Research Summary - What is in Your Wallet? Privacy and Security Issues in Web 3.0

TLDR

  • DeFi has been perceived as a more secure, private, less centralized alternative to traditional financial systems, but DeFi applications may not be as secure as previously thought.
  • Third-party applications embedded in DeFi applications and services may result in data leaks; script blockers can help to prevent trackers from operating but are not a permanent cure.
  • The authors proposed a remedy to identified vulnerabilities by designing an in-browser patch for MetaMask to prevent third-party address leaks.

Core Research Question

What requirements do DeFi sites need to ensure user privacy and security?

Citation

Winter, P., Lorimer, A. H., Snyder, P., & Livshits, B. (2021, September 14). What's in Your Wallet? Privacy and Security Issues in Web 3.0. arXiv:2109.06836.

Background

  • Centralized Finance (CeFi): Transactions in CeFi are handled through a central exchange. Centralized exchanges are vulnerable to security threats.
  • DeFi: Collective term for publicly accessible financial products and services that are built on top of smart contract-based blockchain systems and are not under the control of a single entity.
  • Ethereum: A decentralized blockchain that implements automated smart contracts in a payment and transaction-oriented architecture.
  • MetaMask: A commercially available software cryptocurrency wallet, available as a browser extension and as a mobile application, used to interact with the Ethereum blockchain.
  • Third-party scripts: Scripts embedded in a site but served by a third-party vendor. They raise privacy, security, and performance concerns.
  • Web tracking: Tracking users' activities across websites, commonly through third-party cookies and alternative tracking vectors.
  • Personally Identifiable Information (PII): Information that can identify a person or be linked to a user's real-world identity, e.g., name and demographic information.
  • eTLD+1: The effective top-level domain (eTLD) plus the one label immediately before it. For example, for the URL https://my-project.github.io, the eTLD is .github.io and the eTLD+1 is my-project.github.io, which is what counts as a "site".
  • Remote Procedure Call (RPC): Software communication protocol that lets a client call a procedure on a remote system as if it were local.
  • Application Programming Interface (API): Software interface that allows two applications to communicate with each other.

Summary

  • DeFi is claimed to be a more secure, private, and less centralized alternative to Centralized Finance (CeFi), but this claim is yet to be substantiated by adequate studies.
  • DeFi applications suffer from similar privacy and security issues common to other parts of the web.
  • The presence of third-party scripts on DeFi sites poses a substantial threat to sensitive information.
  • On over 56% of the analyzed websites, a common tracker provided by Google was found to record Ethereum addresses.
  • Third-party scripts can leak users' Ethereum addresses, connect them to their PII, and track sensitive user browsing activities.
  • Third-party scripts threaten the security of user funds: their ability to interact with connected wallet applications could open the door to phishing attempts or allow unauthorized transactions from the user's wallet.
  • Numerous DeFi sites use services like Google Tag Manager and Google Analytics that leak users' financial activities and Ethereum addresses.
  • The sensitive nature of DeFi sites magnifies these threats, as they have custody of substantial amounts of user funds and a unique identifier in the form of an Ethereum address.
  • Essentially, a DeFi site's operation consists of a two-way interaction: one with the Ethereum blockchain, the other with the user's wallet.
  • MetaMask mediates some of these interactions and allows DeFi sites to access users' Ethereum addresses and balances, and to create transactions with the user's permission.
  • Although script blockers can help protect users from trackers, they are not a permanent solution to the threat posed by third-party scripts.
  • Therefore, the researchers propose the implementation of a privacy-enhancing patch for the MetaMask in-browser wallet to remedy privacy and security vulnerabilities.

Method

  • First, the researchers conducted qualitative studies to collect data from 78 sites on DeFi Pulse.
  • Then, the sites were manually converted by the researchers to clickable URLs for easy access.
  • Finally, using a Puppeteer-based crawler, the researchers visited all listed sites and recorded every request the sites made (the requesting context, the requested URL and the type of request) in a JSON file.
  • Design of Countermeasure:
    • A patch was developed to prevent third-party leaks of Ethereum addresses to DeFi sites. The patch hands out key-generated site-specific Ethereum addresses.
    • The key generation procedure ensures that
      • DeFi sites see the same Ethereum address during repeated visits;
      • accidental transactions on a user's fake address can be undone;
      • different sites see different addresses and third parties cannot easily link the user's addresses.
    • The designed MetaMask wallet patch can protect users from third-party data leaks.

Results

  • Ethereum Address Leaks

To see if users' data would be leaked to third parties, the researchers recorded requests from popular Ethereum sites. They then looked for requests whose destination had a different eTLD+1 than the origin and whose URL contained the user's Ethereum address.

Fig. 3 gives an overview of the DeFi sites that leaked Ethereum addresses. The results indicate that 13 out of 78 sites, or approximately 17%, leaked Ethereum addresses to third parties.

  • Cross-origin Dependencies

The corresponding figure in the paper gives an overview of the top ten third-party sites with the most scripts embedded on DeFi sites.

When the researchers extracted script requests from their DeFi sites list whose destination eTLD+1 differs from the site's origin, the study data showed that 48 DeFi sites, or 66%, embed at least one script from a total of 34 third parties, increasing the possibility of phishing attempts. Additionally, 56% of all analyzed DeFi sites embed at least one script provided by Google.
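The two analyses above (address leaks to a different eTLD+1, and cross-origin script dependencies) share the same eTLD+1 logic, so here is one added example, not the paper's crawler code, that runs both over request records of the shape the Method section describes. The request records, the address and the tiny suffix list are constructed for illustration; a real analysis would use the full Public Suffix List.

```javascript
// Added example (not the paper's crawler): analyse request records of the form
// the summary describes (requesting context, requested URL, request type) for
// (a) cross-site leaks of a known Ethereum address and (b) third-party script
// dependencies, both keyed on eTLD+1.

// Stand-in for the Public Suffix List (assumption: only these multi-label
// suffixes are known; a real analysis should consult the full list).
const MULTI_LABEL_SUFFIXES = new Set(["github.io", "co.uk", "com.au"]);

// eTLD+1 of a URL: the effective TLD plus the one label before it.
function etldPlusOne(urlString) {
  const labels = new URL(urlString).hostname.toLowerCase().split(".");
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// A record is a leak when the destination is a different site (eTLD+1) than
// the page that issued the request and the full URL (path, query or fragment)
// contains the address. The comparison is case-insensitive because trackers
// may lower-case the EIP-55 mixed-case form; the 0x prefix is dropped so that
// URL-encoded or prefix-less copies are still caught.
function findAddressLeaks(records, address) {
  const needle = address.toLowerCase().replace(/^0x/, "");
  return records.filter(
    (r) => etldPlusOne(r.url) !== etldPlusOne(r.context) &&
           r.url.toLowerCase().includes(needle));
}

// Third-party scripts: script requests whose eTLD+1 differs from the page's.
// Returns Map<thirdPartySite, Set<embeddingSite>>.
function thirdPartyScripts(records) {
  const deps = new Map();
  for (const r of records) {
    if (r.type !== "script") continue;
    const origin = etldPlusOne(r.context);
    const dest = etldPlusOne(r.url);
    if (dest === origin) continue;
    if (!deps.has(dest)) deps.set(dest, new Set());
    deps.get(dest).add(origin);
  }
  return deps;
}

// Constructed sample records and address (not data from the paper).
const ADDRESS = "0xAbCd00000000000000000000000000000000EF12";
const SAMPLE = [
  { context: "https://app.example-defi.org/swap", type: "script",
    url: "https://app.example-defi.org/static/main.js" },
  { context: "https://app.example-defi.org/swap", type: "script",
    url: "https://www.googletagmanager.com/gtm.js?id=GTM-CONSTRUCTED" },
  { context: "https://app.example-defi.org/swap", type: "xhr",
    url: "https://www.google-analytics.com/collect?dl=https%3A%2F%2Fapp.example-defi.org%2Fswap%3Faccount%3D0xabcd00000000000000000000000000000000ef12" },
  { context: "https://other-defi.example/", type: "script",
    url: "https://www.googletagmanager.com/gtm.js" },
  { context: "https://other-defi.example/", type: "fetch",
    url: "https://api.other-defi.example/balance/" + ADDRESS },
];

console.log(findAddressLeaks(SAMPLE, ADDRESS).map((r) => r.url));
console.log([...thirdPartyScripts(SAMPLE)].map(([s, p]) => [s, [...p]]));
```

Note that the last record carries the address but stays on the same eTLD+1 (api.other-defi.example is part of other-defi.example), so it is correctly not reported as a leak.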

  • Conversion analysis

As shown in Fig. 5, after assessing the position of third parties in a DeFi funnel and passing all relevant entities through a 1% selection criterion, five companies were selected. Google was the largest, with substantial reach across all three parts of the funnel.

Discussion and Key Takeaways

  • Limitation of Access: Fake Ethereum addresses and private keys should be generated for each DeFi site so that third parties do not gain access to the user's real wallet address.
  • Interception of Wallets: RPC calls of Ethereum wallets can be intercepted to replace fake wallet addresses with real ones, so that transactions remain valid and users' wallet balances can still be shown.
  • Limitation of Countermeasure: The countermeasure is limited because it does not prevent DeFi sites from seeking out users' real wallet addresses, and it cannot intercept requests that do not go through MetaMask's Ethereum provider API.

Implications and Follow-ups

  • The research examines the interconnection of privacy and security in DeFi applications and recommends solutions to the vulnerabilities identified, with two major limitations to consider.
    • First, deliberately disguised leaks are difficult to reveal.
    • Second, results are difficult to generalize due to the presence of selection bias.
  • To improve their privacy and security, users of DeFi sites should block analytics scripts and connect their wallets only when necessary.
  • DeFi developers should use self-hosted analytics, treat privacy as a first-class concern, and reconsider their threat models.

Applicability

  • The researchers emphasize that the lightweight patch designed in the study is useful to protect users' real Ethereum addresses from data leaks on the MetaMask in-browser wallet.
  • Third-party scripts that expose users to serious threats can be circumvented if DeFi site developers stop using third-party scripts.
  • Users who are concerned about their privacy and security can install the lightweight MetaMask in-browser wallet patch to access adequate protection.
19 Likes

A question for you (from @rlombreglia) The paper states that 56% of DeFi sites analyzed contain tracking scripts from Google that leak Ethereum addresses or other data that can link people to other sites including gambling or adult sites. How important/controversial is it to publicize this fact?

2 Likes

@Tolulope What a well-written summary! I will be doing some re-editing on mine after getting such a good writeup from you!

To address @jmcgirk 's question here as well, I find it vitally important to publicize this. It breaks the ethos of blockchain & crypto (in my opinion) that Google is still mining and analyzing our data in DeFi dApps. We can't hold to principles if we don't know when they're being undermined. It's also concerning as a user. Insightful as a developer (though not a coder myself).

I appreciate how actionable the #applicability section is:

For clarity too, I don't believe there's any other patch offered right now besides the upgrade that was initiated on February 15th. I'm seeing that the most up-to-date version of MetaMask is 10.9.3. Their GitHub hosts 10.10.0 and was released hours ago. It may include the patch described in the paper but I don't see it (if someone else finds it to confirm). Your MetaMask wallet will update simply when you log out and log back in. Hope that helps the SCRF community!

6 Likes

Recently the EU found the use of Google Analytics violates the 2020 Schrems II decision. Some countries in the EU are also warning that using Google Analytics may soon be illegal, while others are advising that companies start looking for alternatives to Google tools{1}. I think it is important that we create awareness of the fact that 56% of DeFi sites analysed in the paper used at least one script provided by Google, alongside the potential risks involved with their use. Creating such awareness will help people, especially Web 3 users and developers, conceptualise the extent of risk they are in and learn how to mitigate such risks.

{1} US-EU data transfers on life support after French Google decision. (2022, February 10). POLITICO.

7 Likes

The problem is real, and the solutions offered are simple and easy to apply. Interesting how one of the third-party sites is a .net Facebook domain rather than .com. The generation of false addresses seems to make a lot of sense for avoiding phishing attempts. Kind of similar to how we can poison data in AI, which may be used for both good and nefarious purposes.

I'd say poisoning the data is good if the model is being used for nefarious purposes such as in the case of throwing off the models used for unwanted surveillance. Kind of on a tangent - I remember in the video game "Watchdogs 2" they were trying to use mass surveillance AI to find Marcus, and the hackers threw off the surveillance by making 40 different Marcus's walking just around the SF bay area. Naturally, data poisoning can also be bad if used to provide false authentication, or for things like deepfakes. To me, it's slightly surprising that there are no universally used methods for proving the legitimacy of data. This is something that blockchain has largely already made possible. We can use blockchain for verifying whether a video was actually recorded in a specific place and, with the timestamp, at a specific time, thereby preventing deepfakes.
@zube.paul @Larry_Bates tagging for if you'd like to carry our discussion last month to the forum

6 Likes

In this context it's interesting that Google is now creating a blockchain division under the Google Labs group: Report: Google Launches Blockchain Division – Blockchain Bitcoin News
In the past, Google has shied away from crypto in general, but this is less and less the case now. Without namely 'endorsing' crypto or supporting it as a means of commerce on its own platforms, this branch seems to be primarily focused on the distributed computing elements of blockchain.

5 Likes

This research is handy especially now that data protection is a thing all over the world and could see DeFi operators fined for such privacy breaches. Well done @Tolulope

Will the fake wallet address generated still lead to identification of the user, whether directly or indirectly?

If it does, there may be a need to introduce an anonymisation technique so as to take it away from the ambit of data protection.

3 Likes

Thank you for your comment @Samuel94

The purpose of the fake address is to disassociate the wallet owner's identification and footprint from their original address; therefore, the fake address shouldn't lead to the identification of the wallet owner under normal circumstances.

1 Like

That was really a nice summary on Web 3.0 security and privacy @Tolulope. For me, I believe that Web 3.0 is a given, and generally speaking, there are more reasons to be optimistic than negative, not minding the security issues and privacy as regards users' data. However, firms, users and developers who wish to take part in Web 3.0 must be aware of the security concerns involved. I still believe that no system is perfect, and anonymity can make it difficult to identify and prosecute hostile actors or even to recover monies that have been taken.

For identity issues, Web 3.0 improves upon many of Web 2.0's privacy concerns, but anonymity and decentralization also have a downside. For one, anonymity makes it difficult to hold bad actors accountable for their actions and offers little to no protection for consumers. Furthermore, anonymity makes regulation more difficult and simplifies money laundering and terrorist funding. In addition, decentralized identification complicates current regulations like GDPR and makes it difficult to discern user identity for data controllers. Finally, most self-sovereign identity (SSI) and crypto wallets require a lengthy security onboarding process, making widespread adoption more difficult and less secure.

5 Likes

The issue of security in DeFi can never be overemphasized. If you have ever experienced theft, extortion, or cyberbullying resulting from the leakage of personal identifiable information, you will understand better.

I like the solution proposed by the researchers, because in solving a problem it is always advisable to start from the root cause. Considering the problem from a wallet perspective will solve the vulnerability better. Relying on script blockers is like buying time to avoid a problem. In the end, the problem will resurface, somehow.

As a second layer of security, it is advisable that anyone interacting with DeFi sites have a separate wallet for that. Taking this precaution can save one a lot of drama too.

@Tolulope You did good work here. I'm curious, it looks like only DeFi sites hosted on the Ethereum blockchain were studied? Have an idea why? I was hoping to see other blockchains so as to get a bird's eye view of the security threat. That doesn't mean this is not comprehensive anyway.

For the sites selected, were there criteria laid down for the selection?

5 Likes

Thank you for your comment @Cashkid18. I agree with you on the pros and cons of anonymity which you have mentioned. Would you agree that anonymity could better preserve people's privacy and that people's privacy is more important vis-a-vis money laundering and terrorist funding regulations?

1 Like

Thank you for your comment @Ulysses. I believe the researchers may have decided to use DeFi as their sample population due to the fact that they found that most of the privacy and security issues in DeFi apps are those that can be found in other parts of the web. If you would like to read more on privacy issues in Blockchain generally, I think you may find this paper helpful - Blockchain Access Privacy: Challenges and Directions | IEEE Journals & Magazine | IEEE Xplore

2 Likes

Great work @Tolulope. Well, I agree that for the purpose of thwarting phishing attacks, the creation of fake addresses is a good approach to this.

Web 3.0, in my opinion, is a given, and generally speaking, there are more positive reasons than negative ones, security concerns and user data privacy aside. To participate in Web 3.0, businesses, users, and developers must be aware of the security issues involved.

DeFi offers a wide range of possibilities. Regulators, investors, and the financial markets, however, also face significant risks and difficulties as a result.
Consider in a DeFi undertaking is constructed inside the network. people work with each other at once, for reasons to navigate their economic choices. That said, the platform is susceptible to bugs inside the clever agreement, that's a self-executing agreement that bureaucracy the premise of DeFi tasks. Well, DeFi platforms are encountering more hacks than ever some time recently as request for decentralized back (DeFi) applications rises. DeFi hacks have fetched clients more than $2.0 billion so distant in 2021, making token security more critical than ever. According to me, I would say there isn't a straightforward way to bargain with such dangers.

2 Likes

@Tolulope Because it is always appropriate to start by addressing the underlying cause of the problem, I simply appreciate the arrangement that the experts have suggested. The powerlessness will be much more clear when the problem is viewed from the perspective of the wallet. Although relying on script blockers is like buying time to avoid a problem, the problem will somehow reappear in the end.
Web 3.0 addresses many of Web 2.0's security concerns in terms of character, but secrecy and decentralization also have a downside. For starters, anonymity gives little to no security for buyers and makes it difficult to hold bad fictional characters accountable for their deeds.
Additionally, concealment complicates management, changes money laundering, and disrupts funding for psychological demonstrators. Decentralized recognizable proof complicates present directions in terms of expansion.

3 Likes

Hi Tolu, for me privacy and anonymity are different things which serve different purposes.
When we talk about privacy, we are referring to a situation where the identity of the user is known but what the user does is protected or not known. You can say that the user's data is protected from the public eye.

Then, when it comes to anonymity, we are referring to a situation where the identity of the user is protected and not known but what he does is seen. That's where tools like Tor and VPNs come in, to hide our identity, but people will still see what we did on the internet, though they won't know who did it.
If you are talking about preserving our privacy better, then that's where encryption comes in, and it should be very strong encryption at that, in order to protect and encrypt users' data better.

For your second question, I don't believe that privacy is more important when it comes to a case of using the privacy to commit crimes like money laundering and terrorist activities. Apart from such scenarios, privacy is very important and should be protected.

2 Likes

Thank you for your comment @WaterLily

1 Like

I agree with you. Thank you for your comment @Cashkid18

Great research summary @Tolulope, thanks for taking your time to write on this … diverting from this question

I would like to highlight an important step users can take to stay safe using DeFi.
Verifying that a dApp and its smart contracts have undergone an audit is an important step users should take.
Numerous programs and websites analyze various dApps to look for security holes, reliable developers, or other potential problems. The following is a list of various auditing tools you can find helpful while looking into dApps:

DeFi Safety is a website where reports and safety ratings for DeFi projects are posted.
Solidity Finance - website that determines whether a protocol has been audited or not.
Rugscreen is a website that can determine whether a protocol is a known rug pull or fraud.
Coinsniper is a website that provides further details on how to avoid frequent DeFi frauds.

Smart contract audit helps to prevent code vulnerabilities.

3 Likes

Thanks for the advice on the user side, @kingdamieth. To the original point that was part of the summary, however, do the developers of DeFi projects also have an obligation here? Would the user advice that you are providing here be sufficient to identify things like the third-party scripts being discussed here?

3 Likes

Thanks for taking me back to the main point of the summary … surely developers of DeFi projects have an obligation in relation to their privacy and security issues. Although answering this question,

It is quite insufficient. This is because both Users and Developers have to play their part as they both bear responsibilities for DeFi safety. Due diligence is the best strategy for investors to manage DeFi risks. Likewise, projects should pass routine security checks and finish the audit of their smart contracts before listing in order to reduce the danger of DeFi attacks. Additionally, technical companies release fresh patches and upgrades for DeFi systems so they may fix security flaws before hackers discover them. The better a project's chances are of preventing a DeFi breach, the quicker it installs these security patches.

Key security tips DeFi developers should take into consideration

6 Likes