State of Web3 Security: Part 2, Tooling

Ledger is a Paris-based company making hardware wallets. They launched in 2014 and released their first wallet, the Ledger Nano S, in 2016. Today, in addition to hardware products, Ledger has an enterprise business that provides solutions for managing crypto assets.

Ledger Stax

One of the biggest announcements for Ledger in 2022 happened in December with the debut of Ledger Stax. Ledger recruited Tony Fadell, designer of the iPod, to work on Ledger Stax. The big redesign is part of a broader Ledger goal to give web3 a “fresh look.”

Ledger Connect Browser Extension

In 2022, Ledger announced Ledger Connect—a browser extension that enables dApps to connect to Ledger hardware wallets. Ledger Connect is a multi-chain extension, meaning users won’t need different extensions to interact with dApps on Ethereum, Solana, and other chains.

Ledger Op3n

2022 also saw Ledger Op3n, the company’s bi-annual flagship event where many major product releases are announced. This year, Ledger Stax was announced at Op3n. In addition, Ledger hosted the Op3n Developer Experience, an invite-only hackathon. Overall, some of the prevailing themes for Ledger in 2022 were their hardware releases and focus on building Ledger as a platform.

ZenGo is a self-custodial software wallet. ZenGo’s unique feature is that it uses multi-party computation to secure users’ private keys. In traditional wallets, the private key is a single point of failure. If the private-key is compromised, the wallet and all its funds are at risk.

In contrast, MPC wallets distribute a private key among multiple parties so that each holds a part of the key. A key characteristic of MPC is that multiple parties can assess a computation without revealing their own inputs. For example, three employees who want to know their average salary can use MPC to calculate it without revealing their own salary.

In the case of wallets and ZenGo, each party that holds a part of the private key can apply their key share to form a valid signature. Even if one party is compromised, the private key cannot be constructed with a single key share.

An additional benefit of MPC wallets is that key shares can be backed up in a way that does not risk compromising the entire private key. Thus, ZenGo wallet users can recover their seed phrase for deriving their own key share with their email or back it up to the cloud.

ZenGo’s major launch in 2022 was ClearSign—a wallet firewall that screens, translates, and verifies transactions. Similar to many browser extensions, ClearSign will simulate transactions to detect malicious requests and transfers. ZenGo also announced a partnership with Collab.Land to verify and greenlight legitimate signatures from Collab.Land.

In August, ZenGo extended this verification to multiple platforms including OpenSea and UniSwap. ClearSign now provides green (for verified contracts), yellow (for suspicious transactions), and red (for signing away access) checkmarks on all messages.

ClearSign is a clear sign that web3 companies are focusing more on usability, especially in the context of safety and security. The rise of extensions and built-in wallet features is indicative of a demand for more and better ways to protect against scams.

Stelo is an extension that keeps users safe from phishing. It interprets and enriches transactions so users don’t have to blindly sign. Stelo isn’t a wallet—rather, Stelo pauses transaction requests sent to wallets like Metamask by wrapping the window.ethereum Javascript object that Metamask injects into the page.

Stelo launched in September of 2022 and released a host of new functionality since then including a redesign in February 2023. When signing Safe transactions, Stelo can interpret and display, in simple language, what signing the transaction will do. Stelo also got safer with support for Seaport bulk listing on OpenSea, addressing one of the most common attack vectors. Now, Stelo will alert users when they might be signing away their NFTs for free.

In 2023, Stelo announced the v2 of their extension, a developer API, a new token approval service, and their $6m seed round led by a16z crypto. The v2 extension is redesigned with a new interface for viewing and approving transactions. The API allows any developer to integrate Stelo's risk engine into their app. Approvals.xyz, the token approvals manager, will help users understand the approvals they've given, as well as provide security recommendations.

Wallet Guard is an extension that provides phishing and malware protection. Wallet Guard also has a security dashboard with information about suspicious activity, extensions, and a transaction simulator.

Wallet Guard announced a 2023 roadmap that includes a suite of new features. Namely, transaction simulation, machine learning-based URL phishing detection, and a revamped v2 browser extension.

Fire is an extension that simulates transactions, showing users what will happen to their wallets before they sign. In addition, Fire allows users to block contracts, so once they discover a malicious contract once, they never have to interact with it again. Fire is also one of the few extensions to have a companion NFT. The Fire NFT mint is a browser-based minigame that showcases how Fire can protect users from scams.

Some of the major product updates for Fire in 2022 were expanding support for the extension, across browsers, wallets, and networks. Early in 2023, Fire also announced a new NFT for Fire holders, the Fire Check.

Pocket Universe is a browser extension that simulates transactions. It works by running a transaction on a forked copy of the blockchain and checking the outcome for malicious activity. Pocket Universe is one of the only transaction simulator extensions to offer a paid tier—$4.99/month for access to “hyperdrive mode,” a feature that skips popups for transactions with whitelisted contracts, and early access to new features.

The big updates of 2022 for Pocket Universe were the release of a mobile beta and support for Polygon. In early 2023, Pocket Universe also teased the release of an announced project called “Pocket Protect.”

Blowfish is a security engine for crypto wallets. It comes in the form of an API that wallets and other custodians can implement to keep their users safe from attacks. Blowfish currently supports Solana, Ethereum, and Polygon, and the largest Solana wallet, Phantom, uses their API.

Blowfish was launched in September 2022 and announced its $11.8 million round led by Paradigm. Along with the launch, Blowfish announced an initial partnership with Phantom to integrate their API into the Phantom wallet. Using Blowfish, the Phantom wallet screens for malicious activity and flags suspicious transactions. According to Blowfish, they have already scanned more than 125 million transactions and prevented 11,000+ malicious ones.

In addition to Phantom, Blowfish has also partnered with PartyBid, Light Wallet, and Spot Wallet to provide protection against scams and attacks. In early 2023, Blowfish released an extension in private beta.

Forta is a decentralized threat-detection and monitoring network that scans for threats in web3 systems. Forta is built on a network of independent node operators that scan transactions and state changes across a variety of chains and surfaces. When node operators detect suspicious activity, they send an alert to the Forta network, allowing key actors to respond to threats.

Currently, anyone can subscribe to the Forta network and receive alerts—either through apps like OpenZeppelin Defender, or directly via the Forta public API.

In addition, Forta allows for developers to create and deploy their own detection bots, contributing to the broader Forta network. Forta's threat detection has been used to monitor everything from governance attacks to phishing bots to smart contract exploits, and watches over billions in TVL across projects including Lido, Compound, and Polygon.

In 2022, Forta released the Forta App—a tool that allows anyone to monitor and receive alerts for wallets and smart contracts. Forta also launched an integration with ZenGo, enabling real time phishing protection.

The broader Forta ecosystem is developing as well. Last year, over 900 detection bots were deployed to the Forta network and 4,300+ nodes worked to scan for threats. Overall, Forta's network was monitoring over $30 billion across multiple chains.

Etherscan is an Ethereum blockchain explorer, but also has a contract verification tool. It is the most popular tool for verifying contracts and maintains an extensive repository of verified contracts.

One major limitation of Etherscan is its inability to compare source code metadata. Metadata contains information about the source code including compiler settings, code documentation (comments), and variable names. This information is appended to the bytecode, but Etherscan ignores it during the verification process. Thus, verified contracts on Etherscan may have misleading variable names and comments, though the source code will still behave the same as the deployed bytecode.

Another limitation of Etherscan is data availability. If the website were to be taken down or otherwise made unavailable, no one would be able to access Etherscan’s repo of verified contracts.

Sourcify is a contract verification platform. In contrast to Etherscan, Sourcify is not a block explorer. It functions as a base layer that other tools and services can build on top of. Sourcify has three core functions—an interface that developers can use to verify source code, a repository of verified contracts, and a monitoring service that checks new Ethereum blocks for contracts and attempts to verify them automatically.

Sourcify solves the two primary limitations of Etherscan—comparing metadata and data availability. Sourcify compares the metadata as part of its verification process. Contracts with matching metadata are called a perfect verification while non-matching metadata is called a partial verification.

Sourcify also addresses the issue of data availability by storing verified source code via IPFS in addition to HTTPS. As a result, the storage of source code is decentralized and more resistant to attempts at censorship and potential outages.

Approvals.xyz is a token approvals site that gives you a wallet health score and lets you know your highest risk approvals. It pulls in NFT and token data like prices, images, and value at risk so that you can understand which approvals need the most attention. 

Revoke.cash is the original token approvals site. In early 2023 it underwent a major update that made it easier to use and much more performant. Revoke.cash supports eight different popular chains including Ethereum, Polygon, Arbitrum, Optimisim, and Binance Smart Chain.

Etherscan's token approvals tool simply allows you to see open approvals and revoke them.