By Stelo Labs, Eli Qian
This is Part 2 of a two-part report on the State of Web3 Security focused on tooling. Read Part 1 about attacks here.
In the past 18 months, the crypto landscape has been punctuated by the notable collapses of Luna, FTX, and others. While the demise of these institutions and resulting fallout wasn’t a result of security breaches per se, the result of the collapse was that many users migrated their money off exchanges and into self custody. In doing so, users opted into the increased security burden, from seed phrase storage to transaction safety.
Since then, dozens of security-focused companies were founded and funded to help users make this transition safely and securely. We specifically saw the rise of tooling around smart contract safety and auditability, on-chain transaction monitoring, and pre-signature transaction security.
This report is a deep dive on the tooling built in the last 18 months with the goal of bringing increased awareness and understanding to the web3 security landscape.
Ups and downs
2022 was a crazy year for crypto tools and services, with many ups and downs, and new developments. In 2022, the collapse of centralized tools and exchanges such as FTX reignited a mistrust in certain centralized entities with more unstable footing and a growing preference for self custody. Given the move towards self-custody, the importance of transactions and seed phrase security became much more front of mind. The onus of security shifted from the exchange to the user.
With this shift came a rush of new projects and people to serve security-conscious users. While hacks and scams have become more frequent, severe, and sophisticated, the crypto community is finding ways to respond and become more resilient.
On-chain sleuths like ZachXBT and crypto security researchers like samczsun are there to give breakdowns of major attacks and track stolen funds. White hat hackers are also becoming an integral part of the crypto ecosystem, helping identify vulnerabilities before they can be exploited for hundreds of millions of dollars. The crypto community has gotten better at sharing information and educating users on attacks. There are more resources for learning about hacks and scams, as well as ways to stay safe.
In addition to the community response, developers are creating more tools to protect against attacks. So, while attacks may be more sophisticated than ever, so are the ways to prevent those attacks. There are a host of tools available, across the crypto stack, to keep users and institutions safe.
Some of the biggest leaps have been made in:
- Pre-transaction interfaces—improving the usability of crypto by making sure users understand the transaction they sign.
- Wallets—making hardware wallets more secure and software wallets easier to navigate.
- Contract verification—ensuring the trustlessness of smart contracts.
These are some of the tools and services users can use to stay ahead of the rising tide of crypto attacks and scams.
What are wallets?
A crypto wallet is a way to store public and private keys. Unlike a traditional wallet, cryptocurrency and assets aren’t actually stored “in” the wallet. Rather, assets live on the blockchain, and a private key gives access to the assets of a given address. In addition to storing keys, wallets often allow users to interact with and manage their assets (transferring, receiving, etc.)
Software vs hardware wallets
Software wallets are typically browser extensions or apps, and private keys are either stored locally on a user’s device or backed up on an online server. However, since software wallets run on devices that are connected to the internet, they are susceptible to attacks.
Hardware wallets attempt to remedy this issue by storing private keys in a device that’s not connected to the internet, and by signing transactions without the private key leaving the wallet (often with the help of companion software that allows the wallet to connect to an internet-enabled device).
Here’s how it works: First, the wallet software creates an unsigned transaction with information about the amount and address to send funds to. Then, the unsigned transaction is passed to the hardware wallet via the companion software. The hardware wallet will prompt the user if they wish to sign the transaction—once signed, the wallet will then pass the signed transaction back to the software which will broadcast the transaction to the blockchain. Throughout this whole process, the private keys remain isolated and offline.
What is Ledger?
Ledger is a Paris-based company making hardware wallets. They launched in 2014 and released their first wallet, the Ledger Nano S, in 2016. Today, in addition to hardware products, Ledger has an enterprise business that provides solutions for managing crypto assets.
Ledger in 2022
One of the biggest announcements for Ledger in 2022 happened in December with the debut of Ledger Stax. Ledger recruited Tony Fadell, designer of the iPod, to work on Ledger Stax. The big redesign is part of a broader Ledger goal to give web3 a “fresh look.”
Ledger Connect Browser Extension
In 2022, Ledger announced Ledger Connect—a browser extension that enables dApps to connect to Ledger hardware wallets. Ledger Connect is a multi-chain extension, meaning users won’t need different extensions to interact with dApps on Ethereum, Solana, and other chains.
2022 also saw Ledger Op3n, the company’s bi-annual flagship event where many major product releases are announced. This year, Ledger Stax was announced at Op3n. In addition, Ledger hosted the Op3n Developer Experience, an invite-only hackathon. Overall, some of the prevailing themes for Ledger in 2022 were their hardware releases and focus on building Ledger as a platform.
What is ZenGo?
ZenGo is a self-custodial software wallet. ZenGo’s unique feature is that it uses multi-party computation to secure users’ private keys. In traditional wallets, the private key is a single point of failure. If the private-key is compromised, the wallet and all its funds are at risk.
In contrast, MPC wallets distribute a private key among multiple parties so that each holds a part of the key. A key characteristic of MPC is that multiple parties can assess a computation without revealing their own inputs. For example, three employees who want to know their average salary can use MPC to calculate it without revealing their own salary.
In the case of wallets and ZenGo, each party that holds a part of the private key can apply their key share to form a valid signature. Even if one party is compromised, the private key cannot be constructed with a single key share.
An additional benefit of MPC wallets is that key shares can be backed up in a way that does not risk compromising the entire private key. Thus, ZenGo wallet users can recover their seed phrase for deriving their own key share with their email or back it up to the cloud.
ZenGo in 2022
ZenGo’s major launch in 2022 was ClearSign—a wallet firewall that screens, translates, and verifies transactions. Similar to many browser extensions, ClearSign will simulate transactions to detect malicious requests and transfers. ZenGo also announced a partnership with Collab.Land to verify and greenlight legitimate signatures from Collab.Land.
In August, ZenGo extended this verification to multiple platforms including OpenSea and UniSwap. ClearSign now provides green (for verified contracts), yellow (for suspicious transactions), and red (for signing away access) checkmarks on all messages.
ClearSign is a clear sign that web3 companies are focusing more on usability, especially in the context of safety and security. The rise of extensions and built-in wallet features is indicative of a demand for more and better ways to protect against scams.
What is pre-transaction simulation?
In 2022, many new web3 security extension tools entered the market that protect against phishing and scams by simulating transactions. These extensions aren’t wallet replacements. Instead, they offer an improved interface to better translate and understand what a message or transaction will do. Some of the tools mentioned are built directly into wallets via an API.
Crypto’s usability problem
The extensions that have launched in 2022 are in response to a very serious usability problem in crypto. It’s simply too easy to fall victim to a scam because the tools people use to interact with crypto aren’t intuitive and leave most users confused. That, on its own, is already cause for concern.
However, the past year has shown that, despite all the interesting use cases, crypto is rife with scams and malicious actors. For crypto to achieve larger scale adoption, users need to feel safe and be able to explore with confidence.
A new wave of extensions and APIs are addressing this. Developers are realizing that displaying an unreadable transaction hash with no context or explanation is not user-friendly behavior. Tools are beginning to leverage the open nature of crypto—namely, public bytecode/source code allows users to simulate transactions before signing.
Full disclosure, Stelo is the author of this report. We did our best to stay neutral and highlight alternative tools.
What is Stelo?
Stelo major updates
Stelo launched in September of 2022 and released a host of new functionality since then including a redesign in February 2023. When signing Safe transactions, Stelo can interpret and display, in simple language, what signing the transaction will do. Stelo also got safer with support for Seaport bulk listing on OpenSea, addressing one of the most common attack vectors. Now, Stelo will alert users when they might be signing away their NFTs for free.
In 2023, Stelo announced the v2 of their extension, a developer API, a new token approval service, and their $6m seed round led by a16z crypto. The v2 extension is redesigned with a new interface for viewing and approving transactions. The API allows any developer to integrate Stelo's risk engine into their app. Approvals.xyz, the token approvals manager, will help users understand the approvals they've given, as well as provide security recommendations.
What is Wallet Guard?
Wallet Guard is an extension that provides phishing and malware protection. Wallet Guard also has a security dashboard with information about suspicious activity, extensions, and a transaction simulator.
Wallet Guard major updates
Wallet Guard announced a 2023 roadmap that includes a suite of new features. Namely, transaction simulation, machine learning-based URL phishing detection, and a revamped v2 browser extension.
What is Fire?
Fire is an extension that simulates transactions, showing users what will happen to their wallets before they sign. In addition, Fire allows users to block contracts, so once they discover a malicious contract once, they never have to interact with it again. Fire is also one of the few extensions to have a companion NFT. The Fire NFT mint is a browser-based minigame that showcases how Fire can protect users from scams.
Fire major updates
Some of the major product updates for Fire in 2022 were expanding support for the extension, across browsers, wallets, and networks. Early in 2023, Fire also announced a new NFT for Fire holders, the Fire Check.
What is Pocket Universe?
Pocket Universe is a browser extension that simulates transactions. It works by running a transaction on a forked copy of the blockchain and checking the outcome for malicious activity. Pocket Universe is one of the only transaction simulator extensions to offer a paid tier—$4.99/month for access to “hyperdrive mode,” a feature that skips popups for transactions with whitelisted contracts, and early access to new features.
Pocket Universe major updates
The big updates of 2022 for Pocket Universe were the release of a mobile beta and support for Polygon. In early 2023, Pocket Universe also teased the release of an announced project called “Pocket Protect.”
What is Blowfish?
Blowfish is a security engine for crypto wallets. It comes in the form of an API that wallets and other custodians can implement to keep their users safe from attacks. Blowfish currently supports Solana, Ethereum, and Polygon, and the largest Solana wallet, Phantom, uses their API.
Blowfish in 2022
Blowfish was launched in September 2022 and announced its $11.8 million round led by Paradigm. Along with the launch, Blowfish announced an initial partnership with Phantom to integrate their API into the Phantom wallet. Using Blowfish, the Phantom wallet screens for malicious activity and flags suspicious transactions. According to Blowfish, they have already scanned more than 125 million transactions and prevented 11,000+ malicious ones.
In addition to Phantom, Blowfish has also partnered with PartyBid, Light Wallet, and Spot Wallet to provide protection against scams and attacks. In early 2023, Blowfish released an extension in private beta.
What is Forta?
Forta is a decentralized threat-detection and monitoring network that scans for threats in web3 systems. Forta is built on a network of independent node operators that scan transactions and state changes across a variety of chains and surfaces. When node operators detect suspicious activity, they send an alert to the Forta network, allowing key actors to respond to threats.
Currently, anyone can subscribe to the Forta network and receive alerts—either through apps like OpenZeppelin Defender, or directly via the Forta public API.
In addition, Forta allows for developers to create and deploy their own detection bots, contributing to the broader Forta network. Forta's threat detection has been used to monitor everything from governance attacks to phishing bots to smart contract exploits, and watches over billions in TVL across projects including Lido, Compound, and Polygon.
Forta major updates
In 2022, Forta released the Forta App—a tool that allows anyone to monitor and receive alerts for wallets and smart contracts. Forta also launched an integration with ZenGo, enabling real time phishing protection.
The broader Forta ecosystem is developing as well. Last year, over 900 detection bots were deployed to the Forta network and 4,300+ nodes worked to scan for threats. Overall, Forta's network was monitoring over $30 billion across multiple chains.
Source Code Verification
What is source code verification?
Smart contracts are written in a high-level language, such as Solidity. However, for the source code to be interpreted and processed by the EVM, it has to be converted to bytecode. Bytecode is typically a HEX string that represents a piece of binary code. To humans, it is unreadable:
The process of converting high-level source code to machine-readable bytecode is called compiling. However, a problem arises because compiling decouples source code from the code deployed to the blockchain. People need a way to verify that a contract’s source code (written in Solidity, for instance) compiles to the same bytecode that ends up getting executed at the contract’s address. In other words, if executing the contract actually does what the source code says it will do.
Source code verification tools accomplish this by recompiling bytecode from the original source, and checking if it matches the bytecode of the on-chain contract.
What is Etherscan?
Etherscan is an Ethereum blockchain explorer, but also has a contract verification tool. It is the most popular tool for verifying contracts and maintains an extensive repository of verified contracts.
One major limitation of Etherscan is its inability to compare source code metadata. Metadata contains information about the source code including compiler settings, code documentation (comments), and variable names. This information is appended to the bytecode, but Etherscan ignores it during the verification process. Thus, verified contracts on Etherscan may have misleading variable names and comments, though the source code will still behave the same as the deployed bytecode.
Another limitation of Etherscan is data availability. If the website were to be taken down or otherwise made unavailable, no one would be able to access Etherscan’s repo of verified contracts.
What is Sourcify?
Sourcify is a contract verification platform. In contrast to Etherscan, Sourcify is not a block explorer. It functions as a base layer that other tools and services can build on top of. Sourcify has three core functions—an interface that developers can use to verify source code, a repository of verified contracts, and a monitoring service that checks new Ethereum blocks for contracts and attempts to verify them automatically.
Sourcify vs. Etherscan
Sourcify solves the two primary limitations of Etherscan—comparing metadata and data availability. Sourcify compares the metadata as part of its verification process. Contracts with matching metadata are called a perfect verification while non-matching metadata is called a partial verification.
Sourcify also addresses the issue of data availability by storing verified source code via IPFS in addition to HTTPS. As a result, the storage of source code is decentralized and more resistant to attempts at censorship and potential outages.
Token approvals are necessary to use tools like OpenSea and Uniswap. When listing or swapping an asset, the user must first give an approval to the necessary contract. Approvals grant the recipient complete transfer control over the approved asset.
However, open approvals also put your wallet at risk. Subsequent off-chain signatures can result in unwanted asset transfers and loss of funds.
Approvals.xyz is made by Stelo Labs.
What is Approvals.xyz?
Approvals.xyz is a token approvals site that gives you a wallet health score and lets you know your highest risk approvals. It pulls in NFT and token data like prices, images, and value at risk so that you can understand which approvals need the most attention.
What is revoke.cash?
Revoke.cash is the original token approvals site. In early 2023 it underwent a major update that made it easier to use and much more performant. Revoke.cash supports eight different popular chains including Ethereum, Polygon, Arbitrum, Optimisim, and Binance Smart Chain.
Etherscan token approvals
What is Etherscan token approvals?
Etherscan's token approvals tool simply allows you to see open approvals and revoke them.