Issue #73: Wallets, Please Protect Us
For the first time in two months, I hosted another Web 3 Security Roundtable on Twitter Spaces this week. The topic was “Protecting Ends Users”, and I had the pleasure of moderating a discussion with four people who knew a heck of a lot more than I do about security.
This was an important topic for us at the Forta Foundation: first, we believe Forta alerts can help protect individual Web 3 users just as well as they protect protocols; and second, it put the spotlight on a security threat that I feel is under-reported by the media and under-supported by the industry.
Smart contract exploits get most of the attention. When a bridge gets hacked for $500M, it’s all over the media. $500M stolen in a single security event is sensational after all.
But you may be surprised to learn that while $2.3B was stolen last year in smart contract exploits, almost $8B was stolen from users in phishing attacks, rug pulls and other scams (Chainalysis 2022 Crypto Crime Report).
The numbers don’t lie - retail users are getting taken to the cleaners - and wallet providers aren’t doing enough to protect them.
Here’s an example of a phishing scam that affected both new and seasoned DeFi users last year…
Let’s zoom in…
Education Problem or Technology Problem?
The losses incurred by Web 3 users to phishing attacks and other scams are staggering - and it begs the question - is this an education problem or a technology problem?
Advocates of this being an education problem will argue Web 3 users custody their own assets, and therefore assume the responsibility of understanding how the technology works and appreciative of the risks that go along with being solely responsible for the security of those assets.
I see the merit in that argument, and yes, anyone interacting in Web 3 today should understand basic operational security and follow best practices: never share your private key or seed phrase, never click on links from people you don’t know, and if something looks to good to be true it probably is. Elon Musk isn’t really going to send you 2 BTC.
Education is important, but we can’t hang our hat on Danny Degen becoming a security wizard. Instead, we need user experiences that play to the lowest common denominator.
At the heart of the technology problem is the complexity of approving and signing transactions. For example, if you’re transacting on Ethereum with ERC 20 tokens (basically any token but ETH), you have to approve each asset to interact with a smart contract before transacting. It is this complexity that scammers exploit, because they assume most people don’t fully understand what they’re doing. And they’re right. Here’s an example of the asset approval request on Metamask…
Not only is it hard to verify exactly what I’m approving, it’s basically impossible for the average user to verify that the smart contract they are giving permission to is legitimate. This is the point of maximum complexity for the users, and it’s the point in the transaction flow when most attacks happen.
The wallet experience has largely ignored security features to protect end users (presumably because it introduces additional friction into the process), but it’s time that changed. Wallet providers are in the best position, and have an obligation, to protect their users to the extent they have knowledge that a smart contract or asset they want to interact with is suspicious.
Introducing Reputation
When it comes to security, Web 2 can offer helpful perspective and solutions. Short of censoring what users can do, the goal should be to help users determine whether the actions they want to take are safe.
Positive Reputation
Whether you know it or not, that little gray lock in the top left corner of your browser’s search bar is a form of positive reputation. It represents a valid SSL certificate, which confirms the website has a secure connection, and any data you share is private. If you don’t see the grey lock, be suspicious.
Another example from social media is Twitter’s coveted verified account badge. The blue check mark lets people know that an account of public interest (public figure, celebrity, influencer) is authentic - aka, the real Elon Musk.
Negative Reputation
When you visit a webpage with no valid SSL certificate, the gray lock will usually turn red. You may also receive a notification prior to your browser connecting to the webpage that the connection isn’t private, and giving you the option to navigate back to a secure webpage.
Positive and negative reputation signals can alert even the most novice users that the action they are about to take is safe or dangerous.
Curation
Positive and negative reputation systems represent one tool in the bag, but curation and what I’ll call “strategic friction” in the wallet experience is another.
Kyle Creyts, the Threat Intelligence Lead at Coinbase, shared an analogy during the roundtable that informed my perspective on this. He said…
“Imagine each Web 3 user is a hiker, walking down a trail. There are well-worn paths that 99% of users take that have proven legitimate and safe (ex: swapping assets on Uniswap, or borrowing USDC on Compound). Wallets should make those paths accessible with minimal friction. On the other hand, there are paths less traveled that are unproven and potentially dangerous (ex: interacting with unverified contracts or known scams). In an effort to protect end users while preserving their autonomy, wallet providers can still allow access to these less-worn paths, but they should introduce a healthy amount of friction to ensure that only the most intentional and sophisticated users proceed.”
Stay safe out there,
Andy
—
Not a subscriber? Sign up below to receive a new issue of 30,000 Feet every Sunday.