Research Summary - What is in Your Wallet? Privacy and Security Issues in Web 3.0

TLDR

  • DeFi has been perceived as a more secure, private, less centralized alternative to traditional financial systems, but DeFi applications may not be as secure as previously thought.
  • Third-party applications embedded in DeFi applications and services may result in data leaks; script blockers can help to prevent trackers from operating but are not a permanent cure.
  • The authors proposed a remedy to identified vulnerabilities by designing an in-browser patch for MetaMask to prevent third-party address leaks.

Core Research Question

What requirements do DeFi sites need to ensure user privacy and security?

Citation

Winter, P., Lorimer, A. H., Snyder, P., & Livshits, B. (2021, September 14). What's in your wallet? Privacy and security issues in Web 3.0. arXiv.org, arXiv:2109.06836.

Background

  • Centralized Finance (CeFi): Transactions in CeFi are handled through a central exchange. Centralized exchanges are vulnerable to security threats.
  • DeFi: Collective term for public financial products and services that are publicly accessible, built on top of smart contract-based blockchain systems, and are not under the control of a single entity.
  • Ethereum: A decentralized blockchain that implements automated smart contracts in a payment and transaction-oriented architecture.
  • MetaMask: Available as a browser extension and mobile application; it is a commercially available software cryptocurrency wallet used to interact with Ethereum blockchain.
  • Third-party scripts: Scripts embedded in a site from a third-party vendor. Can increase privacy, security, and performance concerns.
  • Web tracking: A common way of tracking users’ activities across websites is through third-party cookies and alternative tracking vectors.
  • Personal Identifiable Information (PII): Information that can identify a person or link a user’s real-world identity, e.g., name and demographic information.
  • eTLD+1: Effective Top-Level Domain (TLD) +1 is the effective TLD and the part of the domain before it. For example, given a URL of https://my-project.github.io, the eTLD is .github.io, and the eTLD+1 is my-project.github.io, which is considered a “site”.
  • Remote Procedure Call (RPC): Software communication protocol used in client-server applications to call procedures on a remote system as if they were local.
  • Application Programming Interface (API): Software interface that allows two applications to communicate with each other.

Summary

  • DeFi is claimed to be a more secure, private, and less centralized alternative to Centralized Finance (CeFi), but this claim is yet to be substantiated by adequate studies.
  • DeFi applications suffer from similar privacy and security issues common to other parts of the web.
  • The presence of third-party scripts on DeFi sites poses a substantial threat to sensitive information.
  • On over 56% of the analyzed websites, a common tracker provided by Google was found to record Ethereum addresses.
  • Third-party scripts can leak users’ Ethereum addresses, connect them to their PII, and track sensitive user browsing activities.
  • Third-party scripts threaten the security of user funds as their ability to interact with connected wallet applications could open the door to phishing attempts or allow unauthorized transactions from the user’s wallet.
  • Numerous DeFi sites use services like Google Tag Manager and Google Analytics that leak users’ financial activities and Ethereum addresses.
  • The sensitive nature of DeFi sites magnifies these threats as they have custody of substantial amounts of user funds and a unique identifier in the form of an Ethereum address.
  • Essentially, a DeFi site’s operation consists of a two-way interaction, one with the Ethereum blockchain, the other with the user’s wallet.
  • MetaMask aids some of these interactions and allows DeFi sites to access users’ Ethereum addresses and balances, and to create transactions with the user’s permission.
  • Although script blockers can help protect users from trackers, they are not a permanent solution to the threat posed by third-party scripts.
  • Therefore, the researchers propose the implementation of a privacy-enhancing patch for the MetaMask in-browser wallet to remedy privacy and security vulnerabilities.

Method

  • First, the researchers conducted qualitative studies to collect data from 78 sites on DeFi Pulse.
  • Then, the sites were manually converted by the researchers to clickable URLs for easy access.
  • Finally, using a Puppeteer-based crawler, the researchers visited all listed sites and recorded every request the sites made (consisting of the requesting context, the requested URL and the type of request) in a JSON file.
  • Design of Countermeasure:
    • A patch was developed to prevent third-party leaks of users’ Ethereum addresses via DeFi sites. The patch hands out site-specific Ethereum addresses derived from a key.
    • The key generation procedure ensures that
      • DeFi sites see the same Ethereum address during repeated visits;
      • accidental transactions on a user’s fake address can be undone;
      • different sites see different addresses and third-parties cannot easily link the user’s addresses.
    • The designed MetaMask wallet patch can protect users from third-party data leaks.

Results

  • Ethereum Address Leaks

To see if users’ data would be leaked to third parties, the researchers recorded requests from popular Ethereum sites. They then looked for requests whose destination had a different eTLD+1 than the origin and whose URL contained the user’s Ethereum address.

Fig. 3 gives an overview of DeFi sites that leaked the Ethereum addresses. The results indicate that 13 out of 78, or approximately 17% of the sites leaked Ethereum addresses to third parties.

  • Cross-origin Dependencies

The figure above gives an overview of the top ten third-party sites with the most scripts embedded on DeFi sites.

When the researchers extracted script requests from their DeFi sites list whose destination eTLD+1 differs from the site’s origin, the study data showed that 48 DeFi sites, or 66%, embed at least one script from a total of 34 third parties, increasing the possibility of phishing attempts. Additionally, 56% of all analyzed DeFi sites embed at least one script provided by Google.

  • Conversion analysis


As shown in Fig. 5, after assessing the position of third parties in a DeFi funnel and passing all relevant entities through a 1% selection criterion, five companies were selected. Google was the largest, with substantial reach across all three parts of the funnel.

Discussion and Key Takeaways

  • Limitation of Access: Fake Ethereum addresses and private keys should be generated per DeFi site so that third parties never obtain the user’s real wallet address.
  • Interception of Wallets: The RPC calls of Ethereum wallets can be intercepted to swap the fake wallet address for the real one, so that transactions are still validated and the user’s real wallet balance is still shown.
  • Limitation of Countermeasure: The countermeasure is limited because it does not prevent DeFi sites from searching out users’ real wallet addresses, and it cannot intercept requests that do not go through MetaMask’s Ethereum provider API.

Implications and Follow-ups

  • The research examines the interconnection of privacy and security in DeFi applications and recommends solutions to the vulnerabilities identified, with two major limitations to consider.
    • First, deliberately disguised leaks are difficult to reveal.
    • Second, results are difficult to generalize due to the presence of selection bias.
  • To improve their privacy and security, DeFi site users should block analytics scripts and connect their wallets only when necessary.
  • DeFi developers should use self-hosted analytics, treat privacy as a first-class concern, and reconsider their threat models.

Applicability

  • The researchers emphasize that the lightweight patch designed in the study is useful to protect users’ real Ethereum addresses from data leaks on the MetaMask in-browser wallet.
  • Third-party scripts that expose users to serious threats can be circumvented if DeFi site developers stop using third-party scripts.
  • Users who are concerned about their privacy and security can install the lightweight MetaMask in-browser wallet patch to access adequate protection.

A question for you (from @rlombreglia) The paper states that 56% of DeFi sites analyzed contain tracking scripts from Google that leak Ethereum addresses or other data that can link people to other sites including gambling or adult sites. How important/controversial is it to publicize this fact?

@Tolulope What a well-written summary! I will be doing some re-editing on mine after getting such a good writeup from you!

To address @jmcgirk 's question here as well, I find it vitally important to publicize this. It breaks the ethos of blockchain & crypto (in my opinion) that Google is still mining and analyzing our data in DeFi dApps. We can’t hold to principles if we don’t know when they’re being undermined. It’s also concerning as a user. Insightful as a developer (though not a coder myself).

I appreciate how actionable the #applicability section is:

For clarity too, I don’t believe there’s any other patch offered right now besides the upgrade that was initiated on February 15th. I’m seeing that the most up-to-date version of MetaMask is 10.9.3. Their GitHub hosts 10.10.0, which was released hours ago. It may include the patch described in the paper, but I don’t see it (if someone else finds it, please confirm). Your MetaMask wallet will update simply when you log out and log back in. Hope that helps the SCRF community!


Recently the EU found the use of Google analytics violates the 2020 Schrems II decision. Some countries in the EU are also warning that using Google Analytics may soon be illegal, while others are advising that companies start looking for alternatives to Google tools{1}. I think it is important that we create awareness on the fact that 56% of DeFi sites analysed in the paper used at least one script provided by Google alongside the potential risks involved with their use. Creating such awareness will help people, especially Web 3 users and developers, conceptualise the extent of risk they are in and learn how to mitigate such risks.

{1} US-EU data transfers on life support after French Google decision. (2022, February 10). POLITICO. US-EU data transfers on life support after French Google decision – POLITICO


The problem is real, and the solutions offered are simple and easy to apply. Interesting how one of the third-party sites is a .net facebook domain rather than .com. The generation of false addresses seems to make a lot of sense for avoiding phishing attempts. Kind of similar to how we can poison data in AI which may be used for both good and nefarious purposes.

I’d say poisoning the data is good if the model is being used for nefarious purposes, such as in the case of throwing off the models used for unwanted surveillance. Kind of on a tangent - I remember in the video game “Watchdogs 2” they were trying to use mass surveillance AI to find Marcus, and the hackers threw off the surveillance by making 40 different Marcuses walk around the SF Bay Area. Naturally, data poisoning can also be bad if used to provide false authentication, or for things like deepfakes. To me, it’s slightly surprising that there are no universally used methods for proving the legitimacy of data. This is something that blockchain has largely already made possible. We can use blockchain for verifying whether a video was actually recorded in a specific place and, with the timestamp, at a specific time, thereby preventing deepfakes.
@zube.paul @Larry_Bates tagging for if you’d like to carry our discussion last month to the forum


In this context it’s interesting that Google is now creating a blockchain division under the Google Labs group: Report: Google Launches Blockchain Division – Blockchain Bitcoin News
In the past, Google has shied away from crypto in general, but this is less and less the case now. Without namely ‘endorsing’ crypto or supporting it as a means of commerce on its own platforms, this branch seems to be primarily focused on the distributed computing elements of blockchain.
