You are at risk. The Truth About Web3 Wallets

Get ready for some eye-opening insights. By the end of 2022, we embarked on a project centered around the security of web3 wallets. During this time, we reported close to a hundred security vulnerabilities and created security resources for developers. We discovered a shocking truth: there’s no tool or process to objectively and quickly compare the security levels of different web3 wallets. While there are existing efforts to evaluate and compare crypto wallets, they do not focus exclusively on security. Existing evaluations often miss the mark when it comes to focusing exclusively on the most significant threats in web3, such as phishing campaigns via malicious or compromised dApps.

The Need for Standardized Security Metrics

Our extensive experience in vulnerability reporting revealed some alarming trends. Many wallet developers were reluctant to acknowledge and address security issues, demonstrating a lack of interest in protecting users. What’s even more concerning, is that we discovered many vendors didn’t consider malicious dApps in their threat models, leaving users vulnerable to common phishing scams.

Users deserve a reliable way to make informed decisions about which crypto wallets to trust. Given that scams involving malicious dApps are one of the most frequent threats, this oversight is unacceptable. Wallets can and should play a critical role in preventing crypto scams.

A Call to Action for the Web3 Community

We need your help to make web3 safer. We’re inviting the security and wallet developer community to collaborate to establish a standard set of security properties, comparable, and repeatable security checks. These checks aim to protect users from various threats to web3 wallets and their assets, from malicious or compromised dApps to unauthorized access to devices running wallets. The security checks could cover both protections against well-known vulnerabilities and additional features that enhance user security across different web3 products. Moreover, these checks should be applicable across various platforms like browser, iOS, Android, etc.

Key Challenges and Proposed Solutions

One challenge we foresee is how we can prioritize the most critical checks while minimizing subjectivity. For example, how do we ensure that a significant vulnerability, like a wallet draining issue, is given more importance than a less critical issue, such as showing spam NFTs? To address this, we need a mechanism that allows us to systematically assign “weights” to the different security checks and tests based on the likelihood and impact of attack scenarios within each category. Such an approach would help us achieve a more precise and balanced assessment, enhancing objectivity.

Here’s what we are proposing to improve web3 wallet security:

• Comprehensive Security Checks: Covering protections against well-known vulnerabilities and additional features that enhance user security across different web3 products.
• Platform Inclusivity: These checks should apply across various platforms, including browser, iOS, and Android.
• Prioritizing Critical Checks: We need a mechanism to systematically assign “weights” to the different security checks based on the likelihood and impact of attack scenarios. This approach will help achieve a precise and balanced assessment, enhancing objectivity.

How You Can Get Involved

We need your feedback. By participating in this project, you’ll be at the forefront of improving web3 wallet security. Take the first step towards transforming web3 wallet security—you’re just a click away.

Join our Discord server to collaborate. Together, we can build a safer digital future for all web3 users.