Research Summary - What is in Your Wallet? Privacy and Security Issues in Web 3.0

Great comment @cashkid18, your view on the pros and cons of data privacy is quite keen.
@tolulope, a great question I think it largely depends on the priorities as a society.
@cashkid18, your response is succinct: they are both imperative, but as a society, where do you think our priorities lie based on your view, and can you give more suggestions on the core question: What requirements do DeFi sites need to ensure user privacy and security?

2 Likes

Hi Tolu

Your summary inspired an article I'm working on at the moment. Currently, I'm reading through while researching the subject matter.

Just like I thought, there is a huge disconnect between the security beliefs in DeFi and the current reality. And it pains me to know that many users are ignorant of these issues.

This part paints a vivid picture of how our beloved decentralized finance is not without elements of centralization. It also reminds me of a Twitter space I joined two weeks ago, where I learned that MetaMask, TrustWallet, and other dubbed Web3-native dapps are more centralized than we think.

Which brings me to my question:

Will Web3, Crypto, and DeFi be permanently rid of the centralization which evidently complicates and puts users at potential risk?

Additionally, how can users be made aware of these risks and how they can better secure themselves?

1 Like

Thanks for your comment @Harvesto. Can't wait to read your article!

Centralization does put users at potential risk considering the high level of third-party involvement, control in central authority, single point of failure, lack of transparency and so many other issues. Will it end? Well, we will have to wait and see as some people will always favor centralization over decentralization.

I think there can be two approaches to this - first, from the DApps and second, from the general public. DeFi Apps could take on the responsibility of researching associated risks and educating users about them on their platforms. Also, people in the general public who are knowledgeable about these risks could do so by creating awareness, writing articles, and hosting webinars for other people who may not have the same level of knowledge.

4 Likes

When I signed up for the SCRF badge, I was told to connect my MetaMask wallet to the right website. If the website's security is breached, will there be a threat to the assets I own?

If yes, what extra protection do you recommend?

2 Likes

Can you throw more light on the centralized nature of MetaMask, TrustWallet and other dubbed Web3-Native dapps?

3 Likes

As noted in the research and summary, these so-called Web3 native dapps have some form of third-party scripts embedded in them - mostly because they interact with protocols.

Furthermore, MetaMask and TW data are hosted on cloud software like AWS, which poses a huge risk.

What if the servers go down temporarily or permanently?

What will happen to user funds?

Then, you have the issue of hacks, which could result from the third party scripts or other possible attack vectors the hacker figures out.

3 Likes

Discussion Summary.

  • De-Fi has been perceived as a more secure, private, less centralized alternative to traditional financial systems, but De-Fi applications may not be as secure as previously thought.
  • Third-party applications embedded in DeFi applications and services may result in data leaks; script blockers can help to prevent trackers from operating but are not a permanent cure.
  • The authors proposed a remedy to identified vulnerabilities by designing an in-browser patch for MetaMask to prevent third-party address leaks.

Tags.
Security, Privacy, Web3, Wallet, and De-Fi.

Points of Disagreement.

Differences in Functions.

Unresolved Questions.

  • To the original point that was part of the summary, however, do the developers of DeFi projects also have an obligation here? Would the user advice that you are providing here be sufficient to identify things like the third-party scripts being discussed here?
  • What requirements do DeFi sites need to ensure user privacy and security?
  • What will happen to user funds?

Points of Consensus.

Offered Solution.

Identification of Consequences.

  • Web 3.0 addresses many of Web 2.0's privacy problems regarding identity, yet anonymity and decentralization have drawbacks. For one thing, anonymity makes it harder to hold bad actors accountable for their acts and provides little to no consumer protection. Furthermore, anonymity makes regulation more difficult while also making money laundering and terrorist financing easier. Furthermore, decentralized identification challenges current requirements such as GDPR and makes it harder for data controllers to determine user identity.

Key Resources

3 Likes
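The third-party script leak raised a few posts up (embedded scripts having the same access to the wallet as the page's own code) and the in-browser patch mentioned in the summary both come down to one question: who on the page is allowed to ask the injected provider for the user's address? The example below is added here and is not code from the paper, from MetaMask, or from any dapp. It models a DeFi page in Node: a constructed stand-in for the injected provider, a first-party script that connects the wallet, a third-party analytics script that silently reads `eth_accounts` and ships the address to a constructed tracker endpoint, and one page-side gate that withholds identity-revealing methods from every script that loads after the first-party one. The provider, the tracker, the page name `dex.example` and the address are all constructed for the demonstration; the gate is an illustrative mechanism, not the paper's patch.

```javascript
// Added example (not from the paper, MetaMask, or any dapp): models how a
// third-party script embedded in a DeFi page can read the connected wallet
// address through the injected provider and send it off-site, and one
// first-party gate that withholds identity-revealing methods from such scripts.
// The provider, tracker, page name and address below are constructed stand-ins.

// Stand-in for an injected EIP-1193 provider (what window.ethereum exposes).
function makeMockProvider(accounts) {
  return {
    async request({ method }) {
      if (method === "eth_requestAccounts" || method === "eth_accounts") return accounts;
      if (method === "eth_chainId") return "0x1";
      throw new Error("unsupported method: " + method);
    },
    on() {}, // event subscription, unused in this model
  };
}

// Constructed tracker endpoint: records every payload a script sends it.
function makeTracker() {
  const received = [];
  return { received, async send(payload) { received.push(payload); } };
}

// Methods that reveal the user's identity or act on their behalf. Chain id,
// block number and contract reads stay callable through the gate.
const SENSITIVE = new Set([
  "eth_accounts", "eth_requestAccounts", "eth_sendTransaction",
  "personal_sign", "eth_signTypedData_v4",
]);

// First-party gate. The page's own script runs this before any third-party
// script loads, keeps `trusted` in a closure, and installs `gated` as
// window.ethereum so that later scripts only ever see the gated object.
function gateProvider(raw) {
  const gated = Object.freeze({
    async request(args) {
      if (SENSITIVE.has(args.method)) {
        throw new Error("blocked: " + args.method + " is first-party only");
      }
      return raw.request(args);
    },
    on() {}, // accountsChanged/chainChanged events are not forwarded either
  });
  return { trusted: raw, gated };
}

// First-party dapp code: connects the wallet and keeps the address for its UI.
async function firstPartyConnect(provider) {
  const [address] = await provider.request({ method: "eth_requestAccounts" });
  return address;
}

// Third-party script (analytics, ads, an embedded widget). It has the same
// access to window.ethereum as the page's own code, so a silent eth_accounts
// call is enough to tie the wallet address to the tracker's profile.
async function thirdPartyScript(windowEthereum, tracker) {
  try {
    const accounts = await windowEthereum.request({ method: "eth_accounts" });
    if (accounts.length > 0) {
      await tracker.send({ address: accounts[0], page: "dex.example" });
    }
    return { leaked: accounts.length > 0 };
  } catch (err) {
    return { leaked: false, blocked: err.message };
  }
}

// Runs one page load with or without the gate and reports what the tracker saw.
async function simulate(withGate) {
  const page = { ethereum: makeMockProvider(["0x1111111111111111111111111111111111111111"]) };
  const tracker = makeTracker();
  let forFirstParty = page.ethereum;
  if (withGate) {
    const { trusted, gated } = gateProvider(page.ethereum);
    page.ethereum = gated;       // what every later script sees
    forFirstParty = trusted;     // kept only in the first-party closure
  }
  const address = await firstPartyConnect(forFirstParty);   // dapp still works
  const third = await thirdPartyScript(page.ethereum, tracker);
  return {
    firstPartyAddress: address,
    thirdPartyLeaked: third.leaked,
    trackerSaw: tracker.received.map((p) => p.address),
  };
}

simulate(false).then((r) => console.log("no gate:", r));
simulate(true).then((r) => console.log("with gate:", r));
```

Without the gate the tracker ends up holding the address; with it the first-party connect still succeeds and the tracker sees nothing. Two caveats a practitioner would want: the gate only helps if the first-party script really runs before every third-party one, and a script that reaches the raw provider by another route (waiting for the wallet to re-inject, or listening for provider-discovery events) is not covered, which is why a fix that lives in the browser or the wallet extension, as the summary describes for the paper, sits at a stronger point than a page-side wrapper. It also does nothing about an address the page itself places in the DOM or a URL, which a tracker can read without touching the provider at all.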

Depending on the level of access you have granted the website, I believe if there is a security breach, you will be affected in one way or another, but the security of your assets will depend on the security measures implemented by MetaMask. However, in the event of a security breach, you will be exposed to many threats including social engineering attacks, which can inadvertently lead to a loss of assets as well.

3 Likes

Great points to consider, it has become even more clear recently that although the optionality for private transactions or increased security is available, developers might not have the right incentivization for improving their infrastructure.

Most instances of this have occurred when communities warn team members of potential security risks, yet these warnings are ignored until they become exploited.

The better a project's chances are of preventing a DeFi breach, the quicker it installs these security patches.

To this point, I think there are many instances where human errors hinder any effective solutions being made. Instead, users tend to warn protocols of failed audits but eventually pay the price when a project feature becomes exploited.

2 Likes

Human error is one of the main reasons why solutions aren't implemented well. One big problem with smart contracts is that they can't be changed. There is no way to fix bugs or flaws in the code after it has been deployed. Before smart contracts can be used, the code must be checked for bugs and tested to see how well it works.

When smart contracts interact with each other and with real-world systems like financial institutions, there could be risks and holes. So, it's important for people who work with smart contracts to be aware of the risks and take steps to reduce them. We can use access restrictions, encryption, and multi-signature authorization to make sure that only the right people can get into smart contracts.

Like any other software, smart contracts need to be updated and patched regularly to fix security flaws in the code so that they can't be used in bad ways.

Lastly, to make sure smart contracts are safe and reduce the chance of a mistake being made by a person, research should include thorough audits and testing, an understanding of real-world risks and weaknesses, security protocols, and frequent code upgrades.

It will be interesting to explore smart contracts and AI, or the integration of both.