or my coaching practice here.
