Web3 is an exciting space that’s brimming with innovative concepts around decentralization and giving users back control of their online identities and data. It’s the driving force of new technologies like cryptocurrency, non-fungible tokens and the metaverse, and once fully developed it promises to radically alter the way people interact and work online.
But for all of the promises of Web3, many dangers lurk. In 2022, hackers and scammers managed to steal more than $3.9 billion worth of crypto assets, according to Immunefi. Malicious actors in Web3 are numerous and extremely creative, using sophisticated fraud techniques to catch people off guard and relieve them of their digital assets. Some of the most common dangers faced by Web3 users include smart contract vulnerabilities, phishing attacks, copymints and poisoning attacks. To avoid them, Web3 users need to know how these methods work.
Common Web3 Attacks
One of the easiest ways to fall victim to a Web3 hacker is to end up at a malicious “phishing” website that looks and feels like a legitimate one. Criminals make copies of genuine websites using a slightly different URL, such as Openseea.io instead of Opensea.io, and hope to catch users unawares. They use a number of creative methods to direct users to these fake websites, such as sending an official-looking email or using a spoofed celebrity social media account to send messages. As soon as someone enters their credentials into the fake site, the attacker can gain control of their account on the official website and steal whatever assets they’re holding.
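The Openseea.io/Opensea.io trick above is a one-character edit away from the real domain, which is exactly what a lookalike check can catch. The following is an added example, not code from the article or from any product it names; the allowlist and the edit-distance threshold are assumptions for the demonstration.

```javascript
// Added example (not from the original article): flag hostnames that are a
// small edit away from a trusted Web3 domain, the pattern behind
// "Openseea.io" standing in for "Opensea.io". The allowlist and the
// distance threshold are this example's own assumptions.
const TRUSTED_HOSTS = ["opensea.io", "app.uniswap.org", "etherscan.io"];
const MAX_EDIT_DISTANCE = 2;

// Classic Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Extracts the lowercased hostname from a URL or bare host and drops "www.".
function hostOf(input) {
  const s = input.includes("://") ? input : "https://" + input;
  return new URL(s).hostname.toLowerCase().replace(/^www\./, "");
}

// Returns { verdict: "trusted" } for an exact allowlist match,
// { verdict: "lookalike", similarTo, distance } when the host is within
// MAX_EDIT_DISTANCE of a trusted host, and { verdict: "unknown" } otherwise.
function classifyHost(input, trusted = TRUSTED_HOSTS) {
  const host = hostOf(input);
  let best = null;
  for (const t of trusted) {
    if (host === t) return { verdict: "trusted", host };
    const d = editDistance(host, t);
    if (d <= MAX_EDIT_DISTANCE && (best === null || d < best.distance)) {
      best = { verdict: "lookalike", host, similarTo: t, distance: d };
    }
  }
  return best ?? { verdict: "unknown", host };
}
```

A "lookalike" verdict is a prompt to stop and compare the address bar against a bookmark, not proof of fraud; a genuinely unrelated domain simply comes back "unknown".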
Another threat is malicious smart contracts that integrate dangerous logic, such as an ability to restrict a transaction, burn tokens, delegate calls to other smart contracts, or give the contract creator access to the user’s wallet. Scammers can either create their own malicious dApps with dodgy smart contracts, or use a vulnerability in a legitimate smart contract to adapt its code.
Copymints refer to fake or plagiarized NFTs that violate the rights of the author. For instance, someone may try to fake a popular NFT collection such as the Bored Ape Yacht Club and sell it for bargain prices. Only later will the buyer realize that it has no value.
Finally, poisoning attacks occur when a scammer creates a wallet address where the first and last characters are the same as the user’s own wallet. The idea is that the user may mistakenly believe they are sending funds to their own wallet address, when in fact they’re sending their assets directly to the scammer.
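Because wallets typically display only the first and last few characters of an address, a poisoned address passes a glance check. The following added example (not code from the article or any product it names) compares a recipient against the user's own trusted addresses and flags one that matches only on the visible prefix and suffix; the prefix/suffix lengths and the sample addresses are constructed for the demonstration.

```javascript
// Added example (not from the original article): flag a recipient address that
// matches a trusted address only on its leading and trailing characters, which
// is the pattern an address-poisoning scam relies on. PREFIX_LEN, SUFFIX_LEN
// and the sample addresses are this example's own assumptions.
const PREFIX_LEN = 6; // hex chars after "0x" that wallets usually show
const SUFFIX_LEN = 4; // trailing hex chars that wallets usually show

// Accepts a 0x-prefixed 20-byte hex address and returns it lowercased,
// or null if it is not a syntactically valid address.
function normalizeAddress(addr) {
  if (typeof addr !== "string") return null;
  const a = addr.trim().toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null;
}

// Compares the recipient against every trusted address. Returns
// { verdict: "exact" } when it is identical to a trusted address,
// { verdict: "lookalike", matches } when only the visible prefix and
// suffix match, { verdict: "invalid" } for malformed input, and
// { verdict: "unknown" } otherwise.
function checkRecipient(recipient, trustedAddresses) {
  const r = normalizeAddress(recipient);
  if (!r) return { verdict: "invalid" };
  const body = r.slice(2);
  for (const t of trustedAddresses) {
    const n = normalizeAddress(t);
    if (!n) continue; // skip malformed entries in the trusted list
    if (n === r) return { verdict: "exact" };
    const tb = n.slice(2);
    const samePrefix = tb.slice(0, PREFIX_LEN) === body.slice(0, PREFIX_LEN);
    const sameSuffix = tb.slice(-SUFFIX_LEN) === body.slice(-SUFFIX_LEN);
    if (samePrefix && sameSuffix) return { verdict: "lookalike", matches: n };
  }
  return { verdict: "unknown" };
}

// Constructed sample data: a user's own address and a poisoned lookalike
// that shares its first six and last four hex characters but nothing else.
const OWN = "0xabc123" + "0".repeat(30) + "beef";
const POISONED = "0xabc123" + "f".repeat(30) + "beef";
```

The same comparison applies to entries copied from transaction history, since that is where a poisoned address is planted; only a full-string match should ever count as "the address I used before".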
Web3 Security Innovations
The good news is that the Web3 space has developed a number of innovative tools that aim to counter these kinds of crypto scams.
One of the best in the business is Blockfence, which has created a browser extension that acts as a protective layer that guards against suspect transactions. Blockfence combines complex analysis with machine learning algorithms and data on hackers and vulnerabilities gathered by the Web3 community to safeguard users’ transactions. It can prevent many kinds of attacks, including phishing attacks and malicious smart contracts.
When a user installs Blockfence in their browser, they will receive automated alerts each time they attempt to approve a transaction using a linked wallet such as MetaMask. Blockfence will warn them anytime the address they’re sending funds to is listed as suspicious, enabling that user to back out if they’re uncertain. Blockfence’s knowledge of vulnerabilities and suspect addresses is enhanced by a strong network of security partners. In addition, it offers a transaction interpreter powered by generative artificial intelligence, similar to ChatGPT, that explains in plain English what each transaction will do.
A similar offering comes from TrustCheck, which aims to safeguard Web3 transactions by verifying crypto wallet addresses, token collections, smart contracts and URLs before the user interacts with them. It will highlight potential problems such as risky transaction approvals, fake websites, dangerous signing requests and more.
Before each transaction is approved, TrustCheck provides the user with a visualization of what will happen, with token metadata such as names and addresses presented in human-readable form.
Immunefi aims to secure Web3 in a different way through its bug bounty platform, which provides rewards to benevolent hackers who can find vulnerabilities in smart contracts or dApps and warn the community. This kind of auditing is critical to the safety of Web3 and especially the DeFi ecosystem, which uses very complex smart contracts to facilitate multi-swap transactions. Immunefi claims to have saved more than $25 billion worth of digital assets from being hacked.
Proactive Prevention Is Best
While the above tools are recommended and will certainly help to prevent most Web3 attacks, users should always follow best practices to minimize their chances of falling victim to scammers.
The single worst mistake anyone can make is to share their private key or seed phrase. There is no reason to do this ever, and no reputable company will ever ask for it. The best way to store this information is to write it down somewhere on a piece of paper and keep it hidden in a safe place. Storing it on a computer or mobile device is not advised, as these can also be hacked.
Moreover, users should always store their funds in a non-custodial wallet rather than a custodial one. While custodial wallets are simpler to recover in the event of getting locked out, they also mean trusting someone else to store your funds for you. As FTX users found out to their horror, that really isn’t a good idea, no matter how reputable the company might seem.
In addition, users should always stay very focused whenever they’re about to approve a transaction or sign a message. Care should be taken to double-check the recipient’s address and the amount being sent. Never respond to messages received on social media, and always enter URLs of crypto-related websites manually to avoid being spoofed.
Security Is Your Problem
The decentralized nature of Web3 means there’s no fallback in the event you’re scammed, so security is solely your responsibility. Be aware that even the most sophisticated crypto users have fallen victim to hacks and scams before, so always take great care and take advantage of Web3 security tools that can double-check the safety of your crypto transactions.