As the Web3 space continues to expand and gain traction, the industry is increasingly forced to grapple with an uncomfortable truth: For all its promise, Web3 remains deeply flawed. Accepting that reality is the first step toward paving the way to a stronger ecosystem.
As things stand, navigating the risks associated with this fast-evolving technology is tricky — not least due to the abundance of opportunistic scammers keen to take advantage of unassuming users. The decentralized nature of Web3, coupled with the pseudonymous nature of cryptocurrency transactions, presents an inviting opportunity for bad actors to take advantage of a widely held perception that the blockchain makes users bulletproof.
Those of us who have been around the block know this isn’t the case. From hacks to phishing attacks, rug pulls and other exploits, the risks that face Web3 users are almost too many to mention.
Web3 Sign-In: Convenient But Dangerous
One of the main problems relates to the sign-in process. While Web2 sign-in requires users to enter their email and password, or opt for “Log in with Google/Facebook” and the like, connecting via a cryptocurrency wallet is the default sign-in for Web3.
Most of the time, this process works just fine. But sometimes it doesn’t — and the outcome can be devastating. Connecting your wallet to a fake website or dApp can result in lost funds, as we saw recently with the ETHDenver scam. In short, a fake website purporting to represent the ETHDenver conference was spun up, and scammers made off with over $300k in ETH. Bad times.
While signing in with a wallet is less annoying and more private than using an email and password, the risks are there for all to see. The rise of malicious actors targeting Web3 users is alarming, and it is imperative that we take steps to safeguard the community.
It’s natural to ask why, if such risks exist, Web3 users continue to accept it. Well, some just don’t know any better; it’s only when they’ve burned their fingers that they realize they were vulnerable. Moreover, many users labor under the misapprehension that because Web3 is “decentralized,” they are much safer than they would be in the centralized world of Web2.
Of course, there are other reasons — like the fact that almost all Web3 sites require users to connect their wallet or the lure of receiving future airdrops. Ultimately, though, this attitude needs to change; connect-with-wallet makes access to funds (including valuable NFTs) wide open, particularly if you inadvertently grant permission to fraudulent smart contracts. So, how do we square this circle? How do we preserve the decentralized ethos of Web3 while also erecting safeguards to protect users?
One solution to this problem is education. As more people become aware of the risks associated with Web3, they will naturally be better equipped to protect themselves against potential scams. Education can help users identify phishing attacks and follow best practices for protecting their funds — like using a multi-sig wallet, for example. Thankfully, the ecosystem is increasingly coming together to school naive users on common examples of fraud, and numerous security tools are also emerging to help them avoid such dangers.
Account Abstraction
Inarguably, the industry needs to tackle the paradox of anonymity. Web3 users clearly value privacy and anonymity more than their Web2 counterparts, but wallet-based authentication doesn’t mean you’re a ghost in the machine: Dedicated individuals can use clever tactics to unmask the person behind the wallet, particularly if you engage in multiple transactions or convert your crypto to fiat. Hence the rise of privacy-focused cryptocurrencies like Monero and Zcash.
The tl;dr here is that while Web3 sign-in is convenient and allows people to execute blockchain transactions on dApps in a matter of seconds, there is a heavy element of risk, which underscores the need for a technological solution that preserves the benefits while slamming the door shut on bad actors. This is entirely possible through smart contract technology since contracts can be designed to ensure funds are only released under certain conditions.
A good solution would be to ensure wallets serve not only as an identifier during logins but also as a “crypto holder” when executing transactions. ERC-4337 (Account Abstraction) aims to address this issue. As Tom Teman from the Ethereum Foundation explains, “Account Abstraction introduces the concept of session keys, which allow users to limit the privileges they give applications when they log in. This key can be configured to only spend a certain amount of gas, interact with specific contracts and methods, expire after a designated time, etc. Everything is enforced on-chain, of course, ensuring the benefits of decentralization are preserved.”
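To make the session-key idea concrete, here is an added illustrative model (not ERC-4337 code, not Blockfence's code, and not the Ethereum Foundation's) of the policy a smart-contract account could enforce on-chain before executing an operation signed by a session key: a spending cap, a per-operation gas budget, an allow-list of contracts and function selectors, and an expiry. Addresses such as 0xKEY and 0xTOKEN are constructed placeholders; the two selectors are the real ERC-20 transfer and approve selectors, chosen because blocking approve is what stops a dApp from obtaining a token allowance the user never meant to grant.

```python
from dataclasses import dataclass

# Well-known ERC-20 selectors: first 4 bytes of keccak256 of the signatures.
TRANSFER = "a9059cbb"  # transfer(address,uint256)
APPROVE = "095ea7b3"   # approve(address,uint256)

@dataclass
class SessionKeyPolicy:
    key: str                 # session key address handed to the dApp at login
    allowed_targets: set     # contracts this key may call
    allowed_selectors: set   # 4-byte selectors (hex) this key may invoke
    max_gas_per_op: int      # gas budget per operation
    max_value_wei: int       # total ETH value the key may move over its lifetime
    expires_at: int          # unix time after which the key is dead
    spent_wei: int = 0       # running total, updated only on acceptance

@dataclass
class UserOp:
    signer: str
    target: str
    value_wei: int
    call_data: bytes
    gas_limit: int

def validate_user_op(policy: SessionKeyPolicy, op: UserOp, now: int):
    """Return (accepted, reason); every rule is checked before any state changes."""
    if op.signer.lower() != policy.key.lower():
        return False, "not signed by the session key"
    if now >= policy.expires_at:
        return False, "session key expired"
    if op.gas_limit > policy.max_gas_per_op:
        return False, "gas limit above session budget"
    if op.target.lower() not in {t.lower() for t in policy.allowed_targets}:
        return False, "target contract not allowed"
    if len(op.call_data) < 4 or op.call_data[:4].hex() not in policy.allowed_selectors:
        return False, "function not allowed"
    if policy.spent_wei + op.value_wei > policy.max_value_wei:
        return False, "value cap exceeded"
    policy.spent_wei += op.value_wei
    return True, "ok"

def demo():
    key, token, rogue = "0xKEY", "0xTOKEN", "0xROGUE"  # constructed placeholders
    policy = SessionKeyPolicy(key, {token}, {TRANSFER}, 200_000, 10**17, expires_at=1_000)
    transfer = bytes.fromhex(TRANSFER) + bytes(64)  # transfer(...) with zeroed arguments
    approve = bytes.fromhex(APPROVE) + bytes(64)
    return [
        validate_user_op(policy, UserOp(key, token, 0, transfer, 100_000), 500)[0],          # accepted
        validate_user_op(policy, UserOp(key, token, 0, approve, 100_000), 500)[0],           # approve blocked
        validate_user_op(policy, UserOp(key, rogue, 0, transfer, 100_000), 500)[0],          # rogue contract blocked
        validate_user_op(policy, UserOp(key, token, 2 * 10**17, transfer, 100_000), 500)[0], # over value cap
        validate_user_op(policy, UserOp(key, token, 0, transfer, 100_000), 1_000)[0],        # expired
    ]
```

Only the first operation passes; each of the others trips exactly one of the limits the quoted description lists.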
With Account Abstraction, your Web3 wallet remains the gateway to dApps. But it’s effectively equipped with checks and balances to stop you from being ripped off. Sort of like in Web2, where if you log into your email from a random territory, you get an alert to check if it’s really you.
Navigating the risks associated with Web3 is undoubtedly a challenge. However, with the right education, technology and security measures in place, it is possible to preserve the decentralized spirit of Web3 while also ensuring users are protected. The future of Web3 is certainly bright — we just need to stay vigilant.
(Omri Lahav is the CEO and co-founder of Blockfence, a top security solution focused on safeguarding users and companies from scams and fraud, establishing the first Web3 security hub.)