Home - Coinspect Security
wallet hand

You are at risk. The Truth About Web3 Wallets

Matias Sequeira
linkedin icon twitter icon
Security Engineer
Security, Wallets, EVM, Ethereum, Ranking

Get ready for some eye-opening insights. By the end of 2022, we embarked on a project centered around the security of web3 wallets. During this time, we reported close to a hundred security vulnerabilities and created security resources for developers. We discovered a shocking truth: there’s no tool or process to objectively and quickly compare the security levels of different wallets. While there are existing efforts to evaluate and compare wallets, they do not focus exclusively on security. Existing evaluations often miss the mark when it comes to focusing exclusively on the most significant threats in web3, such as phishing campaigns via malicious or compromised DApps.

Our extensive experience in reporting bugs has raised some serious red flags. Many wallets were reluctant to acknowledge and address security issues, demonstrating a weak interest in security. What’s even more concerning, is that we discovered many vendors didn’t consider malicious DApps in their threat models. This decision leaves their users unprotected against a myriad of phishing scenarios when, in fact, wallets can play a significant role in preventing this. Given that attacks involving malicious DApps are the most common way users get rekt, this is unacceptable… Users need a reliable way to make informed decisions about which wallets to trust.

We need your help to make web3 safer. We’re inviting the security and wallet developer community to collaborate to establish a standard set of security properties, comparable, and repeatable security checks. These checks aim to protect users from various threats to web3 wallets and their assets, from malicious or compromised DApps to unauthorized access to devices running wallets. The security checks could cover both protections against well-known vulnerabilities and additional features that enhance user security across different web3 products. Moreover, these checks should be applicable across various platforms like browser, iOS, Android, etc.

One challenge we foresee is how we can prioritize the most critical checks while minimizing subjectivity. For example, how do we ensure that a significant vulnerability, like a wallet draining issue, is given more importance than a less critical issue, such as showing spam NFTs? To address this, we need a mechanism that allows us to systematically assign “weights” to the different security checks and tests based on the likelihood and impact of attack scenarios within each category. Such an approach would help us achieve a more precise and balanced assessment, enhancing objectivity.

Here’s what we are proposing:

  • Comprehensive Security Checks: Covering protections against well-known vulnerabilities and additional features that enhance user security across different web3 products.
  • Platform Inclusivity: These checks should apply across various platforms, including browser, iOS, and Android.
  • Prioritizing Critical Checks: We need a mechanism to systematically assign “weights” to the different security checks based on the likelihood and impact of attack scenarios. This approach will help achieve a precise and balanced assessment, enhancing objectivity.

We need your feedback. By participating in this project, you’ll be at the forefront of improving web3 wallet security. Take the first step towards transforming web3 wallet security—you’re just a click away.

Join our Discord server to collaborate and innovate. Together, we can build a safer digital future for all web3 users.